timb-machine / Early implementation of Place in Kill Chain
Created June 26, 2025 20:17
$ python3 PiKC.py
=== System Parameters Summary ===
System Role: web server
Open Ports: [80, 443, 8080]
IP Addresses: ['203.0.113.50']
Software: Apache httpd 2.4.54
Interactive User: False
Critical Asset: False
Virtualized: False
timb-machine / So you just want code execution on your NAS?
Created June 5, 2025 21:15
If you don't need persistence, why work so hard?
$ rm /foo; xmldbc -t "test:10:touch /foo"; ls -la /foo; xmldbc -D /tmp/config.xml; sleep 20; ls -la /foo
ls: /foo: No such file or directory
-rw-r--r-- 1 root root 0 Jun 5 22:11 /foo
timb-machine / Adding persistence to WD MyCloud NAS device cron...
Last active June 5, 2025 21:13
Say, for example, you wanted a cron entry that would run persist.sh every 5 minutes...
$ xmldbc -s /system_mgr/crond/list/count "9"
$ xmldbc -s /system_mgr/crond/list/name:9 "persist"
$ xmldbc -s /system_mgr/crond/persist/count "1"
$ xmldbc -s /system_mgr/crond/persist/item:1/method "3"
$ xmldbc -s /system_mgr/crond/persist/item:1/1 "*/5"
$ xmldbc -s /system_mgr/crond/persist/item:1/2 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/3 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/4 "*"
timb-machine / Dumping CrowdStrike's LKM
Created May 10, 2025 16:16
Falcon-sensor strace:
1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0
(gdb) catch syscall init_module
(gdb) run
timb-machine / ssh sshgw.stromberg.org
Last active May 10, 2025 16:17
$ ssh sshgw.stromberg.org
The authenticity of host 'sshgw.stromberg.org (136.47.201.206)' can't be established.
RSA key fingerprint is SHA256:VqUUSiSuOQhm+3vrJG9VDb4fWa2dM23Th23T9D88+L4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sshgw.stromberg.org' (RSA) to the list of known hosts.
OpenBSD 7.3 (GENERIC.MP) #0: Thu May 18 19:05:43 MDT 2023

Welcome to OpenBSD: The proactively secure Unix-like operating system.

timb-machine / Example of bcrypt() weakness around input string truncation (the choice of PHP is arbitrary)
Created March 1, 2025 21:47
<?php
// Both inputs share the same first 72 bytes; bcrypt silently ignores everything after byte 72,
// so "...test" and "...hell" produce the same hash. The original used a fixed "salt" option to
// make the two hashes directly comparable; that option is deprecated since PHP 7.0 and ignored
// in PHP 8, so password_verify() is used here instead and shows the same truncation.
$prefix = "123567890123567890123567890123567890123567890123567890123567890123456789"; // 72 bytes
$hash = password_hash($prefix . "test", PASSWORD_BCRYPT);
if (password_verify($prefix . "hell", $hash)) {
    print "matches\n";
}
?>
timb-machine / unix-audit DSL prototype
Last active August 1, 2023 05:58
platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""
timb-machine / Comparing and contrasting generations of RedMenshen AKA BPFDoor
Created June 9, 2023 21:39
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
timb-machine / List of CVEs for vulnerability disclosures
Last active June 13, 2025 17:47
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074
timb-machine / A brief history of treasury bugs
Created February 13, 2023 21:25
$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151