- Syscalls in x32 and x64
- Gdb/Gef
- Radare2
- Metasploit shortcut
- VIM shortcut
- Tmux shortcut
- Mariadb commands
- Elasticsearch API request
- Additional resources
Syscalls in x32 and x64
x86_32
+---------+------+------+------+------+------+------+
| syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 |
+---------+------+------+------+------+------+------+
| %eax | %ebx | %ecx | %edx | %esi | %edi | %ebp |
+---------+------+------+------+------+------+------+
Payload layout: offset_padding + system_addr + 4_bytes_padding + print_flag_cmd
x86_64
+---------+------+------+------+------+------+------+
| syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 |
+---------+------+------+------+------+------+------+
| %rax | %rdi | %rsi | %rdx | %r10 | %r8 | %r9 |
+---------+------+------+------+------+------+------+
Payload layout: offset_padding + pop_rdi_gadget + print_flag_cmd + system_addr
Gdb/Gef
b main :Break at main
start :Start and break at the entry point
r :Run
vmmap :Show memory layout
info functions :List functions
disassemble <function> :Show the disassembly of a function
i r :Print registers (not really necessary with gef)
x/20x $sp :Dump the stack starting at $sp
telescope $esp l30 :Dump 30 stack entries starting at $esp, dereferencing pointers
x/4i $pc :Dump 4 instructions starting at $pc
b *0x00 :Break at 0x00
pattern create 200 :Create a cyclic pattern of 200 bytes
pattern search xxx :Search for the pattern xxx
pattern offset :Get the offset based on the value of RSP/ESP
r < input :Run with the payload in file input fed to stdin
#python2 -c 'import struct;print "A"*40 + struct.pack("Q",0x400883)+struct.pack("Q",0x601060)+struct.pack("Q",0x4005e0)' > input
#python2 -c 'from pwn import *;print("A" * 40 + p64(0x0400883) + p64(0x00601060) + p64(0x00400810))' > input
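What `pattern create` and `pattern offset` do under the hood, as an added example (not code from the page or from GEF): a de Bruijn sequence over lowercase letters where every 4-byte window is unique, so the register value seen at a crash maps back to exactly one offset in the input. The crash value below is constructed from the pattern itself rather than taken from a real debugging session.

```python
from itertools import islice
from typing import Iterator, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # lowercase letters, like GEF's pattern
SUBSEQ_LEN = 4                            # every 4-byte window of the pattern is unique


def _de_bruijn(alphabet: str, n: int) -> Iterator[str]:
    """Yield the de Bruijn sequence B(k, n) one character at a time (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length: int) -> str:
    """Equivalent of `pattern create LENGTH`: the first LENGTH bytes of the cyclic pattern."""
    return "".join(islice(_de_bruijn(ALPHABET, SUBSEQ_LEN), length))


def pattern_offset(value: int, pattern: str, width: int) -> Optional[int]:
    """Equivalent of `pattern offset` / `pattern search`: given the register value observed
    at the crash (e.g. what $rsp or $eip holds) and the pointer width in bytes, return the
    byte offset into the pattern that landed there, or None if it is not pattern data.
    Both byte orders are tried, as GEF does."""
    for order in ("little", "big"):
        try:
            chunk = value.to_bytes(width, order).decode("ascii")
        except (OverflowError, UnicodeDecodeError):
            continue
        idx = pattern.find(chunk)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    pat = pattern_create(200)
    print(pat)
    # Constructed crash value (hypothetical): pretend pattern bytes 40..47 overwrote the
    # saved return address, so $rsp in GEF would show this little-endian value.
    crashed_rsp = int.from_bytes(pat[40:48].encode(), "little")
    print(hex(crashed_rsp), "->", pattern_offset(crashed_rsp, pat, 8))
```

Because the windows are unique, a crash that shows non-pattern bytes in the register (None above) tells you the overflow did not reach that register yet, which is as useful during crash triage as a hit.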
Radare2
aaaa :Analyse the binary
afl :List all functions
aflj :List all functions in Json
aflj~{} :List all functions in JSON with better formatting
afl~exec :List all functions containing "exec" (~ is radare2's internal grep)
pdf @ function :Show the function
izz :Show strings
izz~FLAG :Show strings containing "FLAG"
axt 0x0000 :Show cross-reference of the address 0x0000
/a pop rdi, ret :Search for gadget pop rdi, ret
rabin2 -i <binary> :List imported functions of a binary
rabin2 -I <binary> :List protections and info about a binary
rabin2 -qs <binary> | grep -ve imp -e ' 0 ' :List functions (symbols) in a binary in an easier format
rabin2 -z <binary> :List strings in a binary
Metasploit shortcut
Updates
searchsploit -u
apt update ; apt install metasploit-framework
Searchsploit
searchsploit -m :copy (mirror) exploit into the current directory
searchsploit -e :examine exploit
searchsploit -p :print full path
Load exploit to msf
msf > loadpath /usr/share/metasploit-framework/modules/
or
mv exploit.rb ~/.msf4/modules/exploits/<category>/exploit.rb and msf > reload_all
sessions -l :list sessions
VIM shortcut
vimtutor :vim tutorial
http://vim-adventures.com :vim tutorial
gg :beginning of the document
G :end of the document
dd :delete line
yy :copy line
p :paste
u :undo
. :repeat last command
SHIFT-A :append
gg dG :delete all
gg"+yG :yank all lines into the system clipboard
:%y+ :yank all lines into the system clipboard (shorter)
:%! :filter the buffer through a shell command (like "sort -u")
:%s/pattern_to_search/replace/gc :replace text with confirmation
:s/pattern_to_search/replace/g :replace on the current line
:%!xargs -I{} sh -c 'echo {} | base64 -d' :run base64 -d on each line
|vim - :send output to vim buffer
:tabf :open new file in a tab
:tabnew :opening a new tab
gt :move to next tab
:w !sudo tee % :save file when sudo was forgotten
Tmux shortcut
tmux attach-session : recover last session
Ctrl + b c :Create window
Ctrl + b , :Rename current window
Ctrl + b % :Split pane vertically
Ctrl + b " :Split pane horizontally
Ctrl + b z :Toggle pane zoom
Ctrl + b ! :Convert pane into a window
Ctrl + b x :Close current pane
Ctrl + b [ :Enter copy mode
Ctrl + s :Search (press Enter to validate and n for next match)
Ctrl + space :Start selecting
Ctrl + w :Copy selection
Ctrl + b ] :Paste the selection
q :Quit copy mode
/ :Search forward (Ctrl + s if vi mode is not enabled)
? :Search backward
n :Next keyword occurrence
N :Previous keyword occurrence
Spacebar :Start selection
Esc :Clear selection
Enter :Copy selection
Ctrl + b ] :Paste contents of buffer_0
Mariadb commands
mysql -u root -p :login
show databases; :show databases
use elk; :select a database
show tables; :show tables
select * from alerts; :show content of alert tables
show columns from elk.alerts; :show columns of the table alerts in the database elk
Setting up mariadb and root password
------------------------------------
sudo apt install mariadb-server
sudo mysql -u root
#mysql commands:
use mysql;
update user set plugin='' where User='root';
flush privileges;
exit
#back to bash:
sudo systemctl restart mariadb.service
sudo mysql_secure_installation
#Python
mycursor.execute("CREATE DATABASE IF NOT EXISTS elk")
mycursor.execute("CREATE TABLE IF NOT EXISTS alerts (id INT PRIMARY KEY, username VARCHAR(255), tags VARCHAR(255), url VARCHAR(255))")
mycursor.execute("INSERT IGNORE INTO alerts (id,username,tags,url) VALUES (%s,%s,%s,%s)", (ID, username, hashtags, link)) #IGNORE skips the error generated by a duplicate entry
mycursor.execute("SELECT first_name,last_name FROM employees WHERE first_name=%s", (some_name,)) #always pass values as parameters, never format them into the SQL string
#https://mariadb.com/resources/blog/how-to-connect-python-programs-to-mariadb/
mariadb_connection.commit() #don't forget to commit!
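Why the `%s` parameters above matter, as an added example (not from the page or the MariaDB blog post): the same lookup written by pasting the name into the SQL string beside the parameterized form, run against a constructed in-memory table. It uses Python's built-in sqlite3 as a stand-in for the mariadb connector so it runs without a server; both follow DB-API 2.0, the only differences being sqlite's `?` placeholder instead of `%s` and `INSERT OR IGNORE` instead of `INSERT IGNORE`.

```python
import sqlite3

# Constructed sample rows, not real data.
EMPLOYEES = [("alice", "smith"), ("bob", "jones"), ("carol", "white")]


def setup_db() -> sqlite3.Connection:
    """Create the employees and alerts tables (same shape as in the notes) in memory."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE IF NOT EXISTS employees (first_name VARCHAR(255), last_name VARCHAR(255))")
    cur.executemany("INSERT INTO employees (first_name, last_name) VALUES (?, ?)", EMPLOYEES)
    cur.execute("CREATE TABLE IF NOT EXISTS alerts (id INT PRIMARY KEY, username VARCHAR(255), "
                "tags VARCHAR(255), url VARCHAR(255))")
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, some_name: str) -> list:
    """Vulnerable form: the value is spliced into the SQL text, so a quote character
    in it changes the structure of the query instead of being compared as data."""
    sql = "SELECT first_name, last_name FROM employees WHERE first_name='%s'" % some_name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, some_name: str) -> list:
    """Hardened form: the driver sends the value separately from the SQL text,
    so it is never parsed as SQL (this is what the %s tuple does with mariadb)."""
    return conn.execute(
        "SELECT first_name, last_name FROM employees WHERE first_name=?", (some_name,)
    ).fetchall()


def insert_alert(conn: sqlite3.Connection, alert_id: int, username: str, tags: str, url: str) -> int:
    """INSERT OR IGNORE is sqlite's spelling of MariaDB's INSERT IGNORE: a duplicate
    primary key is silently skipped instead of raising. Returns the row count after commit."""
    conn.execute(
        "INSERT OR IGNORE INTO alerts (id, username, tags, url) VALUES (?, ?, ?, ?)",
        (alert_id, username, tags, url),
    )
    conn.commit()  # nothing is persisted until commit, as the note above says
    return conn.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


if __name__ == "__main__":
    conn = setup_db()
    evil = "' OR '1'='1"  # constructed input containing a quote
    print("unsafe:", lookup_unsafe(conn, evil))  # every row comes back
    print("safe:  ", lookup_safe(conn, evil))    # no employee is literally named that
    print("rows after duplicate insert:", insert_alert(conn, 1, "u", "t", "http://example.invalid"),
          insert_alert(conn, 1, "u", "t", "http://example.invalid"))
```

The unsafe lookup returns the whole table for the quoted input because the WHERE clause becomes `first_name='' OR '1'='1'`; the parameterized lookup returns nothing because the quote stays inside the compared value.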
Elasticsearch API request
curl -X DELETE "localhost:9200/twinttweets?pretty" :delete index
curl -X PUT "localhost:9200/twinttweets?pretty" :create index
curl -X GET "localhost:9200/twinttweets/_mapping?pretty" :show mappings
curl -X GET "localhost:9200/twinttweets/_search?pretty" -H 'Content-Type: application/json' -d'
{
"from" : 0, "size" : 10,
"query" : {
"term" : { "username" : "mushi-mushi" }
}
}
' 2>/dev/null |jq
Additional resources
Gdb/Gef
- gef.readthedocs.io
- github.com/hugsy/
- Cheat Sheet
Radare2
Elasticsearch API
Mariadb
Vim
- Vim Cheat Sheet
- Vim Dot File
- Vim Adventures
- Vim Screencast