Skip to content

Instantly share code, notes, and snippets.

View clod81's full-sized avatar
๐Ÿ”

clod clod81

๐Ÿ”
66 followers · 223 following
  • Tier Zero Security
View GitHub Profile
@tothi
tothi / ms-msdt.MD
Last active February 7, 2025 12:01
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active April 23, 2025 01:59
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@CCob
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@Flangvik
Flangvik / PKI_Abuse_cheatsheet.md
Last active August 26, 2023 13:22
PKI Abuse CheatSheet
@JohnHammond
JohnHammond / stack_string.py
Created June 20, 2021 14:44
#!/usr/bin/env python3
"""
# NOTE, you must change the string below for data you want.
# This script does not take arguments in its current form. Sorry!
"""
from pwn import *
string = b"foobar"
@JohnHammond
JohnHammond / rop_ripper.py
Created June 20, 2021 14:42
#!/usr/bin/env python3
"""
# NOTE, you must change the filename below for the rp++ output you want to process.
# This script does not take arguments in its current form. Sorry!
"""
import re
from pwn import p32, u32
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@mattifestation
mattifestation / CIPolicyParser.ps1
Last active May 1, 2025 07:39
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)