mhmdiaa

javascript: (function() {
    var scripts = document.getElementsByTagName("script"),
        regex = /(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g;
    const results = new Set;
    for (var i = 0; i < scripts.length; i++) {
        var t = scripts[i].src;
        "" != t && fetch(t).then(function(t) {
            return t.text()
        }).then(function(t) {
            var e = t.matchAll(regex);

jhaddix

echo ""
echo "************ Github Dork Links (must be logged in) *******************"
echo ""
echo "  password"
echo "https://github.com/search?q="hackertarget.site"+password&type=Code"
echo "https://github.com/search?q=""hackertarget""+password&type=Code"
echo ""
echo " npmrc _auth"

tothi

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

tothi

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

Flangvik

PKI Abuse

Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity

Enumerating ADCS On Linux

Download and install Certi

g0tmi1k

CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002)

Source: https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708

Improved (Ruby) exploit ~ http://github.com/dreadlocked/Drupalgeddon2/ // https://www.exploit-db.com/exploits/44449/

---

Drupal v8.x

scotgabriel

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

• RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

• RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

HarmJ0y

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

lanmaster53

# Moved to https://github.com/lanmaster53/pyscripter-er/tree/master/snippets