🏠
on SourceHut sr.ht I do not push to github

CF_ReK2 r3k2

  • CyberSecurity, Hacker, Pentester, DevSecOps
  • Barcelona, Madrid, San Francisco, Boston, CyberSpace
.... there is more before this... but too big.
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.818:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.819:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))
104965.819:02f8:0304:trace:seh:NtQueryInformationThread (0x8c,0,0xb9e1e0,30,(nil))

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it

Recon

Unicornscan from the CLI; nmap from inside msfconsole so the results (loot) are stored in the Metasploit database.

Installing Arch:
Edit the repository configuration: sudo vim /etc/pacman.conf
Update the package list: sudo pacman -Syy
Run sudo pacman -Syu before installing any software (to update the repositories first)
* Timing issue:
- Change the hardware clock to use UTC time:
sudo timedatectl set-local-rtc 0
# for background in 16 color terminal, valid background colors include:
# base03, bg, black, any of the non brights
# style notes:
# when bg=235, that's a highlighted message
# normal bg=233
# basic colors ---------------------------------------------------------
# color normal brightyellow default
color error color196 color235 # message line error text
r3k2 / SuperGoBuster.sh
Last active June 9, 2018 13:30
SuperGoBuster
#!/bin/bash
set -eu
# Target URL is the only argument; abort with a usage message if it is missing
URL=${1:?usage: $0 <url>}
# Wordlists: SecLists web-content lists plus the dirbuster medium list
SECLIST="${HOME}/herramientas/diccionarios/SecLists/Discovery/Web_Content"
MIDDIR="/usr/share/dirbuster/directory-list-2.3-medium.txt"
declare -a FILES=("tomcat.txt" "nginx.txt" "apache.txt" "Top1000-RobotsDisallowed.txt" "ApacheTomcat.fuzz.txt" "sharepoint.txt" "iis.txt")
# Comma-separated extension list, as expected by gobuster -x
EXTENSIONS=("txt,php,doc,docx")
GOB="/bin/gobuster"
# All results are written under a directory named after the target
OUTPUT="${URL}-results"
r3k2 / mandros.py
Created June 5, 2018 20:49 — forked from xassiz/mandros.py
Reverse MSSQL shell
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''
This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
into a Remote Command Execution:
NOTE: It relies on the PHP expect module being loaded
(see http://de.php.net/manual/en/book.expect.php)
joern@vbox-1:/tmp$ cat /var/www/server.php
<?
require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php");
Zend_Loader_Autoloader::getInstance();

Keybase proof

I hereby claim:

  • I am rek2fernandez on github.
  • I am cfernandez (https://keybase.io/cfernandez) on keybase.
  • I have a public key ASDB2t5UcZyFOJ7JllgzK85TEJfktBx0ibpsCrPs6aacGQo

To claim this, I am signing this object:

r3k2 / StegBrute.rb
Last active November 22, 2017 11:21
Brute force steganography passwords
#!/usr/bin/env ruby
# Hispgatos
# by ReK2, Fernandez Chris
# https://keybase.io/cfernandez
# Bruteforce password-protected documents hidden inside images
# add your dictionary below to the dic variable
# of course you need to have steghide installed
require 'open3'
r3k2 / Efficient Encrypted UEFI-Booting Arch Installation
Created February 10, 2017 09:11 — forked from HardenedArray/Efficient Encrypted UEFI-Booting Arch Installation
An efficient method to install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Multi-OS UEFI booting is also supported.
# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.
# Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example: