Skip to content

Instantly share code, notes, and snippets.

View kaywoz's full-sized avatar

ka kaywoz

5 followers · 2 following
  • between a hard place and a nightmarish hellscape....
  • X @Morna666
View GitHub Profile
@brooksvb
brooksvb / Uptime-Kuma-Status-Page-Dark-Mode-High-Density-Tweaks.css
Last active May 4, 2025 13:06
These CSS tweaks are for higher density display for Uptime Kuma status pages in dark mode.
:root {
--min-item-width: 28ch;
--max-item-width: .5fr;
--grid-spacing: .25rem;
--item-padding: .25rem;
}
/* Let items expand on small screens */
@media (max-width: 600px) {
:root {
@scyto
scyto / proxmox.md
Last active May 4, 2025 19:28
my proxmox cluster

ProxMox Cluster - Soup-to-Nutz

aka what i did to get from nothing to done.

note: these are designed to be primarily a re-install guide for myself (writing things down helps me memorize the knowledge), as such don't take any of this on blind faith - some areas are well tested and the docs are very robust, some items, less so). YMMV

Purpose of Proxmox cluster project

Required Outomces of cluster project

@jorisvervuurt
jorisvervuurt / opnsense-i226-nic-tunables.txt
Last active April 20, 2025 10:14
OPNsense - Intel i226 NIC tunables
<item>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
<descr/>
</item>
<item>
<tunable>net.isr.bindthreads</tunable>
<value>1</value>
<descr/>
</item>
@api0cradle
api0cradle / check_vulnerabledrivers.ps1
Created May 19, 2023 14:13
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
@h4x0r-dz
h4x0r-dz / Generic keys
Created May 5, 2022 09:15
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
@vikas891
vikas891 / ExtractAllScripts.ps1
Last active July 16, 2024 19:32
A PowerShell script to re-construct a suspicious .PS1 from script-blocks recorded in Event ID 4104
#Usage:
#
#NOTE: The script expects an argument which is the full File Path of the EVTX file.
#
#C:\>ExtractAllScripts.ps1
#The default behavior of the script is to assimilate and extract every script/command to disk.
#
#C:\ExtractAllScripts -List
#This will only list Script Block IDs with associated Script Names(if logged.)
#
@DissectMalware
DissectMalware / deobfuscator.py
Last active January 18, 2022 15:18
VBA deobfuscation - Emotet XLSM
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re
vbaparser = VBA_Parser(sys.argv[1])
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)
regex_url = "http(s)?://[^,\"]+"
@jackullrich
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@fr0gger
fr0gger / DhashIcon.py
Last active September 30, 2024 11:08
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse