jordanpotti /
Created October 28, 2021 16:00 — forked from matterpreter/
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
#@author matterpreter
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT IS UNIQUE
jordanpotti /
Created July 26, 2021 13:42 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

jordanpotti /
Created January 25, 2021 15:09 — forked from Neo23x0/
Offensive Research Guide to Help Defense Improve Detection

Whenever you research a certain vulnerability, ask yourself these questions and please answer them for us:

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Does a system service write a log?
(e.g. check with tail -f /var/log/messages)

View UACBypass.ps1
function Invoke-UACBypass {
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
jordanpotti /
Created July 23, 2020 13:42 — forked from TarlogicSecurity/
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

python -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

View CommonWebPorts
`-p80,81,280,443,591,593,832,981,1311,2480,4444-4445,4567,5000,5104,5800,7000-7002,8008,8042,8080,8088,8222,8243,8280,8281,8333,8530-8531,8887-8888,8000,8443,9080,9443,9981,11371,12043,12046,12443,16080,18091-18092`
jordanpotti / jenkins-decrypt.groovy
Created March 15, 2019 13:46 — forked from tuxfight3r/jenkins-decrypt.groovy
Decrypting Jenkins Password
View jenkins-decrypt.groovy
// To decrypt a Jenkins password from credentials.xml:
// go to the Jenkins URL and open the script console,
// then paste the script into the console
jordanpotti /
Created January 3, 2018 15:50
setup script for ElastAlertGrouper
git clone
cp ElastAlertGrouper/ /bin/
chmod 755 /bin/
cp ElastAlertGrouper/alert_rules/* /etc/elastalert/alert_rules/
service elastalert restart
View excerpt-sysmonconfig-export.xml
<!-- Mimikatz Detection -->
<ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: -->
<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: -->
<ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: -->
<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: -->
<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: -->
View config.yml
port: 9200
use_ssl: False
ssl_no_validate: False