Skip to content

Instantly share code, notes, and snippets.

View NotMedic's full-sized avatar

Tim McGuffin NotMedic

147 followers · 8 following
View GitHub Profile
@NotMedic
NotMedic / _vmdir-exploit.md
Created April 28, 2020 14:00 — forked from praseodym/_vmdir-exploit.md
Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

This is my proof-of-concept exploit code for the VMware vCenter Directory Service (vmdir) sensitive information disclosure vulnerability (CVE-2020-3952 / VMSA-2020-0006).

It turns out that the vmdir service, which provides an LDAP directory server (and more), allows anonymous LDAP connections (also called LDAP binding) in the ACL MODE: Legacy configuration that is present after upgrading from vCenter 6.5. While the LDAP tree doesn't expose password hashes for administrative users, it does expose the VMware SSO server's SAML identity provider (IdP) certificates and private key. This key can be downloaded and used to sign arbitrary SAML responses, allowing an attacker to

@NotMedic
NotMedic / Invoke-Kerberoast.ps1
Created May 6, 2021 21:12 — forked from jaredhaight/Invoke-Kerberoast.ps1
Get Kerberoastable SPNs
<#
Invoke-Kerberoast.ps1
Author: Will Schroeder (@harmj0y), @machosec
License: BSD 3-Clause
Required Dependencies: None
Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast).
Note: the primary method of use will be Invoke-Kerberoast with various targeting options.
@NotMedic
NotMedic / Instructions.md
Created November 7, 2019 20:10
Headless Remote Chrome Debugging - Ichabod Chrome :)

Target

Start Chrome with the following flags:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

--remote-debugging-port=9222

--remote-debugging-address=0.0.0.0