@filipesam
filipesam / PELoader.cs
Created October 11, 2021 21:20 — forked from xorrior/PELoader.cs
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@filipesam
filipesam / .htaccess
Created January 7, 2022 11:58 — forked from curi0usJack/.htaccess
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@filipesam
filipesam / .htaccess
Created January 7, 2022 12:19 — forked from Meatballs1/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
Define REDIR_TARGET example.com
RewriteEngine On
RewriteOptions Inherit
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently, from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. The release notes didn't state anything about the vulnerabilities, and no security advisories were published. All payloads are processed in the context of NT AUTHORITY\SYSTEM.

@filipesam
filipesam / gist:ac0dc1bc69be959d9489b67264a449e7
Created January 16, 2022 17:48 — forked from chtz/gist:b3f3e0e764a75ee4f41e0e7da922c39d
SSH over HTTP tunnel (hts- & htc Sample)
# Client (Cygwin)
lynx -source rawgit.com/transcode-open/apt-cyg/master/apt-cyg > apt-cyg
install apt-cyg /bin
apt-cyg install httptunnel
htc -P $CORP_HTTP_PROXY_HOST:$CORP_HTTP_PROXY_PORT -F 8888 $HTS_SERVER_HOST:80
 
ssh -p 8888 $USER@localhost
@filipesam
filipesam / plink_socks_proxy.bat
Created January 24, 2022 09:04 — forked from moshekaplan/plink_socks_proxy.bat
plink SOCKS proxy short guide
@filipesam
filipesam / AD notes.md
Created February 22, 2022 10:50 — forked from ivanitlearning/AD notes.md
Some notes I took while learning about Active Directory

Notes on learning Active Directory

  1. NetBIOS name should match your forest FQDN. So if FQDN=adlunches.net, NetBIOS name is ADLUNCHES
  2. Every AD forest has a server which indexes all the objects in the forest. This is known as the Global Catalog server.
    1. Each domain needs at least 1 GC server, can have more for redundancy. This is so it can find objects in other domains.
    2. Any DC can be GC.
    3. By default all DCs will be GCs. GCs take up disk space and bandwidth, but both are plentiful.
    4. Microsoft Exchange requires GC server to run.
    5. Allow logins via UPN, e.g. [email protected], which may be on the same domain.
  3. GC servers should be deployed at sites with poor WAN links or filtered connections.
@filipesam
filipesam / customqueries.json
Created April 12, 2022 08:13 — forked from seajaysec/customqueries.json
bloodhound custom queries
{
  "queries": [{
    "name": "List all owned users",
    "queryList": [{
      "final": true,
      "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
  },
  {
    "name": "List all owned computers",
@filipesam
filipesam / Workstation-Takeover.md
Created April 18, 2022 10:07 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@filipesam
filipesam / java_download.sh
Created May 31, 2022 14:56 — forked from wavezhang/java_download.sh
download java from oracle without login
wget -c --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" https://download.oracle.com/otn-pub/java/jdk/12.0.2+10/e482c34c86bd4bf8b56c0b35558996b9/jdk-12.0.2_linux-x64_bin.tar.gz