boh

# see https://httptoolkit.tech/blog/chrome-android-certificate-transparency/
# put your Burp cacert.der in the current working directory!
# --ignore-certificate-errors-spki-list takes the base64 SHA-256 of the certificate's
# SubjectPublicKeyInfo (the same value an HPKP pin uses), not a hash of the whole cert.
FINGERPRINT=$(openssl x509 -in cacert.der -inform der -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64)
echo "chrome --ignore-certificate-errors-spki-list=$FINGERPRINT" > chrome.sh
adb push chrome.sh /data/local/tmp/chrome.sh
# writing the command-line files under /data/local needs root, hence su; quote the
# command so su receives it as one argument
adb shell "su -c 'cp /data/local/tmp/chrome.sh /data/local/chrome-command-line'"
adb shell "su -c 'cp /data/local/tmp/chrome.sh /data/local/android-webview-command-line'"
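The openssl pipeline above hashes the SubjectPublicKeyInfo, not the certificate. The following is an added example, not part of the gist, that computes the same fingerprint with only the Python standard library, which is handy when checking a pin without openssl or when the certificate comes from a pcap. The DER walker only knows the X.509 field order, so it handles both v1 (no version field) and v3 certificates. The sample certificate is constructed inline with a placeholder RSA key and an all-zero signature; it is structurally valid DER but not a usable CA.

```python
import base64
import hashlib


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element (used only to build the sample)."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, value_bytes, end_offset)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def der_children(body):
    """(tag, full_encoding) of every element inside a SEQUENCE/SET body."""
    out, off = [], 0
    while off < len(body):
        tag, _, end = der_read(body, off)
        out.append((tag, body[off:end]))
        off = end
    return out


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    tbs_tag, tbs_body, _ = der_read(cert_body)       # tbsCertificate comes first
    assert tbs_tag == 0x30, "tbsCertificate is not a SEQUENCE"
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                         # explicit [0] version (v2/v3 certs)
        fields = fields[1:]
    spki_tag, spki = fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI
    assert spki_tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return spki


def spki_fingerprint(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)): what the Chrome flag compares against."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()


def chrome_command_line(fingerprint):
    """Content of /data/local/chrome-command-line for that fingerprint."""
    return f"chrome --ignore-certificate-errors-spki-list={fingerprint}\n"


# Constructed sample certificate (assumption for this example): real X.509 layout,
# placeholder 256-bit "modulus" and a zero signature. Not a usable CA.
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def build_sample_cert(with_version=True):
    """Return (certificate_der, spki_der) for the constructed sample."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, b"Burp CA (sample)"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * 32) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_key))
    version = tlv(0xA0, tlv(0x02, b"\x02")) if with_version else b""
    tbs = tlv(0x30, version + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x00" * 32)), spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    print(chrome_command_line(spki_fingerprint(cert)), end="")
```

Feed a real `cacert.der` to `spki_fingerprint(open("cacert.der", "rb").read())` and the output matches the `FINGERPRINT` the openssl pipeline prints; if it does not, the usual cause is a PEM file being passed where DER is expected.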
boh / pwsh_dirty_words.yml
Created April 15, 2023 15:16 — forked from nasbench/pwsh_dirty_words.yml
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
# Source: System.Management.Automation.dll
# This list is used to determine if a ScriptBlock contains potentially suspicious content
# If a match is found, the 4104 script block logging event is emitted at "warning" level instead of the usual verbose level
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"
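To see what the warning-level 4104 logic amounts to in practice, here is an added example (not from the gist or from the PowerShell source) that re-implements the check in Python over the six terms shown above. The matching is assumed to be a plain case-insensitive substring search over the script block text; that is enough to show the two properties a detection engineer cares about: case-mangled obfuscation such as `aDd-tYpE` still matches, and a legitimate `-ExecutionPolicy Bypass` in an admin script matches too, so a warning-level 4104 is a triage signal, not a verdict. The script blocks are constructed samples.

```python
# Subset of the SuspiciousContentChecker terms reproduced in the gist above;
# the real list in System.Management.Automation.dll is much longer.
SUSPICIOUS_TERMS = [
    "Add-Type", "AddSecurityPackage", "AdjustTokenPrivileges",
    "AllocHGlobal", "BindingFlags", "Bypass",
]


def check_script_block(text):
    """Return the suspicious terms present in a script block, in list order.

    Assumption: case-insensitive substring matching with no tokenisation, so a
    term inside a comment, a string or a parameter value still counts.
    """
    lowered = text.lower()
    return [term for term in SUSPICIOUS_TERMS if term.lower() in lowered]


def event_4104_level(text):
    """Level of the 4104 event the engine would log for this script block."""
    return "Warning" if check_script_block(text) else "Verbose"


# Constructed sample script blocks, not real-world captures.
SAMPLES = {
    "benign": "Get-Process | Where-Object CPU -gt 100 | Select-Object Name, Id",
    "admin": "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass\n.\\deploy.ps1",
    "loader": (
        "$code = 'using System;using System.Runtime.InteropServices;'\n"
        "Add-Type -TypeDefinition $code\n"
        "$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4096)"
    ),
    "obfuscated": "aDd-tYpE -TypeDefinition $src",
}


def triage(samples):
    """name -> (4104 level, matched terms) for each sample script block."""
    return {name: (event_4104_level(text), check_script_block(text))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, (level, terms) in triage(SAMPLES).items():
        print(f"{name:11s} {level:8s} {terms}")
```

When building a detection on top of this, key on the combination of terms rather than any single one: `Add-Type` plus `AllocHGlobal` in one block is a much stronger in-memory loader signal than `Bypass` on its own.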
boh / patchless_amsi.h
Created April 13, 2023 17:33 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
# Retrieves all of the trust relationships for this domain (does not grab forest trusts)
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
# Grab forest trusts
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
#List all resources
az resource list | ConvertFrom-Json | ForEach-Object { $_ | Select-Object type, name, resourceGroup, id }
#List details for all VMs
az vm list
#Run PowerShell command on a VM
az vm run-command invoke --command-id RunPowerShellScript --name MyVm --resource-group MyResourceGroup --scripts 'whoami'
#Run PowerShell command on ALL VMs
boh / Workstation-Takeover.md
Created July 26, 2021 06:13 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if the Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat is that the WebClient service does not start automatically at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interaction), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.

boh / Windows command line gui access.md
Created July 12, 2021 11:36 — forked from scotgabriel/Windows command line gui access.md
Common Windows functions launched via rundll32, user32 and Control Panel applets

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

  • RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

  • RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

boh / Base64_CheatSheet.md
Created November 7, 2020 17:35 — forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |

\* A dot stands for the 0x00 byte that follows every ASCII character in UTF-16LE text; it is why the UTF-16 prefixes differ from the UTF-8 ones.
# Copyright 2017-2020 Jeff Foley. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Should results only be collected passively and without DNS resolution? Not recommended.
#mode = passive
mode = active
# The directory that stores the Cayley graph database and other output files
# The default for Linux systems is: $HOME/.config/amass
#output_directory = amass
Security: the elephant in the room. Everyone agrees that it is very important, but few take it seriously. We at RisingStack want you to do it right, which is why we have put together this checklist to guide you through the must-have security checks before your application is made available to thousands of users/customers.
Most of these items are general and apply to all languages and frameworks, not just Node.js; however, some of the tools presented are Node.js specific. You should also check our introductory Node.js security blog post.
Configuration Management
Security HTTP Headers
There are some security-related HTTP headers that your site should set. These headers are: