
Chris Gates carnal0wnage

View gist:606c41ac6ec40bf5c69d4db96d9312e3
From: http://redteams.net/bookshelf/
Techie
Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp.
Social Engineering: The Art of Human Hacking by Christopher Hadnagy
Practical Lock Picking: A Physical Penetration Tester's Training Guide by Deviant Ollam
The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
Hacking: The Art of Exploitation by Jon Erickson and Hacking Exposed by Stuart McClure and others.
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Fyodor
The Shellcoder's Handbook: Discovering and Exploiting Security Holes by several authors
@carnal0wnage
carnal0wnage / gcp_enum.sh
Last active Mar 1, 2021
use the gcloud utilities to enumerate as much access as possible from a GCP service account json file. see blog post: <to insert>
# gcloud auth activate-service-account --key-file=85.json
# gcloud projects list
project="my-project"
space=""
echo "gcloud auth list"
gcloud auth list
echo -e "$space"
View CVE-2017-5638.sh
#!/bin/bash
#
# Poc
#
# ./CVE-2017-5638.sh 192.168.9.3
#
# by f0r34chb3t4 - Qui Abr 12 21:00:24 -03 2018
#
# CVE-2017-5638
# Apache Struts 2 Vulnerability Remote Code Execution
@carnal0wnage
carnal0wnage / kubelet-api.md
Created Feb 21, 2021 — forked from lizrice/kubelet-api.md
Checking Kubelet API access

Accessing Kubelet API

curl -sk https://localhost:10250/pods/
  • If --anonymous-auth is turned off, you will see a 401 Unauthorized response.
  • If --anonymous-auth is true and --authorization-mode is Webhook, you'll see a 403 Forbidden response with the message Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
  • If --anonymous-auth is true and --authorization-mode is AlwaysAllow you'll see a list of pods.
@carnal0wnage
carnal0wnage / kubelet-find.sh
Created Jan 8, 2019
bash script to open a file of IPs and look for an unsecured k8s API (10250)
for a in $(cat kube-gke.txt); do
echo $a;
curl --insecure "https://$a:10250/runningpods";
echo "";
echo "";
done
@carnal0wnage
carnal0wnage / python_email.py
Created Jun 21, 2016 — forked from srv89/python_email.py
Python code for sending HTML email (Attachment + Multiple Recipients )
__author__ = 'srv'
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication
username = '' # Email Address from the email you want to send an email
password = '' # Password
server = smtplib.SMTP('')
@carnal0wnage
carnal0wnage / CVE-2020-10148.py
Created Dec 29, 2020 — forked from 0xsha/Solarwinds_Orion_LFD.py
CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
# @0xSha
# (C) 2020 0xSha.io
# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464
# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules
@carnal0wnage
carnal0wnage / DevOOPS: Attacks And Defenses For DevOps Toolchains Talk Links
Last active Nov 5, 2020
Links from Chris Gates/Ken Johnson DevOOPS RSA 17 presentation
@carnal0wnage
carnal0wnage / auto_git_query
Created Sep 1, 2020 — forked from nullenc0de/auto_git_query
Automated Github Queries (Can open 29 tabs at a time)
https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code
https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code
https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code
https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code
https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code
https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code
https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI