diff --git a/.gitignore b/.gitignore
index d7a0f9e..48c2293 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ templates/blog/*
flask_run.sh
poetry.lock
build
+venv
diff --git a/.python-version b/.python-version
new file mode 100644
index 0000000..afad818
--- /dev/null
+++ b/.python-version
@@ -0,0 +1 @@
+3.11.0
diff --git a/blog/Directory Writeup — TryHackMe/index.md b/blog/Directory Writeup — TryHackMe/index.md
new file mode 100644
index 0000000..37a47d7
--- /dev/null
+++ b/blog/Directory Writeup — TryHackMe/index.md
@@ -0,0 +1,95 @@
+2025-07-20
+
+# Directory Writeup — TryHackMe
+
+This blog post is a writeup of the
+[Directory](https://tryhackme.com/room/directorydfirroom) challenge on
+[TryHackMe](https://tryhackme.com)
+
+**What ports did the threat actor initially find open? Format: from lowest to
+highest, separated by a comma.**
+
+We can see that the attacker is scanning ports on the target system. If there
+would be an open port on the target system, the answer would include SYN/ACK,
+which is a flag of `0x12`.
+
+```sh
+tshark -r ./traffic-1725627206938.pcap \
+-T fields -Y tcp.flags == 0x12 \
+-e tcp.srcport -e ip.dst_host \
+| sort -n | uniq | sort -rn
+```
+
+**The threat actor found four valid usernames, but only one username allowed
+the attacker to achieve a foothold on the server. What was the username?
+Format: Domain.TLD\username**
+
+After extracting all HTTP files, the result shows that there are some potential usernames
+to be crafted from the names of the people mentioned on the page, which the
+adversary
+could try to login.
+
+Filtering for Kerberos packages, it is clearly visible that the attacker tried
+to bruteforce the usernames
+
+
+
+Only two requests did not end up in an error as a response. These contain the username
+we are looking for.
+
+We need the `CNameString` as well as the `SNameString` in combination to get
+the correct login name.
+
+**The threat actor captured a hash from the user in question 2. What are the
+last 30 characters of that hash?**
+
+The same `AS-REP` response package from the previous question contains an
+encrypted part, which contains the hash as a cipher of type
+`eType-ARFOUR-HMAC-MD5 (23)`. This is the hash we are looking for.
+
+**What is the user's password?**
+
+We can use
+[Krb5RoastParser](https://github.com/jalvarezz13/Krb5RoastParser.git) to
+extract the AS-REP hash and crack it.
+
+```
+$krb5asrep$23$larry.doe@DIRECTORY.THM:f8716efbaa984508ddde606756441480$805ab8be8cfb018a282718f7c040cd43924c6f9afeb6171230bbd3dccc79294dcf2f877a44c1a0981aadb7bb7a9510dd52d8dda4039ef4dcb444f18c9902be1623035e10aebf16ce4bdf5f7064f480e67e96ec2eb32bad95c5a1247bd7a241273fe80e281f4e6a99926f7969fcf803190c7096b947a33407f8578d4c0fb8b52d2aa8d0405a44b72bd21e014563cb71e82aee0e12538d0d440c930b98abf766e18ddc99a964e6e812ecf8dc8994a912a02074d40e5e6906915c1d216653d45df88636b51656f2c37de2020a2fd86ee7ecf6f0afe3f509fd31144e1573f9587155616532b664cd0b50cda8d4ba469f
+```
+
+Use john or hashcat to decrypt the password.
+
+```sh
+john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ../kerb.hash
+```
+
+**What were the second and third commands that the threat actor executed on the
+system? Format: command1,command2**
+
+There is a script to decrypt winrm traffic on [jborean93's github
+page](https://gist.github.com/jborean93/d6ff5e87f8a9f5cb215cd49826523045/).
+Using the password we aquired before, the traffic can be decoded.
+
+```sh
+python winrm_decrypt.py ./traffic-1725627206938.pcap --password '********' > winrm.output
+```
+
+The parts we are interested in are the Powershell commands. We need to decode
+the commands, since these are b64 encoded.
+
+```sh
+grep "AAAAAA" winrm.output | cut -d '>' -f2 | cut -d '<' -f1 | base64 -d >> decoded.out
+```
+
+Now we can take e look at the commands using less or some other tool.
+
+**What is the flag?**
+
+We already decoded the commands in the previous step, just do a search for the
+flag structure in the already decoded output.
+
+```
+THM{***************}
+```
diff --git a/build/about.html b/build/about.html
index 3013b9b..c2f320c 100644
--- a/build/about.html
+++ b/build/about.html
@@ -9,7 +9,7 @@
Hello, this is my
"
md_template = md_css_string + html
res = render_template(
"blog.html",
- #toc=md.toc,
+ # toc=md.toc,
md_doc=md_template,
colors=colors,
stylesheet=STYLESHEET,
- #stylesheet_auto_complete=STYLESHEET_AUTO_COMPLETE,
+ # stylesheet_auto_complete=STYLESHEET_AUTO_COMPLETE,
project_name=project_name,
project_title=project_title,
# tree=cut_path_tree(
@@ -100,12 +90,12 @@ def blog(blog_item, _date=meta_data):
# make_tree(content_path),
# content_path,
# ".md" # )
- _date=meta_data[blog_item]
- )
+ _date=meta_data[blog_item],
+ )
response = make_response(res)
response.headers["Content-Type"] = "text/html; charset=utf-8"
- return response
+ return response
# return render_template(
# f"blog/{blog_item}/index.html",
@@ -115,31 +105,32 @@ def blog(blog_item, _date=meta_data):
@app.route("/about.html")
def about():
- ''' About Page.
- '''
+ """About Page."""
+
return render_template("about.html", colors=colors)
@app.route("/contact.html")
def contact():
- ''' Contact Page.
- '''
+ """Contact Page."""
+
return render_template("contact.html", colors=colors)
@app.route("/rss.xml")
def rss(_items=meta_data):
- ''' RSS Feed.
+ """RSS Feed.
Generates RSS feed as XML
- '''
+ """
# rss_feed = []
- _tz = pytz.timezone('Europe/Berlin')
+ _tz = pytz.timezone("Europe/Berlin")
_fg = FeedGenerator()
_fg.title("Website of Stefan Friese")
_fg.description("test")
_fg.language("en-us")
# _fg.author({'name': "Stefan Friese", 'email': 'stefan@stefan.works'})
_fg.link(href="https://stefan.works", rel="self")
+
for key in meta_data.keys():
_fe = _fg.add_entry()
_fe.id(f"https://stefan.works/blog/{key}/index.html")
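Review bot: The reformatted rss() still declares `_items=meta_data` in its signature, but the loop at the end of the hunk iterates the module-level `meta_data` directly, so the parameter is dead and the default-binding idiom buys nothing; either iterate it (`for key in _items:`) or drop the parameter. The feed description on the context line `_fg.description("test")` is also still the placeholder, and the regenerated static/rss.xml in this same commit carries that "test" string out to subscribers. rss()'s body continues past the end of this hunk.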
@@ -149,50 +140,42 @@ def rss(_items=meta_data):
_fe.link(href=f"https://stefan.works/blog/{key}/index.html")
_fe.pubDate(pubDate=_tz.localize(meta_data[key]))
_fg.rss_str(pretty=True)
- _fg.rss_file('./static/rss.xml')
- return send_from_directory(
- os.path.join(
- app.root_path,
- 'static'
- ),
- 'rss.xml'
- )
+ _fg.rss_file("./static/rss.xml")
+
+ return send_from_directory(os.path.join(app.root_path, "static"), "rss.xml")
-@app.route('/favicon.ico')
+@app.route("/favicon.ico")
def favicon():
- ''' Provides favicon.
- '''
- return send_from_directory(
- os.path.join(
- app.root_path,
- 'static'
- ),
- 'favicon.ico'
- )
+ """Provides favicon."""
+
+ return send_from_directory(os.path.join(app.root_path, "static"), "favicon.ico")
@app.errorhandler(404)
def page_not_found(_error):
- ''' Error Handling.
+ """Error Handling.
Error 404
- '''
+ """
+
return render_template("/status_code/404.html", colors=colors), 404
@app.errorhandler(400)
def bad_request(_error):
- ''' Error Handling.
+ """Error Handling.
Error 400
- '''
+ """
+
return render_template("/status_code/400.html", colors=colors), 400
@app.errorhandler(500)
def internal_server_error(_error):
- ''' Error Handling.
+ """Error Handling.
Error 500
- '''
+ """
+
return render_template("/status_code/500.html", colors=colors), 500
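Review bot: `_fg.rss_file("./static/rss.xml")` writes relative to the process's current working directory, while the new `send_from_directory(os.path.join(app.root_path, "static"), "rss.xml")` on the next added line reads from the application's root, so when the server is not started from the project directory the write lands elsewhere and a stale or missing feed is served. The two should use one path, e.g. `_fg.rss_file(os.path.join(app.root_path, "static", "rss.xml"))`, or the disk round-trip can be dropped by returning `make_response(_fg.rss_str(pretty=True))` with an explicit Content-Type header, as the blog() hunk above already does for HTML. Regenerating and rewriting the file on every unauthenticated GET also lets concurrent requests observe a partially written file; generating the feed once at build or startup time avoids both problems. The `_fg.rss_str(pretty=True)` result on the context line before the write is currently computed and discarded.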
diff --git a/static/images/usernames-kerberos.jpg b/static/images/usernames-kerberos.jpg
new file mode 100644
index 0000000..b23d554
Binary files /dev/null and b/static/images/usernames-kerberos.jpg differ
diff --git a/static/rss.xml b/static/rss.xml
index f32cf8a..a3bde5b 100644
--- a/static/rss.xml
+++ b/static/rss.xml
@@ -1,2 +1,2 @@
-Website of Stefan Friesehttps://stefan.workstesthttp://www.rssboard.org/rss-specificationpython-feedgenen-usWed, 11 Oct 2023 19:32:42 +0000Restoring (NT)Backups From a SCSI Tape Drivehttps://stefan.works/blog/Restoring (NT)Backups From a SCSI Tape Drive/index.htmlhttps://stefan.works/blog/Restoring (NT)Backups From a SCSI Tape Drive/index.htmlWed, 27 Sep 2023 00:00:00 +0200The Joy of One-Linershttps://stefan.works/blog/The Joy of One-Liners/index.htmlhttps://stefan.works/blog/The Joy of One-Liners/index.htmlSun, 29 May 2022 00:00:00 +0200Keep It Simplehttps://stefan.works/blog/Keep It Simple/index.htmlhttps://stefan.works/blog/Keep It Simple/index.htmlTue, 01 Jun 2021 00:00:00 +0200
\ No newline at end of file
+Website of Stefan Friesehttps://stefan.workstesthttp://www.rssboard.org/rss-specificationpython-feedgenen-usSun, 20 Jul 2025 22:08:29 +0000Directory Writeup — TryHackMehttps://stefan.works/blog/Directory Writeup — TryHackMe/index.htmlhttps://stefan.works/blog/Directory Writeup — TryHackMe/index.htmlSun, 20 Jul 2025 00:00:00 +0200Restoring (NT)Backups From a SCSI Tape Drivehttps://stefan.works/blog/Restoring (NT)Backups From a SCSI Tape Drive/index.htmlhttps://stefan.works/blog/Restoring (NT)Backups From a SCSI Tape Drive/index.htmlWed, 27 Sep 2023 00:00:00 +0200The Joy of One-Linershttps://stefan.works/blog/The Joy of One-Liners/index.htmlhttps://stefan.works/blog/The Joy of One-Liners/index.htmlSun, 29 May 2022 00:00:00 +0200Keep It Simplehttps://stefan.works/blog/Keep It Simple/index.htmlhttps://stefan.works/blog/Keep It Simple/index.htmlTue, 01 Jun 2021 00:00:00 +0200
\ No newline at end of file
diff --git a/templates/about.html b/templates/about.html
index d25411c..77a54a7 100644
--- a/templates/about.html
+++ b/templates/about.html
@@ -4,7 +4,5 @@
{{ super() }}
{% endblock %}
{% block content %}
-My name is Stefan Friese. I am fascinated by computers since I first saw my Dad working on the ZX Spectrumn. For me, the greatest thing is to learn something new. I like music, engineering, art, design and security CTFs. I write blog entries on my journey, so I’ll be able to look stuff up, remember and share it with you and students at work.
+My name is Stefan Etringer. I am fascinated by computers since I first saw my Dad working on the ZX Spectrumn. For me, the greatest thing is to learn something new. I like music, engineering, art, design and security CTFs. I write blog entries on my journey, so I’ll be able to look stuff up, remember and share it with you and students at work.