Marcos Tolosa marcostolosa
Memento Mori. Try Harder.

@marcostolosa
marcostolosa / Workstation-Takeover.md
Created January 6, 2022 13:57 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11), and possibly servers (if Desktop Experience is installed), when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN (the print spooler) or MS-EFSRPC (PetitPotam), as demonstrated by @tifkin_. This requires a set of domain credentials for the RPC call. Because the WebClient service speaks WebDAV, the coerced machine account authenticates with NTLM over HTTP, which, unlike SMB, does not negotiate signing; that is what makes the relay to LDAP(S) possible even where LDAP signing is enforced (enforced channel binding on LDAPS does block it).
  • Relaying that machine authentication to LDAPS and writing msDS-AllowedToActOnBehalfOfOtherIdentity on the victim's computer object, i.e. configuring RBCD in favour of an account you control that has an SPN (typically a computer account you add yourself, which the default MachineAccountQuota of 10 permits).
  • RBCD takeover: with that account, request a service ticket to the victim via S4U2Self/S4U2Proxy while impersonating a privileged user, and use it to open a privileged session on the host.

The caveat is that the WebClient service does not start automatically at boot. However, if it has been triggered to start on a workstation (for example, via some SharePoint interaction), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.
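The second step of the chain writes a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on the victim's computer object. The Python below builds that descriptor by hand and parses one back, so you can see exactly what a relay with ntlmrelayx --delegate-access leaves behind and, from the defender's side, audit the attribute for SIDs that should not be there. This is an added example and not code from the original gist or from gladiatx0r or @tifkin_; the domain SIDs are constructed, and the BUILTIN\Administrators owner/group and 0x000F01FF access mask mirror the values impacket's rbcd.py writes.

```python
import struct

# --- constants from MS-DTYP, the Windows security descriptor format ---
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4              # ACL revision Active Directory uses
ACE_ACCESS_ALLOWED = 0x00
FULL_CONTROL = 0x000F01FF        # mask impacket's rbcd.py grants the delegating account
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators, used as owner and group


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs))           # Revision, SubAuthorityCount
    out += authority.to_bytes(6, "big")              # IdentifierAuthority is big-endian
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(buf: bytes, offset: int = 0) -> tuple:
    """Decode a binary SID at buf[offset:]; returns (sid_string, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(delegate_sids) -> bytes:
    """Build the self-relative security descriptor stored in
    msDS-AllowedToActOnBehalfOfOtherIdentity: one ACCESS_ALLOWED_ACE per SID."""
    aces = b""
    for sid in delegate_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (type, flags, size) + Mask + SID
        aces += struct.pack("<BBHI", ACE_ACCESS_ALLOWED, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_sids), 0) + aces

    owner = sid_to_bytes(ADMINISTRATORS)
    off_owner = 20                   # SECURITY_DESCRIPTOR header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)  # OffsetSacl = 0: no SACL
    return header + owner + owner + acl


def parse_rbcd_sd(blob: bytes) -> list:
    """Defender-side check: list (sid, mask) for every ACCESS_ALLOWED_ACE in the DACL.
    Every SID returned may impersonate users to the computer that carries the attribute."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    entries, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACE_ACCESS_ALLOWED:
            entries.append((bytes_to_sid(blob, pos + 8)[0], mask))
        pos += ace_size                  # AceSize lets us skip ACE types we do not decode
    return entries


if __name__ == "__main__":
    # Constructed example: an attacker-added computer account in a fictional domain
    attacker = "S-1-5-21-1111-2222-3333-1105"
    sd = build_rbcd_sd([attacker])
    print(len(sd), "bytes:", sd.hex())
    for sid, mask in parse_rbcd_sd(sd):
        print("allowed to act on behalf of other identity:", sid, hex(mask))
```

To audit a domain, pull msDS-AllowedToActOnBehalfOfOtherIdentity for every computer object over LDAP and feed the raw bytes to parse_rbcd_sd; any SID that is not a known, documented delegation relationship is worth an incident ticket, because whoever holds that account can obtain a service ticket to the host as any user that is not protected from delegation.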

@marcostolosa
marcostolosa / kerberos_attacks_cheatsheet.md
Created December 11, 2019 18:14 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With the Rubeus version that includes the brute module:
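A kerbrute run leaves a characteristic trail in the domain controller's Security log: event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for names that do not exist, and event 4771 with failure code 0x18 (KDC_ERR_PREAUTH_FAILED) for real users whose password was wrong. The Python below is an added example, not part of the cheatsheet or of TarlogicSecurity's kerbrute; it runs a windowed detection over constructed sample events and tells username enumeration, password spraying and single-account brute force apart by how the failures spread across users. The IPs, usernames, timestamps and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# KDC result/failure codes that brute-force tooling produces, as the hex strings logged in 4768/4771
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such user: what a username-enumeration run yields
KDC_ERR_PREAUTH_FAILED = "0x18"       # user exists, wrong password: what a password run yields

# Constructed sample events: (timestamp, event id, result code, target user, client address).
# 4768 = Kerberos TGT requested, 4771 = Kerberos pre-authentication failed (DC Security log).
SAMPLE_EVENTS = [
    # 10.0.0.50 enumerates usernames: a burst of unknown principals, one real hit
    ("2024-05-01T10:00:01", 4768, "0x6", "aadams", "10.0.0.50"),
    ("2024-05-01T10:00:01", 4768, "0x6", "abaker", "10.0.0.50"),
    ("2024-05-01T10:00:02", 4768, "0x6", "acarter", "10.0.0.50"),
    ("2024-05-01T10:00:02", 4768, "0x6", "adavis", "10.0.0.50"),
    ("2024-05-01T10:00:03", 4768, "0x6", "aevans", "10.0.0.50"),
    ("2024-05-01T10:00:03", 4768, "0x0", "jsmith", "10.0.0.50"),
    # 10.0.0.51 sprays one password across many real accounts
    ("2024-05-01T10:05:00", 4771, "0x18", "jsmith", "10.0.0.51"),
    ("2024-05-01T10:05:01", 4771, "0x18", "mjones", "10.0.0.51"),
    ("2024-05-01T10:05:02", 4771, "0x18", "rlee", "10.0.0.51"),
    ("2024-05-01T10:05:03", 4771, "0x18", "kwong", "10.0.0.51"),
    ("2024-05-01T10:05:04", 4771, "0x18", "bpatel", "10.0.0.51"),
    # 10.0.0.60 is benign: one user mistypes a password twice, then succeeds
    ("2024-05-01T10:20:00", 4771, "0x18", "mjones", "10.0.0.60"),
    ("2024-05-01T10:20:10", 4771, "0x18", "mjones", "10.0.0.60"),
    ("2024-05-01T10:20:20", 4768, "0x0", "mjones", "10.0.0.60"),
]
# 10.0.0.52 runs a wordlist against a single service account
SAMPLE_EVENTS += [("2024-05-01T10:10:%02d" % i, 4771, "0x18", "svc_backup", "10.0.0.52")
                  for i in range(12)]


def detect_kerberos_bruteforce(events, window=timedelta(minutes=5),
                               user_threshold=5, attempt_threshold=10):
    """Return {client_ip: verdict} for sources whose Kerberos failures inside one `window`
    cross a threshold. Verdicts: 'user-enumeration' (>= user_threshold distinct unknown
    principals), 'password-spray' (pre-auth failures for >= user_threshold distinct real
    users), 'brute-force' (>= attempt_threshold pre-auth failures concentrated on few users)."""
    by_ip = defaultdict(list)
    for ts, event_id, code, user, ip in events:
        if (event_id, code) in ((4768, KDC_ERR_C_PRINCIPAL_UNKNOWN), (4771, KDC_ERR_PREAUTH_FAILED)):
            by_ip[ip].append((datetime.fromisoformat(ts), code, user))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):      # slide the window over each start point
            win = [r for r in rows[i:] if r[0] - t0 <= window]
            unknown_users = {u for _, c, u in win if c == KDC_ERR_C_PRINCIPAL_UNKNOWN}
            failed_users = [u for _, c, u in win if c == KDC_ERR_PREAUTH_FAILED]
            if len(unknown_users) >= user_threshold:
                findings[ip] = "user-enumeration"
            elif len(set(failed_users)) >= user_threshold:
                findings[ip] = "password-spray"
            elif len(failed_users) >= attempt_threshold:
                findings[ip] = "brute-force"
            if ip in findings:
                break
    return findings


if __name__ == "__main__":
    for ip, verdict in sorted(detect_kerberos_bruteforce(SAMPLE_EVENTS).items()):
        print("%-12s %s" % (ip, verdict))
```

Spraying is deliberately checked before brute force: a spray keeps per-user attempts below the lockout threshold, so counting distinct users per source is what catches it, while a plain attempt count only catches the single-account case. Note that a successful 4768 from the same source (the "jsmith" hit above) is not an error; it is the name the enumeration confirmed.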

@marcostolosa
marcostolosa / read-access.sql
Created April 16, 2019 12:51 — forked from oinopion/read-access.sql
How to create a read-only user in PostgreSQL
-- Create a group role (no LOGIN); grant it to the login roles that need read access
CREATE ROLE readaccess;
-- Grant access to existing tables in the public schema
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Grant access to future tables.
-- Caveat: ALTER DEFAULT PRIVILEGES only covers objects later created by the role that
-- runs it; repeat it (or use FOR ROLE <owner>) for every role that creates tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
@marcostolosa
marcostolosa / nginx.conf
Last active April 16, 2019 13:13 — forked from nrollr/nginx.conf
NGINX config for SSL with Let's Encrypt certs
worker_processes 2;
events {
worker_connections 1024;
}
upstream app {
server 127.0.0.1:5000 fail_timeout=0;
}
@marcostolosa
marcostolosa / wp.sh
Created March 13, 2019 16:16 — forked from bgallagh3r/wp.sh
WordPress: Bash install script -- downloads the latest WP version, updates wp-config with the user-supplied DB name, username and password, creates and chmods the uploads dir, copies all the files into the root dir you run the script from, then deletes itself!
#!/bin/bash -e
clear
echo "============================================"
echo "WordPress Install Script"
echo "============================================"
echo "Database Name: "
read -e dbname
echo "Database User: "
read -e dbuser
echo "Database Password: "