Skip to content

Instantly share code, notes, and snippets.

View captainGeech42's full-sized avatar
👽
happy pwning my dudes

Zander Work captainGeech42

👽
happy pwning my dudes
View GitHub Profile
@captainGeech42
captainGeech42 / vnc.md
Last active April 14, 2024 14:10
Setup VNC on Ubuntu Server

Install a window manager, XFCE is my preference for VNC setups.

$ sudo apt install xubuntu-desktop tightvncserver
$ sudo reboot

Next, configure the VNC session behavior. vncpasswd interactively prompts for a password, its different than the user password, and hashed into ~/.vnc/passwd.

$ mkdir ~/.vnc
#!/usr/bin/env python3
"""
A script to output tabular data from a Storm query. Stormfile queries must emit data via $lib.csv.emit()
Based on Synapse's csvtool
source: https://github.com/vertexproject/synapse/blob/master/synapse/tools/csvtool.py
"""
import argparse
@captainGeech42
captainGeech42 / ctf_patch.py
Last active May 21, 2022 07:25
Patch out common annoying functions in CTF binaries
IMPORTS_TO_PATCH = [
"alarm",
"ptrace"
]
# iterate over imported symbols
for import_sym in bv.get_symbols_of_type(SymbolType.ImportedFunctionSymbol):
# check if symbol is in the patch list
if import_sym.name in IMPORTS_TO_PATCH:
log.log_info(f"patching out call to {import_sym.name}")
@captainGeech42
captainGeech42 / otpboi.py
Last active April 24, 2022 00:22
Simple TOTP manager, backed by sqlite, intended for backing up TOTP in a usable manner.
#!/usr/bin/env python3
# script for managing OTP codes. requires py3.6+
# secrets can optionally be encrypted at rest with pbkdf2/chacha20
# uses a sqlite database for storing data
# to run tests: python -m pytest otpboi.py
import argparse
import base64
import binascii
@captainGeech42
captainGeech42 / pe_load_getproc.yara
Last active April 20, 2022 21:34
Yara rule for PEs with only LoadLibrary* and GetProcAddress imports
import "pe"
rule Methodology_PE_LoadLibraryGetProcAddrOnly {
meta:
date = "2022-04-18"
author = "Zander Work (@captainGeech42)"
ref = "80ecb9e09772f5c54b2c02519ed68883"
desc = "Look for binaries with only LoadLibrary* and GetProcAddress imports. Not necessarily a sign of maliciousness, but worth looking into probably."
condition:
pe.is_pe and pe.number_of_imported_functions == 2 and
@captainGeech42
captainGeech42 / no_manifest.yara
Created March 13, 2022 15:58
Yara rule looking for PE files with no manifest
import "pe"
rule Feature_PE_NoManifest {
meta:
date = "2022-03-13"
author = "Zander Work (@captainGeech42)"
descr = "Look for PE files that don't have a manifest. This could be indicative of malicious files trying to reduce their footprint."
notes = "When building a binary with MSVC, the manifest can be disabled by passing /MANIFEST:NO to link.exe. By default, a manifest is generated when compiling via Visual Studio."
ref_manifest = "https://gist.github.com/captainGeech42/5e0bf655d048a562336ce99eea23dccc"
ref_sample = "ade0b06ef992926f5e5c80b69af19a70"
@captainGeech42
captainGeech42 / scriptobf_replaceempty.yara
Last active January 11, 2022 02:19
Yara rule that detects string.replace() being used for possible script obfuscation
rule Methodology_ScriptObf_ReplaceEmpty {
meta:
author = "Zander Work (@captainGeech42)"
descr = "Detects the use of string.Replace() or similar, where the replacement string is an empty string. This is a common technique for basic script obfuscation."
strings:
// doesn't hit on the search string being passed in as a variable FYSA
$re1 = /replace\(["'].*["'], ["']["']\)/ nocase // catches basic usage in at least python and powershell
$re2 = /replace\(["'].*["'], ["']["'], \d+\)/ // python str.replace has an optional third argument, a number. this only catches a decimal number fysa
$re3 = /replace\(\/.*\/\w*, ["']["']\)/ // javascript String.prototype.replace can take a regex pattern for the first argument
$re4 = /replace\(\w+, ["'].*["'], ["']["']/ nocase // vbscript replace takes at least 3 arguments: var to replace in, search string, replacement string. there are three more optional args
@captainGeech42
captainGeech42 / gen_qtypes.py
Created December 19, 2021 04:15
Take all of the lines, remove leading/trailing whitespace and comments, and stick them in "in"
# https://github.com/miekg/dns/blob/master/types.go#L27
with open("in", "r") as f:
lines = [x.strip() for x in f.readlines()]
for l in lines:
parts = l.split("uint16 = ")
type = parts[0].strip()[4:]
val = parts[1]
@captainGeech42
captainGeech42 / export_ctftime.py
Created November 9, 2021 01:31
Export ctftime compatible scoreboard from rCTF
#!/usr/bin/env python3
import requests
import sys
# use an account with bit 1<<2 set (put 7 for ultimate laziness)
BASE_URL = "https://damctf.xyz"
TEAM_TOKEN = "redacted" # the thing from the url on the team profile page
@captainGeech42
captainGeech42 / powershell_parser.kql
Last active October 27, 2021 08:21
PowerShell Event Log Parser for Azure Sentinel (EID 4103/4104)
let EventData = Event
| where Source == "Microsoft-Windows-PowerShell"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated,
Source,
EventID,
Computer,
UserName,
EventData,
RenderedDescription