@Caesurus
Caesurus / Readme.md
Last active January 6, 2024 18:49
Unlocking "Partial" TTY Interactivity in Basic Reverse Shell Environments

Revconsole

We all know that feeling, your exploit finally lands and you pop a /bin/sh shell. You're IN, but now you have to deal with interacting with a dumb shell. Your muscle memory kicks in, and you press the up arrow to rerun a command, and are faced with a ^[[A on the screen. Frustrating, right? It's like stepping back in time to an era before the comforts of modern shells. No command history, no stderr visibility - just you and a bare-bones command line that doesn't understand your shortcuts or needs. It's enough to make you miss the slick, feature-rich terminals you're used to.

Now for a slightly better approach. We can use our trusty pwntools to add some additional functionality:

python3 -c "from pwn import*;p=remote('192.168.1.123',31337);p.interactive()"

We've upgraded and have command history, and we can edit commands before we send them, making the remote interaction less of a headache. It's not perfect, but it's an improvement. If we send a command that results in output to

@slimsag
slimsag / ramblings.md
Last active December 13, 2023 08:02
Because cross-compiling binaries for Windows is easier than building natively

I want Microsoft to do better, want Windows to be a decent development platform - and yet, I constantly see Microsoft playing the open source game: advertising how open-source and developer friendly they are - only to crush developers under the heel of the corporate behemoth's boot.

The people who work at Microsoft are amazing, kind, talented individuals. This is aimed at the company's leadership, who I feel has on many occasions crushed myself and other developers under. It's a plea for help.

The source of truth for the 'open source' C#, C++, Rust, and other Windows SDKs is proprietary

You probably haven't heard of it before, but if you've ever used win32 API bindings in C#, C++, Rust, or other languages, odds are they were generated from a repository called microsoft/win32metadata.

@r2r-dev
r2r-dev / HOWTO.md
Last active April 5, 2022 16:07
quick and dirty lazy /nix/store

Create a lazy /nix/store filesystem using nixfs.py

  1. Grab static nix from https://hydra.nixos.org/build/170454219/download/1/nix and place in the same dir as py script
  2. Install fusepy (on nix: nix-shell -p python3Packages.fusepy)
  3. Ensure your /etc/fuse.conf contains user_allow_other
  4. Create workdirs: mkdir -p $(pwd)/{fakenix,workdir} && mkdir -p $(pwd)/fakenix/nix/store
  5. Mount our fs: python nixfs.py $(pwd)/fakenix $(pwd)/workdir
  6. Run some container image with workdir mounted: docker run -v $(pwd)/workdir/nix:/nix ubuntu:latest
  7. Try running some command, for example: /nix/store/pqpa3glx3iqd0cavslmr0lfkzgq1iias-cowsay-3.03+dfsg2/bin/cowsay thefuck?

@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@brendanzab
brendanzab / gist:d41c3ae485d66c07178749eaeeb9e5f7
Last active July 19, 2023 04:28
My personal list of Rust grievances (September 2021)

September 2022:

This has spread to a far wider audience than I had anticipated - probably my fault for using a title that is in hindsight catnip for link aggregators. I wrote this back in 2021 just as a bunch of personal thoughts of my experiences using Rust over the years (not always well thought through), and don't intend on trying to push them further, outside of personal experiments and projects.

Managing a living language is challenging and difficult work, and I am grateful for all the hard work that the Rust community and contributors put in given the difficult constraints they work within. Many of the things I listed below are not new, and there's been plenty of difficult discussions about many of them over the years, and some are being worked on or postponed, or rejected for various good reasons. For more thoughts, please see my comment below.

My personal list of Rust gr

@Zac-HD
Zac-HD / hypothesis-crosshair.md
Last active July 18, 2022 06:47
Notes for a project to combine property-based tests with SAT-solving, based on the Hypothesis and Crosshair libraries.

Hybrid concrete/symbolic testing

You’ve probably heard that "testing can be used to show the presence of bugs, but never to show their absence" - usually as an argument for formal methods like symbolic execution. On the other hand, testing is often easier and finds bugs in formally verified systems too. But why not use both?

Crosshair is an SMT-based symbolic execution tool for Python. Providing an interface or extension to check Hypothesis

@riobard
riobard / tcpdump.txt
Last active August 12, 2022 08:19
Poem lines broadcast by my ISP-provided fiber optical modem
# My ISP-provided fiber optical modem broadcasts a line of a poem every ten seconds. Here's the tcpdump of the complete poem.
# The optical modem is made by Shanghai Nokia-Bell Co.,Ltd and its model number is G-140W-UD. It's provided by my ISP, China Unicom in Shenzhen.
$ tcpdump -i vlan10 ether proto 0x8300
15:59:00.720301 00:00:00:00:00:12 (oui Ethernet) > Broadcast, ethertype Unknown (0x8300), length 72:
0x0000: 0000 0000 e4ea 8386 d93c 5468 6520 6461 .........<The.da
0x0010: 7920 4920 6c6f 7374 206d 7920 7665 7279 y.I.lost.my.very
0x0020: 2066 6972 7374 2074 6f6f 7468 2c00 0000 .first.tooth,...
0x0030: 0000 0000 0000 0000 0000 ..........
15:59:10.740778 00:00:00:00:00:12 (oui Ethernet) > Broadcast, ethertype Unknown (0x8300), length 72:
@geerlingguy
geerlingguy / nvidia-gt710-arm-pi-setup.sh
Last active April 14, 2024 16:26
Set up the Nvidia GeForce GT 710 on Raspberry Pi Compute Module 4
#!/bin/bash
# Attempt to set up the Nvidia GeForce GT 710 on a Pi CM4.
#
# I have tried both armv7l and aarch64 versions of the proprietary driver, in
# addition to the nouveau open source driver (which needs to be compiled into
# a custom Raspberry Pi kernel).
#
# tl;dr - None of the drivers worked :P
@zserge
zserge / kvm-host.c
Last active April 29, 2024 07:17
Tiny KVM host to at least partially run Linux kernel
#define _GNU_SOURCE
#include <asm/bootparam.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/kvm.h>
#include <linux/kvm_para.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
---
source: https://www.google.com/maps/d/viewer?mid=1Z1dI8hoBZSJNWFx2xr_MMxSxSxY&&ll=54.784654126394415%2C-8.91870626273581&z=3
last_update: Jul 23, 2019
contribute: http://bit.ly/2d13csJ
ios: http://apple.co/2b7BatI
android: http://bit.ly/2dDeaaN
how_to_update: 1. open the source in a browser
2. open browser console and type in `_pageData` to print the content of the variable
3. copy-paste all the content in a file
4. keep interesting lines with: `grep -e "name" -e "description" > new_file`