@tothi
tothi / mitmproxy-jwt-refresh-addon.py
Created August 28, 2022 20:52
mitmproxy addon for handling oauth access and refresh tokens automatically
# run: mitmproxy -k -p 8090 -s mitmproxy-jwt-refresh-addon.py
# set burp upstream proxy to localhost:8090
#
# use case:
# - application authorization is implemented by OAuth 2.0
# - testing is performed using Burp as primary and mitmproxy as upstream proxy
# - mitmproxy takes care of the Authorization tokens using this addon
# - user gets an access_token and a refresh_token during the 1st login (e.g. password login)
# - mitmproxy addon caches access_token and refresh_token
# - mitmproxy addon adds Authorization: Bearer [access_token from cache] header for every request
@tothi
tothi / cpau-decrypt-creds.py
Created June 5, 2022 19:07
Decrypt credentials from encrypted CPAU job file using the original CPAU.exe (and Frida.re)
# extract credentials from CPAU (and possibly other) encrypted config file
# using the original CPAU.exe and hooking WinAPI call CreateProcessWithLogonW using Frida.re
#
# https://www.joeware.net/freetools/tools/cpau/
#
import sys
import frida
def on_message(message, data):
@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is a URL scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP combined with Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (i.e. ownership of) that machine. Combining the two: a non-privileged domain user escalates to Domain Admin without the requirement of adding or owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active March 1, 2024 12:26
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@tothi
tothi / nmap-http-url.py
Last active August 9, 2023 18:49
Generate HTTP URLs from Nmap XML (and optionally use VirtualHosts)
#!/usr/bin/env python3
#
# inputs: nmap.xml (nmap scan xml output), subdomains.csv (optional virtualhost info, hostname + ip address csv file)
# output: url listing (useful for tools like EyeWitness)
#
# sample usage: ./nmap-http-url.py nmap.xml subdomains.csv | sort -u | gowitness file -f -
#
description = '''
Generate HTTP URLs from Nmap XML (and optionally additional VirtualHost listing, taken from e.g. subdomain enumeration).
@tothi
tothi / magisk_ramdisk_patch_avd.sh
Last active February 18, 2024 08:47
Apply Magisk patches on AVD (Android Emulator) RAMDISK images for running Magisk (root) on Android Emulators
#!/bin/bash
#
# patch ramdisk.img (for installing Magisk on x64 Android emulator)
#
# x86_64 on Android 12 (API Level 32) is supported/tested currently
#
# install AVD:
#
# sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64'
@tothi
tothi / ip_to_geo_map.md
Last active March 6, 2022 13:48
Draw geolocation map from list of IP addresses

Creating geolocation heatmap from a list of IP addresses

Source IP set is proxies.txt.

Generate KML with geolocation coordinates using the tool geoiplookup from MaxMind (free db from MaxMind may be needed):

cat proxies.txt | \
  awk '{ cmd="/usr/bin/geoiplookup "$1" | tr '\''\n'\'' '\''|'\''"; 
         cmd | getline res; print $1"|"res; close(cmd) }' \
 > proxies_geo.csv
@tothi
tothi / openvpn2-dynamic-challenge-wrapper.sh
Created January 31, 2022 17:04
Wrapper script for OpenVPN version 2.x clients for supporting Dynamic Challenge (OTP) authentication
#!/bin/bash
#
# openvpn2 wrapper for supporting Dynamic Challenge (in openvpn 2.x)
#
# Dynamic Challenge:
# CRV1:<FLAGS>:<STATE_ID>:<BASE64_USERNAME>:<CHALLENGE_TEXT>
# Dynamic Challenge response:
# Username: [username decoded from challenge, probably equals to the original username]
# Password: CRV1::<STATE_ID>::<RESPONSE_TEXT>
@tothi
tothi / blasty-vs-pkexec-mod.c
Last active January 27, 2022 18:55
CVE-2021-4034
/*
* blasty-vs-pkexec-mod.c -- by blasty <peter@haxx.in>
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25