mgeeky

// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)

const puppeteer = require('puppeteer');

(async () => {
    console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
    const username = process.argv[2];
    const password = process.argv[3];
    console.log("[*] Using credentials: %s:%s", username, password);

mgeeky

' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)


'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/


Private Type LARGE_INTEGER

mgeeky

public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
{
	if (hModule == IntPtr.Zero) return false;

	PEB* peb = Get_PEB();
	if (peb == null) return false;

	LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
	Debug.Assert(CurrentEntry != null);

mgeeky

//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;

mgeeky

/*
 * fork.c
 * Experimental fork() on Windows.  Requires NT 6 subsystem or
 * newer.
 *
 * Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.

mgeeky

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

mgeeky

filter Send-AmsiContent {
<#
.SYNOPSIS

Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.

Author: Matt Graeber
Company: Red Canary

.DESCRIPTION

mgeeky

{
        # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(proxy_upstream) {
        # Enable access logging to STDOUT
        log
        
        # This is our list of naughty client User Agents that we don't want accessing our C2

mgeeky

BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize )
{
#ifdef TRANSPORT_HTTP
    HANDLE  hConnect        = NULL;
    HANDLE  hSession        = NULL;
    HANDLE  hRequest        = NULL;
    
    DWORD   HttpFlags       = 0;

    LPVOID  RespBuffer      = NULL;

mgeeky

extract ova files from an archive

$ tar -xvf vmName.ova

modify ovf for some invalid tag

$ vi vmName.ovf