Marcos Tolosa (marcostolosa)
Memento Mori. Try Harder.

marcostolosa / Workstation-Takeover.md
Created January 6, 2022 13:57 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

marcostolosa / kerberos_attacks_cheatsheet.md
Created December 11, 2019 18:14 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With the Rubeus version that includes the brute module:

marcostolosa / windows-privesc-cheatsheet.md
Created November 3, 2019 20:49
Windows Privesc Cheatsheet

Made By J3wker


marcostolosa / cli-cheatsheet.md
Last active October 23, 2019 19:06
Variety CLI Cheatsheet

Command-line cheat sheet

Search recursively for a string inside files and directories

grep -R 'string' dir/

Download an entire website with wget

wget --limit-rate=200k --no-clobber --convert-links --random-wait -r -p -E -e robots=off -U mozilla http://www.asdasdsaqd.com
marcostolosa / ysvc.txt
Created September 22, 2019 13:56
Yaourt: skip validity checks
yaourt --m-arg "--skippgpcheck" -S {{ package }}
###
--skipinteg
Do not perform any integrity checks (checksum and PGP)
on source files.
--skipchecksums
Do not verify checksums of source files.
marcostolosa / addCron.md
Last active April 18, 2019 13:25
Create a Cron Job Using Bash (Shell Script) Automatically Without Interactive Editor

Adding a Cron Job via Shell Script

#write out current crontab
crontab -l > mycron

#echo new cron into cron file
echo "00 09 * * 1-5 echo hello" >> mycron

#install new cron file
marcostolosa / cleanCache.sh
Created April 18, 2019 13:13
A sample shell script created to clean up cached files from the lighttpd web server every 10 days. This script is placed directly in the /etc/cron.daily/ directory.
```
#!/bin/bash
# Root of the lighttpd cache directory to clean
CROOT="/tmp/cachelighttpd/"
# Remove cached files older than $DAYS days
DAYS=10
# Web server username and group name
LUSER="lighttpd"
LGROUP="lighttpd"
```
marcostolosa / CloudFlare-API.md
Last active April 13, 2024 20:32
Cloudflare API - Using Cloudflare’s API, you can do just about anything you can do on cloudflare.com via the customer dashboard.

Cloudflare's API Cheat-Sheet

VARIABLE VALUE
EMAIL The email address associated with your Cloudflare account.
KEY The global API key associated with your Cloudflare account.
DOMAIN The name of the domain to create a zone record for.
JUMP_START If true, automatically attempts to fetch existing DNS records when creating a domain’s zone record
ZONE_ID The unique ID of the domain’s zone record. Assigned by Cloudflare. Required when managing an existing zone record and its DNS records.
marcostolosa / sonar-scanner.properties
Created April 17, 2019 09:43
Example of /sonar-scanner/conf/sonar-scanner.properties
# No information about a specific project should appear here
#----- Default SonarQube server
sonar.host.url=http://localhost:9000
sonar.projectKey=
sonar.projectName=
sonar.projectVersion=1.0
sonar.sources=/home/<user>/Codes/blockchain-py
sonar.language=py
marcostolosa / read-access.sql
Created April 16, 2019 12:51 — forked from oinopion/read-access.sql
How to create a read-only user in PostgreSQL
-- Create a group
CREATE ROLE readaccess;
-- Grant access to existing tables
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Grant access to future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;