WHOAMI wh0amitz

@wh0amitz
wh0amitz / PassTheCertificate.cs
Last active August 19, 2023 05:03
Pass-the-Certificate to LDAPS when the KDC rejects PKINIT with KDC_ERR_PADATA_TYPE_NOSUPP
using System;
using System.Net;
using System.Text;
using System.DirectoryServices;
using System.Text.RegularExpressions;
using System.Security.Principal;
using System.Security.AccessControl;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;
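The gist's title names the situation it handles: the KDC answers a PKINIT request with KDC_ERR_PADATA_TYPE_NOSUPP, which is what you get when the domain controller has no certificate it can use for PKINIT, while LDAPS on the same DC only needs a certificate carrying the Server Authentication EKU and will still map a client certificate to an account. The check below is an added example (not code from the gist) that you run on a DC to see which of the two certificate paths it supports. The EKU OIDs are the standard ones; the function and variable names are mine.

```powershell
# Run on a domain controller (elevated). Reports whether the machine store holds a
# certificate usable for PKINIT and/or for LDAPS. Added example, not the gist's code.
$KdcAuthEku    = '1.3.6.1.5.2.3.5'     # KDC Authentication
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$TemplateExtV2 = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2+ templates)

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Get-DcCertificateCapabilities {
    [CmdletBinding()]
    param(
        # Defaults to the local machine store; pass a pre-fetched list to inspect offline.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates =
            (Get-ChildItem -Path 'Cert:\LocalMachine\My')
    )
    $now   = Get-Date
    $valid = $Certificates | Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now }

    $report = foreach ($c in $valid) {
        $oids = @(Get-CertEkuOids -Cert $c)
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Template   = ($c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtV2 } | ForEach-Object { $_.Format($false) })
            KdcAuth    = ($oids -contains $KdcAuthEku)
            ServerAuth = ($oids -contains $ServerAuthEku)
        }
    }

    [pscustomobject]@{
        # Heuristic: Windows KDCs also accept legacy "Domain Controller" template certificates
        # that lack the KDC Authentication EKU, so a false here is a strong hint, not proof.
        PkinitCapable = [bool]($report | Where-Object KdcAuth)
        # LDAPS (636/3269) is offered as soon as a Server Authentication certificate exists.
        LdapsCapable  = [bool]($report | Where-Object ServerAuth)
        Certificates  = @($report)
    }
}

$caps = Get-DcCertificateCapabilities
$caps | Select-Object PkinitCapable, LdapsCapable | Format-List
$caps.Certificates | Format-Table Subject, Template, KdcAuth, ServerAuth, NotAfter -AutoSize
```

If LdapsCapable is true and PkinitCapable is false, a certificate issued for a victim account cannot be turned into a TGT, but it can still authenticate to LDAPS, which is exactly the gap the gist's code uses; the defensive takeaway is that removing or not issuing a KDC certificate does not make certificate theft harmless.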
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, but requires adding a computer account or already owning one. Kerberos relay targeting LDAP, combined with Shadow Credentials, gives a non-privileged domain user local admin on (i.e. ownership of) the domain-joined machine they sit on. Combining the two: a non-privileged domain user escalates to Domain Admin without adding or pre-owning any computer account.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active March 1, 2024 12:26
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-fix local privilege escalation from a low-privileged domain user to local SYSTEM on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
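Both of tothi's write-ups (Certifried with KrbRelayUp above, and KrbRelay with RBCD here) stand on the same domain-side conditions: a DC that does not require LDAP signing or channel binding, the ability to write msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) or msDS-KeyCredentialLink (Shadow Credentials) on a computer object, and, for the Certifried-only path, a MachineAccountQuota that lets any user add computers. The script below is an added example (not part of either gist) that a defender runs to measure those conditions in one pass. It assumes the ActiveDirectory module and WinRM access to the DCs for the registry read; the function name and output fields are mine.

```powershell
# Added example, not from the gists. Requires the ActiveDirectory module; the registry
# read uses WinRM against each DC. Registry semantics are those of the GPO
# "Domain controller: LDAP server signing requirements" (LDAPServerIntegrity:
# 1 = None, the default; 2 = Require signing) and of LdapEnforceChannelBinding
# (0 = never, the default; 1 = when supported; 2 = always).
function Get-LdapRelayExposure {
    [CmdletBinding()]
    param([string]$Server = (Get-ADDomainController -Discover).HostName[0])

    $domain = Get-ADDomain -Server $Server

    # 1. How many computer accounts any authenticated user may create (default 10).
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # 2. Signing / channel-binding enforcement on every DC.
    $dcState = foreach ($dc in (Get-ADDomainController -Filter * -Server $Server)) {
        $p = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DC                 = $dc.HostName
            SigningRequired    = ($p.LDAPServerIntegrity -eq 2)
            ChannelBindingMode = $(if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 0 })
        }
    }

    # 3. Computer objects that already carry the artefacts these chains write into LDAP.
    $rbcd = Get-ADComputer -Server $Server -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' | ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($sd -is [byte[]]) {   # some module versions hand back the raw security descriptor
            $tmp = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $tmp.SetSecurityDescriptorBinaryForm($sd)
            $sd = $tmp
        }
        [pscustomobject]@{
            Computer     = $_.Name
            AllowedToAct = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
        }
    }
    $shadow = Get-ADComputer -Server $Server -LDAPFilter '(msDS-KeyCredentialLink=*)' `
                -Properties 'msDS-KeyCredentialLink' | ForEach-Object {
        [pscustomobject]@{ Computer = $_.Name; KeyCredentials = @($_.'msDS-KeyCredentialLink').Count }
    }

    [pscustomobject]@{
        MachineAccountQuota = $quota
        DomainControllers   = @($dcState)
        RbcdConfigured      = @($rbcd)
        ShadowCredentials   = @($shadow)
    }
}

$exposure = Get-LdapRelayExposure
$exposure | Select-Object MachineAccountQuota | Format-List
$exposure.DomainControllers | Format-Table -AutoSize
$exposure.RbcdConfigured    | Format-Table Computer, @{ n = 'AllowedToAct'; e = { $_.AllowedToAct -join ', ' } } -AutoSize
$exposure.ShadowCredentials | Format-Table -AutoSize
```

Read the output against the two write-ups: setting ms-DS-MachineAccountQuota to 0 closes the Certifried-only route but does nothing against the KrbRelayUp variant, because that one never creates a computer account; only SigningRequired and a ChannelBindingMode of 2 on every DC take the relay step away. Any computer in RbcdConfigured whose AllowedToAct entries you did not configure yourself, or any workstation in ShadowCredentials at all, is worth an incident ticket rather than a cleanup.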
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling WDigest to bypass Credential Guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
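The preview shows the PoC locating LSASS through a Toolhelp snapshot, which means it works on the process in memory rather than through the registry. The state check below is an added example (not part of N4kedTurtle's code) covering what a defender should verify on an endpoint: whether Credential Guard is actually running, whether WDigest plaintext caching is switched on in the registry, and whether LSASS runs as a protected process, which stops a plain admin-level process from opening it with write access. The CIM class, registry paths and values are the documented Windows ones; the function name is mine.

```powershell
# Added example, not from the gist. Win32_DeviceGuard.SecurityServicesRunning lists
# 1 for Credential Guard and 2 for HVCI. UseLogonCredential=1 makes WDigest keep
# plaintext passwords in LSASS (absent or 0 = off on Windows 8.1 / Server 2012 R2 and
# later). RunAsPPL >= 1 runs LSASS as a protected process light.
function Get-LsassProtectionState {
    [CmdletBinding()]
    param()

    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wd  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    $cgRunning    = ($null -ne $dg) -and (@($dg.SecurityServicesRunning)    -contains 1)
    $cgConfigured = ($null -ne $dg) -and (@($dg.SecurityServicesConfigured) -contains 1)
    $wdigestPlain = ($null -ne $wd) -and ($wd.UseLogonCredential -eq 1)
    $ppl          = ($null -ne $lsa) -and ($lsa.RunAsPPL -ge 1)

    [pscustomobject]@{
        CredentialGuardRunning    = $cgRunning
        CredentialGuardConfigured = $cgConfigured
        WDigestPlaintextEnabled   = $wdigestPlain
        LsassRunAsPPL             = $ppl
        Findings = @(
            if (-not $cgRunning) { 'Credential Guard is not running' }
            if ($wdigestPlain)   { 'WDigest UseLogonCredential=1: plaintext passwords are cached in LSASS' }
            if (-not $ppl)       { 'LSASS is not PPL: any admin process can open it with PROCESS_VM_WRITE' }
        )
    }
}

Get-LsassProtectionState | Format-List
```

Because a PoC of this kind patches wdigest inside LSASS, UseLogonCredential stays at its registry value and this check alone will not notice a live bypass; pair it with LSASS access telemetry (Sysmon Event ID 10 on lsass.exe with a write-capable access mask, or the equivalent EDR signal) and keep RunAsPPL on so the patch needs a driver rather than just admin.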
@realslacker
realslacker / Enable-VSSShadowCopies.ps1
Created June 6, 2018 15:34
Enable VSS Shadow Copies on remote computers.
<#
.SYNOPSIS
Enable VSS Shadow Copies on remote computers.
.DESCRIPTION
Enable VSS Shadow Copies on remote computers. The default settings take a snapshot every hour and use up to 5% of the disk.
.PARAMETER ComputerName
The computer(s) to enable VSS on. If piping from Get-ADComputer use 'Get-ADComputer -Filter * | select Name' to handle a bug in Get-ADComputer's piping.
.PARAMETER DriveLetter
Which drive to enable VSS on.
.PARAMETER CacheSize
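The help text describes the configuration the script applies (hourly snapshots, storage capped at 5% of the volume). The block below is an added example, not realslacker's script, showing the three pieces that configuration consists of for a single local volume: the vssadmin storage cap, an immediate snapshot through the Win32_ShadowCopy CIM class, and a scheduled task that repeats the same call hourly as SYSTEM. Function, parameter and task names are mine.

```powershell
# Added example, not the gist's code. Run elevated on the machine itself.
function Enable-HourlyShadowCopy {
    [CmdletBinding()]
    param(
        [string]$DriveLetter = 'C',
        [string]$MaxSize     = '5%',
        [string]$TaskName    = 'Hourly-ShadowCopy'
    )
    $volume = "${DriveLetter}:"

    # Storage cap. 'add' fails when an association already exists, so fall back to 'resize'.
    & vssadmin.exe add shadowstorage /for=$volume /on=$volume /maxsize=$MaxSize 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        & vssadmin.exe resize shadowstorage /for=$volume /on=$volume /maxsize=$MaxSize | Out-Null
    }

    # One snapshot right away. ReturnValue 0 is success; ShadowID identifies the new copy.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = "$volume\"; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with $($r.ReturnValue)" }

    # Same call, repeated hourly as SYSTEM.
    $cmd       = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume='$volume\';Context='ClientAccessible'}"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

    # What exists now, so the result can be verified.
    Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName
}

Enable-HourlyShadowCopy -DriveLetter 'C' | Format-Table -AutoSize
```

Two security notes go with this: ransomware routinely runs "vssadmin delete shadows /all /quiet" before encrypting, so that command line is worth an alert on its own, and a snapshot of the system volume contains the SAM and, on a DC, ntds.dit, so the snapshots need the same access discipline as the live files.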
@masthoon
masthoon / SystemCMD.cpp
Last active April 11, 2024 08:16
Launch a SYSTEM cmd.exe in the user's current session (from a service)
#include "stdafx.h"
#include <windows.h>
#include <Winbase.h>
#include <Wtsapi32.h>
#include <Userenv.h>
#include <malloc.h>
#pragma comment(lib, "Wtsapi32.lib")
#pragma comment(lib, "Userenv.lib")
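A service that wants a SYSTEM shell on the user's desktop typically duplicates its own token, changes that token's session ID to the user's session, builds an environment with CreateEnvironmentBlock (the Userenv import above) and calls CreateProcessAsUser onto winsta0\default. The result is easy to spot from the host side: a SYSTEM process living in an interactive session. The check below is an added example (not masthoon's code) that lists such processes, with an allow-list for the few SYSTEM processes Windows itself keeps in a logon session. The function name and allow-list are mine; it needs elevation for Get-Process -IncludeUserName.

```powershell
# Added example, not the gist's code. Run elevated. Pass -Processes to test offline.
function Find-SystemProcessesInUserSessions {
    [CmdletBinding()]
    param(
        # SYSTEM processes Windows normally runs inside a logon session; tune per build.
        [string[]]$Expected  = @('csrss', 'winlogon', 'LogonUI'),
        # 'NT AUTHORITY\SYSTEM' is the English name; adjust on localised builds.
        [string]$SystemName  = 'NT AUTHORITY\SYSTEM',
        [object[]]$Processes = (Get-Process -IncludeUserName)
    )
    $Processes |
        Where-Object {
            $_.SessionId -ne 0 -and $_.UserName -eq $SystemName -and $Expected -notcontains $_.ProcessName
        } |
        ForEach-Object {
            # Parent PID helps tell a service-spawned shell from a normal one.
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.Id)" -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty ParentProcessId
            [pscustomobject]@{
                Name      = $_.ProcessName
                PID       = $_.Id
                Session   = $_.SessionId
                ParentPID = $parent
                Path      = $_.Path
            }
        }
}

# Live run:
Find-SystemProcessesInUserSessions | Format-Table -AutoSize

# Constructed sample (not real telemetry) showing the shape of a hit: a SYSTEM cmd.exe
# in session 1 is reported, the session-1 winlogon is not.
$sample = @(
    [pscustomobject]@{ ProcessName = 'winlogon'; Id = 900;  SessionId = 1; UserName = 'NT AUTHORITY\SYSTEM'; Path = 'C:\Windows\System32\winlogon.exe' },
    [pscustomobject]@{ ProcessName = 'cmd';      Id = 4321; SessionId = 1; UserName = 'NT AUTHORITY\SYSTEM'; Path = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ ProcessName = 'cmd';      Id = 4322; SessionId = 1; UserName = 'CORP\alice';          Path = 'C:\Windows\System32\cmd.exe' }
)
Find-SystemProcessesInUserSessions -Processes $sample | Format-Table -AutoSize
```

For continuous coverage the same condition maps onto Sysmon Event ID 1, which records both the user and TerminalSessionId for every process start, so the rule is "User is SYSTEM and TerminalSessionId is not 0 and Image is not one of the expected few".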