@Dliv3
Dliv3 / 2024_04_26_3.txt
Created April 26, 2024 08:38
Windows LPE 3
77ac40da30d6940147b34b9454949b3fdbc9e780cdfd8ea62ad78ff972592cad
@Dliv3
Dliv3 / 2024_04_26_2.txt
Created April 26, 2024 08:37
Windows LPE 2
5e19673782c2e334d8cc4b36299b0a054d2bec5827b8efe6da8917fbb40b7e1e
@Dliv3
Dliv3 / 2024_04_26.txt
Last active April 26, 2024 08:36
Windows LPE
dc7e3c839ad9ce5194a2d6977c12cbd590a59e68788d20f17566ac860ec163dd
bdacb3823320a5c7a630f513dfa981a7f5abacf6bdffc990a90615d37da0101c
@Dliv3
Dliv3 / Source.cpp
Created December 7, 2023 10:35 — forked from mgeeky/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@Dliv3
Dliv3 / decryptKerbTicket.py
Created July 30, 2023 05:47 — forked from tothi/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python3
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches
@Dliv3
Dliv3 / unwxapkg.py
Created April 13, 2023 10:44 — forked from Integ/unwxapkg.py
A useful tool for unpacking wxapkg files, with Python 3 support.
# coding: utf-8
# py2 origin author lrdcq
# usage python3 unwxapkg.py filename
__author__ = 'Integ: https://github.com./integ'
import sys, os
import struct
class WxapkgFile(object):
@Dliv3
Dliv3 / esc1.ps1
Created February 23, 2023 04:47 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
@Dliv3
Dliv3 / PatchExtract.ps1
Created November 11, 2022 13:42 — forked from wumb0/PatchExtract.ps1
A gist copy of PatchExtract by Greg Lanaris
<#
____ ______ ______ ____ __ __
/\ _`\ /\ _ \ /\__ _\/\ _`\ /\ \/\ \
\ \ \L\ \\ \ \L\ \\/_/\ \/\ \ \/\_\\ \ \_\ \
\ \ ,__/ \ \ __ \ \ \ \ \ \ \/_/_\ \ _ \
\ \ \/ \ \ \/\ \ \ \ \ \ \ \L\ \\ \ \ \ \
\ \_\ \ \_\ \_\ \ \_\ \ \____/ \ \_\ \_\
\/_/ \/_/\/_/ \/_/ \/___/ \/_/\/_/
@Dliv3
Dliv3 / delta_patch.py
Created November 11, 2022 13:42 — forked from wumb0/delta_patch.py
A script for applying MS patch deltas
from ctypes import (windll, wintypes, c_uint64, cast, POINTER, Union, c_ubyte,
LittleEndianStructure, byref, c_size_t)
import zlib
# types and flags
DELTA_FLAG_TYPE = c_uint64
DELTA_FLAG_NONE = 0x00000000
DELTA_APPLY_FLAG_ALLOW_PA19 = 0x00000001