// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@namazso
namazso / coff.ksy
Created January 13, 2022 20:41
Kaitai Struct YAML for COFF
meta:
id: coff
title: Common Object Format File
file-extension:
- obj
license: CC0-1.0
ks-version: 0.9
endian: le
doc-ref: https://wiki.osdev.org/COFF
seq:
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11), and possibly servers (if the Desktop Experience feature is installed), whenever their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of domain credentials for the RPC call. HTTP (WebDAV) originated NTLM authentication does not negotiate signing, which is why it can be relayed to LDAP/LDAPS while SMB-originated authentication cannot.
  • Relaying that machine authentication to LDAPS and writing the workstation's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which configures RBCD toward an account the attacker controls.
  • Using that RBCD trust to obtain a service ticket for the workstation as a privileged user (S4U2Self/S4U2Proxy) and taking the system over.

The caveat is that the WebClient service does not start automatically at boot. However, if the WebClient service has already been started on a workstation (for example, by some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.

@GavinRay97
GavinRay97 / Makefile
Last active December 28, 2025 16:28
Dump C/C++ vtable & record layout information (clang + msvc + gcc)
# Requirements:
# clang - The classes/structs you want to dump must be used in code at least once, not just defined.
# MSVC - The classes/structs you want to dump must have "MEOW" in the name for "reportSingleClass" to work.
# Usage:
# $ make dump_vtables file=test.cpp
dump_vtables:
	clang -cc1 -fdump-record-layouts -emit-llvm $(file) > clang-record-layout-$(file).txt
	clang -cc1 -fdump-vtable-layouts -emit-llvm $(file) > clang-vtable-layout-$(file).txt
	g++ -fdump-lang-class=$(file).txt $(file)
	cl.exe $(file) /d1reportSingleClassLayoutMEOW > msvc-single-class-vtable-layout-$(file).txt
@micjabbour
micjabbour / CMakeLists.txt
Last active December 8, 2025 18:35
Suppress Windows Error Reporting crash dialogs
cmake_minimum_required(VERSION 3.2)
project(suppress_wer)
option(USE_DEBUGGER_BASED_SOLUTION "Uses a debugger-based solution instead of SetErrorMode. See suppress_wer_debugger.cpp for details" OFF)
if(USE_DEBUGGER_BASED_SOLUTION)
add_executable(suppress_wer suppress_wer_debugger.cpp)
else()
add_executable(suppress_wer suppress_wer_set_error_mode.cpp)
endif()
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
@olamotte
olamotte / Binary SD to human readable DACL
Created January 12, 2020 16:45
Windows Registry conversion from binary Security Descriptor to SDDL DACL
#Example: Which users can access the SMB Session information on a Windows 10 computer (NetCease status)
#Retrieve the binary value (a self-relative security descriptor stored as REG_BINARY)
$acl=Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity -Name SrvsvcSessionInfo
#Use WMI helper to obtain a converter
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
#Do the conversion to SDDL
$outsddl = $converter.BinarySDToSDDL($acl.SrvsvcSessionInfo)
#The SDDL string is in the .SDDL property; .ReturnValue is 0 on success
$outsddl.SDDL
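The two conversions above (the registry DACL here and the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor that the RBCD relay in the Workstation-Takeover gist writes) operate on the same on-disk format: a self-relative SECURITY_DESCRIPTOR with an embedded ACL of ACEs. The following is an added example, not code from either gist, that parses that format without Windows, emits the DACL in SDDL form, and lists the SIDs an RBCD descriptor would trust. It handles only the non-object ACE types (object ACEs raise), keeps the access mask as hex rather than mapping it to SDDL rights letters, and the domain SID and the build_sd() test-data generator are constructed for the example.

```python
import struct

# SDDL tokens for the non-object ACE types handled here (assumption: object ACEs raise)
ACE_TYPES = {0x00: "A", 0x01: "D", 0x02: "AU"}
ACE_FLAGS = ((0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"),
             (0x10, "ID"), (0x40, "SA"), (0x80, "FA"))
# A few well-known SIDs and their SDDL abbreviations
SID_ALIASES = {"S-1-1-0": "WD", "S-1-5-11": "AU", "S-1-5-18": "SY",
               "S-1-5-32-544": "BA", "S-1-5-32-545": "BU"}
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_bytes(sid):
    """String SID -> binary SID (revision, sub-authority count, 48-bit big-endian authority, LE subs)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def parse_sid(buf, off):
    """Binary SID at buf[off:] -> (string SID, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """ACL at buf[off:] -> list of (ace_type, ace_flags, access_mask, sid)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        if atype not in ACE_TYPES:
            raise ValueError("unsupported ACE type 0x%02x (object ACEs not handled)" % atype)
        mask, = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append((atype, aflags, mask, sid))
        pos += asize  # trust AceSize so any trailing padding is skipped
    return aces


def dacl_to_sddl(buf):
    """Self-relative SECURITY_DESCRIPTOR -> SDDL 'D:' string (mask kept as hex for exactness)."""
    rev, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative security descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return "D:NO_ACCESS_CONTROL"  # NULL DACL: no access control at all, everyone gets everything
    out = "D:"
    for atype, aflags, mask, sid in parse_acl(buf, off_dacl):
        flags = "".join(tok for bit, tok in ACE_FLAGS if aflags & bit)
        out += "(%s;%s;0x%x;;;%s)" % (ACE_TYPES[atype], flags, mask, SID_ALIASES.get(sid, sid))
    return out  # a bare "D:" is an empty DACL: nobody gets anything


def allowed_sids(buf):
    """SIDs granted by ACCESS_ALLOWED ACEs. For msDS-AllowedToActOnBehalfOfOtherIdentity these are
    the accounts permitted to delegate to the computer, i.e. the RBCD trust set."""
    _rev, _sbz1, control, _o, _g, _s, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return None  # NULL DACL: unrestricted
    return [sid for atype, _f, _m, sid in parse_acl(buf, off_dacl) if atype == 0x00]


def build_sd(owner, group, aces, dacl_present=True):
    """Constructed test-data generator (not a Windows API): build a self-relative SD."""
    blobs = []
    for atype, aflags, mask, sid in aces:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        blobs.append(struct.pack("<BBH", atype, aflags, 4 + len(body)) + body)
    acl = struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, blobs)), len(blobs), 0) + b"".join(blobs)
    o, g = sid_to_bytes(owner), sid_to_bytes(group)
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl_present else 0)
    off_dacl = 20 + len(o) + len(g) if dacl_present else 0
    hdr = struct.pack("<BBHIIII", 1, 0, control, 20, 20 + len(o), 0, off_dacl)
    return hdr + o + g + (acl if dacl_present else b"")


if __name__ == "__main__":
    # Constructed sample: an RBCD descriptor granting full control (0xf01ff) to one computer
    # account; the domain SID S-1-5-21-1111-2222-3333 is invented for the example.
    rbcd = build_sd("S-1-5-32-544", "S-1-5-32-544",
                    [(0x00, 0x00, 0xF01FF, "S-1-5-21-1111-2222-3333-1105")])
    print(dacl_to_sddl(rbcd))
    print(allowed_sids(rbcd))
```

Feed dacl_to_sddl() the bytes of SrvsvcSessionInfo (or the raw attribute value pulled over LDAP) to get the same answer the WMI helper gives, with the bonus that a NULL DACL and an empty DACL, which look alike in a hex dump but mean opposite things, come out distinguishable.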
@masthoon
masthoon / rpc_dump_rs5.txt
Created January 15, 2019 06:49
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :
@mattifestation
mattifestation / TLGMetadataParser.psm1
Last active May 5, 2026 22:33
Retrieves TraceLogging metadata from a file.
#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"
@mohanpedala
mohanpedala / bash_strict_mode.md
Last active May 19, 2026 07:42
set -e, -u, -o, -x pipefail explanation