@tothi
tothi / nmap-http-url.py
Last active January 6, 2026 15:04
Generate HTTP URLs from Nmap XML (and optionally use VirtualHosts)
#!/usr/bin/env python3
#
# inputs: nmap.xml (nmap scan xml output), subdomains.csv (optional virtualhost info, hostname + ip address csv file)
# output: url listing (useful for tools like EyeWitness)
#
# sample usage: ./nmap-http-url.py nmap.xml subdomains.csv | sort -u | gowitness file -f -
#
description = '''
Generate HTTP URLs from Nmap XML (and optionally an additional VirtualHost listing, taken from e.g. subdomain enumeration).
@tothi
tothi / krbrelay_privesc_howto.md
Last active April 7, 2026 10:09
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / cpau-decrypt-creds.py
Created June 5, 2022 19:07
Decrypt credentials from encrypted CPAU job file using the original CPAU.exe (and Frida.re)
# extract credentials from CPAU (and possibly other) encrypted config file
# using the original CPAU.exe and hooking WinAPI call CreateProcessWithLogonW using Frida.re
#
# https://www.joeware.net/freetools/tools/cpau/
#
import sys
import frida
def on_message(message, data):
@tothi
tothi / mitmproxy-jwt-refresh-addon.py
Created August 28, 2022 20:52
mitmproxy addon for handling oauth access and refresh tokens automatically
# run: mitmproxy -k -p 8090 -s mitmproxy-jwt-refresh-addon.py
# set burp upstream proxy to localhost:8090
#
# use case:
# - application authorization is implemented by OAuth 2.0
# - testing is performed using Burp as primary and mitmproxy as upstream proxy
# - mitmproxy takes care of the Authorization tokens using this addon
# - user gets an access_token and a refresh_token during the 1st login (e.g. password login)
# - mitmproxy addon caches access_token and refresh_token
# - mitmproxy addon adds Authorization: Bearer [access_token from cache] header for every request
@tothi
tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#
@tothi
tothi / DInjectQueuerAPC.cs
Last active November 26, 2024 17:57 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
@tothi
tothi / openssl-legacy-md4.md
Last active September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations where it is disabled by default.

The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).

For checking if legacy providers are enabled successfully:

$ openssl list -providers
Providers:
@tothi
tothi / PidLidReminderPwn.py
Created March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)