RemotePotato — Updated version (Cross session activation)
https://github.com/antonioCoco/RemotePotato0
#windows #privesc #lpe #pentest
https://github.com/antonioCoco/RemotePotato0
#windows #privesc #lpe #pentest
GitHub
GitHub - antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin.
Windows Privilege Escalation from User to Domain Admin. - antonioCoco/RemotePotato0
EfsPotato
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
https://github.com/zcgonvh/EfsPotato
#windows #privesc #pentest
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
https://github.com/zcgonvh/EfsPotato
#windows #privesc #pentest
GitHub
GitHub - zcgonvh/EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation…
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). - zcgonvh/EfsPotato
📜 Abuse AD CS via dNSHostName Spoofing
This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1
#ad #adcs #privesc #redteam
This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1
#ad #adcs #privesc #redteam
APT
📜 Abuse AD CS via dNSHostName Spoofing This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing. https://research.ifcr.dk/certifried-active-directory-domain…
🛠 DNSHostName Spoofing combined with KrbRelayUp
Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#ad #adcs #privesc #ldap #relay #redteam
Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#ad #adcs #privesc #ldap #relay #redteam
Gist
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts - certifried_with_krbrelayup.md
🔥4
APT
KrbRelayUp Universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) https://github.com/Dec0ne/KrbRelayUp #ad #privesc #kerberos #ldap #relay
⚙️ No-Fix LPE Using KrbRelay with Shadow Credentials
This article will explain how to separate the shadow credential method that KrbRelayUp uses into multiple different steps, giving you a bit more control regarding how each piece executes. For example, we can reflectively load some pieces, and execute others normally
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
#ad #privesc #kerberos #relay
This article will explain how to separate the shadow credential method that KrbRelayUp uses into multiple different steps, giving you a bit more control regarding how each piece executes. For example, we can reflectively load some pieces, and execute others normally
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
#ad #privesc #kerberos #relay
🔥4👍1
APT
📜 Abuse AD CS via dNSHostName Spoofing This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing. https://research.ifcr.dk/certifried-active-directory-domain…
📜 Defused That SAN Flag
One more post about Microsoft's recent security updates - re changes to Kerberos and the new certificate extension containing the requester's SID.
The changes 'defuse' the impact of the flag that allows adding custom subject alternative names to any certificate (including the ones that 'actually' should be auto-enrolled).
https://elkement.blog/2022/06/13/defused-that-san-flag/
#ad #adcs #privesc #redteam
One more post about Microsoft's recent security updates - re changes to Kerberos and the new certificate extension containing the requester's SID.
The changes 'defuse' the impact of the flag that allows adding custom subject alternative names to any certificate (including the ones that 'actually' should be auto-enrolled).
https://elkement.blog/2022/06/13/defused-that-san-flag/
#ad #adcs #privesc #redteam
👍2
Forwarded from Волосатый бублик
#ad #rpc #ntlm #privesc
[ Coercer ]
atricle: https://github.com/p0dalirius/windows-coerced-authentication-methods
There is currently 15 known methods in 5 protocols.
tool: https://github.com/p0dalirius/Coercer
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
[ Coercer ]
atricle: https://github.com/p0dalirius/windows-coerced-authentication-methods
There is currently 15 known methods in 5 protocols.
tool: https://github.com/p0dalirius/Coercer
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
👍2👎1