Skip to content

Instantly share code, notes, and snippets.

View mgeeky's full-sized avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
2.4k followers · 95 following
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
View GitHub Profile
@mgeeky
mgeeky / Source.cpp
Created May 9, 2023 22:12 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@mgeeky
mgeeky / IBM-MQ-Pentesting-notes.md
Last active December 6, 2023 12:46
Practical IBM MQ Penetration Testing notes, couple of handy tips and punch-q installation walkthrough

Practical IBM MQ Penetration Testing notes

In order to interact with IBM MQ in any way, we need to install IBM MQ Client libraries, available only on IBM website. Account registration will be required to get hands on them.

Step 1: Installing prerequisities

Pre-requisites: IBM MQ Client

  1. Download the IBM MQ V9.0.0.4 LTS Clients - the file should be named: 9.0.0.4-IBM-MQC-LinuxX64.tar.gz (9.0.0.4 Client install image for IBM MQ on Linux X86-64) - size: 397MB
  2. Extract it to whatever directory.
@mgeeky
mgeeky / Procmon_operationst.txt
Last active November 30, 2023 18:32
PROCMON Operations list
CloseFile
CreateFile
CreateFileMapping
DeviceIoControl
FileSystemControl
FlushBuffersFile
Load Image
LockFile
NotifyChangeDirectory
Process Create
@mgeeky
mgeeky / generateMSBuildPowershellXML.py
Last active November 27, 2023 14:14
Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
#!/usr/bin/python3
#
# Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or
# .NET/CLR assembly EXE file into inline-task XML file that can be further launched by:
# %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#
# Requirements:
# - pefile
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
@mgeeky
mgeeky / bluetoothObexSpam.py
Created May 29, 2016 16:05
Script intended to flood bluetooth enabled devices with incoming OBEX Object Push requests containing attacker-specified file.
#
# Bluetooth scanner with ability to spam devices
# with incoming OBEX Object Push requests containing
# specified file.
#
# Mariusz B. / MGeeky, 16'
#
# Partially based on `Violent Python` snippets.
# Modules required:
# python-bluez
@mgeeky
mgeeky / HInvoke.cs
Created May 18, 2023 00:18 — forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go trough all its types hash their name
@mgeeky
mgeeky / Update_Notes.md
Created April 30, 2020 21:41
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@mgeeky
mgeeky / msfvenom-reverse-tcp-WaitForSingleObject.md
Last active November 14, 2023 19:45
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

@mgeeky
mgeeky / openvas-automate.sh
Last active November 12, 2023 19:15
OpenVAS automation script.
#!/bin/bash
#
# OpenVAS automation script.
# Mariusz B. / mgeeky, '17
# v0.2
#
trap ctrl_c INT
# --- CONFIGURATION ---
@mgeeky
mgeeky / README-setup-tunnel-as-systemd-service.md
Created June 20, 2023 10:53 — forked from drmalex07/README-setup-tunnel-as-systemd-service.md
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward

README

Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name of target host:

[Unit]
Description=Setup a secure tunnel to %I
After=network.target