Skip to content

Instantly share code, notes, and snippets.

@tothi
tothi / certifried_with_krbrelayup.md
Last active Aug 21, 2022
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
View certifried_with_krbrelayup.md

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@CCob
CCob / patchless_amsi.h
Created Apr 17, 2022
In-Process Patchless AMSI Bypass
View patchless_amsi.h
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active Oct 4, 2022
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC
View 20211210-TLP-WHITE_LOG4J.md

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@Mr-Un1k0d3r
Mr-Un1k0d3r / run.c
Created Aug 11, 2021
spawn an invisible process
View run.c
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
CHAR cDesktop[] = "hiddendesktop";
HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);
View system32_exports.txt
This file has been truncated, but you can view the full file.
[*] - C:\Windows\System32\1028\VsGraphicsResources.dll
[?] 64-bit Image!
[>] Time Stamp: 12/31/1969 19:00:00
[>] Function Count:
[>] Named Functions:
[>] Ordinal Base:
[>] Function Array RVA: 0x
@matterpreter
matterpreter / CallTreeToJSON.py
Last active Sep 4, 2022
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
View CallTreeToJSON.py
#@author matterpreter
#@category
#@keybinding
#@menupath
#@toolbar
###
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE
#
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created Nov 20, 2020 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
View DInjectQueuerAPC.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@ropnop
ropnop / go-sharp-loader.go
Created Aug 5, 2020
Example Go file embedding multiple .NET executables
View go-sharp-loader.go
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs are in a "binaries" folder
@TheWover
TheWover / EtwpTest.cs
Created May 6, 2020
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
View EtwpTest.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{