@rxwx
rxwx / AmsiContextHook.cpp
Created November 30, 2023 17:04
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"
/**
* For the debug build we want:
@D3Ext
D3Ext / amsi-bypass.md
Last active February 28, 2025 10:33
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all these techniques, you can simply try them by typing "Invoke-Mimikatz" into your PowerShell terminal; you'll notice that even if you haven't imported Mimikatz, it will detect that as malicious. But if AMSI is off or you avoid it, it will just say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed AMSI.

However, some methods may be detected by the AV, but most of them actually work without problems.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading the PowerShell version to 2.0.

@lothan
lothan / CVE-2022-23935.md
Created March 18, 2022 18:17
Command Injection in Exiftool before 12.38

Overview

Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.

Description

Exiftool is "a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files." One of its features is being able to read the metadata of compressed images. The code for this is GetImageInfo in exiftool:

sub GetImageInfo($$)
###################################### Will Schroeder (@harmj0y) #######################################
S4U2Pwnage
http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
A Guide to Attacking Domain Trusts
https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
Another Word on Delegation
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
#!/usr/bin/python3
import subprocess
import requests

def fuzz(file_name):
    url = 'http://timing.htb/images/uploads/' + file_name
    r = requests.get(url)
    if r.status_code != 404:
        print(f'[+] Found the file at {url}')
@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

site:*/sign-in
site:*/account/login
site:*/forum/ucp.php?mode=login
inurl:memberlist.php?mode=viewprofile
intitle:"EdgeOS" intext:"Please login"
inurl:user_login.php
intitle:"Web Management Login"
site:*/users/login_form
site:*/access/unauthenticated
site:account.*.*/login
@muzlightbeer
muzlightbeer / windbg.md
Last active November 26, 2024 19:14
WinDbg for Linux Users

The Windows Debugger (WinDbg) for Linux users

The following provides commands for getting started with WinDbg if you've come from a Linux-only background and have only used GDB and LLDB.

VMware Fusion and VHD images

Some Windows operating system trials come as virtual hard disk (VHD) images, which state that Hyper-V is required to use them. With macOS and VMware Fusion (at the time of writing, VMware Fusion 12.1.2), you can drag the executable files into VMware (the same as with ISO images) and install them normally. No subscriptions are required to obtain access to a DVD or ISO image if you do not have a system that uses Windows as the base operating system.

Microsoft symbols

@kaimi-
kaimi- / gist:6b3c99538dce9e3d29ad647b325007c1
Last active February 27, 2025 22:07
Possible IP Bypass HTTP Headers
CACHE_INFO: 127.0.0.1
CF_CONNECTING_IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
CLIENT_IP: 127.0.0.1
Client-IP: 127.0.0.1
COMING_FROM: 127.0.0.1
CONNECT_VIA_IP: 127.0.0.1
FORWARD_FOR: 127.0.0.1
FORWARD-FOR: 127.0.0.1
FORWARDED_FOR_IP: 127.0.0.1
🔥Complete Bug Bounty Cheat Sheet🔥
XSS
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
https://github.com/ismailtasdelen/xss-payload-list
SQLi
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sqli.md