fix the hacking tutorials

This commit is contained in:
nihilist 2025-05-07 08:27:22 +02:00
parent 325b9c3814
commit 673311896a
21 changed files with 207 additions and 489 deletions

@ -313,7 +313,7 @@ Seems like we will use the C exploit n°44298. Let's locate it and copy it onto
/usr/share/exploitdb/exploits/linux/local/44298.c /usr/share/exploitdb/exploits/linux/local/44298.c
Fun Fact : we're going to privesc the exact same way as we did back on the [Bashed](15.html) machine. Fun Fact : we're going to privesc the exact same way as we did back on the [Bashed](15.md) machine.
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ] λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
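
Review bot: the commit message says only "fix the hacking tutorials", while the one change in this hunk is the Bashed link target on the "Fun Fact" line moving from `15.html` to `15.md`. Say in the message that internal links are being retargeted to the Markdown sources, and confirm that the site build rewrites `.md` targets to the rendered pages so the link still resolves for readers of the published site.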

@ -247,7 +247,7 @@ Here we get the /manager/text URI and if we lookup the tomcat documentation, thi
So from here, just like for the [Kotarak](../Hard/7.html) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom: So from here, just like for the [Kotarak](../Hard/7.md) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
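
Review bot: the Kotarak link on the changed line climbs out of the current directory (`../Hard/7.md`), so it only resolves if the Hard/ tree has been converted as well. Check that `Hard/7.md` exists in this commit before merging; running a link checker over the converted tree would catch this class of miss for every cross-directory reference.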

@ -189,7 +189,7 @@ Just like we saw earlier, we see that the DC name is **EGOTISTICAL-BANK.LOCAL**
Now let's use GetNPusers.py to get the TGT (Ticket Granting Ticket) if the account doesn't need Kerberos pre-authentication, just like we did back on the [Forest](38.html) box. Now let's use GetNPusers.py to get the TGT (Ticket Granting Ticket) if the account doesn't need Kerberos pre-authentication, just like we did back on the [Forest](38.md) box.
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna] [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]

@ -587,7 +587,7 @@ We try to ssh as the user prometheus with his assumed password St34l_th3_F1re :
icarus@620b296204a3:~$ icarus@620b296204a3:~$
We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.html): We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.md):
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus] λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]

@ -55,7 +55,7 @@ Our nmap scan picked up port 5000 running http Gunicorn 19 so let's investigate
` ![](prg/28_001.png) ` ![](prg/28_001.png)
Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.html), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file: Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.md), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file:
![](prg/28_002.png) ![](prg/28_002.png)
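
Review bot: the changed line still runs two sentences together at "upload xml files So just like for". Since the line is being edited for the link anyway, end the first sentence after "xml files" and start the next one at "So just like". "website in construction" would also read better as "under construction".
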
@ -135,7 +135,7 @@ From there we navigate around and we stumble upon an interesting directory /home
4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src 4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src
Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.html) but this time we specify the -p flag in order to list the changes under each commit: Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.md) but this time we specify the -p flag in order to list the changes under each commit:
roosa@gitter:~/work/blogfeed$ git log -p roosa@gitter:~/work/blogfeed$ git log -p

@ -69,7 +69,7 @@ As always we begin our Enumeration using **Nmap** to enumerate opened ports. We
## **Part 2 : Getting User Access** ## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.html) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first: Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.md) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first:
λ nihilist [ 10.10.14.24/23 ] [~] λ nihilist [ 10.10.14.24/23 ] [~]

@ -149,7 +149,7 @@ From there all that we have to do is upload our reverse php shell and use it to
→ nano nihilist.php → nano nihilist.php
Now the trick here is, we are not on a Linux box like on [Apocalyst](11.html), we need to tweak our reverse php shell like so : Now the trick here is, we are not on a Linux box like on [Apocalyst](11.md), we need to tweak our reverse php shell like so :
<****?php <****?php
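
Review bot: the trailing context line shows the PHP opening tag as `<****?php`, which is not valid PHP and looks like a conversion artifact, so the listing no longer shows the code the text describes. The hunk only retargets the Apocalyst link; restore the tag to `<?php` in the same pass, or state in the text that it is deliberately mangled.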

@ -170,7 +170,7 @@ The interesting directory here is "/debug" which reveals us that the server is u
![](prg/34_001.png) ![](prg/34_001.png)
Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.html). Here we see that support for IPv6 is enabled so with the combination of snmp running on port 161/udp we are heavily reminded of the previous box [Sneaky](7.md).
![](prg/34_002.png) ![](prg/34_002.png)

@ -268,7 +268,7 @@ Both the IPs are still up. the IP .5 is supposed to be the Firewall, and .4 is s
Connection to 192.168.122.4 80 port [tcp/http] succeeded! Connection to 192.168.122.4 80 port [tcp/http] succeeded!
So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.html). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel: So it looks like only 192.168.122.4 responded with 2 opened ports, we seem to have access to port 22 and 80. Now the problem here is, we do not have access to curl on the machine, so my initial thought was to make a ssh tunnel just like we did on [Hawk](29.md). But this case is different since this is not a specific port on the machine (127.0.0.1:port),in this case we need to be able to access an OTHER host through said tunnel:
_Hawk SSH Tunnel:_ _Hawk SSH Tunnel:_

@ -148,7 +148,7 @@ We can, therefore we execute LinEnum.sh after adding the executing right with ch
4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 artisan 4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 artisan
To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.html) To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.md)
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos] λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]

@ -159,7 +159,7 @@ However as you can see here sadly it is also an authenticated exploit requiring
![](prg/46_007.png) ![](prg/46_007.png)
Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.html) box: Before sending this over to the repeater, we see that the request has a Cross Site Request Forgery token (CSRF token) This is used to prevent cross site forgery attacks not necessarily bruteforcing, To continue here we need to take another look at centreon's [REST API documentation](https://docs.centreon.com/docs/centreon/fr/19.04/api/api_rest/) for the current version 19.04 just like for the [Craft](44.md) box:
![](prg/46_008.png) ![](prg/46_008.png)
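
Review bot: the CSRF sentence on the changed line is a run-on with a stray capital after a comma ("not necessarily bruteforcing, To continue here"), and "cross site forgery attacks" drops the word "request". Split it into two sentences while the line is being touched. The documentation link also points at the French (`/fr/`) edition of the 19.04 API docs, which deserves a word in the text if it is intentional.
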
@ -894,7 +894,7 @@ So here we are hinted towards the /bin/screen-4.5.0 binary which seems to contai
So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.html) box which had literally the same binary as this box, so it will be quite similar: So here we see the public exploits available to us, which should ring a bell because we also did a privesc through the screen binary back in the [Haircut](8.md) box which had literally the same binary as this box, so it will be quite similar:
_Terminal 1:_ _Terminal 1:_

@ -45,7 +45,7 @@ Our nmap scan picked up Apache Tomcat running on port 8080 so let's investigate
![](prg/67_001.png) ![](prg/67_001.png)
So the webserver is apparently a YAML parser, similarly to the [Time](64.html) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload: So the webserver is apparently a YAML parser, similarly to the [Time](64.md) box, this is probably about deserialization, however unlike for the Time box, giving it random data does not necessarily reveal the backend that's being used. Rather we can simply base our assumption that it is running a java backend because we saw that we were on apache tomcat. So let's look for YAML java deserialization payload by googling a bit, and we stumble upon [this](https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858) article, so let's first verify that this webserver is vulnerable with the following payload:
!!javax.script.ScriptEngineManager [ !!javax.script.ScriptEngineManager [

@ -82,5 +82,5 @@ and now we have our executable file called '0', we make it executable with chmod
And that concludes our first assembly code! in the next part we're going to explain everything about this code [here](2.html). And that concludes our first assembly code! in the next part we're going to explain everything about this code [here](2.md).

@ -132,5 +132,5 @@ and thus we get resulting final code:
Most x86_64 assembly code have 3 sections, the .data section , the .bss section and the .text section. the label we used here _start acts like a function, everytime we will use the word _start in our code, it is going to execute the portion of code that's associated with it. Most x86_64 assembly code have 3 sections, the .data section , the .bss section and the .text section. the label we used here _start acts like a function, everytime we will use the word _start in our code, it is going to execute the portion of code that's associated with it.
In the next subject we're going to dig into jumps, calls and comparaisons, you can click [here](3.html). In the next subject we're going to dig into jumps, calls and comparaisons, you can click [here](3.md).
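
Review bot: "comparaisons" on the changed line should be "comparisons"; fix it in the same edit as the link. The context line above it also describes `_start` as something that runs "everytime we will use the word _start in our code". `_start` is the label the linker takes as the program's entry point by default, and the sentence would be clearer if it said so.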

@ -100,5 +100,5 @@ Here we're going to use nasm and ld to compile our assembly code, and then we ju
→ ./3 → ./3
Hello, World! Hello, World!
In the next tutorial we will see how to get user input, you can click [here](4.html). In the next tutorial we will see how to get user input, you can click [here](4.md).

@ -118,5 +118,5 @@ Here we're going to use nasm to compile our assembly code and then use ld to cre
And that's it ! in the next tutorial we will cover math operations and the stack, you can click [here](5.html). And that's it ! in the next tutorial we will cover math operations and the stack, you can click [here](5.md).

@ -84,5 +84,5 @@ Here we're going to use nasm to compile our assembly code:
And that's it ! next tutorial we'll look into loops, you can click [here](6.html). And that's it ! next tutorial we'll look into loops, you can click [here](6.md).

@ -103,5 +103,5 @@ Here we're going to use nasm to compile our assembly code and then use ld to get
And we see that we have been able to print out the Hello World text string inside of test.txt ! In the next tutorial we will check out a minimal shellcode used to spawn a /bin/sh shell. you can click [here](7.html). And we see that we have been able to print out the Hello World text string inside of test.txt ! In the next tutorial we will check out a minimal shellcode used to spawn a /bin/sh shell. you can click [here](7.md).

@ -4,15 +4,15 @@
##### Below you fill find my binary exploitation learning notes, the easier challenges are at the top, and the further down you go, the more we dig into advanced concepts. ##### Below you fill find my binary exploitation learning notes, the easier challenges are at the top, and the further down you go, the more we dig into advanced concepts.
[ Template Page ](0/0.html) [ Template Page ](0/0.md)
![](../assets/img/user.png) nihilist ![](../assets/img/user.png) nihilist
##### Preparing the Tools ##### Preparing the Tools
1. [Installing gdb gef](0/gdb.html) 1. [Installing gdb gef](0/gdb.md)
2. [Installing py pwntools](0/pwntools.html) 2. [Installing py pwntools](0/pwntools.md)
3. [Installing GHIDRA](0/ghidra.html) 3. [Installing GHIDRA](0/ghidra.md)
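
Review bot: the intro line kept as context reads "Below you fill find", which should be "will find". This hunk already rewrites every link in the block under it, so correct the typo here as well.
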
@ -28,9 +28,9 @@
The basics of reversing with simple to understand examples The basics of reversing with simple to understand examples
1. [✅ Strings](1/strings.html) 1. [✅ Strings](1/strings.md)
2. [✅ Helithumper RE](1/heli.html) 2. [✅ Helithumper RE](1/heli.md)
3. [✅ CSAW 2019 Beleaf](1/beleaf.html) 3. [✅ CSAW 2019 Beleaf](1/beleaf.md)
* | grep strings chmod * | grep strings chmod
@ -45,12 +45,12 @@ The basics of reversing with simple to understand examples
These are the most common binary exploits, they are there because of insecure functions that do not set a limit to user input, allowing the user to overwrite other memory registers. These are the most common binary exploits, they are there because of insecure functions that do not set a limit to user input, allowing the user to overwrite other memory registers.
1. [✅ CSAW 2018 Quals boi](2/boi.html) 1. [✅ CSAW 2018 Quals boi](2/boi.md)
2. [✅ TAMU 2019 pwn1](2/pwn1.html) 2. [✅ TAMU 2019 pwn1](2/pwn1.md)
3. [✅ TW 2017 Just Do It!](2/just.html) 3. [✅ TW 2017 Just Do It!](2/just.md)
4. [✅ CSAW 2016 Warmup](2/warm.html) 4. [✅ CSAW 2016 Warmup](2/warm.md)
5. [✅ CSAW 2018 Get it](2/get.html) 5. [✅ CSAW 2018 Get it](2/get.md)
6. [✅ TUCTF 2017 Vulnchat](2/vuln.html) 6. [✅ TUCTF 2017 Vulnchat](2/vuln.md)
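
Review bot: the section description kept as context says these overflows let the user "overwrite other memory registers", which mixes up two things. An unbounded write runs past the buffer into adjacent stack memory (neighbouring variables, the saved return address); registers only change later, when those overwritten values are loaded. Reword it to "overwrite adjacent memory" alongside the link changes.
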
@ -69,13 +69,13 @@ These are the most common binary exploits, they are there because of insecure fu
As i hit the shellcode buffer overflow binary challenges, i realized that i needed assembly skills, so this is a simple introduction to modern intel Assembly for the x86_64 (64bits) architecture. We make use of the [syscalls](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md#x86_64-64_bit) used to communicate with the Linux Kernel: As i hit the shellcode buffer overflow binary challenges, i realized that i needed assembly skills, so this is a simple introduction to modern intel Assembly for the x86_64 (64bits) architecture. We make use of the [syscalls](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md#x86_64-64_bit) used to communicate with the Linux Kernel:
1. [✅ Hello World](asm/1.html) 1. [✅ Hello World](asm/1.md)
2. [✅ Hello World Explained ](asm/2.html) 2. [✅ Hello World Explained ](asm/2.md)
3. [✅ Jumps, Calls](asm/3.html) 3. [✅ Jumps, Calls](asm/3.md)
4. [✅ User Input](asm/4.html) 4. [✅ User Input](asm/4.md)
5. [✅ Math Operations](asm/5.html) 5. [✅ Math Operations](asm/5.md)
6. [✅ Reading / Writing Files](asm/6.html) 6. [✅ Reading / Writing Files](asm/6.md)
7. [✅ Spawning a shell](asm/7.html) 7. [✅ Spawning a shell](asm/7.md)
@ -83,17 +83,17 @@ As i hit the shellcode buffer overflow binary challenges, i realized that i need
##### 2) Stack Buffer Overflows (Part 2) ##### 2) Stack Buffer Overflows (Part 2)
1. [✅ CSAW 2017 Pilot](2/pilot.html) 1. [✅ CSAW 2017 Pilot](2/pilot.md)
2. [✅ Tamu 2019 pwn3](2/pwn3.html) 2. [✅ Tamu 2019 pwn3](2/pwn3.md)
3. [✅ Tuctf 2018 shella-easy](2/shella.html) 3. [✅ Tuctf 2018 shella-easy](2/shella.md)
4. [✅ BKP 2016 calc](2/calc.html) 4. [✅ BKP 2016 calc](2/calc.md)
5. [✅ DCQuals 2019 speed](2/speed.html) 5. [✅ DCQuals 2019 speed](2/speed.md)
6. [✅ DCQuals 2016 feed](2/feed.html) 6. [✅ DCQuals 2016 feed](2/feed.md)
7. [✅ CSAW 2019 babyboi](2/bboi.html) 7. [✅ CSAW 2019 babyboi](2/bboi.md)
8. [✅ CSAW 2017 SVC](2/svc.html) 8. [✅ CSAW 2017 SVC](2/svc.md)
9. [✅ FB 2019 Overfloat](2/overf.html) 9. [✅ FB 2019 Overfloat](2/overf.md)
10. [✅ hs 2019 storytime](2/hs.html) 10. [✅ hs 2019 storytime](2/hs.md)
11. [✅ UTC 2019 shellme](2/shme.html) 11. [✅ UTC 2019 shellme](2/shme.md)
@ -115,9 +115,9 @@ As i hit the shellcode buffer overflow binary challenges, i realized that i need
##### 3) Bad Seed ##### 3) Bad Seed
1. [✅ h3 time ](3/h3.html) 1. [✅ h3 time ](3/h3.md)
2. [✅ hsctf 2019 tux talk ](3/tux.html) 2. [✅ hsctf 2019 tux talk ](3/tux.md)
3. [✅ Sunshine 17 Prepared ](3/prep.html) 3. [✅ Sunshine 17 Prepared ](3/prep.md)

@ -1,282 +0,0 @@
# ip=10.10.14.48 port=9005 course=2
Easy/26.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Teacher] → nc -lvnp 9005
Easy/26.html: → hash-identifier
Easy/11.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.40
Easy/28.html: → nmap -F 10.10.10.123
Easy/28.html: → nmap -sC -sV 10.10.10.123 -p 21,22,53,80,139,443,445
Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbmap -H 10.10.10.123 -p 445,139
Easy/28.html:→ enum4linux 10.10.10.123
Easy/28.html:→ smbclient \\\\10.10.10.123\\general
Easy/28.html:→ mv creds.txt Friendzone/creds.txt
Easy/28.html:→ mkdir Friendzone
Easy/28.html:→ mv creds.txt Friendzone/creds.txt
Easy/28.html:→ cd Friendzone
Easy/28.html:→ cat creds.txt
Easy/28.html: → nmap 10.10.10.123 --script smb-enum-shares
Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → pacman -S blackarch/python2-dnsknife
Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → dig axfr @10.10.10.123 friendzone.red
Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbclient -H //10.10.10.123/Development
Easy/28.html:λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001
Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001
Easy/36.html: → nmap -F 10.10.10.149
Easy/36.html: → nmap -sCV -p80,135,445 10.10.10.149
Easy/36.html: → git clone https://github.com/theevilbit/ciscot7
Easy/36.html: → cd ciscot7
Easy/36.html: → ls [21af318]
Easy/36.html: → python ciscot7.py -p 0242114B0E143F015F5D1E161713 [21af318]
Easy/36.html: → python ciscot7.py -p 02375012182C1A1D751618034F36415408 [21af318]
Easy/36.html: → echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' >> cis.md5 [21af318]
Easy/36.html: → cat cis.md5 [21af318]
Easy/36.html: → hashcat -m 500 [21af318]
Easy/36.html: → hashcat -m 500 cis.md5 /usr/share/wordlists/rockyou.txt [21af318]
Easy/36.html:→ nano users.txt
Easy/36.html:→ nano pass.txt
Easy/36.html:→ crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt
Easy/36.html: → msfdb init
Easy/36.html: → msfconsole
Easy/36.html:→ locate psexec.py
Easy/36.html:→ cd /usr/share/doc/python3-impacket/examples/
Easy/36.html:→ ls
Easy/36.html:→ python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149
Easy/36.html: → python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149
Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt
Easy/36.html: → git clone https://github.com/Hackplayers/evil-winrm
Easy/36.html: → cd evil-winrm
Easy/36.html: → cat Gemfile [e501272]
Easy/36.html: → gem install winrm winrm-fs stringio [e501272]
Easy/36.html: → sudo !! [e501272]
Easy/36.html: → sudo gem install winrm winrm-fs stringio [e501272]
Easy/36.html: → ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149 [e501272]
Easy/36.html: → wget https://download.sysinternals.com/files/SysinternalsSuite.zip
Easy/36.html: → mv ~/Downloads/SysinternalsSuite.zip .
Easy/36.html: → unzip SysinternalsSuite.zip
Easy/36.html: → strings firefox.exe_200218_153036.dmp | grep pass [e501272]
Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt --shares
Easy/36.html:→ python3 psexec.py administrator@10.10.10.149
Easy/31.html: → nmap -F 10.10.10.134
Easy/31.html: → nmap -sCV -p22,135,139,445 10.10.10.134
Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/] → smbclient -L //10.10.10.134/ -U ""
Easy/31.html: → smbclient //10.10.10.134/Backups
Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bastion] → cat note.txt
Easy/31.html:→ mount -t cifs //10.10.10.134/Backups mount
Easy/31.html:→ ls && cd mount
Easy/31.html:→ ls
Easy/31.html: → smbmap -u nihilist -H 10.10.10.134
Easy/31.html: → ls
Easy/31.html: → ls
Easy/31.html: → du -hs WindowsImageBackup
Easy/31.html: → cd WindowsImageBackup
Easy/31.html: → cd L4mpje-PC
Easy/31.html: → ls
Easy/31.html: → cd Backup\ 2019-02-22\ 124351
Easy/31.html: → du -hs *
Easy/31.html: → guestmount
Easy/31.html: → apt install libguestfs-tools && guestmount --help
Easy/31.html: → mkdir /home/nihilist/_HTB/Bastion/vhd
Easy/31.html: → guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /home/nihilist/_HTB/Bastion/vhd
Easy/31.html: → cd /home/nihilist/_HTB/Bastion
Easy/31.html: → cd vhd
Easy/31.html: → ls
Easy/31.html:→ find Desktop Documents Downloads -ls
Easy/31.html: → cd ../..
Easy/31.html: → cd Windows/System32/config
Easy/31.html: → ls
Easy/31.html: → cp SAM SYSTEM /home/nihilist/_HTB/Bastion
Easy/31.html: → cd ../../../..
Easy/31.html: → ls
Easy/31.html: → file SAM SYSTEM
Easy/31.html: → mkdir backup && mv SAM backup/ && mv SYSTEM backup/
Easy/31.html: → cd backup
Easy/31.html: → ls
Easy/31.html: → impacket-secretsdump -sam SAM -system SYSTEM local
Easy/31.html:→ smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134
Easy/31.html:→ ssh L4mpje@10.10.10.134
Easy/31.html: → cd vhd
Easy/31.html: → ls
Easy/31.html: → cd Windows/System32/config
Easy/31.html: → ls -lash | grep SAM
Easy/31.html: → ls -lash | grep SYSTEM
Easy/31.html: → cd ../../..
Easy/31.html: → cd ..
Easy/31.html: → curl -sk https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1 > jaws-enum.ps1
Easy/31.html: → ifconfig | grep inet
Easy/31.html: → python -m SimpleHTTPServer 8080
Easy/31.html:→ curl -sk https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py > mremoteng.py
Easy/31.html:→ python3 mremoteng.py
Easy/31.html: → python3 mremoteng.py -s yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB
Easy/31.html: → python3 mremoteng.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Easy/31.html:→ ssh Administrator@10.10.10.134
Easy/31.html: → ssh Administrator@10.10.10.134
Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.68
Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.68/
Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nano rev.php
Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → cat rev.php
Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80
Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001
Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → curl -vsk http://10.10.10.68/uploads/rev.php
Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001
Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → searchsploit kernel 4.4
Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → locate 44298.c
Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → cp /usr/share/exploitdb/exploits/linux/local/44298.c .
Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → gcc -o 44298 -m64 44298.c
Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → ls
Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80
Easy/22.html: → nmap 10.10.10.98 -F
Easy/22.html:→ nmap -sCV 10.10.10.98
Easy/22.html:→ ftp 10.10.10.98
Easy/22.html:→ 7z x Access\ Control.zip
Easy/22.html:→ ls
Easy/22.html:→ file backup.mdb
Easy/22.html: → 7z x Access\ Control.zip -paccess4u@security
Easy/22.html: → ls
Easy/22.html: → file Access\ Control.pst
Easy/22.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Access] → telnet 10.10.10.98
Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.75
Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.75/
Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.75/nibbleblog/
Easy/16.html:λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Nibbleblog 4.0.3
Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → msfconsole
Easy/33.html: → nmap -F 10.10.10.138
Easy/33.html:→ nmap -sCV -p80 10.10.10.138
Easy/33.html: → echo '10.10.10.138 writeup.htb' >> /etc/hosts
Easy/33.html: → curl -sk http://writeup.htb/
Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50
Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50
Easy/33.html: → nikto -h http://10.10.10.138/
Easy/33.html: → curl -sk http://10.10.10.138/robots.txt
Easy/33.html: → curl -sk http://10.10.10.138/writeup/ | grep CMS
Easy/33.html:→ searchsploit CMS Made Simple | grep Injection
Easy/33.html:→ locate 46635.py
Easy/33.html:→ cp /usr/share/exploitdb/exploits/php/webapps/46635.py .
Easy/33.html:→ nano 46635.py
Easy/33.html:→ python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt
Easy/33.html: → ssh jkr@writeup.htb
Easy/33.html:→ cat nihilist.py
Easy/33.html:→ python -m SimpleHTTPServer 8080
Easy/33.html:→ nc -lvnp 1234
Easy/33.html: → ssh jkr@10.10.10.138
Easy/33.html:→ nc -lvnp 1234
Easy/35.html: → nmap -F 10.10.10.147 --top-ports 10000 -vvv
Easy/35.html: → nmap -sCV -p22,80,1337 10.10.10.147
Easy/35.html: → nikto -h http://10.10.10.147/
Easy/35.html: → dirsearch -u http://10.10.10.147/ -e php,html,txt,js
Easy/35.html: → ls
Easy/35.html: → file myapp
Easy/35.html: → chmod +x myapp
Easy/35.html: → gdb ./myapp
Easy/35.html:→ wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh
Easy/35.html:→ gdb -q myapp
Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000
Easy/35.html:$rsp : 0x00007fffffffe438 → "AAAAAAAA"
Easy/35.html:$rsi : 0x00000000004052a0 → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret
Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001
Easy/35.html:0x00007fffffffe448│+0x0010: 0x00007fffffffe518 → 0x00007fffffffe774 → "/home/nihilist/_HTB/Safe/Ghidra/myapp"
Easy/35.html:0x00007fffffffe458│+0x0020: 0x000000000040115f → <****main+0> push rbp
Easy/35.html:0x00007fffffffe470│+0x0038: 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html: → 0x4011ac <****main+77> ret
Easy/35.html:[#0] 0x4011ac → main()
Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000
Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"
Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]"
Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret
Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001
Easy/35.html: → 0x4011ac <****main+77> ret
Easy/35.html:[#0] 0x4011ac → main()
Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000
Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"
Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]"
Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret
Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001
Easy/35.html: → python -c 'print "X"*128 + "Y"*8 + "Z"*8'
Easy/35.html: $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
Easy/35.html: $rdx : 0x00007ffff7fad580 → 0x0000000000000000
Easy/35.html: $rsp : 0x00007fffffffe438 → "XXXXXXXXYYYYYYYYZZZZZZZZ"
Easy/35.html: $rsi : 0x00000000004052a0 → "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]"
Easy/35.html: $rip : 0x00000000004011ac → <****main+77> ret
Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html: $r13 : 0x00007fffffffe510 → 0x0000000000000001
Easy/35.html:→ nano exploit.py
Easy/35.html: $rsp : 0x00007fff98990520 → 0x0000000000000001
Easy/35.html: $rip : 0x00007fd2a202e090 → <_start+0> mov rdi, rsp
Easy/35.html: 0x00007fff98990528│+0x0008: 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
Easy/35.html: 0x00007fff98990538│+0x0018: 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV"
Easy/35.html: 0x00007fff98990540│+0x0020: 0x00007fff9899276c → "APPIMAGE=/tmp/tm"
Easy/35.html: 0x00007fff98990548│+0x0028: 0x00007fff9899277d → "COLORTERM=truecolor"
Easy/35.html: 0x00007fff98990550│+0x0030: 0x00007fff98992791 → "DISPLAY=:0.0"
Easy/35.html: 0x00007fff98990558│+0x0038: 0x00007fff9899279e → "HOME=/root"
Easy/35.html: → 0x7fd2a202e090 <_start+0> mov rdi, rsp
Easy/35.html: [#0] 0x7fd2a202e090 → _start()
Easy/35.html: $rax : 0x000000000040115f → <****main+0> push rbp
Easy/35.html: $rcx : 0x00007fd2a2007718 → 0x00007fd2a2009a40 → 0x0000000000000000
Easy/35.html: $rdx : 0x00007fff98990538 → 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV"
Easy/35.html: $rsp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15
Easy/35.html: $rbp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15
Easy/35.html: $rsi : 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
Easy/35.html: $rip : 0x0000000000401163 → <****main+4> sub rsp, 0x70
Easy/35.html: $r8 : 0x00007fd2a2009a50 → 0x0000000000000004
Easy/35.html: $r9 : 0x00007fd2a203c780 → <_dl_fini+0> push rbp
Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
Easy/35.html: $r13 : 0x00007fff98990520 → 0x0000000000000001
Easy/35.html: 0x00007fff98990440│+0x0000: 0x00000000004011b0 → <__libc_csu_init+0> push r15 ← $rsp, $rbp
Easy/35.html: 0x00007fff98990448│+0x0008: 0x00007fd2a1e74bbb → <__libc_start_main+235> mov edi, eax
Easy/35.html: 0x00007fff98990458│+0x0018: 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
Easy/35.html: 0x00007fff98990468│+0x0028: 0x000000000040115f → <****main+0> push rbp
Easy/35.html: → 0x401163 <****main+4> sub rsp, 0x70
Easy/35.html: [#0] 0x401163 → main()
Easy/35.html:→ 0x401163 <****main+4> sub rsp, 0x70
Easy/35.html:→ objdump -D myapp | grep -i system
Easy/35.html: → objdump -D myapp | grep -i test
Easy/35.html: → nano exploit.py
Easy/35.html: → python3 exploit.py
Easy/35.html:→ ssh-keygen -f safe
Easy/35.html:→ chmod 600 safe
Easy/35.html:→ cat safe.pub
Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:MyPasswords.kdbx .
Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:IMG_0547.JPG .
Easy/35.html: → ls
Easy/35.html: → file MyPasswords.kdbx
Easy/35.html: → file IMG_0547.JPG
Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g"
Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" > keepass_hash
Easy/35.html: → john -w:/usr/share/wordlists/rockyou.txt keepass_hash
Easy/5.html:**λ nihilist [nihilist/_HTB/Optimum] → nmap -sC -sV 10.10.10.8**
Easy/5.html: **λ root [nihilist/_HTB/Optimum] → nikto -h http://10.10.10.8/**
Easy/5.html: **λ root [nihilist/_HTB/Optimum] → searchsploit rejetto**
Easy/34.html: → nmap -F 10.10.10.115
Easy/34.html: → nmap -sCV -p22,80 10.10.10.115
Easy/34.html:→ echo "10.10.10.115 haystack.htb" >> /etc/hosts
Easy/34.html: → dirsearch -u http://10.10.10.115/ -t 50 -e txt,php,html,js
Easy/34.html:→ nikto -h http://haystack.htb/
Easy/34.html: → curl -sk http://haystack.htb/robots.txt | grep nginx
Easy/34.html: → wget http://haystack.htb/needle.jpg
Easy/34.html: → exiftool needle.jpg
Easy/34.html: → strings needle.jpg
Easy/34.html: → echo "bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==" | base64 -d
Easy/34.html: → nmap -F 10.10.10.115 --top-ports 10000 -vvv
Easy/34.html: → nmap -sCV -p9200 10.10.10.115
Easy/34.html: → curl -sk http://haystack.htb:9200
Easy/34.html: → curl -sk http://haystack.htb:9200/_cat/indices/\?v
Easy/34.html:→ curl -X POST http://haystack.htb:9200/\/_search
Easy/34.html:→ curl -X POST http://haystack.htb:9200/bank/_search
Easy/34.html:→ npm install elasticdump -g
Easy/34.html:→ elasticdump --input=http://10.10.10.115:9200/quotes --output=quotes.json --type=data
Easy/34.html: → cat quotes.json| grep clave
Easy/34.html: → echo "cGFzczogc3BhbmlzaC5pcy5rZXk=" | base64 -d
Easy/34.html: → echo "dXNlcjogc2VjdXJpdHkg" | base64 -d
Easy/34.html: → ssh security@haystack.htb
Easy/34.html:→ nano nihilist.js
Easy/34.html:→ python -m SimpleHTTPServer 8080
Easy/34.html:→ cat nihilist.js
Easy/34.html:→ nc -lvnp 9001
Easy/34.html:→ nc -lvnp 9001
Easy/34.html: → nc -lvnp 9002
`**

306
index.md
View file

@ -10,78 +10,78 @@
##### Hack The Box - Easy Boxes ##### Hack The Box - Easy Boxes
[ Template Page ](Easy/0.html) [ Template Page ](Easy/0.md)
1. [ ✅ - Lame ](Easy/1.html) 1. [ ✅ - Lame ](Easy/1.md)
2. [ ✅ - Legacy ](Easy/2.html) 2. [ ✅ - Legacy ](Easy/2.md)
3. [ ✅ - Devel ](Easy/3.html) 3. [ ✅ - Devel ](Easy/3.md)
4. [ ✅ - Beep ](Easy/4.html) 4. [ ✅ - Beep ](Easy/4.md)
5. [ ✅ - Optimum ](Easy/5.html) 5. [ ✅ - Optimum ](Easy/5.md)
6. [ ✅ - Arctic ](Easy/6.html) 6. [ ✅ - Arctic ](Easy/6.md)
7. [ ✅ - Grandpa ](Easy/7.html) 7. [ ✅ - Grandpa ](Easy/7.md)
8. [ ✅ - Granny ](Easy/8.html) 8. [ ✅ - Granny ](Easy/8.md)
9. [ ✅ - Bank ](Easy/9.html) 9. [ ✅ - Bank ](Easy/9.md)
10. [ ✅ - Blocky ](Easy/10.html) 10. [ ✅ - Blocky ](Easy/10.md)
11. [ ✅ - Blue ](Easy/11.html) 11. [ ✅ - Blue ](Easy/11.md)
12. [ ✅ - Mirai ](Easy/12.html) 12. [ ✅ - Mirai ](Easy/12.md)
13. [ ✅ - Shocker ](Easy/13.html) 13. [ ✅ - Shocker ](Easy/13.md)
14. [ ✅ - Sense ](Easy/14.html) 14. [ ✅ - Sense ](Easy/14.md)
15. [ ✅ - Bashed ](Easy/15.html) 15. [ ✅ - Bashed ](Easy/15.md)
16. [ ✅ - Nibbles ](Easy/16.html) 16. [ ✅ - Nibbles ](Easy/16.md)
17. [ ✅ - Valentine ](Easy/17.html) 17. [ ✅ - Valentine ](Easy/17.md)
18. [ ✅ - Sunday](Easy/18.html) 18. [ ✅ - Sunday](Easy/18.md)
19. [ ✅ - Bounty](Easy/19.html) 19. [ ✅ - Bounty](Easy/19.md)
20. [ ✅ - Jerry ](Easy/20.html) 20. [ ✅ - Jerry ](Easy/20.md)
21. [ ✅ - Active ](Easy/21.html) 21. [ ✅ - Active ](Easy/21.md)
22. [ ✅ - Access ](Easy/22.html) 22. [ ✅ - Access ](Easy/22.md)
23. [ ✅ - Frolic ](Easy/23.html) 23. [ ✅ - Frolic ](Easy/23.md)
24. [ ✅ - Curling ](Easy/24.html) 24. [ ✅ - Curling ](Easy/24.md)
25. [ ✅ - Irked ](Easy/25.html) 25. [ ✅ - Irked ](Easy/25.md)
26. [ ✅ - Teacher ](Easy/26.html) 26. [ ✅ - Teacher ](Easy/26.md)
27. [ ✅ - Help ](Easy/27.html) 27. [ ✅ - Help ](Easy/27.md)
28. [ ✅ - FriendZone ](Easy/28.html) 28. [ ✅ - FriendZone ](Easy/28.md)
29. [ ✅ - Netmon ](Easy/29.html) 29. [ ✅ - Netmon ](Easy/29.md)
30. [ ✅ - CasaDePapel ](Easy/30.html) 30. [ ✅ - CasaDePapel ](Easy/30.md)
31. [ ✅ - Bastion ](Easy/31.html) 31. [ ✅ - Bastion ](Easy/31.md)
32. [ ✅ - SwagShop ](Easy/32.html) 32. [ ✅ - SwagShop ](Easy/32.md)
33. [ ✅ - Writeup ](Easy/33.html) 33. [ ✅ - Writeup ](Easy/33.md)
34. [ ✅ - Haystack ](Easy/34.html) 34. [ ✅ - Haystack ](Easy/34.md)
35. [ ✅ - Safe ](Easy/35.html) 35. [ ✅ - Safe ](Easy/35.md)
36. [ ✅ - Heist ](Easy/36.html) 36. [ ✅ - Heist ](Easy/36.md)
37. [ ✅ - Networked ](Easy/37.html) 37. [ ✅ - Networked ](Easy/37.md)
38. [ ✅ - Forest](Easy/38.html) 38. [ ✅ - Forest](Easy/38.md)
39. [ ✅ - Postman](Easy/39.html) 39. [ ✅ - Postman](Easy/39.md)
40. [ ✅ - Traverxec](Easy/40.html) 40. [ ✅ - Traverxec](Easy/40.md)
41. [ ✅ - OpenAdmin](Easy/41.html) 41. [ ✅ - OpenAdmin](Easy/41.md)
42. [ ✅ - Nest](Easy/42.html) 42. [ ✅ - Nest](Easy/42.md)
43. [ ✅ - Traceback](Easy/43.html) 43. [ ✅ - Traceback](Easy/43.md)
44. [ ✅ - Remote](Easy/44.html) 44. [ ✅ - Remote](Easy/44.md)
45. [ ✅ - Servmon](Easy/45.html) 45. [ ✅ - Servmon](Easy/45.md)
46. [ ✅ - Admirer](Easy/46.html) 46. [ ✅ - Admirer](Easy/46.md)
47. [ ✅ - Blunder](Easy/47.html) 47. [ ✅ - Blunder](Easy/47.md)
48. [ ✅ - Tabby](Easy/48.html) 48. [ ✅ - Tabby](Easy/48.md)
49. [ ✅ - Buff](Easy/49.html) 49. [ ✅ - Buff](Easy/49.md)
50. [ ✅ - Omni](Easy/50.html) 50. [ ✅ - Omni](Easy/50.md)
51. [ ✅ - Doctor](Easy/51.html) 51. [ ✅ - Doctor](Easy/51.md)
52. [ ✅ - Academy](Easy/52.html) 52. [ ✅ - Academy](Easy/52.md)
53. [ ✅ - Laboratory](Easy/53.html) 53. [ ✅ - Laboratory](Easy/53.md)
54. [ ✅ - Luanne](Easy/54.html) 54. [ ✅ - Luanne](Easy/54.md)
55. [ ✅ - Delivery](Easy/55.html) 55. [ ✅ - Delivery](Easy/55.md)
56. [ ✅ - Toolbox](Easy/56.html) 56. [ ✅ - Toolbox](Easy/56.md)
57. [ ✅ - Sauna](Easy/57.html) 57. [ ✅ - Sauna](Easy/57.md)
58. [ ✅ - ScriptKiddie](Easy/58.html) 58. [ ✅ - ScriptKiddie](Easy/58.md)
59. [ ✅ - Armageddon](Easy/59.html) 59. [ ✅ - Armageddon](Easy/59.md)
60. [ ✅ - Spectra](Easy/60.html) 60. [ ✅ - Spectra](Easy/60.md)
61. [ ✅ - Love](Easy/61.html) 61. [ ✅ - Love](Easy/61.md)
62. [ ✅ - Cap](Easy/62.html) 62. [ ✅ - Cap](Easy/62.md)
63. [ ✅ - Knife](Easy/63.html) 63. [ ✅ - Knife](Easy/63.md)
64. [ ✅ - Previse](Easy/64.html) 64. [ ✅ - Previse](Easy/64.md)
65. [ ✅ - Paper](Easy/65.html) 65. [ ✅ - Paper](Easy/65.md)
66. [ ✅ - BountyHunter](Easy/66.html) 66. [ ✅ - BountyHunter](Easy/66.md)
67. [ ✅ - Explore](Easy/67.html) 67. [ ✅ - Explore](Easy/67.md)
68. [ ✅ - Horizontall](Easy/68.html) 68. [ ✅ - Horizontall](Easy/68.md)
69. [ ✅ - Backdoor](Easy/69.html) 69. [ ✅ - Backdoor](Easy/69.md)
70. [ ✅ - Driver](Easy/70.html) 70. [ ✅ - Driver](Easy/70.md)
@ -162,75 +162,75 @@
##### Hack The Box - Medium Boxes ##### Hack The Box - Medium Boxes
[Template Page](Medium/0.html) [Template Page](Medium/0.md)
1. [ ✅ - Popcorn](Medium/1.html) 1. [ ✅ - Popcorn](Medium/1.md)
2. [ ✅ - Bastard](Medium/2.html) 2. [ ✅ - Bastard](Medium/2.md)
3. [ ✅ - Tenten](Medium/3.html) 3. [ ✅ - Tenten](Medium/3.md)
4. [ ✅ - Cronos](Medium/4.html) 4. [ ✅ - Cronos](Medium/4.md)
5. [ ✅ - October](Medium/5.html) 5. [ ✅ - October](Medium/5.md)
6. [ ✅ - Lazy](Medium/6.html) 6. [ ✅ - Lazy](Medium/6.md)
7. [ ✅ - Sneaky](Medium/7.html) 7. [ ✅ - Sneaky](Medium/7.md)
8. [ ✅ - Haircut](Medium/8.html) 8. [ ✅ - Haircut](Medium/8.md)
9. [ ✅ - Europa](Medium/9.html) 9. [ ✅ - Europa](Medium/9.md)
10. [ ✅ - Nineveh](Medium/10.html) 10. [ ✅ - Nineveh](Medium/10.md)
11. [ ✅ - Apocalyst](Medium/11.html) 11. [ ✅ - Apocalyst](Medium/11.md)
12. [ ✅ - SolidState](Medium/12.html) 12. [ ✅ - SolidState](Medium/12.md)
13. [ ✅ - Node](Medium/13.html) 13. [ ✅ - Node](Medium/13.md)
14. [ ✅ - Enterprise](Medium/14.html) 14. [ ✅ - Enterprise](Medium/14.md)
15. [ ✅ - Jeeves](Medium/15.html) 15. [ ✅ - Jeeves](Medium/15.md)
16. [ ✅ - Inception](Medium/16.html) 16. [ ✅ - Inception](Medium/16.md)
17. [ ✅ - FluxCapacitor](Medium/17.html) 17. [ ✅ - FluxCapacitor](Medium/17.md)
18. [ ✅ - Chatterbox](Medium/18.html) 18. [ ✅ - Chatterbox](Medium/18.md)
19. [ ✅ - Aragog](Medium/19.html) 19. [ ✅ - Aragog](Medium/19.md)
20. [ ✅ - Bart](Medium/20.html) 20. [ ✅ - Bart](Medium/20.md)
21. [ ✅ - Stratosphere](Medium/21.html) 21. [ ✅ - Stratosphere](Medium/21.md)
22. [ ✅ - Celestial](Medium/22.html) 22. [ ✅ - Celestial](Medium/22.md)
23. [ ✅ - Silo](Medium/23.html) 23. [ ✅ - Silo](Medium/23.md)
24. [ ✅ - Poison](Medium/24.html) 24. [ ✅ - Poison](Medium/24.md)
25. [ ✅ - Canape](Medium/25.html) 25. [ ✅ - Canape](Medium/25.md)
26. [ ✅ - Olympus](Medium/26.html) 26. [ ✅ - Olympus](Medium/26.md)
27. [ ✅ - TartarSauce](Medium/27.html) 27. [ ✅ - TartarSauce](Medium/27.md)
28. [ ✅ - DevOops](Medium/28.html) 28. [ ✅ - DevOops](Medium/28.md)
29. [ ✅ - Hawk](Medium/29.html) 29. [ ✅ - Hawk](Medium/29.md)
30. [ ✅ - Waldo](Medium/30.html) 30. [ ✅ - Waldo](Medium/30.md)
31. [ ✅ - SecNotes](Medium/31.html) 31. [ ✅ - SecNotes](Medium/31.md)
32. [ ✅ - Giddy](Medium/32.html) 32. [ ✅ - Giddy](Medium/32.md)
33. [ ✅ - Ypuffy](Medium/33.html) 33. [ ✅ - Ypuffy](Medium/33.md)
34. [ ✅ - Carrier](Medium/34.html) 34. [ ✅ - Carrier](Medium/34.md)
35. [ ✅ - Vault](Medium/35.html) 35. [ ✅ - Vault](Medium/35.md)
36. [ ✅ - Redcross](Medium/36.html) 36. [ ✅ - Redcross](Medium/36.md)
37. [ ✅ - Lightweight](Medium/37.html) 37. [ ✅ - Lightweight](Medium/37.md)
38. [ ✅ - Chaos](Medium/38.html) 38. [ ✅ - Chaos](Medium/38.md)
39. [ ✅ - Querier](Medium/39.html) 39. [ ✅ - Querier](Medium/39.md)
40. [ ✅ - Arkham](Medium/40.html) 40. [ ✅ - Arkham](Medium/40.md)
41. [ ✅ - Unattended](Medium/41.html) 41. [ ✅ - Unattended](Medium/41.md)
42. [ ✅ - Luke](Medium/42.html) 42. [ ✅ - Luke](Medium/42.md)
43. [ ✅ - Jarvis](Medium/43.html) 43. [ ✅ - Jarvis](Medium/43.md)
44. [ ✅ - Craft](Medium/44.html) 44. [ ✅ - Craft](Medium/44.md)
45. [ ✅ - Bitlab](Medium/45.html) 45. [ ✅ - Bitlab](Medium/45.md)
46. [ ✅ - Wall](Medium/46.html) 46. [ ✅ - Wall](Medium/46.md)
47. [ ✅ - Json](Medium/47.html) 47. [ ✅ - Json](Medium/47.md)
48. [ ✅ - AI](Medium/48.html) 48. [ ✅ - AI](Medium/48.md)
49. [ ✅ - Sniper ](Medium/49.html) 49. [ ✅ - Sniper ](Medium/49.md)
50. [ ✅ - Mango ](Medium/50.html) 50. [ ✅ - Mango ](Medium/50.md)
51. [ ✅ - Obscurity](Medium/51.html) 51. [ ✅ - Obscurity](Medium/51.md)
52. [ ✅ - Monteverde](Medium/52.html) 52. [ ✅ - Monteverde](Medium/52.md)
53. [ ✅ - Book](Medium/53.html) 53. [ ✅ - Book](Medium/53.md)
54. [ ✅ - Cascade](Medium/54.html) 54. [ ✅ - Cascade](Medium/54.md)
55. [ ✅ - Magic](Medium/55.html) 55. [ ✅ - Magic](Medium/55.md)
56. [ ✅ - Cache](Medium/56.html) 56. [ ✅ - Cache](Medium/56.md)
57. [ ✅ - Fuse](Medium/57.html) 57. [ ✅ - Fuse](Medium/57.md)
58. [ ✅ - SneakyMailer](Medium/58.html) 58. [ ✅ - SneakyMailer](Medium/58.md)
59. [ ✅ - OpenKeyS](Medium/59.html) 59. [ ✅ - OpenKeyS](Medium/59.md)
60. [ ✅ - Worker](Medium/60.html) 60. [ ✅ - Worker](Medium/60.md)
61. [ ✅ - Passage](Medium/61.html) 61. [ ✅ - Passage](Medium/61.md)
62. [ ✅ - Jewel](Medium/62.html) 62. [ ✅ - Jewel](Medium/62.md)
63. [ ✅ - Bucket](Medium/63.html) 63. [ ✅ - Bucket](Medium/63.md)
64. [ ✅ - Time](Medium/64.html) 64. [ ✅ - Time](Medium/64.md)
65. [ ✅ - Ready](Medium/65.html) 65. [ ✅ - Ready](Medium/65.md)
66. [ ✅ - Tenet](Medium/66.html) 66. [ ✅ - Tenet](Medium/66.md)
67. [ ✅ - Ophiuchi](Medium/67.html) 67. [ ✅ - Ophiuchi](Medium/67.md)
@ -282,7 +282,7 @@
* | Centreon, uncompyle, linpeas, GNU Screen 4.5.0 * | Centreon, uncompyle, linpeas, GNU Screen 4.5.0
* | Json.Net deserialization, WS2012 R2 Datacenter * | Json.Net deserialization, WS2012 R2 Datacenter
* | Speech recognition SQL injection, jdwp * | Speech recognition SQL injection, jdwp
* | RFI, MS Compiled HTML Help * | RFI, MS Compiled md Help
* | MongoDB NoSQL injection, jjs * | MongoDB NoSQL injection, jjs
* | Python exec(), file decryption, background processes * | Python exec(), file decryption, background processes
* | Azure AD Connect exploit PoC * | Azure AD Connect exploit PoC
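Review bot: The `RFI, MS Compiled HTML Help` entry in this hunk was caught by the `.html` to `.md` rename even though it is prose, not a link; it now reads `MS Compiled md Help`, which names nothing. Restore the original wording and limit the substitution to link targets, that is, the `.html` suffix inside the parentheses of a Markdown link, matched case-sensitively so that the word "HTML" in running text is left alone. The other tutorial pages touched by this commit are worth checking for the same false positive.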
@ -308,18 +308,18 @@
##### Hack The Box - Hard Boxes ##### Hack The Box - Hard Boxes
[Template Page](Hard/0.html) [Template Page](Hard/0.md)
1. [ ✅ - Joker](Hard/1.html) 1. [ ✅ - Joker](Hard/1.md)
2. [ ✅ - Calamity ](Hard/2.html) 2. [ ✅ - Calamity ](Hard/2.md)
3. [ ✅ - Charon](Hard/3.html) 3. [ ✅ - Charon](Hard/3.md)
4. [ ✅ - Shrek](Hard/4.html) 4. [ ✅ - Shrek](Hard/4.md)
5. [ ✅ - Mantis](Hard/5.html) 5. [ ✅ - Mantis](Hard/5.md)
6. [ ✅ - Kotarak](Hard/7.html) 6. [ ✅ - Kotarak](Hard/7.md)
7. [ ✅ - Tally](Hard/6.html) 7. [ ✅ - Tally](Hard/6.md)
8. [ ✅ - CrimeStoppers](Hard/8.html) 8. [ ✅ - CrimeStoppers](Hard/8.md)
9. [ ✅ - Falafel](Hard/9.html) 9. [ ✅ - Falafel](Hard/9.md)
10. [ ✅ - Dropzone](Hard/10.html) 10. [ ✅ - Dropzone](Hard/10.md)
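Review bot: List entries 6 and 7 in this hunk are crossed against their targets: `6. Kotarak` links to `Hard/7.md` and `7. Tally` links to `Hard/6.md`. The rename carries that over unchanged. If the display order is deliberate, a short comment in the index would save the next editor from "fixing" it; otherwise swap the two entries so the list number and the file number agree, since the links are being touched anyway.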
@ -340,7 +340,7 @@
##### Recurrent Tricks ##### Recurrent Tricks
[ Template Page ](Easy/0.html) [ Template Page ](Easy/0.md)
1. [✅ - File transfers ](Tools/files/index.md) 1. [✅ - File transfers ](Tools/files/index.md)
2. [✅ - reverse shells with XC ](Tools/xc/index.md) 2. [✅ - reverse shells with XC ](Tools/xc/index.md)
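Review bot: The Template Page link under "Recurrent Tricks" still points to `Easy/0.md`, while the Medium and Hard sections link to their own `Medium/0.md` and `Hard/0.md`, and the entries below it live under `Tools/`. The commit only changes the extension, so this looks like a copy-paste leftover from the Easy section; point it at a Tools template or drop the link.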
@ -357,7 +357,7 @@
![](concept.png) ![](concept.png)
# [Binary Exploitation](binexp.html) # [Binary Exploitation](binexp.md)
![](0.png) ![](0.png)