kawing-ho

kawing-ho / axiom-spawn.sh
Created March 1, 2023 09:21
Spawn 100 boxes, 10 for each region, change prefix to whatever as needed
#!/bin/bash
# sleep time between box spawn
#SLEEP=1 #debug lol
SLEEP=60
# spawn 100 instances, 10 in each region
for region in nyc1 nyc3 ams3 sfo3 sgp1 lon1 fra1 tor1 blr1 syd1
do
echo "" && echo "[Spawning 10 boxes in $region]" && echo ""
kawing-ho / aem-list.txt
Created July 15, 2021 23:08
by @z0idsec
///bin///wcm///search///gql.json?query=type:base%20limit:..1&pathPrefix=
/security/.5..json?debug=layout
/online/.-1..json
/bin/querybuilder.json.css?path=/home/&p.limit=8
/bin/querybuilder.json?path=/libs/
/bin/querybuilder.json?path=/content
/bin/querybuilder.json?path=/content/test/test/en_nz/security/
/bin/querybuilder.json?path=/crx/&p.hits=full&p.limit=50
/bin/querybuilder.json?path=/home&p.hits=full&p.limit=-1
/bin/querybuilder.json?fulltext=admin&p.limit=30
kawing-ho / wordlist.txt
Last active April 14, 2021 00:20
Wordlist for interesting files/dirs discovered while on client jobs / bountying
/wps/portal
/elmah.axd
/test/php/test.html
/phpmyadmin/setup/
kawing-ho / twilio_alerter.py
Last active June 18, 2019 05:34
Takes in a message from stdin and SMS'es it to the specified phone number via Twilio (trial)
#!/usr/bin/env python3
# some libraries that you might need to pip install
from twilio.rest import Client
from requests import get as reget
from os import environ as env
from os import path
from sys import exit as sysexit
from sys import stdin
kawing-ho / vim-color-list
Last active February 5, 2019 01:43
List of vim colorschemes that I like (LIGHT THEME)
donttouchme
miko
murphy
mayansmoke (similar to Tomorrow)
messy
madeofcode
getafe
cherryblosssom (json)
lakers_away
vice
kawing-ho / writeup.pdf
Last active October 28, 2018 06:42
picoCTF 2018 -- Forensics Triple Combo (I got too lazy to do the others as they were "trivial")
kawing-ho / picoCTF2018 - Flaskcards.md
Last active October 12, 2018 12:43
Solutions to a series of web challenges of increasing difficulty surrounding Flask vulnerabilities

Summary / TL;DR

I played in picoCTF again this year, and I think I performed a lot better than I did last year, especially in web. I wanted to share this writeup because I think I did a good job being the 75th person (out of like 5000 other players) to solve the final part of this series of web challenges.

  1. Flaskcards (350 pts)
  2. Flaskcards Skeleton Key (600 pts)
  3. Flaskcards and Freedom [Highest point web challenge] (900 points)

Flaskcards

kawing-ho / upload.php
Last active October 6, 2018 10:45
Arguments: [Path to an image file]      Returns: [ URL to image ]
#!/usr/bin/php
<?php /* install php and php-curl */
if($argc != 2) {
fwrite(STDERR, "Usage: ".$argv[0]." <path to image>\n");
die();
}
$image = $argv[1];
if(! file_exists($image)) { fwrite(STDERR, "Not an image!\n"); die(); }
kawing-ho / link_collector.py
Created August 26, 2018 00:49
Example of using selenium webdriver + headless chrome to scrape links from dynamic-content pages