Skip to content

Instantly share code, notes, and snippets.

View jivoi's full-sized avatar
:electron:
living off the land!

EK_ jivoi

:electron:
living off the land!
2.4k followers · 195 following
View GitHub Profile
@nikallass
nikallass / sysvol_observer_v2.sh
Last active April 7, 2025 12:04
Find interesting scripts and extensions in mounted directory (SMB, NFS, SSHFS, FTP shares)
#!/bin/bash
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Help function
show_help() {
echo -e "${YELLOW}Usage: $0 <path_to_DIRECTORY> [option]${NC}"
echo "Options:"
@yunginnanet
yunginnanet / fwd55.go
Last active February 10, 2025 01:21
fwd55.go
package main
// ▄─▄ ▄ ▄ ▄ ──▄ ▄─▄ ▄─▄
// ▓─ ▓ ▓ ▓ ▓ ▓ ▀─▄ ▀─▄
// ▀ ▀─▀─▀ ──▀ ▀─▀ ▀─▀
// f w d --> 5 5
//
// simple rfc1928 proxy server
//
//
@tothi
tothi / kali-fde-tpm.md
Last active February 12, 2025 17:42
Full Disk Encryption with unattended auto-unlock using TPM2; hardened with Secure Boot on Kali

Full Disk Encryption w/ TPM2 on Kali

Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.

Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.

NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must. For making Secure Boot work (without messing up the default UEFI keys stored in the hardware), the Microsoft-signed UEFI shim loader is used (available in the Kali repo) which is able to load securely an arbitrary ELF image as 2nd stage

@GeisericII
GeisericII / Get-LoggedOn.py
Last active February 17, 2025 22:59
Stupid simple script copied and pasted from reg.py/lookupsid and inspired from itm4n's session enum via registry
#!/usr/bin/python3
from __future__ import division
from __future__ import print_function
import re
import codecs
import logging
import time
import argparse
import sys
from impacket import version
@LuemmelSec
LuemmelSec / GBC.ps1
Last active March 18, 2025 12:39
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
Clear-Host
Write-Host "======================================================"
Write-Host "================ Give Back Control ================"
Write-Host "======================================================"
if($elevated -eq $true){
Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
Write-Host "We have superpowers. Ready to continue."
@embee-research
embee-research / suspicious_msdt_execution.yml
Last active September 13, 2022 04:33
title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
references:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
- attack.execution
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@byt3bl33d3r
byt3bl33d3r / log4j_rce_check.py
Created December 10, 2021 06:02
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
#! /usr/bin/env python3
'''
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
@gquere
gquere / weblogic_password.decrypt.py
Last active January 22, 2025 09:53
Weblogic password decrypt python
#!/usr/bin/env python3
# python3 port from https://github.com/L-codes/ctf-scripts/blob/master/crypto/weblogic_password.py
# /console/ login account
# -i ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/security/SerializedSystemIni.dat
# -f ~/wls<VERSION>/user_projects/domains/<DOMAIN_NAME>/config/config.xml
from Cryptodome.Cipher import ARC2, AES, DES3
from Cryptodome.Hash import SHA
import struct
import re
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.