Skip to content

Instantly share code, notes, and snippets.

View queencitycyber's full-sized avatar
💭
knuckin n buckin

clandestination queencitycyber

💭
knuckin n buckin
37 followers · 49 following
View GitHub Profile
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@ngregoire
ngregoire / BurpExtender.kt
Created June 4, 2021 15:25
Simple Burp extension using performAction()
package burp
@Suppress("unused") // Remove IDE warning, as this class will be used by burp anyway
class BurpExtender : IBurpExtender, ISessionHandlingAction {
private lateinit var cb : IBurpExtenderCallbacks
override fun registerExtenderCallbacks(callbacks: IBurpExtenderCallbacks) {
val extensionName = "A basic Kotlin template"
@lanmaster53
lanmaster53 / whey-cewler.py
Last active November 26, 2024 08:07
'''
Based on the initial work of Digininja at https://github.com/digininja/CeWL. While CeWL is a script written
in Ruby that requires an independent crawl of a website in order to build a custom wordlist, Whey CeWLer
runs within Portswigger's Burp Suite and parses an already crawled sitemap to build a custom wordlist. It
does not have the meta data parsing capabilities that CeWL does, but it more than makes up for it in
convenience.
The name gets its origins from the CeWLer portion of the CO2 Burp extension by Jason Gillam, which is written
in Java and does something similar, but Whey CeWLer is a completely reimagined extension written in Python,
making it "way cooler".
@cham423
cham423 / getloggedon.py
Last active February 21, 2022 19:24 — forked from dirkjanm/getloggedon.py
updated python3 version of @_dirkjan's getloggedon.py
#!/usr/bin/env python
# Gets logged on users via NetrWkstaUserEnum (requires admin on targets).
# Mostly adapted from netview.py and lookupsid.py
#
# Original Author:
# Dirk-jan Mollema (@_dirkjan)
# Modifier:
# Corey Ham (@cham423)
import sys
@theevilbit
theevilbit / divide_and_conquer.c
Created January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@0xsha
0xsha / Solarwinds_Orion_LFD.py
Last active September 24, 2024 05:28
Solarwinds_Orion_LFD local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
# @0xSha
# (C) 2020 0xSha.io
# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464
# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules
@m-radzikowski
m-radzikowski / script-template.sh
Last active March 25, 2026 08:54
Minimal safe Bash script template - see the article with full description: https://betterdev.blog/minimal-safe-bash-script-template/
#!/usr/bin/env bash
set -Eeuo pipefail
trap cleanup SIGINT SIGTERM ERR EXIT
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)
usage() {
cat <<EOF
Usage: $(basename "${BASH_SOURCE[0]}") [-h] [-v] [-f] -p param_value arg1 [arg2...]
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@mpgn
mpgn / Blackfield vs NetExec .md
Last active April 17, 2024 15:02
Blackfield vs NetExec for fun and profit @mpgn_x64
@decay88
decay88 / # Useful C# References.md
Created March 9, 2020 14:54
C# Useful References

Useful C# References