🎯
Self-Introspection

D@rkR4y. darkr4y

  • Pand0ra
  • Origin
@timClicks
timClicks / lol.c
Last active February 16, 2024 08:14
How many bugs can you spot?
// By [Colin Finck] and used by the [Comprehensive Rust] course,
// developed by the Android team at Google.
//
// This code compiles warning-free at the default warning level,
// even in the latest GCC version (13.2 as of writing).
//
// [Colin Finck]: https://colinfinck.de/Master_Thesis_Slides.pdf
// [Comprehensive Rust]: https://github.com/google/comprehensive-rust
#include <stdio.h>
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using DInvoke.DynamicInvoke;
namespace PatchETW
{
public static class Native
{
@dadevel
dadevel / README.md
Last active September 9, 2024 15:01
Proxychains Quick Config
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate a 32-bit process and 64-bit PowerShell to investigate a 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
@Skatterbrainz
Skatterbrainz / winget-setup.ps1
Last active February 21, 2024 05:36
winget-setup.ps1
<#
.SYNOPSIS
Lazy Admin Stuff
.DESCRIPTION
Configure WINGET packages because I'm lazy AF
.PARAMETER (none)
.NOTES
1.0.1 - 2024-01-13 - Skatterbrainz
Copy the RAW Gist URL and assign to variable $URL
Run: iex (iwr $URL)
#!/bin/bash
set -ex
# Extract the Debian netinst ISO and unpack the installer initrd for modification
rm -rf isofiles
xorriso -osirrox on -indev debian-12.1.0-amd64-netinst.iso -extract / isofiles
chmod +w -R isofiles/install.amd/
gunzip isofiles/install.amd/initrd.gz
@rotarydrone
rotarydrone / LogonUserSpy.nim
Last active March 31, 2025 07:06
LogonUserSpy.nim - Hooking advapi32!LogonUserW to log credentials
#[
PoC for hooking advapi32!LogonUserW to log credentials
Patch and restore the function when called, original credit for 99% of the code is here: https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/Hook.nim
Log to a named pipe server (must be started/managed by separate listener), and/or log to a file
by default, just logs to C:\users\public\log.txt
Compile:
nim c -d=mingw --app=lib -d:release --nomain LogonUserSpy.nim
/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
@cmsj
cmsj / ansible-dropbear-initramfs.md
Last active June 24, 2025 19:47
Ansible to add dropbear (i.e. an SSH server) to your initramfs, for unlocking encrypted root partitions

This is some Ansible (for Ubuntu 22.04) to install and configure your initramfs to run dropbear (i.e. an SSH server).

Super handy if you have an encrypted root partition and don't have physical access to the machine to enter the encryption passphrase on the console.

Notes:

  • You'll need to put your actual public SSH keys, instead of the blahblah placeholder I have here
  • I set dropbear to run on port 31337 so the hostkey doesn't clash with the main OS's key in your ~/.ssh/known_hosts
  • This expects to be able to trigger two Ansible handlers when it makes changes; they are listed separately at the bottom
  • You'll need to change the GRUB_CMDLINE_LINUX_DEFAULT line below to have the actual IP/gateway/NIC/hostname you want the kernel to configure
  • After you ssh in when the machine is booting, the command to actually unlock the root filesystem is: cryptroot-unlock
@aaaddress1
aaaddress1 / ExeMask.py
Last active April 24, 2025 05:28
Strip your personal compile info from Exe Files
import pefile, struct, sys

if len(sys.argv) != 2:
    print("Strip your personal compile info from Exe Files by [email protected]")
    print(f"Usage: {sys.argv[0]} [path/to/exe]")
    sys.exit(-1)

# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
def mask_myRichHdr(in_pefile):
    DANS = 0x536E6144  # 'DanS' as dword