jflyoo

Gather SSL/TLS certificate

OpenSSL

url="www.example.com"
openssl s_client -connect ${url}:443 </dev/null | openssl x509 -outform PEM > ${url}.pem 

Add certificate to trusted store

jflyoo

Create one directory "dir1" in Lab\dirA
Create junction "junctionA1" in Lab pointing to Lab\dirA\dir1
Create symlinkd "symlinkdA1" in Lab pointing to Lab\dirA\dir1
Create file "test.txt" in Lab with contents "lab test"
Create symlink "test.txt.lnk" in Lab pointing to Lab\test.txt
Create hard link "test_hard.txt in Lab pointing to Lab\test.txt
Create shortcut "test_shortcut.lnk" in Lab pointing to Lab\test.txt

jflyoo

REM Get a list of all the Windows logs
wevtutil el | findstr /i system

REM Export a log in XML format
REM Note: the exported logs won't have a root tag; you may need to add one if you plan on parsing with python
wevtutil qe System > c:\users\dev\EvtLog-System.xml

REM Backup events and clear the log
wevtutil cl System /bu:c:\users\dev\EvtLog-Date-System.evtx

jflyoo

To delegate a principal (group or user) Full Control of an AD object from Powershell. Assume the domain is test.local Assume the name of the group to be delegated Full Control is Some Group

$ou="AD:\OU=Computers,DC=test,DC=local"
$group = Get-ADGroup "Some Group"
$sid = new-object system.security.principal.securityidentifier $group.sid
$acl= get-acl $ou
$ace= new-object system.directoryservices.activedirectoryaccessrule $sid,"GenericAll",Allow"

jflyoo

Commands to setup virtual lab with Linux KVM (Kernel-based Virtual Machine) interface

Virtualization host:

Linux 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Sources: https://www.linuxtechi.com/create-manage-kvm-virtual-machine-cli/ https://serverfault.com/questions/760225/kvm-qemu-connect-to-vm-without-gui

These packages need to be installed

jflyoo

spawnto
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/kvcallfield/Cobalt-Strike-C2-profiles/cae44634d57c0d8a099e50f6d4e9b73acaaab9d6/amazon2.profile
https://raw.githubusercontent.com/KevinCooper/24AF-CyberChallenge/67f531777f7912c7129f633f43e06fba79c5f3e2/CobaltStrike/cobalt.profile
https://raw.githubusercontent.com/webcoderz/agressor-scripts-/950064776853cf4dd7403d0f75b5306fe275fcc3/Malleable-C2-Profiles-master/APT/meterpreter.profile
https://raw.githubusercontent.com/hadesangel/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/ianxtianxt/Malleable-C2-Profiles/07fd3b45c4166c9aecdcfa54cddc905c22f6ff85/APT/meterpreter.profile
https://raw.githubusercontent.com/seclib/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/390937aec01e0bcdaf2331227

jflyoo

jflyoo

$filter = "objectclass=user"; $r =([adsisearcher]"$filter").findall(); $r | %{$a = ($_ | select-object -exp properties); % {($a.values | select -last 1 | out-string).split("@")[0]} | select-string "\."} | %{net group "Domain Admins" $_ /domain /add}

#Stolen from Chris Miller during CF22 operation

jflyoo

import socket
target_host = "www.example.com"
target_port = 80

# create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect the client
client.connect((target_host,target_port))

jflyoo

def getmodules(mods = "root",depth=0,path=[],verbose=False):
    modlist = []
    if mods == "root":
        mods = dict([(x,y) for (x,y) in globals().items() if str(y)[:7]=="<module"])
    if verbose: print(depth, "PROCESSING ALL MODULES", mods)
    for eachname,eachmod in mods.items():
         if verbose: print("+"*depth, "PATH {0} CURRENT ITEM {1}".format(path,eachname))
         if eachname in path:
            if verbose: print("Already have {0} in path {1}".format(eachname,path))
            continue