Skip to content

Instantly share code, notes, and snippets.

@markwh245
markwh245 / github_onplatform.md
Created August 27, 2020 10:22 — forked from EdOverflow/github_onplatform.md
My basic workflow when using GitHub for recon purposes.

On-platform GitHub Reconnaissance

Note: Please keep in mind, that all of this does not work if you are not signed in to GitHub.

When searching for issues related to a target I often like to quickly look up their GitHub organization on Google.

So let's say Gratipay says nothing about being open source. A quick Google "Gratipay GitHub" should return Gratipay's org page on GitHub.

Then from there I am going to check what repos actually belong to the org and which are forked. You can do this by selecting the Type: dropdown on the right hand side of the page.

@markwh245
markwh245 / all.txt
Created August 21, 2020 19:00 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@markwh245
markwh245 / alert.js
Created March 5, 2020 18:15 — forked from tomnomnom/alert.js
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
#!/bin/sh
while read -r domain
do
# Remember. Account for the fact that some sites don't exist on HTTP
# And others don't exist on HTTPS. Prune later.
curl -I "https://$domain" --max-time 3 -H "Origin: https://$domain.evil.com" | ./respirator&
curl -I "http://$domain" --max-time 3 -H "Origin: http://$domain.evil.com" | ./respirator&
done < "top1mdomains"
@markwh245
markwh245 / setuid-root-backdoor.md
Created February 13, 2020 14:01 — forked from dergachev/setuid-root-backdoor.md
How to use setuid to install a root backdoor.

Why You Can't Un-Root a Compromised Machine

Let's say somebody temporarily got root access to your system, whether because you "temporarily" gave them sudo rights, they guessed your password, or any other way. Even if you can disable their original method of accessing root, there's an infinite number of dirty tricks they can use to easily get it back in the future.

While the obvious tricks are easy to spot, like adding an entry to /root/.ssh/authorized_keys, or creating a new user, potentially via running malware, or via a cron job. I recently came across a rather subtle one that doesn't require changing any code, but instead exploits a standard feature of Linux user permissions system called setuid to subtly allow them to execute a root shell from any user account from the system (including www-data, which you might not even know if compromised).

If the "setuid bit" (or flag, or permission mode) is set for executable, the operating system will run not as the cur

@markwh245
markwh245 / apt-security-check
Created March 7, 2019 13:45 — forked from thesp0nge/apt-security-check
A slightly hacked version of apt-check that takes care only about security packages that need an update.
#!/usr/bin/python3
#
# apt-security-check - [email protected]
#
# A slightly hacked version of apt-check that takes care only about security
# packages that need an update.
#
# Tested on Ubuntu 16.04.5 LTS, 18.04.1 LTS