Skip to content

Instantly share code, notes, and snippets.

Wanna sip a sencha?

Mariusz Banach mgeeky

Wanna sip a sencha?
  • Poland
  • Twitter @mariuszbit
View GitHub Profile
mgeeky / adodb_stream_for_hta.js
Created March 6, 2023 19:05 — forked from rndomhack/adodb_stream_for_hta.js
Create ADODB.Stream object for HTA (mode IE9, IE10)
View adodb_stream_for_hta.js
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ado = (function() {
if (typeof window === "undefined") {
return new ActiveXObject("ADODB.Stream");
} else {
var _GetObject = (typeof GetObject === "function") ? GetObject : (function() {
var script = window.document.createElement("script");
script.setAttribute("language", "VBScript");
script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function";
mgeeky / loadlibrary_system.c
Created March 2, 2023 17:57 — forked from rossy/loadlibrary_system.c
Safe LoadLibrary for DLLs that are expected to be in system32
View loadlibrary_system.c
#include <windows.h>
#include <wchar.h>
#define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800)
HMODULE loadlibrary_system(const wchar_t* name)
/* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with
LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */
if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory"))
mgeeky / KeePass-Export-Trigger.xml
Last active January 26, 2023 19:33
KeePass Export Database Trigger XML - aka CVE-2023-24055 aka KeeThief . Insert this XML into %APPDATA%\Roaming\KeePass\KeePass.config.xml
View KeePass-Export-Trigger.xml
View msteams-token.js
// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)
const puppeteer = require('puppeteer');
(async () => {
console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
const username = process.argv[2];
const password = process.argv[3];
console.log("[*] Using credentials: %s:%s", username, password);
mgeeky / FreshyCalls-VBA.vba
Created January 12, 2023 00:44 — forked from X-C3LL/FreshyCalls-VBA.vba
Retrieving SSN for syscalling in VBA following FreshyCalls technique
View FreshyCalls-VBA.vba
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
mgeeky / Configure-ASR.ps1
Created December 28, 2022 12:13
A little script that configures all Microsoft Defender Attack Surface Reduction (ASR) rules at once to a specific state. Example: PS> .\Configure-ASR.ps1 -State Enabled
View Configure-ASR.ps1
#Requires -RunAsAdministrator
Script used to manage state of Microsoft Defender's Attack Surface Redution rules.
Configures all ASR rules into mode defined in -State parameter.
Tells how to configure all ASR rules available. Valid options:
- Disable (Disable the ASR rule)
mgeeky / PEB.cs
Created October 24, 2022 14:28 — forked from Sadulisten/PEB.cs
Unlinking Module from PEB with c# (64bit tested only)
View PEB.cs
public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
if (hModule == IntPtr.Zero) return false;
PEB* peb = Get_PEB();
if (peb == null) return false;
LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
Debug.Assert(CurrentEntry != null);
View gist:a7dd62dd86205ad19c7365037508bb76
//All credit goes to and the great @tiraniddo
//Snippets copied from
// - Great read!
// - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
mgeeky / fork.c
Created September 25, 2022 12:06 — forked from Cr4sh/fork.c
fork() for Windows
View fork.c
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
* Copyright (c) 2012 William Pitcock <>
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
mgeeky /
Created September 15, 2022 20:26 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.