Skip to content

Instantly share code, notes, and snippets.

View najashark's full-sized avatar
🐔
ciken

hewhewhew najashark

🐔
ciken
27 followers · 40 following
View GitHub Profile
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@theevilbit
theevilbit / divide_and_conquer.c
Created January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@d3vilbug
d3vilbug / frida-get-AES-keys
Created November 2, 2018 06:25
#!/usr/bin/env python3
from __future__ import print_function
import frida
import sys
import json
import time
def on_message(message, payload):
if(message['type'] == 'send'):
@zznop
zznop / mem-loader.asm
Last active March 6, 2023 00:17
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, brandonkmiller@protonmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
@wdormann
wdormann / acltest.ps1
Created May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@mgeeky
mgeeky / Various-Macro-Based-RCEs.md
Last active January 14, 2024 16:43
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

  1. Page substiution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
@shahril96
shahril96 / thwart_IDA.c
Last active July 21, 2018 09:53
Sample C code to thwart IDA PRO analysis
/*
* gcc -m32 thwart_IDA.c -o thwart_IDA
*/
#include <stdio.h>
/* throws off esp analysis to thwart hexrays
Credit: https://github.com/RPISEC/MBE
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@HarmJ0y
HarmJ0y / LNKBackdoor.ps1
Created July 4, 2016 20:49
Functions to 'backdoor' .LNK files with additional functionality and enumerate all 'backdoored' .LNKs on a system.
function Set-LNKBackdoor {
<#
.SYNOPSIS
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
-ScriptBlock or -Command.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
@iamtekeste
iamtekeste / Download Google Drive files with WGET
Created July 8, 2015 11:00
Download Google Drive files with WGET
Download Google Drive files with WGET
Example Google Drive download link:
https://docs.google.com/open?id=[ID]
To download the file with WGET you need to use this link:
https://googledrive.com/host/[ID]
Example WGET command: