Skip to content

Instantly share code, notes, and snippets.

View clod81's full-sized avatar
🔐

clod clod81

🔐
  • Tier Zero Security
View GitHub Profile
@clod81
clod81 / find_drivers_addresses.c
Created April 27, 2024 08:38
Windows C program to find the addresses of kernel drivers
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
void main() {
LPVOID DriverBases[1024];
CHAR DriverName[100];
DWORD Needed;
ULONG i, DriverCount;
if (!EnumDeviceDrivers(DriverBases, sizeof(DriverBases), &Needed) || (Needed >= sizeof(DriverBases))) {
using System;
using System.Security.Cryptography;
using System.Text;
namespace Decrypt1
{
internal class Program
{
static void Main(string[] args)
{
@clod81
clod81 / encrypt.cs
Created January 21, 2024 21:44
C# DPAPI Example Usage
using System;
using System.Security.Cryptography;
using System.Text;
namespace Encrypt1
{
internal class Program
{
readonly static byte[] entropy = {}; //the entropy
@clod81
clod81 / cookies.py
Last active April 10, 2023 04:30
Parse a json of cookies and returns the document.cookie directives to be run in dev console in browser in the target domain
import json
cookies = '[{"name":"cookiename","value":"cookievalue","domain":"domain.com","path":"/","expires":1710446521.314705,"size":8,"httpOnly":false,"secure":true,"session":false,"priority":"Medium","sameParty":false,"sourceScheme":"Secure","sourcePort":443}]'
parsed = json.loads(cookies)
# print("")
# print("Set-Cookie: ******************************")
# print("")
@clod81
clod81 / scrape.py
Last active March 15, 2023 02:06
LinkedIn Python3 Selenium Scrape by: Employee + Company name. Returns: info - name, last position start date, LinkedIn profile URL. Info saved to: linked_dates.txt
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
import time
import sys
import os
global driver
driver = webdriver.Chrome("/PATH_TO/chromedriver")
@clod81
clod81 / scrapy.js
Created March 8, 2023 00:44
LinkedIn JS scrape company employees and position
// 1. Access a company page on LinkedIn and click on the company employees
// 2. Open the browser dev console
// 3. Import jQuery first (copy and paste jQuery into browser dev console will do)
// 4. Copy and paste the below in the console
// 5. Wait until the last page (10 people per page are displayed)
// 6. Enjoy the list in console output
function scrape(){
jQuery.each(jQuery('span.entity-result__title-line span a span span[aria-hidden="true"]'), function(i,v){
console.log((v.innerHTML.replace(/<!---->/g, "").replace(/ /g, " ")));
@clod81
clod81 / esc1.ps1
Created February 23, 2023 19:18 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
// From: https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH/blob/16f8f7a90a543a0f5a3f70d3d02e8f120273e6ed/SharpNamedPipePTH/PipeServerImpersonate.cs
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Diagnostics;
namespace SharpNamedPipePTH
{
class PipeServerImpersonate
@clod81
clod81 / js
Last active September 6, 2022 01:20
jQuery JS LinkedIn company employees' names scraping
// 1. Access a company page on LinkedIn and click on the company employees
// 2. Open the browser dev console
// 3. Import jQuery first (copy and paste jQuery into browser dev console will do)
// 4. Copy and paste the below in the console
// 5. Wait until the last page (10 people per page are displayed)
// 6. Enjoy the list in console output
function scrape(){
jQuery.each(jQuery('span.entity-result__title-line span a span span[aria-hidden="true"]'), function(i,v){
console.log((v.innerHTML.replace(/<!---->/g, "").replace(/ /g, ".")));
@clod81
clod81 / certifried_with_krbrelayup.md
Created May 17, 2022 02:48 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites: