mosesrenegade
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
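The second step above, "relaying that machine authentication to LDAPS for configuring RBCD", comes down to one LDAP write: a self-relative security descriptor placed in the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, whose DACL grants an attacker-controlled account the right to delegate to that machine. Auditing for the same abuse means reading that blob back out of every computer object. The following Python is an added example, not code from the gist or its author: it builds such a descriptor from a SID and parses one back using only the MS-DTYP layouts (the constants are from the spec; the owner/group of BUILTIN\Administrators and the 0x000F01FF full-control mask are what common RBCD tooling writes; the attacker SID is constructed).

```python
import struct

# MS-DTYP layouts; constant values are from the spec, not assumptions.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
FULL_CONTROL = 0x000F01FF           # mask RBCD tooling grants (SDDL "CCDCLCSWRPWPDTLOCRSDRCWDWO")
BUILTIN_ADMINS = "S-1-5-32-544"     # owner/group of the descriptor, as rbcd tooling sets it
SD_HEADER = "<BBHIIII"              # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (6-byte big-endian authority, little-endian sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off=0):
    """Decode a binary SID at buf[off:]; returns (sid_string, length_in_bytes)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(allowed_sid):
    """Self-relative security descriptor whose DACL holds one ACCESS_ALLOWED_ACE for allowed_sid.
    Written to msDS-AllowedToActOnBehalfOfOtherIdentity, it lets that principal delegate to the target."""
    ace_sid = sid_to_bytes(allowed_sid)
    # ACE: AceType, AceFlags, AceSize, Mask, then the trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(ace_sid), FULL_CONTROL) + ace_sid
    # ACL: AclRevision, Sbz1, AclSize, AceCount, Sbz2, then the ACEs
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(ace), 1, 0) + ace
    owner = sid_to_bytes(BUILTIN_ADMINS)
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + acl


def parse_rbcd_sd(sd):
    """Inverse of build_rbcd_sd, for auditing: [(sid, access_mask)] for every allow ACE in the DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                   # no DACL: nobody may delegate to this account
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, end, allowed = off_dacl + 8, off_dacl + acl_size, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from("<I", sd, pos + 4)
            sid, _ = sid_from_bytes(sd, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size
    return allowed


if __name__ == "__main__":
    # Constructed SID for an attacker-controlled computer account; not from any real domain.
    attacker_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    blob = build_rbcd_sd(attacker_sid)
    print("msDS-AllowedToActOnBehalfOfOtherIdentity =", blob.hex())
    for sid, mask in parse_rbcd_sd(blob):
        print("allowed to delegate: %s (mask 0x%08X)" % (sid, mask))
```

Two practitioner notes on the relay step. The write only lands if the DC accepts the relayed NTLM authentication over LDAPS, which LDAP channel binding (EPA) on the DC prevents; LDAP signing likewise blocks relay to plain LDAP. On the defensive side, pull msDS-AllowedToActOnBehalfOfOtherIdentity from every computer object (for example `Get-ADComputer -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity`), feed the bytes to parse_rbcd_sd, and treat any SID that is not a known front-end service account as a finding.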

mattifestation / dbxhashoutput.csv
Created September 3, 2017 17:49
A basic "dbx" UEFI variable parser to dump blacklisted UEFI bootloader hashes
SignatureOwner SHA256Hash
00000000-0000-0000-0000-000000000000 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
77fa9abd-0359-4d32-bd60-28f4e78f784b 80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A
77fa9abd-0359-4d32-bd60-28f4e78f784b F52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7A
77fa9abd-0359-4d32-bd60-28f4e78f784b C5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBD
77fa9abd-0359-4d32-bd60-28f4e78f784b 363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76
77fa9abd-0359-4d32-bd60-28f4e78f784b 1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06
77fa9abd-0359-4d32-bd60-28f4e78f784b E6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5
77fa9abd-0359-4d32-bd60-28f4e78f784b C3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66
77fa9abd-0359-4d32-bd60-28f4e78f784b 58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771
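The gist shows the output of the dbx parser but not the parser itself. The dbx variable body is a chain of EFI_SIGNATURE_LIST structures, each carrying a SignatureType GUID, three sizes, and then EFI_SIGNATURE_DATA entries of SignatureOwner GUID plus signature bytes (32 bytes for EFI_CERT_SHA256). The following Python is an added example, not the gist author's code: it walks that chain, prints the same "SignatureOwner SHA256Hash" view, and reads the variable from Linux efivarfs when it is present (the GUIDs are from the UEFI specification; the sample blob is constructed from two hashes in the output above).

```python
import os
import struct
import uuid

# GUIDs from the UEFI specification (not assumptions).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
# efivarfs exposes dbx under EFI_IMAGE_SECURITY_DATABASE_GUID; the first 4 bytes are the attribute word.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LIST_HDR = "<III"   # SignatureListSize, SignatureHeaderSize, SignatureSize (follow the 16-byte SignatureType GUID)


def parse_signature_lists(blob):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx body.
    Returns [(type_name, owner_guid, signature_data)] in on-disk order."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % pos)
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])          # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from(LIST_HDR, blob, pos + 16)
        if list_size < 28 + hdr_size or pos + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % pos)
        if sig_size < 16 or (list_size - 28 - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % pos)
        first, last = pos + 28 + hdr_size, pos + list_size
        for off in range(first, last, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])          # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            str(owner), blob[off + 16:off + sig_size]))
        pos = last
    return entries


def dbx_sha256_hashes(blob):
    """The 'SignatureOwner SHA256Hash' view from the gist: EFI_CERT_SHA256 entries only, hash upper-cased."""
    return [(owner, data.hex().upper())
            for kind, owner, data in parse_signature_lists(blob) if kind == "sha256"]


def build_signature_list(sig_type, entries):
    """Inverse of the parser; used here only to construct an offline test blob."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(uuid.UUID(owner).bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack(LIST_HDR, 28 + len(body), 0, sig_size) + body


def read_efivar(path=DBX_EFIVAR):
    with open(path, "rb") as f:
        return f.read()[4:]        # drop the efivarfs attribute word


# Constructed sample: two hashes from the gist output packed into a single SHA-256 list.
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, [
    ("00000000-0000-0000-0000-000000000000",
     bytes.fromhex("6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D")),
    ("77fa9abd-0359-4d32-bd60-28f4e78f784b",
     bytes.fromhex("80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A")),
])

if __name__ == "__main__":
    blob = read_efivar() if os.path.exists(DBX_EFIVAR) else SAMPLE_DBX
    print("SignatureOwner SHA256Hash")
    for owner, digest in dbx_sha256_hashes(blob):
        print(owner, digest)
```

One caveat when using the output: an EFI_CERT_SHA256 entry in dbx is the Authenticode hash of the PE image (the firmware hashes the image the way signing tools do, skipping the checksum and certificate-table fields), not a SHA-256 of the file on disk, so `sha256sum` of a bootloader will not match these values even when that bootloader is revoked.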
jeffmcjunkin / gist:8c65d438ae3aee8cf10b0e380776cd71
Last active May 17, 2017 00:28
Empire REST API Python client proposal
# start empire headless with the specified API username and password
./empire --headless --username empireadmin --password 'Password123!'
# log in and obtain the current server token
curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123!"}'
empire.login
# store the token in a variable
TOKEN=<API_token>
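The gist proposes a Python client around the same flow the curl call performs: POST credentials to /api/admin/login, receive a token, then send that token with every later request. The following Python is an added example, not the gist author's proposal or Empire's own client: a small stdlib-only client that does the login and token handling, with a pluggable transport so it can be exercised offline. The login endpoint and credentials come from the gist; the /api/listeners endpoint name and the fake server's responses are assumptions made for this example.

```python
import json
import ssl
import urllib.parse
import urllib.request


class EmpireClient:
    """Thin client for Empire's REST API. POST /api/admin/login returns a token, which is then
    sent as the ?token= query parameter on subsequent calls."""

    def __init__(self, base_url="https://localhost:1337", verify_tls=True, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self._ctx = ssl.create_default_context()
        if not verify_tls:
            # Same effect as `curl --insecure`: only acceptable against a lab server's self-signed cert.
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE
        self._transport = transport or self._https   # transport(method, url, body_dict) -> dict

    def _https(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self._ctx, timeout=15) as resp:
            return json.loads(resp.read().decode())

    def _url(self, path, params=None):
        params = dict(params or {})
        if self.token:
            params["token"] = self.token   # token rides in the query string: keep URLs out of shell history and logs
        query = urllib.parse.urlencode(params)
        return self.base_url + path + ("?" + query if query else "")

    def login(self, username, password):
        resp = self._transport("POST", self._url("/api/admin/login"),
                               {"username": username, "password": password})
        if not isinstance(resp, dict) or "token" not in resp:
            raise RuntimeError("login rejected: %r" % (resp,))
        self.token = resp["token"]
        return self.token

    def get(self, path, **params):
        if self.token is None:
            raise RuntimeError("call login() first")
        return self._transport("GET", self._url(path, params), None)


class RecordingTransport:
    """Offline stand-in for the Empire server, constructed for this example (not Empire's behaviour)."""

    def __init__(self, token="deadbeef"):
        self.token, self.calls = token, []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if url.endswith("/api/admin/login"):
            ok = body == {"username": "empireadmin", "password": "Password123!"}
            return {"token": self.token} if ok else {"error": "invalid credentials"}
        if urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("token") != [self.token]:
            return {"error": "missing or bad token"}
        return {"listeners": []}       # assumed shape of GET /api/listeners


def demo(transport=None):
    """Log in with the gist's credentials and list listeners; returns (token, listeners_response)."""
    client = EmpireClient("https://localhost:1337", verify_tls=False, transport=transport)
    token = client.login("empireadmin", "Password123!")
    return token, client.get("/api/listeners")


if __name__ == "__main__":
    print(demo(RecordingTransport()))   # pass transport=None to talk to a real Empire on :1337
```

The `verify_tls=False` switch exists only because the gist's curl call uses `--insecure` against Empire's self-signed certificate; for anything beyond a throwaway lab, load that certificate into the SSLContext with `load_verify_locations` instead of disabling verification.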
danielpataki / background.css
Last active December 28, 2016 03:28
Christmas 2015 Post
#page:before {
    margin: 21px;
    background-image: url("images/new_year_background.png");
    position: fixed;
    top: 0px;
    left: 0px;
    width: 100%;
    height: 100%;
    display: block;
    content: " ";
}
jsocol / good-forms.py
Created July 31, 2012 14:01
Django Mass Assignment
from django import forms
from myapp.models import Whatzit

class WhatzitForm(forms.ModelForm):
    class Meta(object):
        model = Whatzit
        # Explicit allow-list: only these model fields are bound from submitted data.
        fields = ('foo', 'bar', 'baz')
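The point of the gist is the explicit `fields` tuple: a ModelForm that instead uses `fields = '__all__'` or an `exclude` list binds every remaining model column from POST data, so a privileged column added later is exposed by default. The following Python is an added example, not the gist author's code, and it generalises the Django case to the underlying pattern without requiring Django: a mass-assigning binder beside an allow-listed one, run against a constructed hostile request body; the User model, the PROFILE_FIELDS allow-list and the request are all assumptions made for this example.

```python
from dataclasses import dataclass, fields as dc_fields


@dataclass
class User:
    username: str = ""
    email: str = ""
    is_staff: bool = False      # privilege flag that must never be settable from a request


# Constructed request body: what a hostile client POSTs to a profile-edit endpoint.
HOSTILE_POST = {"username": "mallory", "email": "mallory@example.com", "is_staff": "on"}

# Equivalent of WhatzitForm.Meta.fields: the only attributes the endpoint may bind.
PROFILE_FIELDS = ("username", "email")


def bind_unsafe(instance, data):
    """Mass assignment: every submitted key that names an attribute is written.
    This is the behaviour of a ModelForm with fields='__all__' (or a stale exclude list)."""
    for key, value in data.items():
        if hasattr(instance, key):
            setattr(instance, key, value)
    return instance


def bind_allowlisted(instance, data, allowed):
    """Hardened binder: only allow-listed fields are copied; anything else is reported, not silently dropped.
    Mirrors a ModelForm whose Meta.fields is an explicit tuple."""
    unexpected = sorted(set(data) - set(allowed))
    for key in allowed:
        if key in data:
            setattr(instance, key, data[key])
    return instance, unexpected


def coverage_gap(model_cls, allowed):
    """Model fields absent from the allow-list. With an allow-list, a newly added privileged
    column lands here and stays unbound; with an exclude list it would be exposed by default."""
    return sorted({f.name for f in dc_fields(model_cls)} - set(allowed))


def demo():
    """Returns (is_staff after unsafe bind, is_staff after allow-listed bind, rejected keys)."""
    victim = bind_unsafe(User(), HOSTILE_POST)
    hardened, rejected = bind_allowlisted(User(), HOSTILE_POST, PROFILE_FIELDS)
    return victim.is_staff, hardened.is_staff, rejected


if __name__ == "__main__":
    print(demo())          # ('on', False, ['is_staff'])
```

The `coverage_gap` check is the review step to run whenever a model gains a column: if the new field is privileged, it should appear in that gap rather than in the form's `fields`.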
rstacruz / index.md
Last active November 3, 2023 09:56
Rails models cheatsheet

Rails Models

Generating models

$ rails g model User

Associations

belongs_to

has_one