From 452ba0102dcc2674fa1323143c4849c628c7603d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Thu, 5 Aug 2021 02:19:42 -0400 Subject: Dusoleil's Writeups from Metasploit Community CTF 2020 Signed-off-by: dusoleil --- .../format_string.txt | 28 +++ .../Metasploit_Community_CTF_2020/ihatesalt.txt | 24 +++ .../Metasploit_Community_CTF_2020/login_timing.txt | 26 +++ .../Metasploit_Community_CTF_2020/photos.txt | 10 + .../Metasploit_Community_CTF_2020/php_equality.txt | 11 + .../Metasploit_Community_CTF_2020/scanning.txt | 19 ++ .../Metasploit_Community_CTF_2020/socks5.txt | 18 ++ .../Metasploit_Community_CTF_2020/target_scan.txt | 240 +++++++++++++++++++++ .../Metasploit_Community_CTF_2020/welcome.txt | 3 + 9 files changed, 379 insertions(+) create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/format_string.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/ihatesalt.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/photos.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/scanning.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/socks5.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/welcome.txt diff --git a/docs/writeups/Metasploit_Community_CTF_2020/format_string.txt b/docs/writeups/Metasploit_Community_CTF_2020/format_string.txt new file mode 100644 index 0000000..e5206f4 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/format_string.txt 
@@ -0,0 +1,28 @@ +PORT 1337 + +nc target 1337 +we're presented with a simple program +| Welcome to the '9 of Clubs' service. +| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +| Exit + +all three options take user input. Option 2 asks for a name and prints it back out to you which could be vulnerable to a format string attack. We can test it with "%x". This prints out "200", so it looks like it is vulnerable. + +I used perl to construct my payload because I like the syntax. +perl -e 'print "2\n"."%x"x20 ."\n"' +This prints the top 20 items on the stack as unsigned hex. + +I originally assumed I would need to execute shellcode, so I was trying to determine where my buffer was and where the bottom of the stack frame was. It seemed that the buffer was actually very large, but around 8092 it would start being picked up by the next command, so I'm assuming some sort of overflow was happening. That said, I couldn't seem to get it to crash or change anything important on the stack (e.g. return address). With a format string vuln, I could probably still overwrite the return address, but I need to figure out where it is, first, and the actual print is only printing a ~1000 characters, making it hard to examine very far down the stack. Normally, you could use positional indices (e.g. %2$x), but this isn't working, so I'm assuming the libc this program was compiled with doesn't support the syntax. This actually sucks for writing arbitrary data into arbitrary addresses, too. + +For now, let's just look at the data in the first few spots on the stack. +At first, I was getting confused because I was printing 32 bits per item and the numbers didn't make a lot of sense (pointers didn't look like stack pointers, stuff in my own buffer was missing bytes, etc.). 
%lx or %p will print a full 64 bits (x64, so each item on the stack is 64 bits and each format parameter will advance 64 bits down the stack) while %x will only print the least significant 32 bits. Once I realized that, the items on the stack made more sense. In particular, most addresses were 0x00007fffxxxxxxxx. On x64, the full address space isn't used, so the stack starts somewhere around 0x00007fffffffffff. The null bytes make things harder for writing custom pointers, but I wasn't able (and didn't need to) get arbitrary read/write working anyways, so it didn't matter. + +Just looking at the first few items on the stack, there are stack addresses at 3,4,5,7,9,10,11, and 12. +Using %s, I could print out any string data at those locations. +3,4 were junk. 5 was the format string itself (my buffer), 7 was the destination string (after formatting), and 9 was the flag. + +Ended up being much simpler than I was making it. diff --git a/docs/writeups/Metasploit_Community_CTF_2020/ihatesalt.txt b/docs/writeups/Metasploit_Community_CTF_2020/ihatesalt.txt new file mode 100644 index 0000000..ea4cbb7 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/ihatesalt.txt 
@@ -0,0 +1,24 @@ +PORT 8123 + +another web server. This time, we're presented with a blog about hating salt. At the bottom of the main page there is an admin@example.com email listed. There is a signup page as well as a "forgot your password" page. There is also an admin page which prompts you with http basic auth. On the forgotten password page, we can input the admin@example.com email and get a hint for the password. It begins with "ihatesalt". The signup page allows us to put in a username and password, but will tell us that they are not taking new users at the moment. We can see that there is client side validation of the password format running in a js file. + +Looking at the password validation code, we can see that a password is made up of lower alpha numeric characters and only [9-14] characters long. So now we have a pretty good guess at the credentials. username: admin, password: ihatesalt<5 more lowalphanum characters>. We can brute force it from here, but that could take a long time. In fact, there was a hint on the main page basically telling us not to use hydra. + +Looking back at the hint page, the actual http response for the hint has a little mroe information than just the beginning of the password. It gives us the hash of the password! For someone who hates salts, it's interesting that he gives us essentially a 9 character salt for a 5 character hash. + +Again, we can brute force this as we have 0-5 characters to try every combination of lower alpha num characters, prepend with "ihatesalt", and md5sum it. I originally tried doing this in a bash script, but after 10 hours it was still on 3 character passwords and I decided to use a tool built for this. + +hashcat saves the day: +hashcat -a 3 -m 0 -i --increment-min 9 --increment-max 14 -1 ?l?d hash ihatesalt?1?1?1?1?1 +hashcat hash --show + +-a gives the attack mode. We give 3 for brute force. 
the default mode would use a wordlist and we could have generated a bruteforce wordlist with crunch, but this will do. +-m gives the hash type. 0 is for MD5 +-i enables increment mode for brute forcing. the min and max give the min and max length for the password (which we know to be 9 and 14) +-1 lets us define a custom character set. When we specify the password format, we can match on a character set, but none of the built in sets are lower alpha num. We define it here with ?l?d where ?l is any lower alpha and ?d is any digit +then we give a file containing a list of hashes (we have a file "hash" with our single hash) and the password format ihatesalt?1?1?1?1?1 + +this cracked it in just a couple minutes +ihatesaltalot7 + +we can input this on the admin page and get the flag diff --git a/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt b/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt new file mode 100644 index 0000000..29ae962 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt 
@@ -0,0 +1,26 @@ +PORT 8080 + +This challenge presents us with a simple login page and says that there is one other user. If we can figure out the username of this other user, we can input it into a different form to check if we're right. + +The page says to use your observational skills. +When logging in, if we use the username "guest" that we are given, the page takes a bit to load. If we give anything else, it immediately tells us it failed. + +I pulled a public wordlist of common usernames, cleaned the list up of special characters, and wrote a simple bash script to iterate over it and try to login using curl. I kept the log of this loop and ran a grep over it for any requests that took more than basically instant. + +Two results were found: guest and demo. + +Inputting demo into the other form gives us a success message and a link to the card. + +``` +#!/bin/bash +while IFS= read -r line; do + echo "Trying $line..." + curl target:8080/login.php --data "username=$line&password=" 1>/dev/null; +done < usernames-fixed.txt +``` + +``` +#!/bin/bash +grep '0:0' -B3 werdz.txt + +``` diff --git a/docs/writeups/Metasploit_Community_CTF_2020/photos.txt b/docs/writeups/Metasploit_Community_CTF_2020/photos.txt new file mode 100644 index 0000000..2504fb5 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/photos.txt 
@@ -0,0 +1,10 @@ +PORT 6868 + +A web server with simple file hosting (disabled for new users). +By exploring the site, you quickly realize that there is a structure to where the photos are retrieved from. Each users' photos are under a subdirectory with their initials. + +If we try to create a new user, it uses our initials to create a subdirectory with notes (and single note about how we can't upload anything). This, of course, means we can check the notes of other users if we know their initials (which we do because of the public photos on the main page). + +Looking through these notes, we learn about another user who is an admin, or security person or something. We can figure out her initials from these notes. One interesting piece is that she is the only user with a multiple word middle name. If we try to create a user with a multiple word middle name, the first letter of each word is used in our unique id. So we need to use the first letters from every word in her name to look at her files. + +The flag is just one of the public photos she has under her id. diff --git a/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt new file mode 100644 index 0000000..bddc5fa --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt 
@@ -0,0 +1,11 @@ +PORT 8092 + +another web server which gives us a login page and the php source code for the login page. The password we give is hashed with a secret salt and compared to a hash that we provide. If we can guess the salted hash for a given password, we get the flag. + +Obviously we aren't going to just guess a salted hash. At first, I thought this would require us to brute force the salt's hash with an empty password, but this will be way too slow considering the alphabet size, a default 22 character salt, and cost=12 option used in the php. + +Then I noticed that the hash was being compared with "==" instead of "===". php's "fuzzy equality" check does some interesting things (docs/lang/php/loose_comparison.png). + +I tried a couple things, but what I got working was to give an array as the password which will cause the password_hash function to return false. This compared with a null string passed as the hash will actually equal true. + +curl target/login.php --data "password[]=&hash=" diff --git a/docs/writeups/Metasploit_Community_CTF_2020/scanning.txt b/docs/writeups/Metasploit_Community_CTF_2020/scanning.txt new file mode 100644 index 0000000..0b30fdf --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/scanning.txt 
@@ -0,0 +1,19 @@ +For the CTF, we were given two machines that were provisioned specifically for us and sitting on a private VPN. One machine was the target box which hosted several services to be attacked. The other machine was a Kali box that we could access from the outside internet and was meant to be used as a jump box into the VPN to attack the target box. Once ssh'd in to the kali box, we needed to discover what services were exposed on the target box that we could attack. We know that there are 20 flags (from the scoreboard), so we can assume there should be around that many services. We tried port scanning the box using nmap and netcat. We never actually found all of the services, but through trial, error, and man pages, we learned about a number of nmap flags that found most of the services. + +Our first attempt was a simple +nmap -A 172.15.18.117 + +This returned about 10 services and gave us a starting point to start solving challenges. Eventually, though, we needed to find the other services. A netcat scan (tools/netcat_scanner.sh) was used to find most of the other ports, but with significantly less helpful information that nmap provides. + +After playing with nmap flags for a while and reading the man page, we used this +nmap -A -T5 -p1-65535 172.15.18.117 +-p lets you specify ports to check. by default, nmap only scans the top 1000 most common ports, but several of the challenges were not on these ports. apparently you can also omit the bounds of the range and it will default to min/max, so -p- will accomplish the same thing as -p1-65535. possibly we could have used --top-ports to scan more top ports than just the top 1000 and maybe we would have gotten hits as well +-T specifies how quickly nmap proceeds to the next port when enumerating. lower numbers are for stealth/not DOSing the network. They can take a very long time, though. We decided to try the fastest (5) and see if it caused any problems. 
No one yelled at us or banned us from the competitiion, so I'm assuming we were fine. +-A is a convenience flag that turns on several diagnostic options including OS detection, version detection, script scanning, and traceroute + +This gave us 20 ports (21 after completing one of the challenges that opens another port for the flag), but two of these ports were for the same challenge, so ultimately we were missing one more service. After reading writeups, it turns out that we only scanned TCP ports and the last service was on a UDP port. To find it, we needed to do a UDP scan. By default, nmap will do a SYN scan (-sS) or a basic TCP connect scan (-sT) if it can't do a SYN scan. We can give -sU to do a UDP scan. Apparently you can give both -sS and -sU together to scan both at the same time. + +So our final scan that we should have done would be +nmap -A -T5 -sS -sU -p- 172.15.18.117 + +The results of the scans we ran and our notes on the services during the ctf can be found in target_scan.txt diff --git a/docs/writeups/Metasploit_Community_CTF_2020/socks5.txt b/docs/writeups/Metasploit_Community_CTF_2020/socks5.txt new file mode 100644 index 0000000..f3b8e00 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/socks5.txt 
@@ -0,0 +1,18 @@ +PORT 1080 + +nmap detected a socks5 proxy on this port. I did a bit of reading into socks5 and proxies in general as I didn't have a lot of experience actually using them. + +The basic idea of socks5 is that any traffic we send to this port will be sent back out from the perspective of the machine hosting the proxy (our target in this case). This means we can see things from behind any firewalls or on other networks that the target has access to. + +The easiest way to use the proxy was with proxychains. +In /etc/proxychains.conf +add the line +socks5 172.15.18.117 1080 + +then we can scan the target localhost from the other side of the its firewall +proxychains nmap -A -p- 127.0.0.1 + +The scan results are in target_scan_local_through_proxy.txt +we can see ssh on 22, the socks5 on 1080 that we used to get here, and a web server on 8000 +proxychains wget http://127.0.0.1:8000 +gets us a webpage with the flag diff --git a/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt new file mode 100644 index 0000000..353c6e3 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt 
@@ -0,0 +1,240 @@ +Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds +Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC +Nmap scan report for target (172.15.18.117) +Host is up (0.00075s latency). +Not shown: 65505 closed ports +PORT STATE SERVICE VERSION + + +### welcome page (we solved) +80/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Metasploit CTF + +## proxy. found a flag on a webserver that was only available through localhost (solved) +1080/tcp open socks5 (No authentication; connection failed) +| socks-auth-info: +|_ No authentication + +### basic format string read flag out of memory (solved) +1337/tcp open waste? +| fingerprint-strings: +| GenericLines, GetRequest, HTTPOptions, RTSPRequest: +| Welcome to the '9 of Clubs' service. +| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +| Exit +| Unknown option. +| Welcome to the '9 of Clubs' service. +| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +| Exit +| NULL: +| Welcome to the '9 of Clubs' service. 
+| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +|_ Exit + +### Buffalo RE (we solved) +4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) +|_http-server-header: SimpleHTTP/0.6 Python/3.8.5 +|_http-title: Directory listing for / + +### simple dodge falling rocks game needs a bot (solved) +5555/tcp open telnet +| fingerprint-strings: +| NULL: +| [HSCORE: 0 +| [HSCORE: 1 +| [HSCORE: 2 +| [HSCORE: 3 +|_ [HSCORE: 4 + +### Photos5u flag was just in one of the "other user"'s files which are publically open (solved) +6868/tcp open http WSGIServer 0.2 (Python 3.8.5) +|_http-server-header: WSGIServer/0.2 CPython/3.8.5 +|_http-title: Photos5u + +### comes up and lets you retrieve the flag once you beat 5555 game (solved) +7878/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) +|_http-server-header: SimpleHTTP/0.6 Python/3.8.5 +|_http-title: Directory listing for / + +### Guest -- guess other username (we solved) +8080/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-open-proxy: Proxy might be redirecting requests +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Site doesn't have a title (text/html). + +### vuln == in php (solved) +8092/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Site doesn't have a title (text/html; charset=UTF-8). + +### Make metasploit module +8101/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: 5 of Clubs Frontend + +### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved) +8123/tcp open http WSGIServer 0.2 (Python 3.8.5) +|_http-server-header: WSGIServer/0.2 CPython/3.8.5 +|_http-title: Salt Free Hashes + +### Image upload (we solved) +8200/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Home + +### redirects to vhost. 
says to use other subdomains, but what are they? +8201/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201 + +### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved) +8202/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Site doesn't have a title (text/html). + +### Metasploit modules looks like something to do with the session cookie +8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5) +|_http-title: Home + +### Game library (we solved) +9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25)) +|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25) +|_http-title: Site doesn't have a title (text/html;charset=utf-8). + +### Game reviews (we solved) +9001/tcp open http Thin httpd +|_http-server-header: thin +|_http-title: Site doesn't have a title (text/html;charset=utf-8). + +### Broken zip file (we solved) +9007/tcp open http Apache httpd 2.4.46 ((Unix)) +| http-methods: +|_ Potentially risky methods: TRACE +|_http-server-header: Apache/2.4.46 (Unix) +|_http-title: Index of / + +### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved) +9008/tcp open java-object Java Object Serialization + +### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved) +9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA) +| 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA) +|_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519) + +### Jar file - wireshare protocol vuln (solved) +9010/tcp open http Apache httpd 2.4.38 +| http-ls: Volume / +| SIZE TIME FILENAME +| 3.2K 2020-12-01 15:29 QOH_Client.jar +|_ +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Index of / +3 services unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port1337-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,9B,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n----- +SF:--------------------------\nPlease\x20choose\x20an\x20option:\n1\.\x20S +SF:end\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\ +SF:x20Exit\n\0")%r(GenericLines,146,"\nWelcome\x20to\x20the\x20'9\x20of\x2 +SF:0Clubs'\x20service\.\n-------------------------------\nPlease\x20choose +SF:\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\ +SF:.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x2 +SF:0to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------------ +SF:-------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20i +SF:nfo\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(Get +SF:Request,146,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\ +SF:n-------------------------------\nPlease\x20choose\x20an\x20option:\n1\ +SF:.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback +SF:\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20o +SF:f\x20Clubs'\x20service\.\n-------------------------------\nPlease\x20ch +SF:oose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings +SF:\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(HTTPOptions,146,"\nWelco +SF:me\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------- +SF:------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact +SF:\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unk +SF:nown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20servi +SF:ce\.\n-------------------------------\nPlease\x20choose\x20an\x20option 
+SF::\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20fee +SF:dback\n0\.\x20Exit\n\0")%r(RTSPRequest,146,"\nWelcome\x20to\x20the\x20' +SF:9\x20of\x20Clubs'\x20service\.\n-------------------------------\nPlease +SF:\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Gre +SF:etings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\n +SF:Welcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n-------------- +SF:-----------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20co +SF:ntact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n +SF:\0"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5555-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,699,"\xff\xfd\"\xff\xfb\x01\x1b\[2J\x1b\[HSCORE:\x200\r\n\|\x20\x20\ +SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x201\r\n\|\x20\x20\x20\x20\x20 +SF:\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r +SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\ 
+SF:x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:|\r\n\x1b\[2J\x1b\[HSCORE:\x202\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x2 +SF:0\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\ +SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\ +SF:n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b +SF:\[HSCORE:\x203\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\| +SF:\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x200\|\r\n\|\x20\x20 +SF:\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\ +SF:r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x204\r\n\| +SF:\x20\x20\x200\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x +SF:20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\ +SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r +SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x 
+SF:20\x20\x20\x20\x20"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port9008-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,4,"\xac\xed\0\x05"); +MAC Address: 0A:6C:D1:10:33:CD (Unknown) +Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%) +No exact OS matches for host (test conditions non-ideal). +Network Distance: 1 hop +Service Info: Host: 172.17.0.15; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +TRACEROUTE +HOP RTT ADDRESS +1 0.75 ms target (172.15.18.117) + +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds diff --git a/docs/writeups/Metasploit_Community_CTF_2020/welcome.txt b/docs/writeups/Metasploit_Community_CTF_2020/welcome.txt new file mode 100644 index 0000000..a11688e --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/welcome.txt @@ -0,0 +1,3 @@ +PORT 80 + +basic web server with the flag given. just there to let you figure out the scoreboard and tell you that the other challenges are on other ports. -- cgit v1.2.3
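Review bot: in format_string.txt the guess that the target's libc lacks `%n$` support is almost certainly wrong; the perl payload is the problem. Inside the double-quoted string of `perl -e 'print "2\n"."%x"x20 ."\n"'`, a specifier like `"%2$x"` has `$x` interpolated as an (empty) perl variable, so the program only ever received `%2`. Escaping the dollar sign (`"%2\$x"`) or using single quotes would send the specifier intact; glibc does support positional conversions. The writeup also stops at "Using %s, I could print out any string data at those locations" without recording the exact format string that read position 9; add it so the result is reproducible.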
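Review bot: typo "mroe" in ihatesalt.txt, and "a 9 character salt for a 5 character hash" misdescribes the search: the unknown part is the 0 to 5 trailing characters of the password, and the MD5 is taken over the whole 9 to 14 character string, which is exactly why `--increment-min 9 --increment-max 14` with the mask `ihatesalt?1?1?1?1?1` covers every length. One sentence naming the actual defect would help readers: the password-reset hint returns the stored hash in the HTTP response, and because it is an unsalted, fast hash a mask attack finishes in minutes.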
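Review bot: the loop in login_timing.txt never records a response time, so `grep '0:0' -B3 werdz.txt` only works because curl's progress meter on stderr (whose elapsed-time columns look like `0:0:01`) was captured into werdz.txt by something outside the shown script. Document how werdz.txt was produced, or make the measurement explicit, e.g. `curl -s -o /dev/null -w "$line %{time_total}\n" --data-urlencode "username=$line" --data "password=" http://target:8080/login.php`, which also fixes the unescaped `$line` in `--data` (a username containing `&` or `=` would split the form body). The second block is a single grep and does not need its own shebang. Worth stating the cause as well: the slow path only runs for an existing user, and the fix on the server side is to do the same work (hash comparison) regardless of whether the username exists.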
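Review bot: "Each users' photos" should be "Each user's photos" in photos.txt, and "there is a structure to where the photos are retrieved from" never gives the path pattern (the initials subdirectory) or the notes URL, so the access-control gap being described cannot be reproduced from the text. Recording the URL shape would also make the underlying issue explicit: per-user directories keyed on a guessable identifier with no ownership check.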
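Review bot: docs/lang/php/loose_comparison.png is referenced in php_equality.txt but is not among the nine files this commit adds, so the reference dangles. Also, on PHP 7 `password_hash()` given an array emits a warning and returns NULL rather than false (PHP 8 throws a TypeError); the conclusion is unchanged, since `NULL == ""` is also true under loose comparison, but the writeup should say which it observed. A line on the fix would round this out: compare with `===` or, better, `hash_equals()`/`password_verify()`, and reject non-string input before hashing.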
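Review bot: tools/netcat_scanner.sh is referenced in scanning.txt but is not part of this commit. On the final recommended command `nmap -A -T5 -sS -sU -p- 172.15.18.117`, a full-range UDP scan is extremely slow because closed UDP ports are only inferred from ICMP port-unreachable replies that most hosts rate-limit, so `-sU` is normally paired with `--top-ports` or a short list; and both `-sS` and `-sU` need raw-socket privileges (root/sudo), which the writeup should state. Typos: "DOSing" should be "DoSing", "competitiion" should be "competition".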
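Review bot: target_scan_local_through_proxy.txt, referenced in socks5.txt, is not in this commit. More importantly, `proxychains nmap -A -p- 127.0.0.1` only relays TCP connections made through connect(); SYN scans, ICMP host discovery, OS detection and traceroute are raw-socket operations that bypass the proxy (and against 127.0.0.1 will hit the Kali box's own loopback), so the scan that actually traverses the proxy should be written as `proxychains nmap -sT -Pn -p- 127.0.0.1`, and any `-A` results reported for the far side should be treated with suspicion. Typo: "the other side of the its firewall".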
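Review bot: the first line of target_scan.txt, "Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds", is the tail of a different, shorter run pasted above the "Starting Nmap 7.80" header of the 245-second scan; drop it or label it. Smaller items: "publically" should be "publicly", and "wireshare protocol vuln" reads like "wireshark". The 9009/tcp annotation records working credentials and a setuid binary path; fine for a CTF box that no longer exists, but a header line saying so is worth adding since the file lives in a public docs tree.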