Skip to content

Instantly share code, notes, and snippets.

View michiiii's full-sized avatar

Michael Ritter michiiii

11 followers · 37 following
View GitHub Profile
@michiiii
michiiii / CVE-2020-9439.txt
Last active December 22, 2020 20:26
Vulnerability Name: Multiple cross-site scripting (XSS) vulnerabilities in Tin Canny Reporting for LearnDash
Registered: CVE-2020-9439
Discoverers:
Michael Ritter
Vendor of Product:
Uncanny Owl
Affected Product Code Base:
@michiiii
michiiii / CVE-2020-35650.txt
Last active December 23, 2020 07:23
Vulnerability Name: Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7
Registered: CVE-2020-35650
Discoverers:
Michael Ritter
Vendor of Product:
Uncanny Owl
Affected Product Code Base:
@michiiii
michiiii / setupiisforsslperfectforwardsecrecy_v17.ps1
Created March 17, 2021 19:55 — forked from jbratu/setupiisforsslperfectforwardsecrecy_v17.ps1
Great powershell script for tightening HTTPS security on IIS and disabling insecure protocols and ciphers. Very useful on core installations.
# Copyright 2019, Alexander Hass
# https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# After running this script the computer only supports:
# - TLS 1.2
#
# Version 3.0.1, see CHANGELOG.txt for changes.
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'
@michiiii
michiiii / nginx-tls.conf
Created March 17, 2021 20:01 — forked from gavinhungry/nginx-tls.conf
Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <gavinhungry@gmail.com>
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
# to SSL/TLS are not included here.
#
# Additional tips:
#
@michiiii
michiiii / windows-basic.ps1
Last active March 19, 2021 12:25
#Requires -RunAsAdministrator
############################################################
# Install Chocolatey
############################################################
if (!(Get-Package -Name *choco*))
{
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}
@michiiii
michiiii / Jenkinsfile
Created April 28, 2021 07:18 — forked from HarmJ0y/Jenkinsfile
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@michiiii
michiiii / rbcd_demo.ps1
Created April 28, 2021 07:20 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@michiiii
michiiii / PowerShellHardeningCheck.ps1
Last active June 14, 2021 15:31
Checks a workstation regarding basic PowerShell hardening, Applocker and System
function Test-RegistryValue {
param (
[parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]$Path,
[parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]$Value
)
@michiiii
michiiii / SetIISSecurityHeader.ps1
Last active September 14, 2021 16:40
Quick and dirty commands to set basic security header in IIS
### Quick and dirty command set to set basic security header on IIS
## Please adjust the values according to your requirements
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Cache-Control';value='max-age=31536000'}
Write-Host 'Cache-Control header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Permissions-Policy';value='fullscreen=(), geolocation=()'}
Write-Host 'Permissions-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Referrer-Policy';value='strict-origin-when-cross-origin'}
Write-Host 'Referrer-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{na
@michiiii
michiiii / Workstation-Takeover.md
Created November 23, 2021 13:23 — forked from S3cur3Th1sSh1t/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.