@pastecrypt link that will last a little while longer than my posts here do:
https://pastecry.pt/XHUxp0#Af8SuzYh2Er0Af5Hew8Pug4Tep

import argparse
import sys

from mastodon import Mastodon

# note: a token given with -t ends up in shell history and the process list
parser = argparse.ArgumentParser(description='simple mastodon poster with spoiler and reply args')
parser.add_argument('-t','--token', help='mastodon access token', required=True)
parser.add_argument('-u','--url', help='mastodon server url', required=True)
parser.add_argument('-s','--status', help='Text to post', required=True)
parser.add_argument('-r','--reply', help='id of post to make this post in reply to', required=False)
parser.add_argument('-c','--cw', help='CW text', required=False)
parser.add_argument('-i', '--image', help='Path to an image file to attach to post', action='append', required=False)
args = vars(parser.parse_args())

media_list = None
irt = None
cw = None

m = Mastodon(
    access_token = args['token'],
    api_base_url = args['url']
)

if args['reply']:
    irt = args['reply']
if args['cw']:
    cw = args['cw']
if args['image']:
    media_list = list()
    for i in args['image']:
        # upload each attachment first; the post references the returned media ids
        try:
            t = m.media_post(i)
        except Exception:
            print("oops lol wah wah")
            sys.exit(1)
        media_list.append(t['id'])

print(m.status_post(args['status'], in_reply_to_id=irt, spoiler_text=cw, media_ids=media_list))

import json

import mastodon
from mastodon import Mastodon

class StreamListener(mastodon.StreamListener):
    # called for every new status on the stream; print only posts from one account
    def on_update(self, status):
        if status['account']['acct'] == "0x00string@infosec.exchange":
            print(json.dumps(status, indent=4, sort_keys=True, default=str))

m = Mastodon(
    access_token = "",
    api_base_url = "https://<server>"
)
listener = StreamListener()
m.stream_public(listener) # no creds required for public timeline
#m.stream_local(listener)
#m.stream_user(listener)
#m.stream_hashtag("hiddenhashtags", listener) # tag is passed without the leading '#'

import re

import youtube_dl
from mastodon import Mastodon

def dv(u):
    # youtube_dl options: best quality, keep metadata, skip anything already in archive.txt
    o = {
        'format': 'bestvideo+bestaudio',
        'no_color': True,
        'nooverwrites': True,
        'restrictfilenames': True,
        'call_home': False,
        'writedescription': True,
        'writeinfojson': True,
        'ignoreerrors': True,
        'continuedl': True,
        'download_archive': "archive.txt",
    }
    with youtube_dl.YoutubeDL(o) as ydl:
        ydl.download([u])

m = Mastodon(
    access_token = '',
    api_base_url = 'https://infosec.exchange'
)
n = m.notifications(exclude_types=["follow", "favourite", "reblog", "poll", "follow_request"])
for a in n:
    try:
        dv(re.search(r'https://youtube\.com/watch\?v=.{11}', a['status']['content']).group())
    except Exception:
        # no status on this notification, or no matching link in it
        continue

curl --header "Authorization: Bearer <your_token>" -sS "https://<your_instance>/api/v1/statuses" -X POST -d "status=<your post>"
curl -X GET -sS "https://infosec.exchange/api/v1/streaming/public"
curl -X GET --header "Authorization: Bearer <token>" -sS "https://<server>/api/v1/streaming/public"
on servers that support glitch-soc, you can use markdown in web by setting it in preferences, or via the api by including the content_type='text/markdown' argument when posting.
with markdown posts, hashtags can be hidden by formatting as a blank link, like so:
elsewhere, these hashtags will appear as the plain text deception and tomfoolery they truly are.
also you can do things like [](@everyone) lol
curl -X POST -d "status=lol [](#hiddenHashtags)&content_type=text/markdown" --header "Authorization: Bearer <token>" -sS "https://<server>/api/v1/statuses"
(this seems to have stopped working on infosec.exchange after 11/9/2022 - URLs containing "@" no longer seem to elicit requests from infosec.exchange, but still do from a great many other servers.)
because of a fun little discrepancy between how a URL containing a username and "@" symbol is handled by the backend code which verifies links and by the frontend code which displays them, links with looooooooong stretches of unicode spaces will result in a nearly empty div after some other text.
a URL such as: hxxps://whitehouse.gov actual.domain.hosting.a.page.with.your.verification.link.com
would appear like: whitehouse. com ...
and be verified (this part no longer true) which is super cute
the characters which work for this include: 0xa0, 0x200e, 0x2002, 0x2003, 0x2004, 0x2005, 0x2006, 0x2007
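A server-side check for the verify/display mismatch described above, as an added example that is not part of the original post: it flags profile links that carry a userinfo part or any space-like or invisible code point before the link is verified or rendered. The helper name `link_problems` and the `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Code points the post lists as working for the padding trick.
PADDING = {0x00A0, 0x200E, 0x2002, 0x2003, 0x2004, 0x2005, 0x2006, 0x2007}


def link_problems(url):
    """Return reasons a profile link should not be verified or shown as-is.

    Hypothetical helper (not Mastodon code). An empty list means the
    link passed these checks.
    """
    problems = []
    decoded = unquote(url)  # catch percent-encoded padding as well
    if any(ord(ch) in PADDING or ch.isspace() for ch in decoded):
        problems.append("space-like or invisible characters")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return problems + ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is not http(s)")
    # Everything before '@' in the authority is userinfo. The host that is
    # actually contacted comes after it, so the leading text misleads readers.
    if "@" in parts.netloc:
        problems.append("userinfo present; real host is %r" % host)
    return problems


if __name__ == "__main__":
    # Constructed samples: a normal profile link and a padded one.
    samples = [
        "https://social.example/@alice",
        "https://trusted.example" + "\u2003" * 40 + "@other.example/",
    ]
    for s in samples:
        print(repr(s[:40]), "->", link_problems(s) or "ok")
```

Rejecting such links outright is simpler than trying to make the verifier and the renderer agree on how to display them.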
you can also obviously just get a verified check for any URL of a working reflected XSS, like this one: hxxps://xss-game.appspot.com/level1/frame?query=%3Ca%20rel=%22me%22%20href=%22https://YOURSERVER/@YOURUSERNAME%22%3Elol,%20mastodon%3C/a%3E
another fun thing about this is that, because all the servers which host someone who follows your account have to fetch your bio URLs for verification, you can do a cute little DDoS attack by pointing URLs in your bio at a target host and then just repeatedly updating the bio, which can be easily automated. you can scale the amplification by making accounts on as many servers as can be found, having each of the accounts follow each other, and then running the bio update script on each of them.
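One way a fetching server can limit its own share of that traffic, as an added example that is not part of the original post and not Mastodon's code: repeat checks of an unchanged link are skipped during a cooldown, and all verification fetches aimed at one destination host share a small budget. The class name and the limit values are assumptions.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class VerificationThrottle:
    """Decide whether an outbound rel="me" verification fetch may run.

    Hypothetical design; the default limits are assumed values.
    """

    def __init__(self, per_link_cooldown=3600, host_limit=5, host_window=60,
                 clock=time.monotonic):
        self.per_link_cooldown = per_link_cooldown  # seconds between re-checks of one link
        self.host_limit = host_limit                # max fetches per destination host...
        self.host_window = host_window              # ...within this many seconds
        self.clock = clock
        self._last_check = {}                       # (account, url) -> time of last fetch
        self._host_hits = defaultdict(deque)        # host -> times of recent fetches

    def allow(self, account, url):
        now = self.clock()
        host = urlsplit(url).hostname or ""
        key = (account, url)
        # 1. A bio edit that re-submits the same link triggers no new fetch.
        last = self._last_check.get(key)
        if last is not None and now - last < self.per_link_cooldown:
            return False
        # 2. Many accounts or many distinct URLs aimed at one host share a budget.
        hits = self._host_hits[host]
        while hits and now - hits[0] >= self.host_window:
            hits.popleft()
        if len(hits) >= self.host_limit:
            return False
        hits.append(now)
        self._last_check[key] = now
        return True
```

A link that is denied keeps its previous verification state and is checked again on a later edit, so ordinary profile changes are unaffected.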
due to a lack of constraints on what titles can be given to an API application, you can create an API application titled "Web" and post from this API but appear, by all indications in the webapp and various mobile apps, to be posting from the webapp.
these servers allow you to disclose or not if your account is automated, so this isn't that big a deal, but it is fun
#m #hiddenhashtags #thishashtagwillappearinsearchesbutnotinposttextonglitchsocservers

import json

import mastodon
from mastodon import Mastodon

class StreamListener(mastodon.StreamListener):
    # called for every new status on the stream; dump each one as JSON
    def on_update(self, status):
        print(json.dumps(status, indent=4, sort_keys=True, default=str))

m = Mastodon(
    access_token = "",
    api_base_url = "https://<server>"
)
listener = StreamListener()
m.stream_public(listener) # no creds required for public timeline
#m.stream_local(listener)
#m.stream_user(listener)
#m.stream_hashtag("hiddenhashtags", listener) # tag is passed without the leading '#'

#m #hiddenhashtags #mastodon #lurking #python #bots
man that defcon mastodon been coming soon a while now