Mariusz Banach mgeeky

## adodb_stream_for_hta.js
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ado = (function() {
    if (typeof window === "undefined") {
        return new ActiveXObject("ADODB.Stream");
    } else {
        var _GetObject = (typeof GetObject === "function") ? GetObject : (function() {
            var script = window.document.createElement("script");
            script.setAttribute("language", "VBScript");
            script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function";
            window.document.body.appendChild(script);

## loadlibrary_system.c
#include <windows.h>
#include <wchar.h>

#define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800)

HMODULE loadlibrary_system(const wchar_t* name)
{
	/* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with
	   LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */
	if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory"))

## KeePass-Export-Trigger.xml
<TriggerCollection
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<Triggers>
		<Trigger>
			<Guid>Ab8CqzeKQUuKdzTx4tKy7A==</Guid>
			<Name>Debug</Name>
			<Events>
				<Event>
					<TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid>

## msteams-token.js
// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)

const puppeteer = require('puppeteer');

(async () => {
    console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
    const username = process.argv[2];
    const password = process.argv[3];
    console.log("[*] Using credentials: %s:%s", username, password);

## FreshyCalls-VBA.vba
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)


'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/


Private Type LARGE_INTEGER

## Configure-ASR.ps1
#Requires -RunAsAdministrator

<#
.SYNOPSIS
    Script used to manage state of Microsoft Defender's Attack Surface Redution rules.
    Configures all ASR rules into mode defined in -State parameter.

.PARAMETER State
    Tells how to configure all ASR rules available. Valid options:
      - Disable (Disable the ASR rule)

## PEB.cs
public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
{
	if (hModule == IntPtr.Zero) return false;

	PEB* peb = Get_PEB();
	if (peb == null) return false;

	LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
	Debug.Assert(CurrentEntry != null);

## gist:a7dd62dd86205ad19c7365037508bb76
//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;

## fork.c
/*
 * fork.c
 * Experimental fork() on Windows.  Requires NT 6 subsystem or
 * newer.
 *
 * Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.

## Workstation-Takeover.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                mgeeky
                / Workstation-Takeover.md
            
            
              Created
              September 15, 2022 20:26
                — forked from gladiatx0r/Workstation-Takeover.md
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
      View Workstation-Takeover.md
  
      
    Overview
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
	var fso = new ActiveXObject("Scripting.FileSystemObject");
	var ado = (function() {
	if (typeof window === "undefined") {
	return new ActiveXObject("ADODB.Stream");
	} else {
	var _GetObject = (typeof GetObject === "function") ? GetObject : (function() {
	var script = window.document.createElement("script");
	script.setAttribute("language", "VBScript");
	script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function";
	window.document.body.appendChild(script);
	#include <windows.h>
	#include <wchar.h>

	#define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800)

	HMODULE loadlibrary_system(const wchar_t* name)
	{
	/* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with
	LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */
	if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory"))
	<TriggerCollection
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<Triggers>
	<Trigger>
	<Guid>Ab8CqzeKQUuKdzTx4tKy7A==</Guid>
	<Name>Debug</Name>
	<Events>
	<Event>
	<TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid>
	// Obtain teams token - you can reuse it for GoMapEnum for example
	// Author: Juan Manuel Fernandez (@TheXC3LL)

	const puppeteer = require('puppeteer');

	(async () => {
	console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
	const username = process.argv[2];
	const password = process.argv[3];
	console.log("[*] Using credentials: %s:%s", username, password);
	' Proof of Concept: retrieving SSN for syscalling in VBA
	' Author: Juan Manuel Fernandez (@TheXC3LL)


	'Based on:
	'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
	'https://www.crummie5.club/freshycalls/


	Private Type LARGE_INTEGER
	#Requires -RunAsAdministrator

	<#
	.SYNOPSIS
	Script used to manage state of Microsoft Defender's Attack Surface Redution rules.
	Configures all ASR rules into mode defined in -State parameter.

	.PARAMETER State
	Tells how to configure all ASR rules available. Valid options:
	- Disable (Disable the ASR rule)
	public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
	{
	if (hModule == IntPtr.Zero) return false;

	PEB* peb = Get_PEB();
	if (peb == null) return false;

	LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
	Debug.Assert(CurrentEntry != null);
	//All credit goes to Ysoserial.net and the great @tiraniddo
	//Snippets copied from ysoserial.net
	//https://thewover.github.io/Mixed-Assemblies/ - Great read!
	//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
	using System;
	using System.Collections.Generic;
	using System.Runtime.Serialization.Formatters.Binary;
	using System.IO;
	using System.Reflection;
	/*
	* fork.c
	* Experimental fork() on Windows. Requires NT 6 subsystem or
	* newer.
	*
	* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
	*
	* Permission to use, copy, modify, and/or distribute this software for any
	* purpose with or without fee is hereby granted, provided that the above
	* copyright notice and this permission notice appear in all copies.