fuckup1337

import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):

fuckup1337

using System;
using System.Runtime.InteropServices;

/* References
 * 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
 * 2. https://github.com/Mr-Un1k0d3r/EDRs
 */

namespace SharpHookCheck
{

fuckup1337

#!/usr/bin/env python
# Super dirty python3 scripts that alerts Cobalt Strike operator using pushover when a new IP is found amoung network interface on beacon
# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
import argparse
from datetime import datetime
from base64 import b64encode,b64decode
from pushover import init, Client
from os import path

parser = argparse.ArgumentParser(description='beacon info')

fuckup1337

on heartbeat_15m {
	    foreach $beacon (beacons()) {
			println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
	        $id = $beacon['id'];
			bipconfig($id,{
				print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n"); 
                exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));   
            });
	    }    

fuckup1337

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k

fuckup1337

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;

namespace HiddenEventLogs
{

fuckup1337

How to update the Go version

System: Debian/Ubuntu/Fedora. Might work for others as well.

1. Uninstall the exisiting version

As mentioned here, to update a go version you will first need to uninstall the original version.

To uninstall, delete the /usr/local/go directory by:

fuckup1337

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.