Posts

Showing posts from 2018

Microsoft Flow - Form, into excel, create word document from template, send email, addressing Copy/Create File errors

Image
Today a customer showed me a paper (invoice) recipe  he had to write into an excel, and then again into a word "thank you" for printing/emailing. If you're here for the Copy/Create File errors, jump to the end. So what we did is to prepare a Form for inputs, and then a Flow that takes that data, use " Insert Row " for excel. Next was to create the word document. I've tried to create custom properties myself, but didn't manage so I followed Netwoven's tutorial , and the simple steps are: 1 - Create a Sharepoint Document Library and add your custom properties to the library as custom Fields. 2 - Go to  Library Settings > Advanced Settings > click Edit Template 3 - The template will open an empty word document, edit it however you want 4 - Wherever you want one of the dynamic custom properties to fit in put your cursor there and click Insert > Quick Parts > Document Property > your custom Fields name 5 - Save the document as a...

Microsoft Flow - auto post in twitter and pinterest

The task at hand - a form, when filled, creates a post at [all] social networks, this blog is about twitter and pinterest. Part 1 - prepare the image Twitter needs "file content" in its media field, while pinterest needs an image url open to the public. So [1st flow] was in OneDrive folder for those uploaded images, sending back the image ID to be used in the form. Can take a few minutes, sent to mail (better to send with the image). The twitter account will create the public url for the image. Part 2 - the form Most simple form, Title, Content and image id into [2nd flow] a Sharepoint list. If you're sure you're never going to use more than 255 characters you can just use the title (i dont like to extend title fields characters limit). Part 3 - to the social media Next [3rd flow] when the SPItem is created, I use OneDrive "Get file content" for the file content and the "Title - Content" for the text, and post a new tw...

Becoming a (very Jn.) Hacker, how to, and my 1st Black Box Test

~ This is not a technical post, its a story post. ~ A story to whom just like stories, or to whom like to learn some lessons, and especially to anyone that wants to become a hacker. Lately (like 6 last months) i'm starting to really go into hacking, it always interested me, but i could never find the time, plus, there was always another challenge @work like the new Angular. But with time and effort, payment has become bigger, and with it my time. And the 1st thing was how... from some videos and many SQL injections or XSS, DVWA ect. I didnt feel i'm learning anything other then extra web security. Finally i found OverTheWire website, and finally i learn some "real" things, linux, php, memory, crypto, ssh, ect., all basics that I, as a web-programmer, had no clue. Only the web-based challenges were "natural" for me. I can say that there I learned lesson no.1 - LEARNING. In the world of hacking, you must be a weary-less learner, new things every ti...

Damn Vulnerable Web Application (DVWA) - File Inclusion and WebShells

today we are going to have some fun understanding the full potential of File Inclusion attacks. my goals for today 1. a few words, Disclaimer, Lab, and links. 2. Web Shells intro with DVWA 3. How to complete the File Inclusion challenge in the new DVWA 4. Metasploit 1. a few words, Disclaimer, Lab, and links. DISCLAIMER - if you do what i teach you today you WILL go to jail. so dont do this outside of your lab. Setting up the lab - For a hacking lab download either VirtualBox or VMWare, or, if you own win10pro, you have Hyper-V. With those you can create virtual machines, and you will need 2 today, one with DVWA, and another as the attacker, which for ease better be kali, download machines from osboxes . For DVWA you can either download Metasploitable 2 or set up dvwa in some machine. In my case i just turned them both on an internal network, so they can see each other but no internet (might need to set up DHCP if you dont have any ip). For basic help about solvi...

Damn Vulnerable Web Application (DVWA) - installation 2018

for anyone trying today to install DVWA, thing changed a little, took me a while to get it working, so here it is: IMPORTANT -  su if you are not root user (i.e. not kali) 1. download the latest version  to get it working with MariaDB and PHP v7.x wget https://github.com/ethicalhack3r/DVWA/archive/master.zip && unzip master.zip unzip under /var/www/html, rename folder to dvwa 2. config file cd /var/www/html/dvwa/config cp config.inc.php.dist config.inc.php gedit config.inc.php create captcha keys https://www.google.com/recaptcha/intro/index.html and set in $_DVWA[ 'recaptcha_public/private_key' ] start at low difficulty $_DVWA[ 'default_security_level' ] = 'low'; you need to clean cookies if the dvwa was running 3. set user in MariaDB sudo service mysql start mysql -u root -p db commands... mysql > create database dvwa; mysql > CREATE USER dvwa@localhost IDENTIFIED BY 'p@ssw0rd'; mysql > grant al...

Real Hacking Challenge - victim behind ssh

Image
the challenge is like this, i have the attacker machine (A), which connect with ssh client to another machine (B), which run ssh server (daaa...), these 2 are connected to the internet, but (B) is also connected to an internal network, and there there is a WIN10 machine (C), NOT connected to the internet but to (B) as said. we will use the help of ssh, ShellTer  to try also do it with windows defender on. to succeed we will try to do this from bottom to top. *DISCLAIMER - all this is illegal, and you may only do it at your lab, if you hack really you will go to jail. *BIG NOTE : sometimes stuff just dont work, restarting (not power off) the machines, and the services refreshes stuff and then they work. PLAN 1. prepare lab 2. test exploit on xp 3. test 3 machines ssh with 3 linux 4. exploit xp via ssh 5. exploit win10 6. test ssh with win 10 7. exploit win10 via ssh 1. preparing lab using VBox (doesnt matter) i will create 4 machines, an arbitrary linux fo...

VBOX Windows XP - how to use internet

1. right-click on the machine -> settings -> network -> choose NAT -> expand advnaced -> choose "PCnet-FAST III(...)" 2. run cmd -> "inetcpl.cpl" -> advanced -> enable "use TLS 1.0" 3. open IE -> go to "www.bing.com" -> search "download firefox/chrome" -> do the usual with choosing "Yes" a zillion times every time he complains about the certificate. -chrome do all kinda troubles sometimes with xp 4.1 with chrome and browse to "www.google.com", in the error screen click advanced -> proceed. 4.2 with firefox, just browse and enjoy P.S. - if you have bridged connection problems try to change MAC

What every Browser knows about you

using this nice tool  http://webkay.robinlinus.com/ to see how anon i can get, lets go table will contain: method (browser + proxy/vpn), location, OS, browser, plugins (of browser), hardware, prev page, public ip, local ip, ISP, speed. surfing with just chrome , normal connection, the site i am visiting knows everything about me, that i use chrome (and what version), my location, my OS, my display hardware, the last page i've been, my exact public and local IP, and my download speed, the social media i am currently logged in, and that there is a devices in my network (i think its my printer). now with tor , normal connection, normal config, leaving tor at its default size, JavaScript Enabled . proxy's location proxy's OS right browser version (FF 52) proxy's hardware and down-speed social media not shown logged-in, yet i never logged in with FF or Tor, so i cant tell. cant scan network tor   JavaScript Disabled : that website does not show any i...

Angular add more html pages

1. ng-build with your index.html set properly with its components. (or conditional app-components ) 2. rename and copy the rendered to (for example)  /src/search.html 3. in angular.json ( angular-cli.json for pre v5) find "assets" : "assets" : [ "src/favicon.ico" , "src/search.html" , "src/assets" ], browse localhost:4200/search.html enjoy :)

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

game portal: http://overthewire.org/wargames/natas/ PASSWORDS for each level are stored in /etc/natas_webpass/natasX I made this walkthrough for people like me, i needed some help, but didnt want the spoiler, so here i will give you all the information needed to pass each level, yet not the solution. For levels needed custom web request i made a different post for powershell and javascript  with how-to's, since is a piece of learning for itself, and also for those of us that play at work and have only powershell at their hands. Although its not a complete spoiler there, its quite most of the solution so try yourself 1st. Natas The Natas game is from basic to advances web hacking. Every few levels is about whole new exploitation (with some harder ones doing comeback later), so a lot of learning. If you're new, you're the reason i am writing so much even for the 1st level, just please google EVERY topic you see, since in the following levels i assume you know the ...

Natas Powershell and JavaScript Helper (OverTheWire)

I did most of Natas from work, and there i couldn't have anything but Windows PowerShell, or the browser's console for Javascript, so here are examples how to use it for the game for anyone in the same position. SPOILER ALERT even though i tried not to have this a the solutions, its kinda the solution. Level 4: HTTP Headers # basics for working with .Net WebClient # create a variable with a value $u = "http://natas4.natas.labs.overthewire.org" # creating new Object you need to specify the full namespaces and classes route $wc = New-Object System.Net.WebClient # this is how you send user and pass $c = New-Object System.Net.NetworkCredential( "natas4" , "............" ) $wc .Credentials = $c # adding headers. # # adding a cookie is just "cookie", "name=value". $wc .Headers.Add( "header-name" , "header-value" ) # download the same html you see in "view-source". # you c...

Javascript Event Oriented Programming example on SPSocialFeed

SPSocialFeed is the sharepoint microblog, where you can post your thoughts and reply on yourself and other. We wanted to add some functionalities for every reply and post added, so i used the new  "MutationObserver" and "CustomEvent"  new API's in ES6 to create an event-full way to implement solution // batman is the man in-charge catching the bad guys in the night. // so now he catches the good events in the feed let batman = ( function (){ let config = { childList : true }; let batman = class batman{ constructor(){ this .v = "2.0.0" ; //register call to batCave fn. to _spBodyOnLoadFunctionNames, the SP onready _spBodyOnLoadFunctionNames.push( 'batman.batCave' ); } batCave(){ let feed = document.getElementById( 'ms-feedthreadsdiv' ); //childNodes can be any type of nodes, like text node. children is only HTML...