@tothi
tothi / VMSA-2024-0012.yaml
Last active July 6, 2024 17:23
Nuclei template for scanning VMSA-2024-0012 (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
id: VMSA-2024-0012
info:
  name: VMware vCenter Server heap-overflow (potential RCE) and privilege escalation
  author: "@an0n_r0"
  severity: critical
  description: |
    CVE-2024-37079, CVE-2024-37080: vCenter Server multiple heap-overflow vulnerabilities
    CVE-2024-37081: vCenter Server local privilege escalation due to misconfiguration of sudo
  impact: |
@tothi
tothi / Empire_Install_ArchLinux.md
Created January 4, 2024 00:58
PowerShell Empire install notes for Arch Linux

Notes on installing PowerShell Empire for Arch Linux

The default installer scripts work for .deb-based distros like Debian, Ubuntu and Kali, but not for Arch Linux (pacman).

Here are some hints on installing Empire on Arch Linux. The base repo is here: https://github.com/BC-SECURITY/Empire

  1. Clone the repo recursively:
git clone --recursive https://github.com/BC-SECURITY/Empire.git
@tothi
tothi / bh_split2.py
Last active March 13, 2024 13:48 — forked from Acebond/bh_split2.py
Split large SharpHound datasets (JSON files) into smaller files that can be imported into BloodHound more easily. Especially useful given the Electron memory limits and the 1GB file size limit of BloodHound CE (running in the browser).
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# updated to current BloodHound JSON format (compatible with SharpHound 2.x and BloodHound CE)
# pip install simplejson
import simplejson
import sys
def splitfile(file_name, object_limit):
    print(f"[*] Loading {file_name}")
    with open(file_name) as f:
@tothi
tothi / PrtSc_Screenshotter.ps1
Created September 16, 2023 20:00
Capture screenshot by sending PrtSc key using PowerShell and grab it through HTTP with a Python CGI receiver
# dependency
Add-Type -AssemblyName System.Windows.Forms
# send PrtSc key (= capture the screen to the clipboard)
[Windows.Forms.Sendkeys]::SendWait("{PrtSc}")
# save the image as PNG in memory
$png = New-Object System.IO.MemoryStream
[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)
@tothi
tothi / kali-fde-tpm.md
Last active August 4, 2024 01:17
Full Disk Encryption with unattended auto-unlock using TPM2; hardened with Secure Boot on Kali

Full Disk Encryption w/ TPM2 on Kali

Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.

Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. that store confidential information but lack physical security.

NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must. To make Secure Boot work (without touching the default UEFI keys stored in the hardware), the Microsoft-signed UEFI shim loader is used (available in the Kali repo), which can securely load an arbitrary ELF image as a second stage

@tothi
tothi / config.nims
Last active May 13, 2023 12:21
Nim config script for making the Nim build compatible with Mingw-w64 (useful on Arch Linux setups because the defaults there break things)
# original idea: https://github.com/nim-lang/Nim/issues/20007#issue-1300915309
# use case for https://github.com/chvancooten/NimPlant
# - put this config.nims into NimPlant/client folder and build should work without errors on ArchLinux also
import std/strutils
import std/sequtils
# remove -fstack-clash-protection
switch("gcc.options.always", replace(get("gcc.options.always"), "-fstack-clash-protection", ""))
@tothi
tothi / msmq_detect.py
Created April 17, 2023 00:09
Detect whether the remote MSMQ service on 1801/tcp is enabled or not by sending a valid message to the target
#!/usr/bin/env python3
#
# detect whether the remote MSMQ service on 1801/tcp is enabled or not
# by sending a valid message to the target
#
# resources:
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b7cc2590-a617-45df-b6a3-1f31102b36fb
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af
#
@tothi
tothi / PidLidReminderPwn.py
Created March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@tothi
tothi / openssl-legacy-md4.md
Last active September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern OpenSSL installations, where they are disabled by default.

The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).

To check whether the legacy provider has been enabled successfully:

$ openssl list -providers
Providers:
@tothi
tothi / DInjectQueuerAPC.cs
Last active November 26, 2024 17:57 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;