If you can register, do this, create a repo and go to settings -> githooks and there add a command as post-receive hook like a reverse shell. See https://www.cvedetails.com/vulnerability-list/vendor_id-19185/product_id-49829/Gitea-Gitea.html
UDP 623 https://book.hacktricks.xyz/pentesting/623-udp-ipmi Metasplot: scanner/ipmi/ipmi_version scanner/ipmi/ipmi_dumphashes ipmitool Tool for managing IPMI See hacktricks article
Registers General purpose registers Register x86 Register x64 Name Description EAX RAX Accumulator For results of calculations and return codes EBX RBX Base register General purpose ECX RCX Count register For number of iterations, often used for loops EDX RDX Data register For data of calculations or a pointer to large data ESI RSI Source index Pointer to a…
Keyboard functions CTRL+S Find sequence of commands SHIFT+F9 Pass exception
Assume you have a buffer overflow vulnerability. You can control the EIP. But your shellcode is never executed. Your shellcode is executed when a ret instruction is executed which calls the address you overwrite. But maybe the ret at the end of the function where the buffer overflow occurs is never reached, because you overwrote the…
SID Security Identifiers All elements have attributes. They are identified via a Security Identifier SID. The structure of a SID: Example: The Domain Identifier ist the SID without the last RID part. Examples for well-known SIDs: Basic Windows security access control Security context Mandatory Integrity Control and integrity levels Windows (from Vista on) has five integrity levels:…
ASLR Address Space Layout Randomization is a technique which randomizes addresses in the stack and heap. If addresses of functions are randomized (e.g. from shared libraries like libc), then an attacker cannot use a predefined exploit with hard-coded addresses. Linux Disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space Enable ASLR: echo 2 > /proc/sys/kernel/randomize_va_space In GDB, ASLR is…
On the return-to-libc post, we described the process of injecting a system call with parameters via environment variables to start a new process. But this requires to execute another program (which maybe no available on the target). Instead of calling system we can call other instructions from somewhere in the memory. But it would be…
Assume that we detected a buffer overflow vulnerability, but we don’t have enough space on the stack for our shellcode or the binary’s stack is marked as not-executable (DEP enabled). Then we can try to call a common library which is also loaded (wie the plt). Walkthrough of a ret2lib attack Before we start, disable ASLR as…
https://gtfobins.github.io/gtfobins/snap/
General purpose debugger. Hint: gbd disables ASRL by default. Commands General set disassembly-flavor intel/att Process handling run runs a programm without parameters run `python -c 'print("a")'‘ runs a program with a parameter run < <(python -c 'print("a")') runs a program and enters the given string into STDIN c continue si step one instruction Breakpoints break $f…
See also the Buffer Overflow post Execute shellcode Scenario: You have shellcode. You want to run it to analyze it in a debugger. On Windows Add the shellcode after the breakpoint with i686-w64-mingw32-cc s.c -o s.exex86_64-w64-mingw32-cc s.c -o s.exe and run it in a debugger. On Linux Add the shellcode after the breakpoint with gcc [-m32] s.c…
Bugs can only be found durring fuzzing code, which is executed. But which parts of the code of a target system is executing during a fuzzing session? And how we can improve our fuzzer to include also tests for code blocks which weren’t covered before? Dynamorio We’ll use now Dynamorio — a runtime code manipulation…
Scapy fundamentals Commands for the interactive scapy interpreter: conf.iface shows the currently used interface conf.iface='tun0' sets the interface to use ls shows all protocols ls(TCP) shows all known headers for a given protocol lsc shows build-in functions Details about a packet p: p shows general information p.summary() shows also general information p.show() shows each field and…
PE Portable Executung or DLL Dynamic Linking Libraries can be edited to remove or add capabilities or own code. Read and modify a PE file The following Python3 script reads a file, prints out a header, modified it to remove ASLR and write a new file without this flag. f = pefile.PE('filename.exe') print(hex(f.OPTIONAL_HEADER.DllCharacteristics)) // print as hex to…
This page contains various unstructured notes about crypto related things. General notes If you find somewhere that something should be random, but it isn’t, this is already an important finding. Stream Ciphers A stream cipher encrypts a cleartext bit for bit or character for character (normally via XOR) with a secret key. It produces a…
mitmdump is a proxy which can store and modify content. Change content of a third-party site Scenario: You want to manipulate some content from a website $target visits. Perform ARP-poisening with Bettercap, Ettercap, the http_hijack.py script or somehow else. Start mitmdump in transparent mode:mitmdump --mode transparent --replace /~s/wars/trek/or alternatively to read the new content from a…
Bypass HSTS is based on hostnames. If a target already visited www.supersite.example, you can try to redirect the target to a similar domain which the browser never visited before and thus doesn’t has HSTS activated. Rewrite the Host HTTP header for your server you want to impersonate and add another character, e.g. wwww.supersite.example. You prepared…
SSLstrip works as proxy which replaces HTTPS references in HTTP, HTML, JS,.… responses with HTTP versions. Installation: SSLstrip is old. Create a venv and install an older version of twisted: venv/bin/pip install Twisted==18.9.0 Remove HTTPS references via MitM Scenario: You want that $target routes all HTTP traffic through your own system. Your system should remove each…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';