@leftp
leftp / WinRM_File_Copy.cs
Created April 21, 2023 16:29 — forked from anuriq/WinRM_File_Copy.cs
Code example to copy files through WinRM
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security;
@leftp
leftp / Program.cs
Created February 24, 2023 13:01 — forked from susMdT/Program.cs
C# AMSI bypass with hardware breakpoint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime;
using System.Text;
using System.Runtime.InteropServices;
using System.EnterpriseServices;
using ComTypes = System.Runtime.InteropServices.ComTypes;
 
@leftp
leftp / main.cpp
Created June 8, 2022 06:24 — forked from hasherezade/main.cpp
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
#include <windows.h>
#include <iostream>
#include "ntddk.h"
bool enum_processes()
{
ULONG retLen = 0;
// check length:
@leftp
leftp / process_list_without_handles.cpp
Created June 8, 2022 06:20 — forked from TheWover/process_list_without_handles.cpp
List process information including process architecture and username without opening any handles
/*
*
* List process information on windows without opening any handles, including process architecture and username
*
*/
#include <Windows.h>
#include <stdio.h>
#include <math.h>
using System;
using System.Collections;
using System.Management;
using System.Management.Instrumentation;
using System.Runtime.InteropServices;
using System.Configuration.Install;
/*
* Added references:
* system.configuration.install
@leftp
leftp / ClippyShellcodeInject.cs
Created November 20, 2021 08:35
Clipboard Shellcode Injection
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace ClippySCInject
{
@leftp
leftp / Workstation-Takeover.md
Created July 26, 2021 05:15 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@leftp
leftp / HookFx.cs
Created May 15, 2021 06:59 — forked from NaxAlpha/HookFx.cs
Windows API Hook with C#
using System;
using System.Runtime.InteropServices;
public class FxHook:IDisposable {
const int nBytes = 5;
IntPtr addr;
Protection old;
byte[] src = new byte[5];
function Invoke-SMBShellcodeLoad {
<#
.SYNOPSIS
Short description
.DESCRIPTION
Long description
.EXAMPLE
An example