Skip to content

Instantly share code, notes, and snippets.

View reket99's full-sized avatar

reket99

1 follower · 2 following
View GitHub Profile
@reket99
reket99 / certifried_with_krbrelayup.md
Created November 15, 2022 02:58 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@reket99
reket99 / ms-msdt.MD
Created December 11, 2022 23:25 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@reket99
reket99 / check_vulnerabledrivers.ps1
Created May 20, 2023 04:10 — forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
@reket99
reket99 / LAPSDecrypt.cs
Created October 26, 2023 01:43 — forked from xpn/LAPSDecrypt.cs
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@reket99
reket99 / LSARecovery
Created December 8, 2023 00:45 — forked from rufflabs/LSARecovery
Retrieve saved passwords from local service accounts
function Enable-TSDuplicateToken {
<#
.SYNOPSIS
Duplicates the Access token of lsass and sets it in the current process thread.
.DESCRIPTION
The Enable-TSDuplicateToken CmdLet duplicates the Access token of lsass and sets it in the current process thread.
The CmdLet must be run with elevated permissions.
.EXAMPLE