Skip to content

Instantly share code, notes, and snippets.

Avatar

Adam Chester xpn

1.6k followers · 4 following
View GitHub Profile
@xpn
xpn / AADLAPS_Request.txt
Last active May 2, 2023 12:15
View AADLAPS_Request.txt
GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip
@xpn
xpn / LAPSDecrypt.cs
Last active May 17, 2023 20:53
Quick POC looking at how encryption works for LAPS (v2)
View LAPSDecrypt.cs
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@xpn
xpn / sccmdecryptpoc.cs
Last active January 23, 2023 15:09
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
@xpn
xpn / DogFoodExec.cs
Created May 3, 2021 23:10
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View DogFoodExec.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Linq;
namespace NautilusProject
{
internal class CombinedExec
{
public static IntPtr AllocMemory(int length)
@xpn
xpn / WriteGadget.cs
Created May 3, 2021 23:09
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View WriteGadget.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace NautilusProject
{
public class WriteGadget
{
@xpn
xpn / ReadGadget.cs
Created May 3, 2021 23:08
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View ReadGadget.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ReadGadget
{
public static IntPtr ReadMemory(IntPtr addr)
{
@xpn
xpn / ExecNativeSlot.cs
Created May 3, 2021 23:06
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View ExecNativeSlot.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecNativeSlot
{
public static void Execute()
{
@xpn
xpn / ExecStubOverwriteWithoutPInvoke.cs
Created May 3, 2021 22:58
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View ExecStubOverwriteWithoutPInvoke.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecStubOverwriteWithoutPInvoke
{
public static void Execute(byte[] shellcode)
{
@xpn
xpn / ExecStubOverwrite.cs
Created May 3, 2021 22:56
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View ExecStubOverwrite.cs
using System;
using System.Runtime.InteropServices;
namespace NautilusProject
{
public class ExecStubOverwrite
{
public static void Execute(byte[] shellcode)
{
// mov rax, 0x4141414141414141
@xpn
xpn / dotnet_inject.cpp
Created September 13, 2020 22:51
View dotnet_inject.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "main.h"
// libcorclr.dll signature for finding hlpDynamicFuncTable