These scripts are a proof of concept of an attack monitoring hosts from Certificate Transparency for unprotected web installers.
Certificate Transparency: Hacking web applications before they are installed / Golem.de
Def Con 25: Abusing Certificate Transparency Logs (talk announcement)
This checks for currently active CT logs and writes them to ctloglist.txt. That file is required for the other scripts
This checks a host for a vulnerable web installer.
This monitors CT logs for vulnerable web installers. It writes them to subdirectories named after the log URLs and certificate numbers. Vulnerable installers are logged in the file named webapps in the respective subdirectory.
In the subdirectory hijack there is a wordpress plugin that will upload a PHP shell that allows executing commands and reverting a wordpress installation.
It can be called with:
https://[hostname]/wp-content/plugins/hijack/shell.php?secret=defcon2017