Mike trash-rabbit

## config.zsh
bindkey -e
bindkey \^u backward-kill-line

## ws.harness.py
#!/usr/bin/python
import socket,ssl
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
from websocket import create_connection, WebSocket
from urlparse import parse_qs
import argparse
import os

LOOP_BACK_PORT_NUMBER = 8000

## certifried_with_krbrelayup.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                trash-rabbit
                / certifried_with_krbrelayup.md
            
            
              Created
              December 27, 2022 17:09
                — forked from tothi/certifried_with_krbrelayup.md
            
              
                Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
              
          
    Certifried combined with KrbRelayUp


Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts
or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user
on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged
domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:

  
## pedantically_commented_playbook.yml
---
# ^^^ YAML documents must begin with the document separator "---"
#
#### Example docblock, I like to put a descriptive comment at the top of my
#### playbooks.
#
# Overview: Playbook to bootstrap a new host for configuration management.
# Applies to: production
# Description:
#   Ensures that a host is configured for management with Ansible.
	#!/usr/bin/python
	import socket,ssl
	from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
	from websocket import create_connection, WebSocket
	from urlparse import parse_qs
	import argparse
	import os

	LOOP_BACK_PORT_NUMBER = 8000
	---
	# ^^^ YAML documents must begin with the document separator "---"
	#
	#### Example docblock, I like to put a descriptive comment at the top of my
	#### playbooks.
	#
	# Overview: Playbook to bootstrap a new host for configuration management.
	# Applies to: production
	# Description:
	# Ensures that a host is configured for management with Ansible.