Skip to content

Instantly share code, notes, and snippets.

View mpgn's full-sized avatar
🕹️
Impose ta chance, serre ton bonheur et va vers ton risque.

mpgn

🕹️
Impose ta chance, serre ton bonheur et va vers ton risque.
View GitHub Profile
@mpgn
mpgn / netexec-vs-absolute.md
Last active April 17, 2024 17:04
NetExec vs Absolute

In progress

  1. First we get the domain name to edit our etc hosts file
netexec smb 10.10.11.181                                                          
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
  • Domain name: absolute.htb
  • Netbios name: DC
@mpgn
mpgn / Scrambled vs NetExec .md
Last active December 5, 2024 09:26
Scrambled vs NetExec for fun and profit by @mpgn_x64

Scrambled vs NetExec

Let pwn the box Scrambled from HackTheBox using only NetExec ! For context, I was reading Scrambled writeup from 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup it was true, but not anymore and it's pretty simple with NXC, 5 minutes and you get root :)

Note: I will pass the web part where we get one username : ksimpson

# https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# https://twitter.com/richinseattle/status/1354296177743679489
# if true on powershell command or no error on reg query output you are infected !
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
[System.IO.File]::Exists('C:\Windows\System32\Nwsapagent.sys')
[System.IO.File]::Exists('C:\Windows\System32\helpsvc.sys')
@mpgn
mpgn / wifi-relay.sh
Created November 2, 2020 11:01 — forked from 1mm0rt41PC/wifi-relay.sh
Wifi easy PEAP relay
#!/bin/bash
# Wifi easy PEAP relay
#
# Author: 1mm0rt41PC - immortal-pc.info - https://github.com/1mm0rt41PC
#
# Ref:
# - https://github.com/sensepost/hostapd-mana
# - https://github.com/sensepost/wpa_sycophant
# - https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/
# - https://www.youtube.com/watch?v=eYsGyvGxlpI&feature=youtu.be&t=1052
@mpgn
mpgn / Blackfield vs NetExec .md
Last active April 17, 2024 15:02
Blackfield vs NetExec for fun and profit @mpgn_x64
@mpgn
mpgn / PowerView-3.0-tricks.ps1
Created March 29, 2020 16:35 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@mpgn
mpgn / README.md
Created November 26, 2019 15:12
CrackMapExec module to set as "owned" on BloodHound every target owned by the attacker

Installation

  • Copy bloodhound_owned.py in cme/modules and reinstall CrackMapExec python setup.py install
  • pip install neo4j

Usage

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M bloodhound_owned
@mpgn
mpgn / areadme.md
Last active December 6, 2019 17:50
Procdump CME module that dump LSASS process and extract the result with pypykatz
  1. install pypykatz pip install pypykatz outisde your pipenv
  2. Add this file to cme/module/procdump.py
  3. compile python setup.py install
  4. run cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump

image