JorianWoltjer
diff --git a/‎SUMMARY.md‎
Lines changed: 5 additions & 5 deletions b/‎SUMMARY.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎cryptography/hashing/README.md‎
Lines changed: 18 additions & 20 deletions b/‎cryptography/hashing/README.md‎
Lines changed: 18 additions & 20 deletions
diff --git a/‎cryptography/hashing/cracking-hashes.md‎
Lines changed: 34 additions & 41 deletions b/‎cryptography/hashing/cracking-hashes.md‎
Lines changed: 34 additions & 41 deletions
diff --git a/‎cryptography/z3-solver.md‎
Lines changed: 2 additions & 2 deletions b/‎cryptography/z3-solver.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎forensics/archives.md‎
Lines changed: 3 additions & 4 deletions b/‎forensics/archives.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎forensics/file-formats.md‎
Lines changed: 9 additions & 11 deletions b/‎forensics/file-formats.md‎
Lines changed: 9 additions & 11 deletions
diff --git a/‎forensics/file-recovery.md‎
Lines changed: 3 additions & 4 deletions b/‎forensics/file-recovery.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎forensics/grep.md‎
Lines changed: 3 additions & 6 deletions b/‎forensics/grep.md‎
Lines changed: 3 additions & 6 deletions
@@ -55,7 +55,7 @@
 
 ## 🐧 Linux
 
-* [Shells](linux/shells.md)
+* [Shells](linux/hacking-linux-boxes.md)
 * [Linux Privilege Escalation](linux/linux-privilege-escalation/README.md)
   * [Enumeration](linux/linux-privilege-escalation/enumeration.md)
   * [Sudo](linux/linux-privilege-escalation/sudo.md)
@@ -70,7 +70,7 @@
 ## ❔ Other
 
 * [WSL Guide](other/wsl-guide.md)
-* [OSINT](other/osint.md)
+* [OSINT](other/osint/README.md)
 
 ## 🔨 TODO
 
@@ -105,6 +105,6 @@
 * [Python](todo/python.md)
 * [Hacking Windows Boxes](todo/hacking-windows-boxes.md)
 * [Windows Privilege Escalation](todo/windows-privilege-escalation.md)
-* [Networking](todo/networking.md)
-* [Googling](todo/googling.md)
-* [WaybackMachine](todo/waybackmachine.md)
+* [Networking](linux/networking.md)
+* [Googling](other/osint/todo-googling.md)
+* [WaybackMachine](other/osint/todo-waybackmachine.md)
@@ -69,20 +69,19 @@ To create such a file you can use the [poc\_no.sh](https://github.com/cr-marcste
 In the example above I used a file containing `"A"*64 + "B"*64 + "C"*64 + "test"` as the prefix. This will make sure the identical prefix starts with AAA...CCC and the collision blocks start with "test". \
 Then after this, I added `"D"*64 + "E"*64 + "F"*64` to the generated collisions because any data after will only change the hash, but the collision will remain.&#x20;
 
-```shell-session
-$ python3 -c 'print("A"*64 + "B"*64 + "C"*64 + "test", end="")' > prefix  # Create prefix
-$ ../scripts/poc_no.sh prefix  # Do collision (takes a few minutes)
-...
-$ md5sum collision*.bin  # MD5 sums are the same
-a83232a6730cdd6102d002e31ffd1c3f  collision1.bin
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ python3 -c 'print("A"*64 + "B"*64 + "C"*64 + "test", end="")' > prefix  # Create prefix
+</strong><strong>$ ../scripts/poc_no.sh prefix  # Do collision (takes a few minutes)
+</strong>...
+<strong>$ md5sum collision*.bin  # MD5 sums are the same
+</strong>a83232a6730cdd6102d002e31ffd1c3f  collision1.bin
 a83232a6730cdd6102d002e31ffd1c3f  collision2.bin
-$ # Append data to collisions
-$ cat collision1.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision1_extra.bin
-$ cat collision2.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision2_extra.bin
-$ md5sum collision*_extra.bin  # MD5 sums still match
-e8842904b573ed3cd545a5b116f70af8  collision1_extra.bin
+# # Append data to collisions
+<strong>$ cat collision1.bin &#x3C;(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision1_extra.bin
+</strong><strong>$ cat collision2.bin &#x3C;(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision2_extra.bin
+</strong><strong>$ md5sum collision*_extra.bin  # MD5 sums still match
+</strong>e8842904b573ed3cd545a5b116f70af8  collision1_extra.bin
 e8842904b573ed3cd545a5b116f70af8  collision2_extra.bin
-```
+</code></pre>
 
 ### MD5 - Chosen Prefix
 
@@ -95,7 +94,7 @@ To create a collision like this, you could use the [cpc.sh](https://github.com/c
 I've let a VPS with 24 cores run for 1.5 days to find a chosen-prefix collision like this. I chose one prefix of a simple 256x256 png image, and the other prefix to be an XSS and PHP shell payload. So I could leave the terminal and look back at it later I used the `screen` command to start a session, and used `screen -r` every once in a while to check back into it. Another way would be to redirect the output to some log file to check.&#x20;
 
 ```shell-session
-$ # From hashclash clone (and build)
+# # From hashclash clone (and build)
 $ mkdir workdir && cd workdir
 $ ../scripts/cpc.sh 256.png prefix.php  # Takes a long time
 ```
@@ -169,15 +168,14 @@ In HTML, this can be done by looking at the `innerHTML` with `charCodeAt(102)` i
 1. [https://arw.me/f/1.html](https://arw.me/f/1.html)
 2. [https://arw.me/f/2.html](https://arw.me/f/2.html)
 
-```shell-session
-$ wget https://arw.me/f/1.html && wget https://arw.me/f/2.html
-$ sha1sum 1.html 2.html  # SHA1 collision
-ba97502d759d58f91ed212d7c981e0cfdfb70eef  1.html
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ wget https://arw.me/f/1.html &#x26;&#x26; wget https://arw.me/f/2.html
+</strong><strong>$ sha1sum 1.html 2.html  # SHA1 collision
+</strong>ba97502d759d58f91ed212d7c981e0cfdfb70eef  1.html
 ba97502d759d58f91ed212d7c981e0cfdfb70eef  2.html
-$ sha256sum 1.html 2.html  # SHA256 does not
-4477a514fa5e948d69e064a4e00378c69262e32e36c079b76226ae50e3d312cf  1.html
+<strong>$ sha256sum 1.html 2.html  # SHA256 does not
+</strong>4477a514fa5e948d69e064a4e00378c69262e32e36c079b76226ae50e3d312cf  1.html
 71c484897c7af6cb34cffa8f7c12dc3bf7fc834ed7f57123e21258d2f3fc4ba6  2.html
-```
+</code></pre>
 
 ## Length-extension Attack
 
 
@@ -49,24 +49,22 @@ Hashcat:                $pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab
 
 Sometimes you also need to **extract** a hash from a password-protected ZIP file for example. This is where John has a lot of useful tools. In the [`john/run`](https://github.com/openwall/john/tree/bleeding-jumbo/run) directory of your John the Ripper installation, there should be a lot of scripts and programs that allow you to convert certain files to the john format. For `.zip` archives there is the `zip2john` utility:
 
-```shell-session
-$ zip2john test.zip
-ver 1.0 efh 5455 efh 7875 test.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=17, decmplen=5, crc=22DC8822 ts=55EE cs=55ee type=0
-test.zip/flag.txt:$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$:flag.txt:test.zip::test.zip
-$ zip2john test.zip > john.hash
-$ cat john.hash
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ zip2john test.zip
+</strong>ver 1.0 efh 5455 efh 7875 test.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=17, decmplen=5, crc=22DC8822 ts=55EE cs=55ee type=0
 test.zip/flag.txt:$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$:flag.txt:test.zip::test.zip
-```
+<strong>$ zip2john test.zip > john.hash
+</strong><strong>$ cat john.hash
+</strong>test.zip/flag.txt:$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$:flag.txt:test.zip::test.zip
+</code></pre>
 
 There are a lot of files that can be converted to john like this, just find one for the file format you need and convert it using the script.&#x20;
 
 You can also use John to convert the hashes from a file, and then actually crack them with **Hashcat**. As stated above hashcat has a slightly different hash format, but from what I've found it's almost always just splitting the john hash by `:` colons and then taking the second part. That way you're only getting the hash without any other information.&#x20;
 
-```shell-session
-$ cat john.hash | awk -F: '{print $2}' > hashcat.hash
-$ cat hashcat.hash
-$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$
-```
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ cat john.hash | awk -F: '{print $2}' > hashcat.hash
+</strong><strong>$ cat hashcat.hash
+</strong>$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$
+</code></pre>
 
 ## [Hashcat](https://hashcat.net/hashcat/)
 
@@ -120,8 +118,9 @@ password?d         => password0 - password9  # Can put text in mask
 ```
 {% endcode %}
 
-<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ hashcat -m 0 hash.txt -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
-</strong></code></pre>
+```shell-session
+$ hashcat -m 0 hash.txt -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
+```
 
 #### Cracking IP addresses
 
@@ -147,16 +146,15 @@ ROOT123
 
 Using actual `.rule` files with the `-r` argument you can even specify multiple rules to create lots of passwords quickly:
 
-```shell-session
-$ cat case.rule
-l
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ cat case.rule
+</strong>l
 u
-$ cat 123.rule
-$1
+<strong>$ cat 123.rule
+</strong>$1
 $2
 $3
-$ hashcat --stdout -r case.rule -r 123.rule list.txt
-password1
+<strong>$ hashcat --stdout -r case.rule -r 123.rule list.txt
+</strong>password1
 PASSWORD1
 password2
 PASSWORD2
@@ -174,7 +172,7 @@ root2
 ROOT2
 root3
 ROOT3
-```
+</code></pre>
 
 ## [John the Ripper](https://github.com/openwall/john)
 
@@ -188,19 +186,16 @@ A list of example hashes with their name and john mode
 
 John is pretty specific with its arguments. For a custom wordlist, make sure to use `-wordlist=` with the `=` sign. If you do not include the `=` sign it will give a weird "invalid UTF-8" error. Here is an example of how you should run john:
 
-{% code title="Cracking an MD5 hash" %}
-```shell-session
-$ cat hash.txt
-5ebe2294ecd0e0f08eab7690d2a6ee69
-$ john --wordlist=/list/rockyou.txt --format=raw-md5 hash.txt 
-Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
+<pre class="language-shell-session" data-title="Cracking an MD5 hash"><code class="lang-shell-session"><strong>$ cat hash.txt
+</strong>5ebe2294ecd0e0f08eab7690d2a6ee69
+<strong>$ john --wordlist=/list/rockyou.txt --format=raw-md5 hash.txt 
+</strong>Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
 Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
 secret           (?)
 1g 0:00:00:00 DONE (2022-08-18 22:05) 50.00g/s 19200p/s 19200c/s 19200C/s 123456..michael1
 Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
 Session completed.
-```
-{% endcode %}
+</code></pre>
 
 ### Cracking shadow hashes
 
@@ -242,25 +237,23 @@ $ make install
 
 Then after it's installed, you can use the `hcxpcapngtool` command to extract the handshakes from the capture. Then use hashcat with mode 22000 or 22001 to crack the password:
 
-```shell-session
-$ hcxpcapngtool capture.pcap -o capture.hashes
-$ cat capture.hashes
-WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
-$ hashcat -m 22000 hash.txt list.txt
-...
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ hcxpcapngtool capture.pcap -o capture.hashes
+</strong><strong>$ cat capture.hashes
+</strong>WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
+<strong>$ hashcat -m 22000 hash.txt list.txt
+</strong>...
 a462a7029ad5ba30b6af0df391988e45:000c4182b255:000d9382363a:Coherer:Induction
-```
+</code></pre>
 
 After you find the password, you can use Wireshark to decrypt the packets (see [#decrypting](../../forensics/wireshark.md#decrypting "mention"))
 
 ### WEP
 
 WEP is an old Wifi encryption standard where every device uses the same key. It also happens to be easily crackable with enough traffic. It requires lots of IVs (Initialization Vectors), which can come from lots of normal traffic, or you can manually send specific packets that would trigger IVs to be generated if you have access to the network (see [this tutorial](https://www.aircrack-ng.org/doku.php?id=simple\_wep\_crack)). When you have a packet capture with enough information, you can use [`aircrack-ng`](https://www.aircrack-ng.org/) to quickly find the key:
 
-```shell-session
-$ aircrack-ng capture.cap
-...
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ aircrack-ng capture.cap
+</strong>...
 KEY FOUND! [ 1F:1F:1F:1F:1F ]
-```
+</code></pre>
 
 After it completes, you can use the key it found (hex format) to decrypt all the traffic (see [#decrypting](../../forensics/wireshark.md#decrypting "mention"))
@@ -8,8 +8,8 @@ description: The Z3 Theorem Prover can automatically solve puzzles in Python
 
 The Z3 Theorem Prover is a Python library that can automatically solve puzzles you give it in code.&#x20;
 
-```shell
-pip install z3-solver
+```shell-session
+$ pip install z3-solver
 ```
 
 The idea is that you define Z3 variables and perform certain operations on them. Then you can add constraints to the solver and lets it fulfill those constraints. To learn using Z3 I highly suggest looking up some random puzzles and trying to solve them with Z3. There are lots of useful functions in Z3 to try out.&#x20;
 
@@ -24,15 +24,14 @@ Doing it manually would require you to first get a hash using a tool like `zip2j
 
 An interesting little thing about most archive file formats is the fact that when they are encrypted, you can still read the filenames and structure, only the content is encrypted. This can already give a good idea of what kind of files the archive contains.&#x20;
 
-```shell-session
-$ unzip -v archive.zip
-Archive:  archive.zip
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ unzip -v archive.zip
+</strong>Archive:  archive.zip
  Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
 --------  ------  ------- ---- ---------- ----- --------  ----
       15  Stored       15   0% 1970-01-01 00:00 21c0cb62  file.txt
 --------          -------  ---                            -------
       15               15   0%                            1 file
-```
+</code></pre>
 
 As you can see, even the size and a CRC32 are present. This CRC is a checksum of the **unencrypted** file content, so if you can guess the content you can confirm it by taking the CRC. This allows for brute-forcing content of very small files as well. See this tool for an implementation of that:
 
 
@@ -19,9 +19,8 @@ A big collection of drawings of file formats to understand them quickly
 Sometimes when data tries to be hidden inside another file, it is just pasted right into the host file. Meaning that the bytes of the secret file are just somewhere in the other file. Using [binwalk](https://github.com/ReFirmLabs/binwalk) you can check for known file signatures in a file to see if it embeds something. \
 Using the following command you can also recursively extract all of these into a `.extracted` folder:
 
-```shell-session
-$ binwalk -eM file.bin
-DECIMAL       HEXADECIMAL     DESCRIPTION
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ binwalk -eM file.bin
+</strong>DECIMAL       HEXADECIMAL     DESCRIPTION
 --------------------------------------------------------------------------------
 0             0x0             TRX firmware header, little endian, image size: 37883904 bytes, CRC32: 0x95C5DF32, flags: 0x1, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x0, rootfs offset: 0x0
 28            0x1C            uImage header, header size: 64 bytes, header CRC: 0x780C2742, created: 2018-10-10 02:12:20, image size: 2150281 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0xA097CFEA, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "DD-WRT"
@@ -32,8 +31,8 @@ DECIMAL       HEXADECIMAL     DESCRIPTION
 2117484       0x204F6C        device tree image (dtb)
 3145756       0x30001C        UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
 
-$ binwalk --dd='.*' file.bin  # Another way to extract all file signatures
-```
+<strong>$ binwalk --dd='.*' file.bin  # Another way to extract all file signatures
+</strong></code></pre>
 
 {% hint style="warning" %}
 A common false positive with PNGs is `Zlib compressed data`. This is because PNG uses Zlib for compression in its own file format, so it is recognized by binwalk. But very often this compressed data just covers the entire file
@@ -55,9 +54,8 @@ Image files like PNG can have a lot of hidden info. It's a relatively complex fi
 
 A quick check you can do to see if it is a completely valid PNG file is using [pngcheck](http://www.libpng.org/pub/png/apps/pngcheck.html):
 
-```shell-session
-$ pngcheck -h
-Test PNG, JNG or MNG image files for corruption, and print size/type info.
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ pngcheck -h
+</strong>Test PNG, JNG or MNG image files for corruption, and print size/type info.
 
 Usage:  pngcheck [-7cfpqtv] file.{png|jng|mng} [file2.{png|jng|mng} [...]]
    or:  ... | pngcheck [-7cfpqstvx]
@@ -74,9 +72,9 @@ Options:
    -v  test verbosely (print most chunk data)
    -x  search for PNGs within another file and extract them when found
 
-$ pngcheck image.png
-OK: image.png (1920x1080, 32-bit RGB+alpha, non-interlaced, 96.6%).
-```
+<strong>$ pngcheck image.png
+</strong>OK: image.png (1920x1080, 32-bit RGB+alpha, non-interlaced, 96.6%).
+</code></pre>
 
 PNG files consist of **chunks** of bytes that tell something about the image. The most common one is `IDAT` which contains the pixel data of the image. An image always ends with `IEND` and 4 checksum bytes (every chunk has the checksum).&#x20;
 
 
@@ -6,11 +6,10 @@ description: Recovering content of deleted files
 
 Find disks using `mount` and looking for `sd[a-z]`:
 
-```shell-session
-$ mount
-/dev/sdb on / type ext4 (rw,relatime,discard,errors=remount-ro,data=ordered)
+<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ mount
+</strong>/dev/sdb on / type ext4 (rw,relatime,discard,errors=remount-ro,data=ordered)
 ...
-```
+</code></pre>
 
 Then grep for any known text:
 
 
@@ -16,12 +16,9 @@ $ grep [OPTIONS...] PATTERNS [FILES...]
 * `PATTERNS` are a string containing one or more patterns to search for, separated by newline characters (`\n`). To put a newline character in an argument you can use the `$'first\nsecond'` syntax
 * `FILES` are the files to search through for the `PATTERNS`. If not specified, it will read from standard input (piping into grep). If in recursive mode with -r, it will default to the current directory but can be any directory
 
-{% code title="Simple example" %}
-```shell-session
-$ grep something file.txt
-And here is something.
-```
-{% endcode %}
+<pre class="language-shell-session" data-title="Simple example"><code class="lang-shell-session"><strong>$ grep something file.txt
+</strong>And here is something.
+</code></pre>
 
 {% hint style="info" %}
 See all documentation about the options with `man grep`