
th3k3ymak3r
@zblurx
zblurx / lapsv2_decryptor.py
Last active April 24, 2024 06:42
Simple script to extract local admin password in cleartext with LAPSv2 using impacket
import argparse
import typing
import math
from uuid import UUID
from pyasn1.codec.der import decoder
from pyasn1_modules import rfc5652
from struct import unpack
from cryptography import utils
from cryptography.exceptions import AlreadyFinalized, InvalidKey
from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
@LuemmelSec
LuemmelSec / Process_String_Extractor.ps1
Created May 9, 2023 07:48
A wrapper for strings2.exe to extract sensitive info out of processes
# This scriplet relies on https://github.com/glmcdona/strings2
# Import the script: PS> import-module .\Process_String_Extractor.ps1
# Run the function: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname notepad -SearchString "Hello World"
# To extract Cookies for O365 / Azure PTC Attack: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname chrome -SearchString "ESTSAUTH","SignInStateCookie"
function ScrapeProcessMemory {
    Param(
        [Parameter(Mandatory)]
        [string]$Processname,
        [Parameter(Mandatory)]
@HackingLZ
HackingLZ / altitude.py
Created April 19, 2023 13:29
altitude alert
import csv
import requests
import argparse
from bs4 import BeautifulSoup
from colorama import Fore, Style, init
init(autoreset=True)
known_security_vendors = [
'symantec', 'mcafee', 'trendmicro', 'kaspersky', 'bitdefender',
@monoxgas
monoxgas / urbandoor.cs
Created April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
Write-Host "
444444444 hhhhhhh 333333333333333
4::::::::4 h:::::h 3:::::::::::::::33
4:::::::::4 h:::::h 3::::::33333::::::3
4::::44::::4 h:::::h 3333333 3:::::3
xxxxxxx xxxxxxx4::::4 4::::4 ssssssssss h::::h hhhhh 3:::::3 ssssssssss
x:::::x x:::::x4::::4 4::::4 ss::::::::::s h::::hh:::::hhh 3:::::3 ss::::::::::s
x:::::x x:::::x4::::4 4::::4 ss:::::::::::::s h::::::::::::::hh 33333333:::::3 ss:::::::::::::s
x:::::xx:::::x4::::444444::::444s::::
@passthehashbrowns
passthehashbrowns / custom_pack.cna
Created September 9, 2022 17:28
This is a reimplementation of the bof_pack function in Aggressor.
#Custom function to pack our arguments for BOFs
#Usage: Call it the same way you would call bof_pack
sub custom_pack {
local('$beaconId $formatString $formatStringFixed @argsFixed $totalSize $shiftCounter $index $binarySize $packedData')
#We don't really need this but keeping it so the calling convention is the same
$beaconId = $1;
#Our original format string
$formatString = $2;
@X-C3LL
X-C3LL / FreshyCalls-VBA.vba
Created September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. The combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active January 24, 2026 07:17
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)