mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git
synced 2025-05-16 04:16:59 +00:00
fix the hacking tutorials
This commit is contained in:
parent 325b9c3814
commit 673311896a
21 changed files with 207 additions and 489 deletions
@ -587,7 +587,7 @@ We try to ssh as the user prometheus with his assumed password St34l_th3_F1re :
icarus@620b296204a3:~$
We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.html):
We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.md):
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
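Review bot: the rewritten line keeps "he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking"; since this line is being touched anyway, change "an user" to "a user" and keep only one of the two "assum-" verbs, e.g. "so going by the hades riddle we can assume that it is about port knocking". The only functional change here is the relative link target `10.md`, so confirm that file exists beside this one in the repository.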
@ -55,7 +55,7 @@ Our nmap scan picked up port 5000 running http Gunicorn 19 so let's investigate
` 
Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.html), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file:
Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.md), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file:

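Review bot: the modified line runs two sentences together, "onto which we can upload xml files So just like for [Aragorg](19.md)"; add a full stop before "So" (or a comma and lower-case "so") while the line is being rewritten. The lone "` " context line just above this paragraph also looks like an unbalanced code fence, which is worth checking in the rendered page since a stray fence would swallow the paragraph that follows.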
@ -135,7 +135,7 @@ From there we navigate around and we stumble upon an interesting directory /home
4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src
Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.html) but this time we specify the -p flag in order to list the changes under each commit:
Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.md) but this time we specify the -p flag in order to list the changes under each commit:
roosa@gitter:~/work/blogfeed$ git log -p
@ -69,7 +69,7 @@ As always we begin our Enumeration using **Nmap** to enumerate opened ports. We
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.html) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first:
Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.md) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first:
λ nihilist [ 10.10.14.24/23 ] [~]
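Review bot: "Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first" is a dangling subordinate clause on the line being modified; drop "Although" so it reads "Our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first". The hunk header writes **Nmap** while this line writes "nmap" and "drupal 7"; pick one capitalisation for tool and product names.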
@ -149,7 +149,7 @@ From there all that we have to do is upload our reverse php shell and use it to
→ nano nihilist.php
Now the trick here is, we are not on a Linux box like on [Apocalyst](11.html), we need to tweak our reverse php shell like so :
Now the trick here is, we are not on a Linux box like on [Apocalyst](11.md), we need to tweak our reverse php shell like so :
<****?php
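Review bot: the context line `<****?php` shows the PHP opening tag rendered with stray asterisks, which looks like emphasis markers leaking into the code sample; this commit only swaps the link extension, so the code block that follows still needs to be fenced so that `<?php` renders literally. On the modified line itself, "we are not on a Linux box like on [Apocalyst](11.md)" is ambiguous about whether Apocalyst was the Linux box; "unlike on [Apocalyst](11.md), we are not on a Linux box here" removes the ambiguity.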
@ -170,7 +170,7 @@ The interesting directory here is "/debug" which reveals us that the server is u

Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.html).
Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.md).

@ -268,7 +268,7 @@ Both the IPs are still up. the IP .5 is supposed to be the Firewall, and .4 is s
Connection to 192.168.122.4 80 port [tcp/http] succeeded!
So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.html). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel:
So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.md). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel:
_Hawk SSH Tunnel:_
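Review bot: two typos sit on the line this hunk rewrites: "(127.0.0.1:port),in this case" is missing the space after the comma, and "an OTHER host" should read "another host". Both are cheap to fix in the same commit since the line is already being replaced.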
@ -148,7 +148,7 @@ We can, therefore we execute LinEnum.sh after adding the executing right with ch
4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 artisan
To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.html)
To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.md)
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
@ -159,7 +159,7 @@ However as you can see here sadly it is also an authenticated exploit requiring

Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.html) box:
Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.md) box:

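Review bot: the modified line is one run-on, "(CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here"; it needs a full stop after "(CSRF token)" and another after "bruteforcing", with "To continue" starting a new sentence. The REST API link points at the `/fr/19.04/` path of the Centreon docs, i.e. the French-language pages; if an English page exists for 19.04 it would match the rest of the text better, otherwise leaving it is fine.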
@ -894,7 +894,7 @@ So here we are hinted towards the /bin/screen-4.5.0 binary which seems to contai
So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.html) box which had literally the same binary as this box, so it will be quite similar:
So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.md) box which had literally the same binary as this box, so it will be quite similar:
_Terminal 1:_
@ -45,7 +45,7 @@ Our nmap scan picked up Apache Tomcat running on port 8080 so let's investigate

So the webserver is apparently a YAML parser, similarly to the [Time](64.html) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload:
So the webserver is apparently a YAML parser, similarly to the [Time](64.md) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload:
!!javax.script.ScriptEngineManager [
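Review bot: the rewritten line is a single long run-on; split it after "this is probably about deserialization" and after "the backend that's being used". "java backend" and "apache tomcat" should be capitalised as "Java" and "Apache Tomcat", matching "Apache Tomcat" in the hunk header. Leave the Medium URL untouched even though its slug spells "deserilization", unless the corrected slug has been verified to resolve.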