Skip to content

Instantly share code, notes, and snippets.

View myst404's full-sized avatar
🔥

myst404

🔥
30 followers · 13 following
View GitHub Profile
@ThePirateWhoSmellsOfSunflowers
ThePirateWhoSmellsOfSunflowers / badsuccessordumper.py
Last active October 27, 2025 16:42
This script retrieves NT hashes of all domain users and computers using a dMSA
import argparse
import datetime
import logging
import os
import random
import struct
import sys
from binascii import hexlify, unhexlify
from six import ensure_binary
@incogbyte
incogbyte / mixunpin.js
Last active February 12, 2026 07:54
Frida script to bypass common methods of sslpining Android
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);
/**
* by incogbyte
* Common functions
* thx apkunpacker, NVISOsecurity, TheDauntless
* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
@tothi
tothi / krbrelay_privesc_howto.md
Last active January 24, 2026 07:17
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@tothi
tothi / usbgadget_razer.sh
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@itm4n
itm4n / DllRpcEndpointMapperPoc.cpp
Created November 8, 2020 12:03
Windows 7-2008R2 RpcEptMapper Service Insecure Registry Permissions EoP - PoC DLL
#include <iostream>
#include <Windows.h>
#include <Lmcons.h> // UNLEN + GetUserName
#include <tlhelp32.h> // CreateToolhelp32Snapshot()
#include <strsafe.h>
extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext);
extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned);
extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData();
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@emanuelduss
emanuelduss / gist:c82e4ddae16c8d68a67a9699ff7c4c20
Created June 9, 2020 10:43
Curl Connection Statistics
curl -w "DNS: %{time_namelookup}\nTCP: %{time_connect}\nTLS: %{time_appconnect}\nTotal: %{time_total}\n" -o /dev/null -s https://example.net/test
@gteissier
gteissier / root-my-emulator.py
Created June 3, 2020 13:23
gdb Python script that adds root-single command to elevate a process given by the name of its executable
import gdb
import re
from collections import namedtuple
DETAILS = {
# API 24 playstore
# API 25 playstore
'3.10.0+': (0xC0887D20, 0xC092138C, 316, 0xC0A7754C, 4),
# API 26 playstore
@tillson
tillson / gist:620e8ef87bc057f25b0a27c423433fda
Created May 10, 2020 19:22
Decode Base64 strings in a git repo's commit history
from pydriller import RepositoryMining
import re
import base64
foundSet = set()
for commit in RepositoryMining('./').traverse_commits():
for mod in commit.modifications:
if mod.source_code_before != None:
regex = re.findall(r"<text encoding=\"base64\">[^>]+</text>", mod.source_code_before)
for result in regex: