clod clod81

  • Tier Zero Security
@clod81
clod81 / find_drivers_addresses.c
Created April 27, 2024 08:38
Windows C program to find the addresses of kernel drivers
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
int main(void) {
LPVOID DriverBases[1024];
CHAR DriverName[100];
DWORD Needed;
ULONG i, DriverCount;
if (!EnumDeviceDrivers(DriverBases, sizeof(DriverBases), &Needed) || (Needed >= sizeof(DriverBases))) {

using System;
using System.Security.Cryptography;
using System.Text;
namespace Decrypt1
{
internal class Program
{
static void Main(string[] args)
{
@clod81
clod81 / encrypt.cs
Created January 21, 2024 21:44
C# DPAPI Example Usage
using System;
using System.Security.Cryptography;
using System.Text;
namespace Encrypt1
{
internal class Program
{
readonly static byte[] entropy = {}; //the entropy
@clod81
clod81 / cookies.py
Last active April 10, 2023 04:30
Parses a JSON list of cookies and returns the document.cookie directives to run in the browser dev console on the target domain
import json
cookies = '[{"name":"cookiename","value":"cookievalue","domain":"domain.com","path":"/","expires":1710446521.314705,"size":8,"httpOnly":false,"secure":true,"session":false,"priority":"Medium","sameParty":false,"sourceScheme":"Secure","sourcePort":443}]'
parsed = json.loads(cookies)
# print("")
# print("Set-Cookie: ******************************")
# print("")
@clod81
clod81 / scrape.py
Last active March 15, 2023 02:06
LinkedIn Python3 Selenium Scrape by: Employee + Company name. Returns: info - name, last position start date, LinkedIn profile URL. Info saved to: linked_dates.txt
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
import time
import sys
import os
global driver
driver = webdriver.Chrome("/PATH_TO/chromedriver")
@clod81
clod81 / scrapy.js
Created March 8, 2023 00:44
LinkedIn JS scrape company employees and position
// 1. Access a company page on LinkedIn and click on the company employees
// 2. Open the browser dev console
// 3. Import jQuery first (copy and paste jQuery into browser dev console will do)
// 4. Copy and paste the below in the console
// 5. Wait until the last page (10 people per page are displayed)
// 6. Enjoy the list in console output
function scrape(){
jQuery.each(jQuery('span.entity-result__title-line span a span span[aria-hidden="true"]'), function(i,v){
console.log((v.innerHTML.replace(/<!---->/g, "").replace(/ /g, " ")));
@clod81
clod81 / esc1.ps1
Created February 23, 2023 19:18 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER

// From: https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH/blob/16f8f7a90a543a0f5a3f70d3d02e8f120273e6ed/SharpNamedPipePTH/PipeServerImpersonate.cs
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Diagnostics;
namespace SharpNamedPipePTH
{
class PipeServerImpersonate
@clod81
clod81 / js
Last active September 6, 2022 01:20
jQuery JS LinkedIn company employees' names scraping
// 1. Access a company page on LinkedIn and click on the company employees
// 2. Open the browser dev console
// 3. Import jQuery first (copy and paste jQuery into browser dev console will do)
// 4. Copy and paste the below in the console
// 5. Wait until the last page (10 people per page are displayed)
// 6. Enjoy the list in console output
function scrape(){
jQuery.each(jQuery('span.entity-result__title-line span a span span[aria-hidden="true"]'), function(i,v){
console.log((v.innerHTML.replace(/<!---->/g, "").replace(/ /g, ".")));
@clod81
clod81 / certifried_with_krbrelayup.md
Created May 17, 2022 02:48 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combining these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites: