akde/infosec

Information security is ultimately about managing risk


Con­vert a Python2 script into a Python3 script:

2to3 -w example.py

Fix tab/space/identation problems:

autopep8 -i linuxprivchecker.py

If a library is installed, but can­not found

from smb.SMBConnection import SMBConnection

then try to search the file local­ly and include the path manually:

import sys
sys.path.append("path/to/your/file")

One­lin­er for exe­cut­ing bash in a file:

echo 'import os;os.system("/bin/bash")' > /tmp/e.py

Exe­cute something:

import os
os.system('ls -l')

__import__('os').popen('whoami').read();

os = globals()['os']
print(os.name)

Use python scripts under Windows

If an exploit is avail­able in Python, but the tar­get sys­tem does­n’t have a python instal­la­tion, use in anoth­er Win­dows System/VM PyIn­staller to cre­ate a EXE out of a Python script. Example

# pyinstaller --onefile windows-exploit-suggester.py

Or use https://pypi.org/project/auto-py-to-exe/

Note: In case of an error, try a new­er release (pip install https://github.com/pyinstaller/pyinstaller/archive/develop.tar.gz)

Interpolation

"{name}".format(name="P")
"%s and %d" % ("string", 42)
f"User {user}" # variable user was defined before.

Jinja Template hijacking

See Jin­ja article

Flask

Flask uses a secret key to sign cook­ies. If you have a secret key, you can use flask-unsign to decode a cook­ie you’ve got from the http response.

The sec­ond com­mand from this screen­shot changed the id. The new cre­at­ed cook­ie can be used for a HTTP request which then would imper­sion­ate the user with id 20093.

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';