Chris Elgee chriselgee

  • Maine
chriselgee /
Last active Feb 11, 2022
Finding and reading alternate data streams (ADS) with PowerShell on an NTFS partition

To find all streams within file.txt: Get-Item .\file.txt -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\file.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\
PSChildName   : file.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\file.txt
chriselgee / E-PS_Outside.ps1
Created Sep 18, 2021
Enter-PSSession from outside a domain
# Tell the attack machine to trust these hosts on a foreign domain
winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts=","}'
# Enter the credentials to use when connecting
$username = "\compromisedAdmin"
$pass = "Luggage=12345"
$fancypass = ConvertTo-SecureString $pass -AsPlainText -Force
$dacred = New-Object System.Management.Automation.PSCredential ($userName, $fancypass)
chriselgee /
Last active Jan 2, 2022
Tool Syntax with IPv6

Some tools allow or even require -6 as a command-line option, and curl requires an IPv6 address to be in [] (square brackets). Also, for link-local addresses, you usually have to specify the local interface you want to use.

  • ping 2001:7b8:666:ffff::1:42 -I eth0
  • nmap -6 2001:7b8:666:ffff::1:42%eth0
  • curl http://[2001:7b8:666:ffff::1:42]:8080/ --interface eth0
  • wget http://[2001:7b8:666:ffff::1:42]:8080/
  • telnet -6 2001:7b8:666:ffff::1:42
  • nc -6 2001:7b8:666:ffff::1:42%eth0 23

Want to find link-local addresses for systems in your network segment? Try hitting local hosts and routers with these multicast addresses:

chriselgee /
Last active Dec 10, 2021
Decoding Flask Cookies with Python and CyberChef

Flask cookies, when stored client-side, are .-delimited, often zlib-deflated, and Base64-encoded with _ subbed in for / and - subbed in for + (URL-safe encoding).

Let's take an example cookie from


We can take the first piece (ignoring the signature) and store it as a variable in python3:
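
An added example, not part of the original gist, of the decoding described above: it takes the first piece of a cookie, restores the Base64 padding, and inflates the payload when the cookie starts with "." (the marker Flask's serializer puts in front of a zlib-compressed payload). The sample cookies are constructed in the code with a fake timestamp and signature, and the function names are this example's own; the signature is never checked.

```python
import base64
import json
import zlib


def _b64(raw: bytes) -> str:
    # URL-safe Base64 with the padding stripped, as the cookie carries it
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_cookie(data: dict, compress: bool) -> str:
    """Build a constructed cookie; the timestamp and signature pieces are fake."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    payload = "." + _b64(zlib.compress(raw)) if compress else _b64(raw)
    return f"{payload}.{_b64(b'time')}.{_b64(b'not-a-real-signature')}"


def decode_flask_cookie(cookie: str) -> dict:
    """Return the payload of a client-side Flask cookie (signature NOT verified)."""
    compressed = cookie.startswith(".")   # leading "." marks a zlib-deflated payload
    if compressed:
        cookie = cookie[1:]
    payload = cookie.split(".")[0]        # first piece; the rest is timestamp and signature
    payload += "=" * (-len(payload) % 4)  # restore the stripped Base64 padding
    raw = base64.urlsafe_b64decode(payload)  # handles "-" and "_" (URL-safe alphabet)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


# Constructed sample values, not taken from any real application
SAMPLE = {"user": "alice", "role": "admin", "note": "x" * 40}
PLAIN_COOKIE = make_sample_cookie(SAMPLE, compress=False)
DEFLATED_COOKIE = make_sample_cookie(SAMPLE, compress=True)

if __name__ == "__main__":
    for c in (PLAIN_COOKIE, DEFLATED_COOKIE):
        print(c[:40] + "...", "->", decode_flask_cookie(c))
```

Both forms decode without the application's secret key, which is why a client-side Flask cookie should be treated as readable by whoever holds it.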

chriselgee / InstallingBloodhound.txt
Created Jul 16, 2021
Easiest paths to installing BloodHound
Getting BloodHound (visualizer) working can be tricky. I've done some research; these seem the best methods:
Kali VM:
Use SharpHound.ps1 or similar to collect the data and BloodHound itself to visualize it. It's handy for pen testers, but it's wonderful for Active Directory defenders.
chriselgee / Typer.ahk
Created Nov 3, 2019
AutoHotkey Typer Script
; Sends user-entered text to most recently used program -LTLG, 27JUN06
; Disables the little "H" systray icon while program runs
; Allows more than one copy to run at once
#SingleInstance, OFF
Gui, Add, Edit, x16 y50 w370 h70 vTextFodder,
Gui, Add, Text, x206 y120 w40 h20 , Times:
Gui, Add, Button, x276 y120 w110 h30 Default, &Giddyup!

Typing special characters:

  • In Windows, the simplest way to type special characters is with the Character Map, or charmap.exe. Scroll through, double-click the ° symbol you need, click Copy, and you can Paste it into your application. Notice though - while it's selected, there are codes at the bottom. On the left is the Unicode code, U+00B0. This means that the system stores the degree character as hex 00 and B0. (Who cares? We'll come back to it.) On the right, you see Alt-0176. This means that when NumLock is turned on, you can hold Alt and type 0176 on the number pad and get a degree symbol.
  • In Linux, we need that Unicode code. Press Ctrl-Shift-U, then type 00B0 and hit enter or space or whatever. The ° appears!

If you need to type something you haven't found in charmap, you can Google it. The lobster emoji, for example, is apparently 1F99E. So, on my Linux system, I hit Ctrl-Shift-U, enter the code, and get 🦞!

Want to type a lobster in Win 10? If you're up-to-date on p