@skysbsb
skysbsb / gist:9f831bc0550ab3499b99fe42bb032c32
Last active June 21, 2023 17:14
Add vaultname as tags to all 1password (export.data) items in order to map as bitwarden collection
#generated by chatgpt 4
# https://support.1password.com/1pux-format/
# https://community.bitwarden.com/t/convert-1password-vaults-to-bitwarden-folders-when-importing-1pux/52599/11#:~:text=Any%20tags%20will%20get%20converted%20into%20Bitwarden%20collections.
import json
import os
import sys
if len(sys.argv) < 2:
    print("Usage: python script.py filename")
skysbsb / find-k8snode-interface.sh
Created June 15, 2023 15:49 — forked from r0mdau/find-k8snode-interface.sh
How to get tcpdump for containers inside Kubernetes pods
# find the kube node of the running pod (it appears next to hostIP), and note the containerID hash
kubectl get pod mypod -o json
# -> save hostIP
# -> save containerID
# connect to the node and find the pod's unique network interface index inside its container
docker exec containerID /bin/bash -c 'cat /sys/class/net/eth0/iflink'
# -> returns index
# locate the interface of the node
skysbsb / awslogs-agent-setup.py
Created November 4, 2022 14:59 — forked from jwhulette/awslogs-agent-setup.py
[FreeBSD AWS CloudWatch Logs installer] #python #aws
#!/usr/bin/python
# Copyright 2014 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Amazon Software License (the "License"). You may not use
# this file except in compliance with the License. A copy of the License is
# located at http://aws.amazon.com/asl/ or in the "license" file accompanying
# this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
skysbsb / bad_sequel.py
Created July 26, 2021 03:54 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
skysbsb / Workstation-Takeover.md
Created July 26, 2021 01:55 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

skysbsb / DO425.md
Created July 21, 2021 02:46 — forked from luckylittle/DO425.md
Red Hat DO425 Notes

Red Hat Security: Securing Containers & OpenShift (DO425)

Last update: Tue Jan 14 23:15:49 UTC 2020 by @luckylittle


Objectives

  1. Understand, identify, and work with containerization features
  2. Deploy a preconfigured application and identify crucial features such as namespaces, SELinux labels, and cgroups
skysbsb / RH415.md
Created July 21, 2021 02:46 — forked from luckylittle/RH415.md
Red Hat RH415 Notes

Red Hat Security: Linux in Physical, Virtual and Cloud (RH415)

Last update: Mon Nov 18 05:32:46 UTC 2019 by @luckylittle


1. Managing Security & Risk

# USING YUM TO MANAGE SECURITY ERRATA:
skysbsb / RH342.md
Created July 1, 2021 23:59 — forked from luckylittle/RH342.md
Red Hat RH342 Notes

Red Hat Enterprise Linux Diagnostics & Troubleshooting (RH342)

Last update: Fri Jul 26 08:23:20 UTC 2019 by @luckylittle


1. Troubleshooting principles

2. Generic issues