Kali Config

Proxy Configuration

Configure a proxy (if applicable) by putting the required values into /etc/environment. It will probably look something like this:

    http_proxy=www.proxy.com:80
    https_proxy=www.proxy.com:80
    no_proxy=.proxy.com,localhost,

Resource: https://askubuntu.com/questions/175172/how-do-i-configure-proxies-without-gui

Configure apt with the proxy (if applicable). apt needs its own configuration because it is normally run through sudo, whose default env_reset drops the *_proxy variables from /etc/environment unless they are listed in env_keep:

    touch /etc/apt/apt.conf.d/95proxies

Put the required values into this file. It will probably look something like this:

    Acquire::http::proxy "http://www.proxy.com:80";
    Acquire::https::proxy "http://www.proxy.com:80";
    Acquire::ftp::proxy "http://www.proxy.com:80";

Restart the server:

    reboot

Welcome back, your proxy should be working now. Celebrate by taking a snapshot....

October 3, 2018 · Jayson Grace

Burp Notes

Automatically change value of request parameter

Go to Proxy -> Options and click Add under Match and Replace. Specify the value to match and the value to replace it with, such as:

    Match: uid=bob
    Replace with: uid=evilbob

This can be done with a regex if you'd like. For example, to rewrite the Host header:

    Match: ^Host: foo\.example\.org$
    Replace with: Host: bar.example.org

The replacement stands in for the whole matched text, so keep the "Host: " prefix in the replacement or the header line will be mangled; escaping the dots keeps the pattern from matching lookalike hosts such as fooXexample.org. Feel free to add a Comment: to lend it some context.

Intruder

Extracting useful info from responses

1. Run your attack.
2. Find the items you want to grep out.
3. Click Options, go to Grep - Extract and click Add.
4. Search for the item you want to grep out and click the > to highlight it. Make sure the Start after expression and End at delimiter match a pattern that will consistently get you the data you want.
5. Click OK.
6. Clear out the other columns you'll see by clicking the Clear button under Grep - Match.
7. Click the Results tab and observe the item you wanted to grep as a column.

Export output to Excel

Click Save -> Results table, specify the columns that you want in the document, and click Save.

Resource: https://security....

August 16, 2018 · Jayson Grace

Burp Extension Development

Thanks to Al for helping me to compile this.

General

For debugging (and modularity in general), be sure to separate your logic from the file containing the BurpExtender class, which is the class Burp loads for the extension to work. That file should be stripped down to the bare essentials.

Jython

Install Jython, obviously. You'll find the classes you can import on Burp's Extender tab. To import a class, use from burp import <name_here>...

July 19, 2018 · Jayson Grace

Splunk Notes

URI Path for web application

If you want to look at the information associated with a specific URI path for a web application:

    sitetolookat.com sourcetype=<the sourcetype you have for web stuff> url="/uri/path/file.php*"

Add image to dashboard

    <dashboard>
      <row>
        <html>
          <h1>HTML Panel Example</h1>
          <p>The HTML panel displays inline HTML.</p>
          <img src="picture.jpg"/>
        </html>
      </row>
    </dashboard>

Resource: https://answers.splunk.com/answers/136162/add-picture-to-dashboard.html

View internal splunk logs

    index=_internal source="*.log"

Resource: https://answers.splunk.com/answers/575570/where-can-i-find-the-internal-logs-in-the-splunk-5.html

tail -f functionality

After running a query, change the time range preset from the real-time presets to a window, such as a 5 minute window, to show all events that match the input criteria in the past 5 minutes....

July 19, 2018 · Jayson Grace

HashiCorp Vault Research

Nice introduction: https://mycodesmells.com/post/introduction-to-vault
Fun write-up: https://www.davidbegin.com/cubbyhole-backend-and-response-wrapping/
Token info: https://www.vaultproject.io/docs/concepts/tokens.html
Cool dev implementation series with OSX and lastpass:
    https://blog.alanthatcher.io/fun-and-profit-with-vault-2/
    https://blog.alanthatcher.io/fun-and-profit-with-vault-part-2/
    https://blog.alanthatcher.io/fun-and-profit-with-vault-part-3/
Single-use implementation: https://www.slalom.com/thinking/managing-secrets-using-hashicorp-vault
How-to on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04

July 2, 2018 · Jayson Grace

Python Notes

Read file line-by-line and print each line

```python
def print_lines(file):
    with open(file) as f:
        for line in f:
            print(line, end='')  # each line already carries its newline
```

Read file into list

```python
def return_list(file):
    with open(file) as f:
        lines = f.readlines()  # don't shadow the builtin `list`
    return lines
```

Remove line from a file containing a specified string

```python
def remove_line_containing_string(file, needle='some string'):
    with open(file, 'r') as f:
        contents = f.readlines()
    # open(file, 'w') truncates before writing; a crash here loses the file
    with open(file, 'w') as f:
        for line in contents:
            if needle not in line:
                f.write(line)
```

Check if file exists: def file_exists(file): if os....
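The remove-line snippet above truncates the file with open(file, 'w') before it writes anything back, so a crash, a full disk or a SIGTERM in between leaves an empty or partial file. The following is an added example (not code from the original notes) of the usual fix: stream the kept lines into a temporary file in the same directory and rename it over the original, which is atomic on POSIX. The demo() helper and its allowlist.txt sample are constructed for illustration.

```python
import os
import tempfile


def remove_lines_containing(path, needle):
    """Rewrite `path` without any line that contains `needle`.

    Unlike open(path, 'w'), which truncates the file before a single byte of
    the new contents is written, this streams the kept lines into a temporary
    file in the same directory and renames it over the original, so a crash
    or a full disk mid-write leaves the original file untouched.
    Returns the number of lines removed.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix='.tmp-')
    removed = 0
    try:
        with os.fdopen(fd, 'w') as out, open(path) as src:
            for line in src:
                if needle in line:
                    removed += 1
                    continue
                out.write(line)
        # mkstemp creates 0600 files; carry over the original's permission bits
        os.chmod(tmp_path, os.stat(path).st_mode & 0o7777)
        os.replace(tmp_path, path)  # atomic rename on POSIX
    except BaseException:
        os.unlink(tmp_path)
        raise
    return removed


def demo():
    """Run the rewrite against a constructed sample file (not from the page)."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, 'allowlist.txt')
    with open(sample, 'w') as f:
        f.write('10.0.0.1 bastion\n10.0.0.2 decommissioned\n10.0.0.3 jumpbox\n')
    removed = remove_lines_containing(sample, 'decommissioned')
    with open(sample) as f:
        remaining = f.read()
    leftovers = [n for n in os.listdir(workdir) if n.startswith('.tmp-')]
    return removed, remaining, leftovers
```

The temporary file must live in the same directory as the target, because os.replace is only atomic within a filesystem; writing it to /tmp and then copying would reintroduce the window the rename is meant to close.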

January 3, 2018 · Jayson Grace

Old: Modernizing Techvomit

This site used to run on Ghost. I decided to keep this article despite now using Hugo for posterity. Begin old article: I made this decision a couple of years ago on a 4 hour plane ride when I was bored, and wanted to kill two birds with one stone: start learning how some of the AWS services worked, and get a website going. At the time I didn’t really make the site very easy to maintain, and had to learn a couple of lessons over the years as a result....

October 2, 2017 · Jayson Grace

Vulnhub - Sedna

These are my notes from running through the Sedna vulnerable VM.

1. Run Discover content in Burp to map the application out. You can also run Nikto to try and find any vulnerabilities.
2. Observe /license.txt - it will inform us that the target web application is running BuilderEngine.
3. Search for an exploit we can use:

    searchsploit builderengine

4. View the source for the exploit:

    searchsploit -x 40390

5. Copy the exploit code into exploit....

March 27, 2017 · Jayson Grace

Mongo Cheatsheet

robomongo is an awesome GUI clicky tool.

Connect to the DB:
    mongo <target>
Get host information:
    db.adminCommand({ hostInfo: 1 });
Show users:
    db.runCommand({ usersInfo: 1 });
Show roles:
    show roles
Show databases:
    show dbs
Use a database:
    use <db name>
Show tables (collections):
    db.getCollectionNames() // or show tables // or show collections
Get data in a table:
    db.<table name>.find()
Get version of mongo:
    db.version();
Get json dump of the data: Create export....

February 17, 2017 · Jayson Grace

Abusing HTTP PUT

Detection of vulnerability

Run Nikto:

    nikto --host <target ip>:<target port>

If it returns this:

    + OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.

you are potentially in business. That finding is based on the methods the server advertises, so confirm it with an actual upload before relying on it.

Use davtest to get a backdoor

This tool runs all of the payloads that it has, sends backdoors if exploitation is successful, and cleans up after itself:

    davtest -url "http://${TARGET_IP}:${TARGET_PORT}" -sendbd auto -cleanup

PHP Backdoor with Burp

Capture a request and send it to Repeater....
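Added example, not code from the original notes or from davtest: the same confirm-then-clean-up loop davtest runs, but with a harmless random marker file instead of a backdoor, which is what you want when the engagement only needs proof that PUT stores files. probe_put() asks OPTIONS for the advertised methods, PUTs the marker, reads it back with GET and removes it with DELETE. The _PutEnabledHandler class and demo() are a constructed stand-in for a misconfigured server so the example runs offline; against a real target call probe_put(host, port, directory) directly.

```python
import os
import secrets
import tempfile
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def _request(host, port, method, path, body=None):
    """One request on a fresh connection; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        headers = {'Content-Type': 'text/plain'} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader('Allow'), resp.read()
    finally:
        conn.close()


def probe_put(host, port, directory='/'):
    """Confirm that PUT really stores a file: advertise (OPTIONS), write a
    random marker (PUT), verify it (GET) and clean it up (DELETE)."""
    path = directory.rstrip('/') + '/put-probe-%s.txt' % secrets.token_hex(4)
    marker = secrets.token_hex(16).encode()
    result = {'allow': None, 'put_status': None, 'readback': False, 'cleaned': False}
    _, result['allow'], _ = _request(host, port, 'OPTIONS', directory)
    result['put_status'], _, _ = _request(host, port, 'PUT', path, body=marker)
    if result['put_status'] in (200, 201, 204):
        status, _, body = _request(host, port, 'GET', path)
        result['readback'] = status == 200 and body == marker
        status, _, _ = _request(host, port, 'DELETE', path)
        result['cleaned'] = status in (200, 202, 204)
    return result


class _PutEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that honours PUT and DELETE beneath a
    scratch directory (assumption: the real target behaves similarly)."""
    root = None  # set by demo() before serving

    def _local(self):
        return os.path.join(self.root, os.path.basename(urlsplit(self.path).path))

    def _reply(self, status, body=b'', extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_OPTIONS(self):
        self._reply(200, extra=[('Allow', 'OPTIONS, GET, PUT, DELETE')])

    def do_PUT(self):
        length = int(self.headers.get('Content-Length', 0))
        with open(self._local(), 'wb') as f:
            f.write(self.rfile.read(length))
        self._reply(201)

    def do_GET(self):
        try:
            with open(self._local(), 'rb') as f:
                data = f.read()
        except OSError:
            return self._reply(404)
        self._reply(200, data)

    def do_DELETE(self):
        try:
            os.unlink(self._local())
        except OSError:
            return self._reply(404)
        self._reply(204)


def demo():
    """Run probe_put against the in-process stand-in and report what was left
    behind in its directory (a clean run leaves nothing)."""
    _PutEnabledHandler.root = tempfile.mkdtemp()
    server = HTTPServer(('127.0.0.1', 0), _PutEnabledHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        result = probe_put('127.0.0.1', server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    result['leftover_files'] = os.listdir(_PutEnabledHandler.root)
    return result
```

Reading the marker back matters: some servers answer 200 or 201 to a PUT they silently discard, and a writable-but-not-servable directory is a different finding from one that will execute what you upload. Keep a record of the marker name in case DELETE is not honoured and the file has to be removed by hand.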

February 17, 2017 · Jayson Grace