Skip to content

Instantly share code, notes, and snippets.

View modulexcite's full-sized avatar


View GitHub Profile
gladiatx0r /
Last active September 6, 2024 13:56
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

terjanq /
Last active July 21, 2024 16:33
A TL;DR solution to Security Driven by @terjanq

A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only admin had access to it, because the file was private.

Disclamer: The write-up is written on airplane therefore the quality of it is poor, mostly to showcase the required steps to solve the challenge

jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
public class Program
Arno0x / NetLoader.cs
Last active October 12, 2023 23:19
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader
This partial rewrite of @Flangvik Netloader includes the following changes:
- Allow loading of an XOR encrypted binary to bypass antiviruses
To encrypt the initial binary you can use my Python script.
Example: ./ -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
yehgdotnet /
Last active September 4, 2024 17:00
Get Shodan FAVICON Hash
pip install mmh3
# python 2
import mmh3
import requests
response = requests.get('')
favicon = response.content.encode('base64')
jhaddix / Github bash generated search links (from
Created January 12, 2020 19:55
Github bash generated search links (from
Neo23x0 /
Last active August 26, 2024 21:26
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
teixeira0xfffff / resources.bin
Created June 2, 2019 22:52
Redteam/Pentesting/Hacking/Cybersecurity/OSINT Resources
++++++ Basic knowledge requirements for cybersecurity and hacking ++++++
These are the basic competencies expected (and tested for during the 1st in person interview) by a large, very visible InfoSec company I think it is a good base competency list for anyone looking to get into an Infosec career (with specialization plus and some programming /scripting ability) or learn cybersecurity/hacking as a hobby:
Networking: Good understanding of OSI layer model / Understating of communication flow through each layer / Good understanding of functions of each layer / Understanding of major protocols in each layer / In-depth understanding Layer 3 & Layer 4 protocols  IP, ICMP Protocols (layer 3) TCP, UDP Protocols (layer 4)
Overview of TCP/IP Layer model: ARP / Understanding of Client & Server communication model / Ports common services run on / Ephemeral port vs Well known ports
Understanding of major (everyday Layer 7) services/protocols: DNS o DHCP o HTTP HTTP Header Fields HTTP Status Codes  How HTTP mainta
Arno0x / TestAssembly.cs
Last active May 19, 2024 11:37
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
using System.Windows.Forms;
namespace TestNamespace