Skip to content

Instantly share code, notes, and snippets.

View xpn's full-sized avatar

Adam Chester xpn

View GitHub Profile
View AADLAPS_Request.txt
GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip
@xpn
xpn / LAPSDecrypt.cs
Last active October 26, 2023 01:43
Quick POC looking at how encryption works for LAPS (v2)
View LAPSDecrypt.cs
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@xpn
xpn / sccmdecryptpoc.cs
Last active January 7, 2024 15:35
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
View DogFoodExec.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Linq;
namespace NautilusProject
{
internal class CombinedExec
{
public static IntPtr AllocMemory(int length)
View WriteGadget.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace NautilusProject
{
public class WriteGadget
{
View ReadGadget.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ReadGadget
{
public static IntPtr ReadMemory(IntPtr addr)
{
View ExecNativeSlot.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecNativeSlot
{
public static void Execute()
{
View ExecStubOverwriteWithoutPInvoke.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecStubOverwriteWithoutPInvoke
{
public static void Execute(byte[] shellcode)
{
View ExecStubOverwrite.cs
using System;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecStubOverwrite
{
public static void Execute(byte[] shellcode)
{
// mov rax, 0x4141414141414141
View dotnet_inject.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "main.h"
// libcorclr.dll signature for finding hlpDynamicFuncTable