ticarpi ticarpi

javascript: (function() {
var scripts = document.getElementsByTagName("script"),
regex = /(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g;
const results = new Set;
for (var i = 0; i < scripts.length; i++) {
var t = scripts[i].src;
"" != t && fetch(t).then(function(t) {
return t.text()
}).then(function(t) {
var e = t.matchAll(regex);
echo ""
echo "************ Github Dork Links (must be logged in) *******************"
echo ""
echo " password"
echo "https://github.com/search?q="hackertarget.site"+password&type=Code"
echo "https://github.com/search?q=""hackertarget""+password&type=Code"
echo ""
echo " npmrc _auth"
@tothi
tothi / ms-msdt.MD
Last active September 29, 2024 08:10
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. The combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active November 15, 2024 03:50
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@g0tmi1k
g0tmi1k / drupalgeddon2_CVE-2018-7600_SA-CORE-2018-002.md
Last active February 16, 2023 12:37
drupalgeddon2 / SA-CORE-2018-002 / CVE-2018-7600 cURL (PoC)
@scotgabriel
scotgabriel / Windows command line gui access.md
Last active November 11, 2023 14:53
Common Windows functions via rundll user32 and control panel

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

  • RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

  • RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active November 15, 2024 03:49
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@lanmaster53
lanmaster53 / pyscripter-snippets.py
Last active May 6, 2024 05:03
Burp Python Scripter scripts
# Moved to https://github.com/lanmaster53/pyscripter-er/tree/master/snippets