
Chris Elgee chriselgee

  • Maine
@chriselgee
chriselgee / OneLiners.sh
Last active June 7, 2024 17:47
Useful One-Liners
# Find a Linux executable named python3 under /usr (file + grep ELF keeps only real binaries, skipping symlinks and wrapper scripts)
find /usr -name python3 -exec file {} \; | grep ELF
# Loop over a set of numbers (pings 192.168.1.1 through 192.168.1.255 once each)
for i in {1..255}; do sudo /usr/bin/ping -c1 192.168.1.$i; done
# Loop over lines in a file; write to a file (resolves hostnames to IP addresses; -r and quoting keep backslashes and spaces intact)
while read -r f; do dig A "$f" +short; done < hosts.txt > ips.txt
# Loop over files ending in txt in your current directory (counts lines in each file)
for f in *.txt; do wc -l "$f"; done
chriselgee / pyslicing.txt
Created January 2, 2024 18:12
Python String Slicing
>>> "THIS is what I want"[:4]
'THIS'
>>> "THIS is what I don't want"[4:]
" is what I don't want"
>>> "I do not want THIS"[:-4]
'I do not want '
>>> "I only want THIS"[-4:]
'THIS'
# SSH Callback Service
# Replace HOSTNAME with the VPS you're connecting to
# Replace USERNAME with your user on the VPS
# Replace LOCALUSER (or the whole path) so that it points to the private key for USERNAME on HOSTNAME
# Usage:
# - Try the SSH manually first, as the root user, so the VPS can be added to the known_hosts file
# - `systemctl enable callback.service`, `systemctl start callback.service`
# - SSH to the VPS from your system, and `ssh USER@127.0.0.1 -p22000 -i KEYNAME`, where USER is a user on the distant system and KEYNAME is an accepted key for that user
# Troubleshooting:
# - Ensure "GatewayPorts" is set to "Yes" in /etc/ssh/sshd_config on the VPS
chriselgee / AlternateDataStreams.md
Last active September 7, 2024 10:42
Finding and reading alternate data streams (ADS) with PowerShell on an NTFS partition

To find all streams within file.txt: Get-Item .\file.txt -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\file.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\
PSChildName   : file.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\file.txt
chriselgee / ToolSyntaxWithIPv6.md
Last active July 16, 2024 20:18
Tool Syntax with IPv6

Some tools allow or even require -6 as a command-line option, and curl requires an IPv6 address to be wrapped in [] (square brackets). Also, for link-local addresses, you usually have to specify the local interface you want to use (the %eth0 zone suffix or an interface flag below).

  • ping 2001:7b8:666:ffff::1:42 -I eth0
  • nmap -6 2001:7b8:666:ffff::1:42%eth0
  • curl http://[2001:7b8:666:ffff::1:42]:8080/ --interface eth0
  • wget http://[2001:7b8:666:ffff::1:42]:8080/
  • telnet -6 2001:7b8:666:ffff::1:42
  • nc -6 2001:7b8:666:ffff::1:42%eth0 23

Want to find link local addresses for systems in your network segment? Try hitting local hosts and routers with these multicast addresses:

chriselgee / DecodingFlaskCookies.md
Last active October 14, 2023 01:23
Decoding Flask Cookies with Python and Cyber Chef

Flask session cookies, when stored client-side, are .-delimited, often zlib-deflated, and Base64-encoded with _ substituted for / and - substituted for + (URL-safe encoding).

Let's take an example cookie from https://snowball2.kringlecastle.com/:

.eJy1kT8PgjAQxb9L5w7UIv9mNJoYB3UjDI1WJQE0IENj_O6WZxFQYhw0l7z23l1yvV-vJEz2-2RbpRdFAouSSS4ztRDqVF1IEEUWfYuYapf90WXdgDv8BqvX23WHe_tubHZdH5NzWa8aPaaNoBxqQ8da9aFPH5kHdaGOqXBkNnQMz0WHqztqbTyOzI7r8dMikfku_YJ2E_1Nf0v71W1ndml_dj_SbtZtgQ-jppFjgHsGF4f3QMxRYYDLAJcZuC3-9mNcfJajtX7BpipyEpBzKpQsCDWXeai9WXU4rkRenrKwUOVOpPJZX4pM6g7f9rjv-CNObncEAMTx.YaTaAA.SGRJEzFnk9BCtFwX-SmuSHrKofM

We can take the first piece (ignoring the signature) and store it as a variable in python3:

chriselgee / E-PS_Outside.ps1
Last active July 16, 2024 20:17
Enter-PSSession from outside a domain
# Tell the attack machine to trust these hosts on a foreign domain (WinRM will otherwise refuse non-domain targets)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "ws01.example.com,sql02.example.com"
# Enter the credentials to use when connecting
$username = "example.com\compromisedAdmin"
$pass = "Luggage=12345"
$fancypass = ConvertTo-SecureString $pass -AsPlainText -Force
$dacred = New-Object System.Management.Automation.PSCredential ($username, $fancypass)
# Connect!
Enter-PSSession -ComputerName ws01.example.com -Credential $dacred

Typing special characters:

  • In Windows, the simplest way to type special characters is with the Character Map, or charmap.exe. Scroll through, double-click the symbol you need (say, °), click Copy, and you can Paste it into your application. Notice, though, that while it's selected there are codes at the bottom. On the left is the Unicode code point, U+00B0. This means the system stores the degree character as the hex bytes 00 and B0. (Who cares? We'll come back to it.) On the right, you see Alt-0176. This means that when NumLock is turned on, you can hold Alt and type 0176 on the number pad to get a degree symbol.
  • In Linux, we need that Unicode code point. Press Ctrl-Shift-U, then type 00B0 and hit Enter or Space. The ° appears!

If you need to type something you haven't found in charmap, you can Google it. The lobster emoji, for example, is apparently U+1F99E. So, on my Linux system, I hit Ctrl-Shift-U, enter the code, and get 🦞!

Want to type a lobster in Win 10? If you're up-to-date on p

chriselgee / Typer.ahk
Created November 3, 2019 19:55
AutoHotkey Typer Script
; Sends user-entered text to most recently used program -LTLG, 27JUN06
; Disables the little "H" systray icon while program runs
#NoTrayIcon
; Allows more than one copy to run at once
#SingleInstance, OFF
Gui, Add, Edit, x16 y50 w370 h70 vTextFodder,
Gui, Add, Text, x206 y120 w40 h20 , Times:
Gui, Add, Button, x276 y120 w110 h30 Default, &Giddyup!