ricardojba

{
	"queries": [{
			"name": "--https://github.com/ZephrFish/Bloodhound-CustomQueries/--",
			"queryList": [{
				"final": true,
				"query": ""
			}]
		},
		{
			"name": "Return All Azure Users that are part of the 'Global Administrator' Role",

ricardojba

# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

ricardojba

#!/bin/bash

while :; do

    verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
    pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)

    ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")

ricardojba

#!/usr/bin/env python

def xor(data,key):
    return bytearray(((data[i]^key[i%len(key)]) for i in range(0,len(data))))

data = bytearray(open("my_magic_bytes.jpg.enc","rb").read())
# Known plaintext from wikipedia https://en.wikipedia.org/wiki/List_of_file_signatures - XOR the enc file with it first
#key = bytearray([0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01])
# 12 bytes key extracted from the file after the first above XOR
key = bytearray([0x46,0xcc,0xf9,0xa5,0x71,0xf0,0xff,0xb1,0x7e,0x41,0xcb,0x84])

ricardojba

#Wireless Penetration Testing Cheat Sheet

##WIRELESS ANTENNA

• Open the Monitor Mode

root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up

ricardojba

# original https://pastebin.com/zBDnzELT

Starting with MS-SQL 2016 MS has allowed for the inclusion of the Microsoft R Server services, permitting the execution of R scripts in the MS-SQL environment. In order for this funcitonality to be enabled, the R services for SQL server component must be installed, the server must be reconfigured to permit sp_exectue_external_script, and a user must be granted the 'EXECUTE ANY EXTERNAL SCRIPT' permission; yes, all of this is becoming increasingly more common.
 
Once these conditions are in place, SQL users will have R capabilities in their queries through the use of sp_execute_external_script().
 
This can be 'fun'..
 
Sample R query in MS-SQL (from MSDN):
 

ricardojba

#!/bin/bash

P="*"

if [ -n "$1" ]; then
	P="$1"
fi

grep -E "\spassthru\(|\sexec\(|\spnctl_exec\(|\sproc_open\(|\spopen\(|\ssystem\(|\sshell_exec\(|\sregister_shutdown_function\(|\sregister_tick_function\(|\seval\(|\sexpect_popen\(|\sapache_child_terminate\(|\slink\(|\sposix_kill\(|\sposix_mkfifo\(|\sposix_setpgid\(|\sposix_setsid\(|\sposix_setuid\(|\sproc_close\(|\sproc_get_status\(|\sproc_nice\(|\sproc_terminate\(|\sputenv\(|\stouch\(|\salter_ini\(|\shighlight_file\(|\sshow_source\(|\sini_alter\(|\sfgetcsv\(|\sfputcsv\(|\sfpassthru\(|\sini_get_all\(|\sopenlog\(|\ssyslog\(|\srename\(|\sparse_ini_file\(|\sftp_connect\(|\sftp_ssl_connect\(|\sfsockopen\(|\spfsockopen\(|\ssocket_bind\(|\ssocket_connect\(|\ssocket_listen\(|\ssocket_create_listen\(|\ssocket_accept\(|\ssocket_getpeername\(|\ssocket_send\(|\sapache_get_modules\(|\sapache_get_version\(|\sapache_getenc\(|\sapache_note\(|\sapache_setenv\(|\sapache_request_headers\(|\sdiskfreespace\(|\sdisk_free_space\(|\sget_current_user\(|\sgetmypid\(|\sgetmyuid\(|\s

ricardojba

JIRA_REST_URL="${JIRA_REST_URL:-https://MYCOMPANY.jira.com/rest/api/2}"
JIRA_CREDENTIALS="${JIRA_CREDENTIALS:-user:password}"

# https://developer.atlassian.com/jiradev/api-reference/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-discovering-meta-data-for-creating-issues

# https://MYCOMPANY.jira.com/rest/api/2/issue/createmeta?projectKeys=MYPROJ&issuetypeNames=MyIssueType&expand=projects.issuetypes.fields
# customfield_10171: My Custom Field Name 1
# customfield_10172: My Custom Field Name 2

# This methods create a new issue of type 'MyIssueType' in project 'MYPROJ' with 2 custom fields

ricardojba

#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/

#Returns all information for all versions
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/project/AN/versions?

#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/search?jql=project="AN"+AND+fixVersion='12345'

ricardojba

#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/

#Returns all information on an issue
curl -D- -u uname:pass -X PUT -d "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345

#Adds a comment to an existing issue
curl -D- -u uname:pass -X PUT -d "{\"update\": {\"comment\": [{\"add\": {\"body\": \"Comment added when resolving issue\"}}]}}" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345

#Transitions an issue