Wanna sip a sencha?

Mariusz Banach mgeeky

  • Poland
  • Twitter @mariuszbit
mgeeky / PEB.cs
Created Oct 24, 2022 — forked from Sadulisten/PEB.cs
Unlinking Module from PEB with c# (64bit tested only)
public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
if (hModule == IntPtr.Zero) return false;
PEB* peb = Get_PEB();
if (peb == null) return false;
LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
Debug.Assert(CurrentEntry != null);
View gist:a7dd62dd86205ad19c7365037508bb76
//All credit goes to and the great @tiraniddo
//Snippets copied from
// - Great read!
// - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
mgeeky / fork.c
Created Sep 25, 2022 — forked from Cr4sh/fork.c
fork() for Windows
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
* Copyright (c) 2012 William Pitcock <>
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
mgeeky /
Created Sep 15, 2022 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

View gist:82d6abe0508ae81f107689864fb5dfc0
# Pack macro-enabled doc to ISO
py Resume1337.xlsm test11.iso
# Apply MOTW on that ISO
Set-Content -Path test11.iso -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
# Mount it
Mount-DiskImage -ImagePath test11.iso
mgeeky / AMSITools.psm1
Created Aug 5, 2022 — forked from mgraeber-rc/AMSITools.psm1
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
filter Send-AmsiContent {
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.
Author: Matt Graeber
Company: Red Canary
mgeeky / Caddyfile
Created Aug 1, 2022 — forked from byt3bl33d3r/Caddyfile
Caddyfile reverse proxy example for C2 platforms
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
(proxy_upstream) {
# Enable access logging to STDOUT
# This is our list of naughty client User Agents that we don't want accessing our C2
mgeeky / transport_https.c
Created Jul 11, 2022 — forked from Cracked5pider/transport_https.c
perform HTTPs requests using WinHTTP
BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize )
HANDLE hConnect = NULL;
HANDLE hSession = NULL;
HANDLE hRequest = NULL;
DWORD HttpFlags = 0;
LPVOID RespBuffer = NULL;
mgeeky /
Created Jul 5, 2022 — forked from afdevries/
How to modify an .ova file on Linux/Mac using the terminal: export the VM (OVF 1.0) from VirtualBox, then modify some tags and the hash value to import the VM into ESXi.

Extract the files from the OVA archive:

$ tar -xvf vmName.ova

Modify the OVF to fix the invalid tags:

$ vi vmName.ovf
mgeeky / sccmdecryptpoc.cs
Created Jul 3, 2022 — forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
// Twitter thread: (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
internal class Program