modulexcite

## Workstation-Takeover.md

      
              1 file
            
          
              89 forks
            
          
              9 comments
            
          
              249 stars
            
          
                gladiatx0r
                / Workstation-Takeover.md
            
            
              Last active
              April 25, 2024 13:23
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
    Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

  
## secdriven.md

      
              1 file
            
          
              0 forks
            
          
              4 comments
            
          
              15 stars
            
          
                terjanq
                / secdriven.md
            
            
              Last active
              June 18, 2022 11:58
            
              
                A TL;DR solution to Security Driven by @terjanq

              
    A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

Link to the challenge: https://capturetheflag.withgoogle.com/challenges/web-security-driven
Link to the PoC: https://github.com/google/google-ctf/tree/master/2021/quals/web-security-driven/solution

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only admin had access to it, because the file was private.
Disclamer: The write-up is written on airplane therefore the quality of it is poor, mostly to showcase the required steps to solve the challenge

  
## DInjectQueuerAPC.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace DinjectorWithQUserAPC
{


    public class Program

## NetLoader.cs
/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader

This partial rewrite of @Flangvik Netloader includes the following changes:

	- Allow loading of an XOR encrypted binary to bypass antiviruses
		To encrypt the initial binary you can use my Python transformFile.py script.
		Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor


## get-shodan-favicon-hash.py
# https://twitter.com/brsn76945860/status/1171233054951501824
pip install mmh3

-----------------------------
# python 2
import mmh3
import requests

response = requests.get('https://cybersecurity.wtf/favicon.ico')
favicon = response.content.encode('base64')

## Github bash generated search links (from hunter.sh)


echo ""
echo "************ Github Dork Links (must be logged in) *******************"
echo ""
echo "  password"
echo "https://github.com/search?q=%22$1%22+password&type=Code"
echo "https://github.com/search?q=%22$without_suffix%22+password&type=Code"
echo ""
echo " npmrc _auth"

## AWS API calls that return credentials.md

      
              1 file
            
          
              27 forks
            
          
              2 comments
            
          
              130 stars
            
          
                kmcquade
                / AWS API calls that return credentials.md
            
            
              Last active
              May 2, 2024 14:39
            
              
                AWS API calls that return credentials
              
          
chime:CreateApiKey
codepipeline:PollForJobs
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-identity:GetCredentialsForIdentity
connect:GetFederationToken
connect:GetFederationTokens
ecr:GetAuthorizationToken
[gamelift:RequestUploadCredentials](ht


## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              263 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              March 10, 2024 09:15
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## resources.bin
   ++++++ Basic knowledge requirements for cybersecurity and hacking ++++++
These are the basic competencies expected (and tested for during the 1st in person interview) by a large, very visible InfoSec company I think it is a good base competency list for anyone looking to get into an Infosec career (with specialization plus and some programming /scripting ability) or learn cybersecurity/hacking as a hobby:

Networking: Good understanding of OSI layer model / Understating of communication flow through each layer / Good understanding of functions of each layer / Understanding of major protocols in each layer / In-depth understanding Layer 3 & Layer 4 protocols  IP, ICMP Protocols (layer 3) TCP, UDP Protocols (layer 4)

Overview of TCP/IP Layer model: ARP / Understanding of Client & Server communication model / Ports common services run on / Ephemeral port vs Well known ports

Understanding of major (everyday Layer 7) services/protocols: DNS o DHCP o HTTP HTTP Header Fields HTTP Status Codes  How HTTP mainta

## TestAssembly.cs
/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;

	namespace DinjectorWithQUserAPC
	{


	public class Program
	/*
	Author: Arno0x0x, Twitter: @Arno0x0x
	Completely based on @Flangvik netloader

	This partial rewrite of @Flangvik Netloader includes the following changes:

	- Allow loading of an XOR encrypted binary to bypass antiviruses
	To encrypt the initial binary you can use my Python transformFile.py script.
	Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
	# https://twitter.com/brsn76945860/status/1171233054951501824
	pip install mmh3

	-----------------------------
	# python 2
	import mmh3
	import requests

	response = requests.get('https://cybersecurity.wtf/favicon.ico')
	favicon = response.content.encode('base64')


	echo ""
	echo "********** Github Dork Links (must be logged in) *****************"
	echo ""
	echo " password"
	echo "https://github.com/search?q=%22$1%22+password&type=Code"
	echo "https://github.com/search?q=%22$without_suffix%22+password&type=Code"
	echo ""
	echo " npmrc _auth"
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	++++++ Basic knowledge requirements for cybersecurity and hacking ++++++
	These are the basic competencies expected (and tested for during the 1st in person interview) by a large, very visible InfoSec company I think it is a good base competency list for anyone looking to get into an Infosec career (with specialization plus and some programming /scripting ability) or learn cybersecurity/hacking as a hobby:

	Networking: Good understanding of OSI layer model / Understating of communication flow through each layer / Good understanding of functions of each layer / Understanding of major protocols in each layer / In-depth understanding Layer 3 & Layer 4 protocols  IP, ICMP Protocols (layer 3) TCP, UDP Protocols (layer 4)

	Overview of TCP/IP Layer model: ARP / Understanding of Client & Server communication model / Ports common services run on / Ephemeral port vs Well known ports

	Understanding of major (everyday Layer 7) services/protocols: DNS o DHCP o HTTP HTTP Header Fields HTTP Status Codes  How HTTP mainta
	/*

	================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

	*/

	using System.Windows.Forms;

	namespace TestNamespace